
Augmented Reality Security Considerations

 
This post had originally been titled "The Top Augmented Security Threats"....on what grounds do I have to make such claims?  These technologies and ideas are new.  As such, aggressively speculating on potential future dangers (with no idea how real they are) is dangerous.  In writing this blog, I hope to spark new thoughts and build upon the ideas of others.  What I do not want is to over-sensationalize the threats I discuss.  Many of them are simply conceptual and interesting to think about, but to no extent do I wish to peddle fear to others for my own personal gain.  ::cough:: 60 minutes ::cough::  As this blog matures, I hope to promote worthy dialogue and keep fear-mongering at bay.  That said...
 
With augmented reality systems on the rise, it has become important to focus on the corresponding security threats users may face.  Fundamentally, the AR paradigm allows users to interface with a more intelligent planet.  Our mobile devices now provide a gateway to context-specific knowledge and information.  This knowledge-rich virtual layer permits individuals to more intelligently navigate and manipulate their surroundings.
 
Context hacking and location manipulation:  As we become more dependent on these mobile devices to provide information relevant to our surrounding environment, a trust relationship is born.  We as users come to trust that the information we receive is valid and credible.  Applications such as Layar show users what is in proximity to them by displaying real-time digital information on top of reality through the mobile phone's camera.  Much of the real-time digital information that we find in such applications is user-submitted data.  What is to prevent malicious users from targeting specific locations and submitting false information?  Attackers could target specific locations, manipulate the environment's digital context, and more effectively facilitate attacks such as spear phishing and social engineering.  Attackers can easily leverage the power of social context to stack the deck in their favor.  Take it one step further.  What if attackers target a specific business or organization?  By hacking context and manipulating location, attackers can damage an organization's reputation.  Attackers could even go so far as to depreciate the value of a home simply by means of context hacking and location manipulation.  As can be seen in the new Twitter API for location-based trends, these attacks really are not that far away.
 
Location-Based DDoSing:  AR systems and location go hand in hand.  It is the location-based information, in many cases, that makes an AR system worth using.  The ubiquitous networking of objects and the Internet of Things implies that networks and their hosts will become somewhat presence-aware.  Users will come to rely upon location-specific systems and networks.  Attackers may choose to DDoS location-specific targets particular to a mission.  However, this idea is not intrinsically new.  AR systems simply have the potential to amplify such threats.
 
Physical Threat:  Continuing with the importance of location, physical threats become more relevant.  Users with mobile devices, acting as sensors, promote the dissemination of location-relevant information.  As such, an individual targeting another individual in physical space (instead of virtual space) could conceivably do so more effectively.
 
Spam:  Spam, sigh, the problem we were supposed to have solved back in 2006.  Spam will be just as relevant to AR systems as it is today with email.  This virtual layer will likely become littered with spam.  Advertisements will be everywhere.  Users themselves may become the advertisements.... similar to something like this.  Will users simply learn to tune them out as they do with advertisements on the Web?  Probably.  However, the market and dirty money to disseminate spam will still be there.
 
Mobile Metadata Mining:  I posted about this a few days ago.  Is it a threat?  I suppose.  Is it something that should keep me up at night?  Absolutely not.  The metadata associated with output from mobile devices will eventually allow us to do some pretty incredible things....that is, of course, if it becomes standardized.  Until then, mobile metadata mining will simply be the mass acquisition of dissimilar data.  The differences in format and semantics will only permit a group or individual mining the data to do so much.  If some kind of standard to recognize the who, what, where, and when does come to exist, look out.  Intelligence gathering will grow to new levels.

 

How to Leverage Virtual Worlds to Improve Security

I recently began reading Beautiful Security: Leading Security Experts Explain How They Think, in particular chapter 9, Tomorrow's Security Cogs and Levers by Andy Oram and John Viega.  The chapter is a great read for any information security professional and thus far my favorite in the book.  To develop some context, the chapter begins with...
 
Information security is not just about technology. It is about people, processes, and technology, in that order—or more accurately, about connecting people, processes, and technology together so that humans and entire systems can make informed decisions. It may at first seem rather odd to start a chapter in a book about the future of security management technology with a statement that puts the role of technology firmly in third place, but I felt it was important to put that stake in the ground to provide context for the rest of this chapter.

 
Oram and Viega go on to discuss two different types of security people: builders and breakers.  Builders are the optimists.  Despite recognizing the profound seriousness of the security vulnerabilities and dangers we face today, there is still room for encouragement.  Breakers, as you can imagine, are the pessimists.  "You wonder when listening to some of them, why the Internet hasn't totally collapsed already and why any of us have money left unpilfered in our bank accounts" (Oram & Viega).
 
Despite drastically different mentalities, there is one simple truth: when an innovation's benefits outweigh its drawbacks, that innovation almost always succeeds.  Builders understand this.  They understand that new technology with significant benefits will move forward and inescapably reveal new security issues.  Unlike breakers, who at times can be intimidated by change, builders look to see how novel technologies can be leveraged to improve security.
 
