Easter is a wonderful time; celebrating new life with family and friends, enjoying a bit of time off and relaxing with an extended long weekend. For millions of Christians around the world, like me, it more importantly marks the death and resurrection of Jesus; an event which defines and changes human history.
Thinking back to when I was a kid, I have great memories of Easter with my family. We celebrated with eggs and the Easter Bunny, but never lost sight of the wonderful death and resurrection of Jesus. We told the story of the disciples, Jesus time in the garden, his betrayal by Judas, his death at the hands of Pilot, the desperation of the disciples, their denial of Jesus, and ultimately their disbelief at his resurrection. But as I’ve got older, this story has become more stale. I don’t share the same wonder as I did as a child. The events don’t have the same reality as they once did.
For the last few Christian Holidays, the Bible Society of Australia has tapped into this idea, and has been running an SMS (and now Messenger) series to help bring the Easter story alive. The basic premise is this: for a period of days leading up to and after Easter, you receive a number of messages from characters within the story, helping you to relive the events hag happened approximately 2000 years ago.
One of the criticisms that I’ve had of the last few runs of the story is that it is impersonal. The BSA sent messages from the same number and prefixed the characters name to each message, resulting in something that read like a play script. It was hard to suspend belief and actually get carried into the narrative of the story. This Easter, they’ve done something a bit different, and have used a feature of SMS that allows message senders to change the “sent from” code to deliver messages with the characters name in the sender. This means that it feels more like you are getting messages from the characters in the story.
I applaud the ingenuity of the idea. I love that they have taken that next step to help make the Easter message more real for those who subscribe to the service.
But earlier in the week, the messages started arriving with external links to content (images, videos and audio recordings) to enhance the story. These links enhance the story, and are shortened using the popular URL shortener service, bit.ly – which masks the location the content is hosted. They are also sent without http or https, which stops at least Apple’s URL unrolling from happening.
We spend so much time in information security reminding and encouraging people to not click links that are sent to them in messages. Most commonly these messages are phishing attempts to get people to enter usernames and passwords for external services or to install malware and keyloggers on their devices using known vulnerabilities in their browsers.
But because the messages come from Text caller IDs, with no prior warning and authenticating markers, there is no reason to believe that they are authentic. Yet, the author of the messages, the Bible Society, creates an implicit trust of these messages.
But why does this matter? Well, normally you wouldn’t trust a link sent to you from an unknown person. I wouldn’t normally click on it – but this program has even caused me to violate that normal value judgement and choose to click on the links.
Now, an attacker, being aware of this, could relatively easily construct a fake message, timed approximately in the story and sent it to a range of targets to get them to click and install some malware on their system. For instance, I created this test and sent it to myself:
The URL I used makes reference to a non-existing part of Luke (but it need not have) and points to a URL on the Real World website.
I imagine it would be relatively trivial to guess the numbers of some prominent Christians that are likely participating in the program, and trip them into clicking a link that is not as innocent as the one I’ve crafted above.
So how do we get around this? Well, the first thing is to consider our web of trust as users. We need to be vigilant, and not click on links from messages, in emails or in other sources without checking the URL and being sure of its authenticity. Services such as bit.ly being used in this program are a classic example of a bad link to click on, because you have no idea what resides behind the URL.
As a provider of such services, the BSA could both do more to authenticate their messages and use their own URLs (eg URLs that directly head to the Bible Society website) or a URL shortener run by them. They could also take care to send URLs with the protocol prefix (http or https) so URL unrolling happens on mobile platforms more easily. Or even better, don’t send additional links – the security and trust issues probably aren’t offset by the enhancement to the story anyways. Information Security best practice should be carefully understood and followed, especially in these circumstances – and we should be doing our best to educate our users, friends and families of what is and isn’t a safe way to use the internet.
So, if you are part of HolyTXT this Easter, please enjoy the service and the opportunity to relive the story in a new way, but be careful not to fall victim to the potential traps this program could hold. (And for the record, I’m not aware of anyone using this for an attack – just at the surprisingly easy opportunity for attack that this creates.)