Social Networking and The OPSEC Threat I
Soldiers were recently given permission to access on-line social network sites via their government computers:

INFORMATION WEEK, 12 Jun 09 – “There's long been a military-wide ban on access to a number of specific social media sites, and while that still stands, some soldiers will now be able to access other social media sites that had inadvertently gotten caught in the same ban despite not being on the official banned list. Last month, the 93rd Signal Brigade of the 7th Signal Command, which oversees the Army's communications networks inside the United States, published an operations order that officially allows soldiers to access Facebook, Delicious, Flickr, Twitter, Vimeo, and Web-based e-mail (e.g., G-mail, Hotmail, etc) within the contiguous United States. Sites placed on a block list by superseding order of the Joint Task Force-Global Network Operations remain on the list, including YouTube, MySpace, Photobucket, and Pandora, while the 93rd Signal Brigade remains silent on a few other sites like FriendFeed, Digg, and StumbleUpon. Exemptions for these sites and others have to go through a formal process, beginning with the submission of a request for information to the 93rd Signal Brigade.”
What are social networking sites? *

Social networking sites, sometimes referred to as “friend-of-a-friend” sites, build upon the concept of traditional social networks where you are connected to new people through people you already know. The purpose of some sites may be purely social, allowing users to establish friendships, while others may focus on establishing business connections. Although the features of social networking sites differ, they allow users to provide information about themselves and offer some type of communication mechanism (forums, chat rooms, email, instant messenger) that enables you to connect with other users.

* Mindi McDowell, US-CERT
What security implications do these sites present? *

Social networking sites rely on connections and communication, so they encourage you to provide a certain amount of personal information. When deciding how much information to reveal, people may not exercise the same amount of caution as they would when meeting someone in person, because:
• the internet provides a sense of anonymity
• the lack of physical interaction provides a false sense of security
• (social network) users tailor the info for their friends to read, forgetting that others may see it, too
• they want to offer insights to impress potential friends or associates

While the majority of people using these sites do not pose a threat, malicious people are drawn to them because of the accessibility and amount of (personal) information that’s available. The more information malicious people have about you, the easier it is for them to take advantage of you. Using information that you provide about your location, hobbies, interests, and friends, a malicious person could impersonate a trusted friend or convince you that they have the authority to access other personal or financial data.

* Mindi McDowell, US-CERT
While some soldiers may consider that a good thing, it is an OPSEC issue

GOVERNMENT COMPUTER NEWS, 16 Jun 09 - In an earlier era, “loose lips sink ships” was the military’s warning not to let even small details about military movements and operations slip in casual conversation. In contrast, social media Web sites today thrive on loose lips, making it even tougher to maintain operational security (i.e., OPSEC). The problem is not so much people twittering away secrets as letting slip many smaller pieces of information that an adversary can piece together.

Operational security (i.e., OPSEC) refers to the process of denying information to potential adversaries about capabilities or intentions of individuals or organizations by identifying and protecting generally unclassified information on the planning and execution of sensitive activities. An adversary trying to uncover secrets will start by chipping away at operational security (i.e., OPSEC) indicators that point them toward a target. A foreign agent seeking to steal stealth technology might start by trying to identify individuals who are working on the technology, figuring out whom they associate with, following their movements, looking for clues on new research areas and so on. Much of that information might be available through a professional profile on LinkedIn, for example.

Furthermore, participation in online discussion groups or blogs might help foreign intelligence services single out disgruntled military or intelligence agency employees who could be recruited or blackmailed. Not only are younger employees immersed in the social media culture, but older ones often become participants without understanding their limited control over the information they post online, he added.
HOWEVER, be warned there are many dangers when using these social networks

Angela Moscaritolo, 28 Sep 08 - A trojan-laden phish disguised as a message from the popular social networking website Facebook is making the rounds. Web security company Websense said that the email appeared to be sent by the domain facebookmail.com with a subject line that reads "An old friend added you as a friend of facebook." The email contains an attachment called "picture.zip" that is actually a trojan. The body of the email contained a view of Facebook's login page with a notification that says an old classmate has requested to be your friend and, "To see her picture please check your attachment."

Users might not think twice about clicking the attachment, said Ken Dunham, director of global response for iSight Partners, a global risk mitigation company. "Big brand names like Facebook, MySpace, YouTube - those are trusted names that people are less likely to be concerned about," he told SCMagazineUS.com on Tuesday. The email body contains Facebook's login screen and will take users there, lending to the legitimacy of the message. This technique is commonly used by phishers as a way to gain trust so victims do not think they are being duped, Dunham said.
“Facebook is the new playground for phishers.”

Bob Sullivan, 02 Jun 09 – Why? The social networking site has made things relatively easy for computer criminals. So far, the consequences have been relatively mild -- mostly, some annoying emails. But if Facebook and other social networking sites don't get a handle on security issues soon, a serious outbreak could occur.

Behind every successful criminal computer hack is a simple two-step process: gain trust, then exploit that trust with an attack. Computer criminals will tell you that gaining trust is the hard part. Consider a real-world parallel: Breaking into a bank is difficult. But if you befriend a guard, he’ll eventually let you walk right in through the front door.

Facebook attacks are so easy, says Mary Landesman, senior researcher at ScanSafe. "Facebook users assume a level of trust they just should not assume when using the site." Phishing attacks have been popping up nearly every week on Facebook and other social sites like Twitter. Victims receive e-mails from friends with innocent-sounding messages, such as "click on this video." Those who are duped then surrender their login information on a rogue Web site, and then a criminal is off to the races with their identity.