Every few years the next big thing comes along and polarizes security people into these two philosophical camps (Oram & Viega).  We are currently seeing it with Web 2.0 (social networking, wikis, social bookmarking, etc.), and roars are beginning to escalate concerning cloud computing.  Inevitably we will see the same with virtual worlds.  This got me thinking.  Wouldn't it be interesting to look at ways in which virtual worlds could improve security?  Here are a couple of quick ones off the top of my head.....
 
1) Dramatically improve communication in real-time
 
The ability to quickly communicate amongst the masses in real-time is very powerful.  Twitter has recently made this more apparent than ever.  Virtual worlds take real-time communication to a whole new level, incorporating both social context and environmental relevance.  These components will improve the clarity of information dissemination and mitigate the ambiguity commonly seen in text-based communications.
 
2) Fertile ground for innovative, small businesses to cheaply and more effectively produce novel security solutions
 
Virtual worlds provide an ideal space for small businesses to form and produce a wide-ranging set of security solutions.  This idea encompasses two components.  First, virtual worlds provide a cheap environment to bring together intelligent individuals from all over the world.  As a result, many effective small businesses will spring up everywhere.  Second, these small businesses will have concentrated focuses.  They will become experts and have an esoteric understanding of individual security components few others will understand.  Instead of devising and implementing large, bulky security solutions, enterprise organizations will have a selection of small, more modular components (supplied by small businesses providing in-depth, esoteric knowledge) that can be adapted to enterprise-specific requirements.
 
3) Provide a neutral site for rich communication between diverse organizations (government agencies, contractors, private businesses, public organizations, etc) to discuss security
 
A virtual world has the ability to provide an organizationally agnostic environment enabling rich communication amongst a diverse set of organizations with varying goals.  What I mean, essentially, is a neutral virtual environment to bring different groups together, deter motivational bias, and avoid turf battles.  Let me reiterate: they have the ability to do so.  This does not mean that a single organization with private property, masked as public, holding information exchanges with additional organizations is in fact a "neutral" site.
 
These are just a few thoughts off the top of my head.  I am sure there are many more.  Notice that all of them leverage the power of collaboration and communication, characteristics virtual environments are best suited to facilitate.
 
Finally, understanding a conscientious builder mentality can be a driving force in devising secure, innovative solutions with advanced technologies.  We should not be scared of what is on the horizon, but rather embrace it, and mold it to our needs and requirements.
 

The Power of Social Context: Altruism & Behavioral Confirmation

Dr. Nick Yee, of the Daedalus Project, is an American researcher who studies self-representation and social interaction in virtual environments.  The Daedalus Project is Dr. Yee’s research initiative into the psychology and sociology of MMORPGs.  Yee, well respected by academia and extensively cited, has published a number of articles concerning the power of social context in virtual environments.  One in particular, “The Proteus Effect: The Effect of Transformed Self-Representation on Behavior”, at a high level depicts how the patterns of social interaction in the real world extend to virtual environments.  Malicious users who comprehend these social similarities can effectively instigate social actions as a means to elicit expected social reactions.  This understanding gives attackers a powerful platform for contextually and socially relevant phishing and social engineering attacks not yet possible in today’s two-dimensional Web.
 
Yee’s “The Proteus Effect” discusses an idea known as behavioral confirmation, which is the process whereby the expectations of one person (typically referred to as the perceiver) cause another person (typically referred to as the target) to behave in ways that confirm the perceiver’s expectations (Snyder, Tanke, & Berscheid, 1977).  For instance, a perceiver using an attractive avatar to interact with a target will likely find the target to behave in a friendlier and more altruistic manner.  It is important to note that the source of the behavioral change produced by behavioral confirmation stems from the perceiver rather than the target.  It is the perceiver’s behavior that in turn causes a change in the target’s behavior (Yee 2007).
 
In virtual, three-dimensional social contexts, attackers will understand aspects of behavioral confirmation and initiate perceiver behavior that helps facilitate phishing and social engineering attacks.  Attackers will exploit how individuals feel inclined to help others given certain social circumstances.
 
Let's say I am an attacker, in the perceiver’s social role, aware that how I look and act will influence my social target(s) to respond in a manner I can readily predict.  Perhaps my avatar is displayed as an attractive female mulling about at a chessboard in Second Life looking confused.  Perhaps my avatar sits down and stands up at the board multiple times.  Maybe my avatar wanders around the board in circles.  These signs tacitly suggest that I am confused and in need of help.  Without initiating conversation, there is an excellent chance another user’s avatar will approach me to see if I need help.  At this point, as an attacker, I have an excellent chance of getting my overly altruistic target to interact with my malicious chessboard, which perhaps runs a malicious script upon moving a piece (or something along those lines).
 
What is unequivocally powerful about this method of attack is that attackers no longer need to seek out victims.  Attackers can manipulate social context and drive unsuspecting victims to the attackers themselves.  Instead of baiting a hook and placing it in the water hoping for fish to bite, the fish are jumping out of the water and directly into the fisherman’s clutches.
 
