Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/22/2011
02:56 PM
50%
50%

Air Force Seeks Fake Online Social Media Identities

The military has issued a request for bids on software to let it spread messages and make online friends using non-existent identities on social media sites.

The United States Air Force is taking an unusual approach to cyber-security with a request for bids for "Persona Management Software," which would let someone command an online unit of non-existent identities on social media sites. The move became a major topic last week following the release of emails from private security firm HBGary, which were disclosed after an attack by Wikileaks competitor and collaborator Cryptome.org.

According to Solicitation Number: RTB220610 , the armed services division sought a software program that could manage 10 personas per user, including background; history; supporting details, and cyber presences that are " technically, culturally and geographacilly [sic] consistent. Individual applications will enable an operator to exercise a number of different online persons from the same workstation and without fear of being discovered by sophisticated adversaries. Personas must be able to appear to originate in nearly any part of the world and can interact through conventional online services and social media platforms. The service includes a user friendly application environment to maximize the user's situational awareness by displaying real-time local information."

The request, made in June 2010, was for 50 licenses, for a total of 500 fake Internet identities, which the Air Force planned to deploy in Iraq and Afghanistan. The software would protect government agencies' identities by using several false signals to convince other users that the poster was a real person, according to the contract. For example, each persona could receive its own IP address, making it appear to post from a different location around the world.

At least one individual was surprised that the proposal was published openly.

"This is posted on open source. Are you ****ing serious?" wrote Greg Hoglund, owner of HBGary, in an email leaked by a group of hackers that broke into the security firm's network earlier this month. "Just curious, this particular one is pretty sensitive and I'm wondering why it was in the public domain," he added, in a separate email.

Details about the contract were disclosed when hacker Cryptome.org broke into the email account of HBGary, which develops computer forensics and malware analysis tools. Its sister company, HBGary Federal, provides security services -- such as installing intrusion detection systems, secure networking, penetration testing, and vulnerability assessment -- to public and private sector organizations.

The fake-personal social media contract would allow the government to "friend" real people on Facebook as a way to show support for pro-government messages, according to information revealed during the hack.

The software could cross-reference all available social media such as Facebook, Twitter, MySpace, and other services to collect data on real individuals, and then use this to gain access to users' social circles, according to the emails.

"Using the assigned social media accounts we can automate the posting of content that is relevant to the persona. In this case there are specific social media strategy Web site RSS feeds we can subscribe to and then repost content on twitter with the appropriate hashtags. In fact using hashtags and gaming some location-based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise, as one example. There are a variety of social media tricks we can use to add a level of realness to all fictitious personas," said Aaron Barr, HBGary CEO, in the hacked emails.

By using information -- such as their high schools, colleges, and home towns -- that users freely share on social networking sites, the Air Force could gain access to individual's social circles, creating a Classmates.com account at the same school and within the same graduating class, and then creating a Facebook account in the name of a real person who does not have a Facebook account, the email exchanges said. By friending someone with 300 to 500 friends, a fake persona easily can develop mutual friends before sending a friend request to the targeted individual, the emails said.

"When choosing to participate in social media, an individual is only as protected as his/her weakest friend," according to the documents.

In 2009, the Pentagon spent at least $4.7 billion and employed 27,000 people solely for recruitment, advertising, and public relations, according to a 2009 report by the Associated Press.

The Armed Forces increasingly has integrated social media considerations into operations. In November, the Air Force warned members about the dangers of location services such as Facebook Places and Foursquare. A year ago, the Department of Defense released a policy memorandum regarding the safe and effective use of Internet-based capabilities, including social media.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...