People who would never fall for an old-fashioned phishing note are getting tripped up by Facebook phish for one simple reason: They trust the sender. "People are pretty unguarded in the social networking environment," said Kevin Haley, director of Symantec Corp.'s security response team. "You figure you're surrounded by friends, so why have your guard up?"
A simple Facebook flaw puts all members at risk of identity.

SOPHOS, 23 Jun 09 - IT security and control firm Sophos is again reminding internet users that their personal information may be being placed at risk - and is perhaps best kept off the internet - following news that popular social networking website Facebook contained a flaw that could have allowed hackers to access sensitive profile information about any of the site's 200 million plus users. Just last month, a security loophole was found that could have allowed identity thieves and spammers to gather users' personal email addresses.

Sophos notes that this data, which includes date of birth, home town, gender, family members, relationship status and political and religious views, could then have been used to commit ID fraud. Maybe people need to learn that if they really want to be secure on social networks they shouldn't rely on the website keeping their data safe and sound - maybe it's better not to upload any personal information in the first place.
Enough about Facebook, what about Twitter?

Federal Times, 23 Jun 08 – An Army intelligence report warns that Twitter might also be used by terrorists and insurgents for surveillance, command and control and targeting of U.S. forces. The social networking service is among a number of new communications technologies the Army’s 304th MI Bn says are likely to be turned against U.S. troops.

An Open Source Intelligence (OSINT) team discovered Internet forums where terrorists log in to discuss ways the global positioning capabilities of cell phones can be used to pinpoint U.S. troop positions, and how cell phone cameras can be used for surveillance and directing attacks. In an Oct. 16 report on “potential creative uses” of mobile communications technology by terrorists, the 304th MI Bn’s OSINT team warns that “there are numerous different tactics, tools and software services that can be used by terrorists to conduct activities that go well beyond the original intent of the mobile phone voice communications.”
Using Twitter for Open Source Intel, cont.

But it was the news that terrorists might be using Twitter that spread as fast as, well, a Tweet — one of the 140-or-less-character text messages that urgently flitter across Twitter. Developed in 2006, Twitter, according to its Web page, “is a service for friends, family and co-workers to communicate and stay connected.” All you need is an Internet connection or a mobile phone. “With Twitter, you can stay hyper-connected to your friends and always know what they’re doing,” the Web page says.

That could be a useful capability for terrorists, too, the 304th MI Bn’s OSINT team concluded. The team gathers intelligence by combing through open sources — newspapers, foreign government reports and, in this case, al-Qaida-like Web sites — then distilling what it finds into useful reports, summaries and periodic newsletters posted on a secure Web site.
Revelations from a survey of all social networks

Help Net Security, 25 Jun 09 - Surveying over 1,100 members of Facebook, LinkedIn, MySpace, Twitter and other popular social networks, Webroot uncovered numerous behaviors that put social networkers' identities and wallets at risk. Among the highlights:
• Two-thirds of respondents don't restrict any details of their personal profile from being visible through a public search engine like Google;
• Over half aren't sure who can see their profile;
• About one third include at least three pieces of personally identifiable information;
• Over one third use the same password across multiple sites; and
• One quarter accept "friend requests" from strangers

Social Networks Present New Opportunities for Cybercriminals.

Cybercriminals employ various types of trickery and malware to capitalize on risky behaviors. One common tactic is phishing, which hackers use to entice victims into downloading an infected file, visiting a disreputable site outside the social network, or wiring money to a "friend in distress." In recent months, Webroot has seen an increase in these types of attacks on social networks, including "Trojan-MyBlot," which targeted users of MyYearbook.com, and others targeting Facebook users including "Koobface" and several spread through the domains "mygener.im," "ponbon.im" and "hunro.im."
Social Networks survey, cont.

Sophisticated means have been used to execute attacks on social networks: Webroot survey respondents who reported experiencing identity theft, a hijacked account and unauthorized username or password changes may have been victimized by hackers who were able to access their profiles and guess their passwords based on the personal information they included.

Privacy concerns outweigh protective actions:
• 78% expressed some concern over the privacy of the information they share in their profiles
• 36% use the same password across multiple sites
• 30% do not have adequate protection against viruses and spyware

Younger users take more risks – 18-29 year olds are more likely to:
• Use the same password across multiple sites (51% vs 36% overall)
• Accept a friendly request from a stranger (40% vs 28% overall)
• Share more personal information that may compromise online privacy (67% share birth date, vs 52% overall; 62% share home town vs 50% overall; 45% share employer, vs 35% overall)
• Experience a security attack (nearly 40%, vs 30% overall)
HOW MUCH OF YOUR PERSONAL INFORMATION ARE YOU OR YOUR FAMILY WILLING TO COMPROMISE?
The latest educational information and ways to protect yourself from the latest scams can be found at http://www.ftc.gov/bcp/consumer.shtm

If you become a victim of a phishing incident, forward the phishing e-mail to www.IFCCFBI.gov, or REPORTPHISHING@ANTIPHISHING.ORG

If you are an Army employee, you can also protect your home computer by downloading free antivirus and firewall software from the Army Computer Emergency Response Team at https://www.acert.1stiocmd.army.mil/Antivirus/Home_Use.htm