Risk
3/12/2012
12:20 PM
Connect Directly
RSS
E-Mail
50%
50%

Facebook Social Engineering Attack Strikes NATO

Top military commander in NATO targeted by attackers wielding fake Facebook pages. Some security watchers ask if Chinese culprits were involved.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)
The top military commander in NATO has been targeted by attackers wielding fake Facebook pages.

Attackers have been creating Facebook pages under the name of Admiral James Stavridis, NATO's Supreme Allied Commander Europe (SACEUR), in an attempt to lure his colleagues, friends, and family into connecting with the account and divulging private information, reported The Observer newspaper in Britain on Sunday.

"There have been several fake SACEUR pages. Facebook has cooperated in taking them down… the most important thing is for Facebook to get rid of them," a NATO official told the Observer, noting that similar attacks first began about two years ago.

The fake pages are cause for concern for NATO officials, who have been turning to social media to disseminate more news relating to the alliance. In October, Stavridis used his Facebook page to announce the end of military operations in Libya. "First and foremost, we want to make sure that the public is not being misinformed. SACEUR and NATO have made significant policy announcements on either the Twitter or Facebook feed, which reflects NATO keeping pace with social media. It is important the public has trust in our social media," said the NATO official.

[ Hacktivist group leader turns informant after arrest. Read more at Hacker Sabu Worked Nonstop As Government Informer. ]

Meanwhile, Facebook Monday released a statement emphasizing that it had rapidly expunged the latest fake page targeting Stavridis. "We removed the profile for violating our terms within a business day of receiving a report," said a spokesman.

These types of social engineering attacks, which trick people into divulging useful or sensitive information, have been on the rise, not least because they're inexpensive yet often quite effective. In fact, according to a security summit hosted last year by security firm RSA, the leading advanced persistent threat (APT) attack vector is the social engineering attack.

Unfortunately, defending against these types of attacks can be quite difficult, given that it's often up to individual employees--not just automated technology defenses--to recognize the exploit for what it is. That's why many security experts recommend ongoing user training, including penetration-testing scenarios that include attempting to fool employees into divulging sensitive information.

According to a "security source" quoted by the Observer, NATO appears to be wise to these types of threats, saying that "the most senior people in NATO were warned about this kind of activity."

Who was behind the Facebook attack? That's likely impossible to say for sure, but numerous government and military officials have been increasingly blaming China for these types of attacks. Furthermore, a new report into China's online espionage capabilities prepared for the U.S.-China Economic and Security Review Commission by military contractor Northrop Grumman and released last week found that China's capabilities continue to improve, and that has not just military but also business-related repercussions. "Computer network operations have assumed a strategic significance for the Chinese leadership that moves beyond solely military applications and is being broadly applied to assist with long term strategies for China's national development," according to the report.

"The United States suffers from continual cyber operations sanctioned or tolerated by the Chinese government," commission chairman Dennis Shea said at a news conference last week, in which he detailed the report's findings.

The perceived threat from China aside, the bigger-picture perspective on these attacks--as with exploits conducted by hacktivist groups such as Anonymous--is that businesses and government agencies often aren't being hacked using state-of-the art techniques, but rather simply because they failed to patch known database vulnerabilities, or because an employee opened a suspicious attachment.

Furthermore, many organizations apparently lack the resources to detect that they were hacked, and in some cases--such as at Nortel--attackers may enjoy years of undetected network access.

"Media and industry reports portray some of the incidents attributed to China as advanced, but the reality is that many successful penetrations are 'advanced' only because the targeted organization was unable to stop them or detect the presence of the operators on their networks," said the Northrop Grumman report. "Many victim organizations, however, lack the resources to maintain a large or highly skilled information security organization to adequately defend against these adversaries."

InformationWeek is conducting a survey on information security and risk management. Upon completion of our survey, you will be eligible to enter a drawing to receive an 64-GB Apple iPad 2. Take our Alternative Strategic Security Survey now. Survey ends March 16.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
3/15/2012 | 1:55:01 AM
re: Facebook Social Engineering Attack Strikes NATO
@readers G does you organization have a social networking policy, and if so, how does security factor in?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio