In an excellent article in The Washington Times, UPI’s Shaun Waterman described a “red team” exercise in which a security consultant created a false persona on Facebook that appeared to be an attractive young woman working in cyber defense. She quickly garnered hundreds of friends in the national security community, as well as job offers and conference invitations. In the process she gathered a great deal of sensitive material, including inadvertently exposed passwords.
This is not a hypothetical concern – Hezbollah (long a terrorism pioneer) has already employed this strategy. According to the Israeli news site MySay:
The Hizbullah agent pretended she was an Israeli girl named “Reut Zukerman”. “Reut” succeeded during several weeks in engaging more than 200 reserve and active personnel.
The Hizbullah agent gained the trust of soldiers and officers who didn’t hesitate to confirm him as a “friend” once they saw that he/she was friends with several of their friends from the same unit. Most of them assumed that “Reut” was just another person who served in that elite intelligence unit.
In this way, Hizbullah collected information about the unit’s activity, names and personal details of its personnel, the unit’s slang, and visual information on its bases. This user / agent using Facebook is an example of a trend called fakebook.
The picture attached to “Reut Zukerman” was, of course, an appealing young woman (some tricks are timeless.)
The first concern with incidents of this nature is the raw intelligence collected. But beyond the data itself, each such incident creates opportunities to gather even more. An op-ed I co-authored for The Washington Times on the probable future of cyber-war argued:
Critical government systems are run on Intranets, networks that are separate from the Internet…. Most government Intranets do have points at which they interface with the Internet, and Intranets have been infected with malware from the Internet. However, Intranets are relatively controlled environments, so anomalous activity (at least theoretically) can be controlled and isolated quickly.
Because compromising those networks may be crucial in a military conflict, nation-states with serious cyberwar ambitions will carefully tailor malware for specific systems….
The most serious cases of identity theft usually involve social engineering, tricking the target to reveal crucial information that facilitates the crime. The same may be true in tailoring attacks to critical networks…. Social-network analysis could be used to identify individuals who are likely to have contacts within the security establishment and attempt to insert malware through them.
Imagine the now ubiquitous phishing attacks masquerading as e-mail from banks and credit card companies but instead designed by sophisticated intelligence agencies and carefully targeted at small communities.
The fakebook phenomenon adds further wrinkles to this possibility. With social network information, infiltrators have additional data with which to identify targets for social engineering, develop material and approaches tailored to those targets, and identify people whom the target would “trust.”
Consider this scenario (which is not far from what has already happened). A foreign intelligence agency identifies an analyst who has access to a network of interest. The agency sends the analyst a spoofed email that appears to come from someone known in the field and carries a paper for review; the paper also carries malware. Using data collected from social network analysis, the agency can choose the spoofed specialist carefully: not someone the analyst knows well, whose voice and habits might give the forgery away, but someone the analyst would know of, and the email could refer to mutual acquaintances. The paper itself could be tailored to the analyst’s interests.
This may sound like a great deal of work, but modern computing makes the accumulation and correlation of such data far easier, so much of this effort could be automated.
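To make concrete how the two pieces of this scenario can be automated from scraped contact data, namely picking a spoofed sender the target knows of but not well, and measuring the mutual-friend "trust" that got "Reut" accepted by an entire unit, here is an added Python example. It is not code from the article or from any of the sources it cites. The contact graph, the names in it and the ranking rule are constructed for illustration; a real red team or adversary would feed it a scraped friend list instead.

```python
from collections import defaultdict

# Constructed sample contact graph (hypothetical names, undirected "friend" edges).
# This stands in for what a scrape of a social network would yield.
SAMPLE_EDGES = [
    ("analyst", "colleague_a"),
    ("analyst", "colleague_b"),
    ("analyst", "colleague_c"),
    ("analyst", "prof_z"),          # direct contact: known well, a poor pretext
    ("colleague_a", "prof_x"),
    ("colleague_b", "prof_x"),
    ("colleague_c", "prof_x"),      # prof_x is known to all three colleagues
    ("colleague_a", "prof_y"),
    ("prof_y", "stranger"),
    ("fake_account", "colleague_a"),  # a "Reut"-style persona that befriended
    ("fake_account", "colleague_b"),  # two of the analyst's colleagues first
]


def build_graph(edges):
    """Build an undirected adjacency map from (a, b) friend pairs."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def second_degree_contacts(graph, target):
    """People the target is NOT directly connected to but shares contacts with.

    Returns {candidate: set_of_mutual_contacts}. These are the "knows of but
    does not know well" people the scenario wants as spoofed senders.
    """
    direct = graph[target]
    candidates = {}
    for friend in direct:
        for friend_of_friend in graph[friend]:
            if friend_of_friend == target or friend_of_friend in direct:
                continue
            candidates.setdefault(friend_of_friend, set()).add(friend)
    return candidates


def rank_pretext_senders(graph, target):
    """Rank second-degree contacts by how many mutual acquaintances they share
    with the target (constructed rule: more mutual contacts means the name is
    more recognisable and gives the email more acquaintances to name-drop)."""
    candidates = second_degree_contacts(graph, target)
    return sorted(candidates.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def mutual_contact_count(graph, account, target):
    """How many of the target's contacts already accepted `account`.

    This is the number a victim sees on a friend request; it is what made
    "Reut" look like a member of the unit after a handful of acceptances.
    """
    return len(graph[account] & graph[target])


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for name, mutual in rank_pretext_senders(g, "analyst"):
        print(f"{name}: {len(mutual)} mutual contacts via {sorted(mutual)}")
    print("fake_account shares", mutual_contact_count(g, "fake_account", "analyst"),
          "contacts with analyst")
```

Two things worth noticing when running it. The fake persona, after only two acceptances, already ranks above a genuine second-degree colleague (prof_y), which is the snowball the MySay account describes. And prof_z, the person the analyst actually knows, never appears as a candidate at all: the ranking deliberately excludes direct contacts, matching the scenario's point that a close acquaintance is the wrong person to impersonate. The same functions are useful on the defensive side, for example to flag inbound mail whose claimed sender is a second-degree contact with no prior correspondence.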
Cyber-security is clearly a growth industry and presents serious challenges. But whatever technical innovations are employed to prevent intrusions, they cannot succeed if they do not fully consider the human side of the equation.