Social Espionage

Last Updated on May 1, 2011

Updated on 5/6/2011: Primoris Era is Back!

Few days ago the Twitter Community was shaken by the affair of @PrimorisEra AKA “The tweeter who loved me”, a Twitter user with more than 23.000 tweets and 1300 followers, depicting herself as a young, attractive woman with a keen interest in missile technology and national security strategy. Her sudden departure has subsequently created many questions and concerns about the security of information on the Internet and Social Network. As a matter of fact, more than a few Twitter users who work in national security panicked upon hearing the accusation lodged against @PrimorisEra, since it looks like she (or he) allegedly requested sensitive information using Twitter’s Direct Messaging, or DM, service, persuading several young men on Twitter (and Facebook as well) to divulge sensitive information for more than two years.

Albeit this interesting article explains the (alleged) real story behind, and in a certain manner belittles the spy story, social pitfalls (socialeaks) remain more relevant than ever.

This does not sound surprising to me: as soon as my colleague David told me the story (of course by mean of a tweet), the notorious affair of Robin Sage came immediately to my mind: a fake Facebook (and LinkedIn) Profile of a Cyber Threat Analyst, who was capable to gain access to email addresses, bank accounts and location of secret military units from her 300 contacts, persuading them to be a 25-year-old “cyber threat analyst” at the Naval Network Warfare Command in Norfolk, Virginia, graduated from MIT, with 10 years of work experience, despite her young age (she was also given private documents for review and was offered to speak at several conferences).

Lesson learned? Not at all, (nearly) every security professional should know very well, at least in theory, the story of Robin Sage and the consequent risks connected with a fickle Social behavior, most of all in those blurred cases when professional and personal information overlaps. Never ignore the first rule: young attractive girls have nothing to do with geeks, even if they often have persuading arguments, sometimes so persuading to tear down the personal natural defenses (the first form of “physical” security), especially in those cases (as in the example of Robin Sage) when other trusted peers have already fallen in the (honey)trap, and consequently appear between the contacts of the fake profile.

Even if @PrimorisEra or @LadyCaesar (another pseudonym of her Digital Identity) is not a spy in the pay of any foreign country, the possibility to use the Social Network for espionage, SecOps, or PsyOps is far from being remote. Indeed is a consolidated practice and may already rely on an (in)famous example: the one of Anna Chapman, the 28 years old Russian Spy, living in new york, arrested on 27 June 2010, together with other 9 people, on suspicion of working for Illegals Program spy under the Russian Federation’s external intelligence agency. One of the noticeable aspects of the whole story was just her Facebook profile full of hot pictures (and equally hot comments) used to attract friends, and probably as one of the ways to grab information (curiously it looks like she did not show how many friends she had, as to say, unlike everyone else, that spies apparently know how to deal with Facebook privacy settings.

Another amusing example is the saga of HB Gary Federal, whose CEO, Aaron Barr, claimed to have infiltrated the Hacker Group Anonymous, by using services such as LinkedIn, Classmates.com, Facebook, as well as IRC itself, being able to identify several high-level Anonymous members. Although his intention was (apparently) to show how easy it is to forge a fake virtual identity and use it to grab information, Anonymous was not very pleased for the list released by Aaron Barr (even because it had some controversial and incorrect information) and as a brutal revenge hacked the HBGary Federal Web Site, being also able to compromise the internal network , stealing and releasing nearly 5 gbytes of internal data including, projects, financial information. They also took over Aaron Barr’s Twitter Account leaking plenty of personal information, including a plot, involving Bank Of America, to help destroy secrets outlet WikiLeaks and discredit bloggers (full, really interesting story, here).

Of course False Social Network identities may not be used only to perform SecOps or obtain (real or alleged) sensitive information, as in the above mentioned cases), but also to perform PsyOps, not necessarily using human identities rather than fake software created human identities. Science Fiction? Not too much actually, since it is exactly what Air Force did, ordering software to manage army of fake virtual people, allowing:

10 personas per user (50 licenses), replete with background , history, supporting details, and cyber presences that are technically, culturally and geographically consistent. Individual applications will enable an operator to exercise a number of different online persons from the same workstation and without fear of being discovered by sophisticated adversaries. Personas must be able to appear to originate in nearly any part of the world and can interact through conventional online services and social media platforms. The service includes a user friendly application environment to maximize the user’s situational awareness by displaying real-time local information.

Guess who provided the Software? Curiously, the software was provided by HB Gary Federal (Let us hope this time the result will be different than the previous one).

Even if David reported the article a couple of months ago (rigorously with a tweet), only in the light of currents events, I was able to understand the real scope and the fact that the Social Network is becoming a more and more important battlefield. Think what a fake army of Bloggers or Social Network users could do in manipulating ideas or opinions or driving them towards the “right side” (to have an idea try to have a look to one of Bashar Facebook groups, of course do not forget to turn English Translation on unless you are able to speak Arabic!) or which information they can steal hiding behind their false identities and false interests in common.

At the end…

It is clear that the last events are attracting the attention and the focus on Social Network Security Concerns from all those Organization which must use the Web 2.0 features and may not allow to deploy a preventive total block. Consequently they are going to enforce more and more security countermeasures to protect their information from “accidental” leaks (or Socialeaks). Meanwhile, since the first level of security rely on the individual, here are Some simple suggestions to defend our real identity from virtual fake identities:

1) Never accept virtual candies from strangers. Use always the right amount of diffidence in accepting new requests of connections, mostly if coming from attractive, apparently disjoint, profiles. Even if they may rely on known or trusted persons between contacts. If possible a quick check on the identity of the requester through the trusted known contacts is a good practice. Remember that attractive girls have little do deal with geeks!

2) Nobody has ever regretted being silent rather than speaking too much. (or even typing too much). Use always the right amount of diffidence in providing information and never cross the borderline between personal and professional arguments while playing with your social avatar in non-professional social networks (but attention is needed also in professional networks).

3) Words fly away, writings remain. Remember that whatever information is typed may be eavesdropped, copied and/or saved to be used in inappropriate manner. Always be cautious in what you write, mostly if to an untrusted interlocutor.

4) Beware of the Social Network, in general use it with attention, I would suggest not to access it from workspace and during working hours. Never use work accounts (such as email addresses), not even provide professional information in any case. Never transmit, in any case, sensitive information (Credit Cards, Bank Account Coordinates, passwords, etc.).

A couple of semi-serious final suggestions:

1) Security professionals are familiar with white-box or black-box penetration testing/information gathering techniques. I believe times are mature for blue-box information gathering techniques: Security Consulting firms could begin to offer security services for organizations to assess their level of security with respect to Social Networks.

2) A final thought to fake personas. Among the other things, the above quoted contact from Air Force stated that:

Individual applications will enable an operator to exercise a number of different online persons from the same workstation and without fear of being discovered by sophisticated adversaries.

I could not help thinking to the initial scene of Blade Runner, and in particular to the interrogation of Replicant Leon Kovalsky. Metaphorically speaking the situation into the virtual world is exactly the same: If fake personas may not be discovered by sophisticated adversaries, are Organization going to train special agents (or develop software fake counter-personas) to drive out the impostors? Waiting for the answer, let us have a look to that wonderful sequence of Ridley Scott’s masterpiece.

[youtube=http://www.youtube.com/watch?v=VvpmxY4dc4c]