Social media: The zero-trust game

Our value today is measured in numbers. Followers, connections, likes, tweets, and impressions now not only count toward the value of our opinions but also quantify our sphere of influence. These metrics, however, are easily manipulated to such an extent that even elections have allegedly been at the mercy of the social media numbers game.

Given the power of digital influence, it stands to reason that it has quickly become the platform of choice to communicate a message. Although for many of us it requires an enormous time investment to build such credibility, there are some who take a shortcut.

The spreading of information via social media platforms has been the subject of multiple studies, particularly in the wake of numerous reported misinformation campaigns. In a recent post concerning the 2016 election in the United States, Twitter said it had “expanded the number of people notified about interactions with Twitter accounts potentially connected to a propaganda effort by a Russian government–linked organization known as the Internet Research Agency” and that “approximately 1.4 million people have now received a notification from Twitter.” Tactics to influence people from the bottom up are not limited solely to elections. We have now seen claims that bots are looking to hijack the gun debate.

Recently, the McAfee Advanced Threat Research team uncovered a campaign exploiting shortcuts within social media to proliferate propaganda. However, unlike with infamous bot farms, this campaign used social media profiles, and their associated credibility, to spread messages. This is a crucial difference: in the terms of Robert Cialdini’s Influence: The Psychology of Persuasion (1984), this attack leverages “authority” as the subconscious lever, rather than “social validation.” In this instance, attackers targeted the Twitter accounts of high-profile individuals in politics and the press, and once an account was compromised they would almost immediately promote their agenda to its followers. Yet this was only part of the attack: the actors also used direct messaging to target other high-profile individuals, harvest their credentials, and repeat the same attack.

Why should you trust a direct message (DM)? Why wouldn’t you? It is surely more trustworthy than receiving an email, particularly as making a DM appear to come from someone trusted is considerably harder than doing the same with an email. However, the fallacy that DMs and even tweets are from trusted sources should be reconsidered. This campaign proves that an attacker can compromise account after account relatively easily, reinforcing the adage that security is only as strong as its weakest link. Equally, the implicit trust we place in information disseminated through such channels must surely now be suspect. To simply place all obligations on the platforms is an abdication of responsibility by each of us as users.

Such challenges are not new. Accusations that media had influenced elections were leveled at newspapers more than one hundred years ago. Today the power to influence and manipulate is within everyone’s grasp and has driven the economy for bot farms for hire to promote any message of our choosing. Sadly, the power of social media is being lost due to the many methods which destroy the integrity it once promised. The failure of social media platforms to incorporate any significant measures beyond the whack-a-mole of disabling bot accounts is having a real impact on our ability to trust what we read.

Unless more significant measures are taken, social networks will quickly become an echo chamber of vitriol, perpetuated by personal and political agendas and controlled by those that have no interest in seeing us succeed.

I would like to acknowledge and thank the team at Social Safeguard who supported our recent investigation into the Twitter campaign detailed in this article.
