Just perused an article on DarkReading about a social networking experiment centered around the fake profile “Robin Sage.” I know the article is maybe a bit sensationalist and simplistic, but I fail to see why someone accepting a friend request from a fake profile is a Big Deal.
(Disclaimer: I didn’t know about Robin Sage nor have any interaction with this experiment. I’m feeling left out!)
There *are* some interesting aspects, and I hope the forthcoming BlackHat USA talk will expand on some of these issues and leave the silly “omg I friended a bot” aspect alone. That is a lot like saying someone is dumb because they looked down when you pointed and said their shoe was untied.
1. People put stupid (and valuable) stuff online. Sure, Facebook and other places may seem like they’re private, but really they’re not when you don’t properly vet friend requests. Once you have more than 50, you simply can’t keep them all properly identified and you’ll likely start getting into 2+ degrees of separation; i.e. the friends of your friends, and so on. So putting even your day-to-day boring diary bits out there can be revealing when you’re, say, in the military. Hell, you can even get closer to home and post that you’re out of town for a weekend, which can lead to a break-in by someone close to you. Or you can be stalked by someone obsessed with you. Sure, most of the time nothing will happen, and certainly few people are truly targets of interested parties trying to piece together information from thousands of sources like a nation-state espionage net, but there is still risk in throwing such activities to the digital winds.
2. Passive credibility. I think this is far more interesting! If you want to gain some instant “credibility” in social networks, you don’t start pestering people when you have 0 followers/friends/connections. You start going after the ones who auto-follow you back. Then target the ones who have so many connections that there’s no way they can closely monitor them all. By then, you’ll have plenty of “names” that others will recognize, which can lend some immediate “credibility” with people who only superficially check you out. And you can just slowly work from there. This is really all old hat, but effective.
Take Ligatt’s twitter account, for instance. At least early on, almost all of his followers were celebrities or other accounts that only follow back out of politeness. He might have had 500 followers, but 490 of them never read a thing he wrote. Likewise, look at some of the #LIGATT infiltrators trying to redeem the company’s services through twitter posts. They scream “fake” because of the sub-2 followers/followees.
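The follow-back pattern described in the two paragraphs above is something a defender can look for in the graph rather than by eyeballing profiles. The script below is an added example, not code from the original post, and it runs over a constructed follow graph (every account name in it is made up). It computes, for an account, the follower/following ratio and the fraction of its followers that are themselves bulk followers (accounts following more than a threshold, and therefore unlikely to be watching anyone closely), and raises review flags from those numbers. The thresholds (100 followees for “bulk”, a 0.2 ratio floor, an 0.8 fraction floor) are assumptions chosen for the sample data, not numbers from the post.

```python
from collections import defaultdict


def build_sample_edges():
    """Constructed follow graph as (follower, followee) pairs. Nothing here is real."""
    edges = []
    hubs = ("hub_a", "hub_b", "hub_c")
    for hub in hubs:
        # Each hub has 300 ordinary fans and politely follows 200 accounts back.
        for i in range(300):
            edges.append((f"fan_{hub}_{i}", hub))
        for i in range(200):
            edges.append((hub, f"filler_{hub}_{i}"))
        # A newly created account follows the hubs and gets the courtesy follow-back.
        edges.append(("newcomer", hub))
        edges.append((hub, "newcomer"))
    # The newcomer also follows 40 accounts that never follow back.
    for i in range(40):
        edges.append(("newcomer", f"filler_hub_a_{i}"))
    # An ordinary account: a mutual circle of 25 friends who each follow ~30 people.
    for i in range(25):
        friend = f"friend_{i}"
        edges.append(("ordinary", friend))
        edges.append((friend, "ordinary"))
        for j in range(30):
            edges.append((friend, f"acq_{i}_{j}"))
    return edges


def build_graph(edges):
    """Index the edge list both ways: who follows X, and whom X follows."""
    followers, following = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        following[src].add(dst)
        followers[dst].add(src)
    return followers, following


def account_stats(acct, followers, following, bulk_threshold=100):
    """Per-account numbers behind the 'passive credibility' signal.

    bulk_threshold (assumed value) is how many followees make a follower a
    bulk follower, i.e. one who cannot be monitoring what it follows.
    """
    fl = followers.get(acct, set())
    fg = following.get(acct, set())
    n_fl, n_fg = len(fl), len(fg)
    if n_fg:
        ratio = n_fl / n_fg
    else:
        ratio = float("inf") if n_fl else 0.0
    mutual = sum(1 for a in fl if a in fg)
    bulk = sum(1 for a in fl if len(following.get(a, ())) > bulk_threshold)
    return {
        "followers": n_fl,
        "following": n_fg,
        "ratio": ratio,
        "mutual_fraction": mutual / n_fl if n_fl else 0.0,
        "bulk_follower_fraction": bulk / n_fl if n_fl else 0.0,
    }


def review_flags(stats, ratio_floor=0.2, bulk_floor=0.8):
    """Turn the stats into review flags; both floors are assumed, tunable values."""
    flags = []
    if stats["followers"] > 0 and stats["bulk_follower_fraction"] >= bulk_floor:
        # Nearly every follower is an account that follows too many to be reading this one.
        flags.append("followers_are_mostly_bulk_followers")
    if stats["following"] > 0 and stats["ratio"] < ratio_floor:
        # Following far more than it is followed by: the 'sub-2' shape noted in the post.
        flags.append("few_followers_relative_to_following")
    return flags


def run_demo(accounts=("newcomer", "ordinary", "hub_a")):
    """Score a few accounts of the constructed graph; returns {account: (stats, flags)}."""
    followers, following = build_graph(build_sample_edges())
    out = {}
    for acct in accounts:
        stats = account_stats(acct, followers, following)
        out[acct] = (stats, review_flags(stats))
    return out


if __name__ == "__main__":
    for acct, (stats, flags) in run_demo().items():
        print(f"{acct:10s} followers={stats['followers']:4d} following={stats['following']:4d} "
              f"bulk={stats['bulk_follower_fraction']:.2f} flags={flags}")
```

On the sample graph the newcomer is flagged on both counts (three followers, all of them hubs following 200+ accounts, against 43 followees), while the ordinary account and the hub itself are not; the hub has a low mutual fraction but its followers are real fans, which is exactly the distinction the post draws between having 500 followers and having 490 who never read a thing.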
How does a spy not look like a spy? By having a presence in the community and with friends/neighbors such that they appear to be an average citizen. Not some loner or curmudgeon who looks over his shoulder constantly, only does yard work at night, or only gets visitors who look like Russian army castoffs.
Not so much these days, but certainly in the earlier decades of the Internet we all had the ability to take on a fake persona and build up a “brand” around it. Back then it was called having an online nick/handle/screenname. Today, we have so many average people using their real names online who seem so very surprised, even shocked, that such subterfuge happens! To those of us who have done these things in the past, this is certainly not new or surprising or even that hard.
3. Assets. Sure, most people don’t have anything to worry about. But plenty of people should be aware of how potentially valuable they may be to foreign agents (“foreign” meaning different from or opposed to you, whether nationally or corporately). There have been decades of work done on turning assets in the meatspace of espionage, and much of that work is far easier in the online realm.