Adversary Exploitation of Social Media
By David Carr

I just came back from the Department of Defense Intelligence Information Systems (DoDIIS) conference in Orlando, and one of the more interesting sessions was on "How Adversaries Exploit Poor OPSEC" given by a couple of Defense Intelligence Agency guys.

Although the focus was on precautions people in sensitive military and intelligence roles should take, I came away with a lot of food for thought for anyone who has access to any sort of sensitive information -- military, government, corporate, whatever.

I came away with a little DIA pamphlet called "Elicitation: Would You Recognize It" that goes through all sorts of social engineering hacks that an adversary might run on you during a "chance" encounter at the library or the coffee shop to elicit sensitive information in seemingly casual conversation. The danger is not that a DIA professional would blurt out top secret information in such an encounter. Rather, it is that they would violate the "need to know" principle of not giving out any sort of operational information without a good reason. In other words, an adversary who takes a systematic approach may be able to use many small bits of information to piece together a picture of military operations. One person lets slip something about the mission, another says something about who is involved, a third gives a clue about timing.

I think the WWII-era motto on the subject was "Loose Lips Sink Ships."

So what are we letting slip in our online existence, in the era of social media, which is all about sharing information with (in many cases) perfect strangers and online personas who may not be who they claim to be?

As part of the presentation, DIA's Nick Jensen, a Cyber Operator / Analyst for OPSEC Operations, ran through a scenario that talked about how easy it would be for an adversary to find a DIA employee on a site such as LinkedIn and start piecing together a picture of who that person is, what his job function is, what his political views are, who he is associated with (online friends or connections), and what his habits are.

LinkedIn provides the basic resume, which may include details on projects and specialties. In Jensen's scenario, a DIA employee also provides a link to his blog. The blog, in turn, has links to all the other social media sites this person participates in -- so pretty soon the adversary is browsing Flickr photos and Twitter status messages, continuing to round out the picture. One of those status messages mentions something about the Starbucks near his house (horrible customer service, but he hangs out there anyway).

That allows the adversary to "bump into" the target at that Starbucks, intercept or hijack the Wi-Fi session he opens on his laptop over the shop's shared network, and ... well, things go downhill from there.
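The pivot-and-aggregate method in Jensen's scenario, as an added example that is not code from the post, from DIA, or from any real tool: a small Python script walks a chain of constructed, fictional profile pages (resume page, blog, photo site, status feed, all on reserved `.invalid` domains), follows the cross-links, pulls out individually harmless facts with simple patterns, and records which page each fact came from. The URLs, page contents, category names and regular expressions are all assumptions made up for the illustration; the point it demonstrates is the one in the text, that no single page says much but the combination of role, project, a frequented place and a routine is enough to stage a "chance" encounter.

```python
"""Cross-site profile pivoting, the adversary's view of poor OPSEC.

Added example, not code from the page. Every page below is constructed
and fictional; the ".invalid" TLD is reserved and never resolves.
"""
import re
from collections import deque

# Constructed pages keyed by URL, mirroring the LinkedIn -> blog ->
# photos/status chain described in the post.
PAGES = {
    "https://resume.example.invalid/in/jdoe": (
        '<h1>J. Doe</h1>'
        '<p>Information Security Analyst, Defense Intelligence Agency</p>'
        '<p>Specialties: network defense; currently on project "Blue Harbor"</p>'
        '<a href="https://blog.example.invalid/jdoe">My blog</a>'
    ),
    "https://blog.example.invalid/jdoe": (
        '<p>Find me elsewhere: '
        '<a href="https://photos.example.invalid/jdoe">photos</a> '
        '<a href="https://status.example.invalid/jdoe">status</a></p>'
    ),
    "https://photos.example.invalid/jdoe": (
        '<img src="/img/1.jpg" alt="Team offsite in Fairfax">'
        '<a href="https://unknown.example.invalid/x">friend</a>'  # unreachable link
    ),
    "https://status.example.invalid/jdoe": (
        '<p>Horrible customer service at the Starbucks near my house, '
        'but here again at 7am with the laptop.</p>'
        '<p>Long week ahead, travelling Monday.</p>'
    ),
}

LINK_RE = re.compile(r'href="(https?://[^"]+)"')

# One pattern per fact category; each has exactly one capturing group.
# These are illustrative heuristics, not a real OSINT extractor.
EXTRACTORS = {
    "role":     re.compile(r"<p>([^<]*(?:Analyst|Engineer|Officer)[^<]*)</p>"),
    "project":  re.compile(r'project\s+"([^"]+)"'),
    # Capitalised place name after "at/in/near", e.g. "at the Starbucks"
    "place":    re.compile(r"\b(?:at|in|near)\s+(?:the\s+)?([A-Z][A-Za-z']+(?:\s+[A-Z][A-Za-z']+)*)"),
    "routine":  re.compile(r"\b(\d{1,2}(?::\d{2})?\s?[ap]m)\b"),
    "schedule": re.compile(r"\b((?:travel?ling|flying|away)\s+(?:on\s+)?"
                           r"(?:Mon|Tues|Wednes|Thurs|Fri|Satur|Sun)day)\b"),
}


def fetch(url):
    """Stand-in for an HTTP GET: returns the constructed page, or None."""
    return PAGES.get(url)


def build_dossier(start_url, fetch=fetch, max_pages=25):
    """Breadth-first pivot across linked profiles.

    Returns (dossier, visited): dossier maps a category to a list of
    (fact, source_url) pairs so every bit stays traceable to the page
    that leaked it; visited is the crawl order.
    """
    dossier = {cat: [] for cat in EXTRACTORS}
    seen, queue, visited = {start_url}, deque([start_url]), []
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        html = fetch(url)
        if html is None:          # dead or out-of-scope link: skip it
            continue
        visited.append(url)
        for cat, pat in EXTRACTORS.items():
            for value in pat.findall(html):
                dossier[cat].append((value.strip(), url))
        for link in LINK_RE.findall(html):
            if link not in seen:  # pivot to every new profile we find
                seen.add(link)
                queue.append(link)
    return dossier, visited


def operational_picture(dossier):
    """The OPSEC point: the pieces come from different pages, yet together
    they let an adversary arrange a 'chance' meeting.

    Returns (categories_filled, distinct_source_pages, encounter_possible).
    """
    filled = sorted(cat for cat, facts in dossier.items() if facts)
    sources = {src for facts in dossier.values() for _, src in facts}
    encounter_possible = all(dossier[c] for c in ("role", "place", "routine"))
    return filled, len(sources), encounter_possible


if __name__ == "__main__":
    d, order = build_dossier("https://resume.example.invalid/in/jdoe")
    for cat, facts in d.items():
        for value, src in facts:
            print(f"{cat:9} {value!r:60} <- {src}")
    print(operational_picture(d))
```

Running it shows the role and project coming from the resume page, the neighbourhood from the photo site, and the coffee shop plus the 7am habit from the status feed; the blog contributes no fact at all, only the links that make the pivot possible, which is exactly why "I only posted links" is not a safe position.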

Despite highlighting this danger (which I also saw mentioned in another DIA pamphlet), the agency apparently doesn't prohibit employees from participating in networks such as LinkedIn and Facebook. It would probably be futile for them to try to do so, given how pervasive use of these social networks has become. In a quick search, I found 163 LinkedIn members who listed DIA as their current place of employment, including 22 people whose profiles included "security" as a keyword, such as one D.C.-based Information Security Analyst.

What DIA tells people is to be conscious of the kind of information they share in such public places (and I will say that the LinkedIn profiles I found were relatively minimal).

Still, the point about the dossier someone can build on you by hopping between multiple social networks and looking at your connections and status information is a sobering one -- particularly given that most commercial organizations probably have given far less guidance on what employees should and shouldn't be posting online.

I'm curious whether anyone outside of the military and intelligence fields is looking at these issues.

 




Comments (1)
RSS comments
1. Frederick B. Kauber, 06-02-2009 11:13

We have not found our competitors to be using the social engineering aspects of social media outlined in this article, but that is certainly a very plausible scenario. What we have found, however, are competitors using fake personas to attempt to discredit us in social media outlets; this is not necessarily new as this technique has been occurring since online forums were created, but the potential virality of these claims in channels like Twitter is greater and therefore requires diligence among those building brands via social media channels.





Copyright © 2007-2010 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.