Page 262 - Trust in ICT 2017
5 Trust in ICT
1) Self-promoting attacks: a malicious user can intentionally promote its own importance (by
providing good recommendations for itself) in order to be selected as the service provider, and
then provide a malfunctioning service.
2) Whitewashing attacks: a malicious entity can disappear and re-join the application to wash
away its bad reputation.
3) Discriminatory attacks: a malicious entity can discriminatively attack non-friends or entities
without strong social ties (without many common friends) because of human nature or
propensity towards friends in social networks.
4) Bad-mouthing attacks: a malicious entity can ruin the reputation of another well-behaved
entity by providing bad recommendations so as to decrease the chance of this good entity being
selected as a service provider. This is a form of collusion attack, i.e., the malicious entity can
collaborate with other bad entities to ruin the reputation of the good entity.
5) Ballot-stuffing attacks: a malicious entity can boost the reputation of another bad entity by
providing good recommendations for it so as to increase the chance of this bad entity being
selected as a service provider. This is also a form of collusion attack, i.e., the malicious entity
can collaborate with other bad entities to boost each other's reputation.
c) Threats in social networks
Social networking tools have changed the way people interact in their personal lives and in business.
Increasingly, these tools play a significant role in how business gets done; however, they also carry the
following risks [b-PANet].
1) Phishing bait: Many users of the social networking services had their accounts compromised.
Although this was only a tiny fraction of a percent, it is still a significant number considering
that famous social networking services have over several million users. To their credit, the social
networking services acted quickly, working to blacklist that domain, but many copycat efforts
ensued.
2) Data leaks: Social networks are all about sharing. Unfortunately, many users may share too
much sensitive information about their organizations, such as projects, products, finances,
organizational changes and/or scandals.
3) Botnets: Recently, accounts of a social networking service have been used as the command and
control channel for a few botnets. The service is shutting these accounts down, given the ease of
access of infected machines via the social networking service.
4) Advanced persistent threats: One of the key elements of advanced persistent threats is the
gathering of intelligence on persons of interest, for which social networks are a data source.
Perpetrators use this information to further their threats by placing more intelligence-gathering
tools (e.g., malware, Trojans), and then gaining access to sensitive systems.
5) Cross-site request forgery: This attack exploits the trust that a social networking application
has in a logged-in user's browser. Consequently, as long as the social network application is not
checking the referrer header, it is easy for an attacker to share an image in a user's event stream
that other users might click on, catching and spreading the attack.
6) Impersonation: The social network accounts of several prominent individuals with thousands
of followers have been hacked. Furthermore, several impersonators have gathered hundreds
and thousands of followers.
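One way to implement the referrer check mentioned in item 5, as an added example that is not part of the original document. The origin `social.example`, the names `TRUSTED_ORIGINS` and `is_same_site_request`, and the sample requests are assumptions made for illustration; the HTTP header itself is spelled `Referer`.

```python
from urllib.parse import urlsplit

# Assumption: the application's own origin; "social.example" is a placeholder.
TRUSTED_ORIGINS = {("https", "social.example", 443)}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for a URL, or None if it is not a web origin."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def is_same_site_request(method, headers):
    """Allow a state-changing request only when Origin (or, failing that,
    Referer) names a trusted origin. `headers` uses lower-case keys."""
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must not change state, so they pass
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False  # fail closed: nothing proves where the request came from
    # Compare parsed origins exactly; prefix or substring matching would accept
    # hosts such as social.example.evil.test.
    return _origin(source) in TRUSTED_ORIGINS


if __name__ == "__main__":
    # Constructed sample requests (not taken from any real traffic).
    samples = [
        ("POST", {"referer": "https://social.example/events/42"}),
        ("POST", {"referer": "https://social.example.evil.test/img"}),
        ("POST", {"referer": "https://evil.test/?u=https://social.example/"}),
        ("POST", {}),
    ]
    for method, headers in samples:
        verdict = "allow" if is_same_site_request(method, headers) else "reject"
        print(method, headers, "->", verdict)
```

A header check of this kind is usually deployed alongside per-session anti-CSRF tokens or `SameSite` cookies, since some clients and proxies strip the `Referer` header.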
I.4 Risks from the integration of the physical, cyber, and social worlds
a) A large number of ICT resources
Risks threaten the ability of ICT infrastructures and services to cope with the complexity of the interactions
and mechanisms of the entities. Access to a large number of ICT resources causes irreparable damage and
creates unpredictable dangers. It is essential to make ICT resources accessible to all the people with promises
but with unknown dangers.