The war between security firm HBGary and Anonymous reveals a new tactic: using fake social network profiles to gather information.
Is that new friend really your friend, or just someone pretending to be your friend so he can spy on you? No, I'm not just being more paranoid than usual. This really does happen - especially if you're a member of an anonymous collective determined to do battle with the forces of corporate evil (not to mention Tom Cruise, Soulja Boy, and your mom).
The ongoing battle between Anonymous and the security wonks who are trying to take it down has revealed a new weapon: Creating fake profiles on social networks to trace out the connections between you and your comrades.
[ See also: Facebook ads use your face for free ]
In what proved to be a colossally dimwitted move, HBGary Federal executive Aaron Barr bragged to the Financial Times about his success in infiltrating Anonymous:
Mr Barr said he had collected information on the core leaders, including many of their real names, and that they could be arrested if law enforcement had the same data... But he does not plan to give specifics to police, who would face hurdles in using some of the methods he employed, including creating false Facebook profiles.
In other words, to "catch" Anonymous, Barr had to resort to methods the police could not - violating Facebook's terms of service in the process.
OK. Maybe sometimes you need to bend the rules to get the bad guys (assuming you consider Anonymous the bad guys - in this scenario it's increasingly unclear.) But bragging about it?
Barr might just as well have smeared peanut butter all over his body and jumped into the elephant cage at the San Diego Zoo.
Anonymous was not amused. And the collective decided to exact revenge in the usual manner - by pawning every digital device in Barr's realm, including his Twitter account, his iPhone, HBGary's Web site and its corporate servers. They defaced the site with a taunting letter and posted more than 40,000 HBGary emails on Pirate Bay. Among other things, those emails revealed the details of a plot cooked up by HBGary on behalf of Bank of America to take down WikiLeaks by subverting reporters sympathetic to it.
But the emails also reveal the details of how Barr "infiltrated" the group. An excellent report in Ars Technica goes into further detail on Barr's methods:
Barr had been interested in social media for quite some time, believing that the links it showed between people had enormous value when it came to mapping networks of hackers-and when hackers wanted to target their victims. He presented a talk to a closed Department of Justice conference earlier this year on "specific techniques that can be used to target, collect, and exploit targets with laser focus and with 100 percent success" through social media.
His curiosity about teasing out the webs of connections between people grew. By scraping sites like Facebook or LinkedIn, Barr believed he could draw strong conclusions, such as determining which town someone lived in even if they didn't provide that information. How? By looking at their friends.
"The next step would be ok we have 24 people in that list Auburn, NY as their hometown," he wrote to the programmer implementing his directives. "There are 60 other people that list over 5 of those 24 as friends. That immediately tells me that at a minimum those 60 can be tagged as having a hometown as Auburn, NY. The more the data matures the more things we can do with it."
The same went for hackers, whose family and friends might provide information that even the most carefully guarded Anonymous member could not conceal. "Hackers may not list the data, but hackers are people too so they associate with friends and family," Barr said. "Those friends and family can provide key indicators on the hacker without them releasing it..."
As the emails reveal, Barr wasn't actually interested in "doing good" by taking down Anonymous. He picked that group as a test case to prove that parsing publicly available information from social networks was enough to expose their identities. Barr was solely interested in getting publicity for HBGary and driving business to it in the process.
Well, he succeeded on the publicity part. Drumming up business, not so much.
Using social networks to gather intelligence about people can quickly lead you down the rabbit hole - and you often end up chasing the wrong rabbit. Barr's colleagues doubted his conclusions internally, and even Anonymous said he was way off base, including people as "key members" who were tangentially related to the group at best.
Barr has done us a public service though, by reminding us (yet again) that when we use social networks, we often end up revealing far more than we may think - and that information can be used against us.
SUBSCRIBE TO BLOG BY: EMAIL
:
Is that new friend really your friend, or just someone pretending to be your friend so he can spy on you? No, I'm not just being more paranoid than usual. This really does happen - especially if you're a member of an anonymous collective determined to do battle with the forces of corporate evil (not to mention Tom Cruise, Soulja Boy, and your mom).
The ongoing battle between Anonymous and the security wonks who are trying to take it down has revealed a new weapon: Creating fake profiles on social networks to trace out the connections between you and your comrades.
[ See also: Facebook ads use your face for free ]
In what proved to be a colossally dimwitted move, HBGary Federal executive Aaron Barr bragged to the Financial Times about his success in infiltrating Anonymous:
Mr Barr said he had collected information on the core leaders, including many of their real names, and that they could be arrested if law enforcement had the same data... But he does not plan to give specifics to police, who would face hurdles in using some of the methods he employed, including creating false Facebook profiles.
In other words, to "catch" Anonymous, Barr had to resort to methods the police could not - violating Facebook's terms of service in the process.
OK. Maybe sometimes you need to bend the rules to get the bad guys (assuming you consider Anonymous the bad guys - in this scenario it's increasingly unclear.) But bragging about it?
Barr might just as well have smeared peanut butter all over his body and jumped into the elephant cage at the San Diego Zoo.
Anonymous was not amused. And the collective decided to exact revenge in the usual manner - by pawning every digital device in Barr's realm, including his Twitter account, his iPhone, HBGary's Web site and its corporate servers. They defaced the site with a taunting letter and posted more than 40,000 HBGary emails on Pirate Bay. Among other things, those emails revealed the details of a plot cooked up by HBGary on behalf of Bank of America to take down WikiLeaks by subverting reporters sympathetic to it.
But the emails also reveal the details of how Barr "infiltrated" the group. An excellent report in Ars Technica goes into further detail on Barr's methods:
Barr had been interested in social media for quite some time, believing that the links it showed between people had enormous value when it came to mapping networks of hackers-and when hackers wanted to target their victims. He presented a talk to a closed Department of Justice conference earlier this year on "specific techniques that can be used to target, collect, and exploit targets with laser focus and with 100 percent success" through social media.
His curiosity about teasing out the webs of connections between people grew. By scraping sites like Facebook or LinkedIn, Barr believed he could draw strong conclusions, such as determining which town someone lived in even if they didn't provide that information. How? By looking at their friends.
"The next step would be ok we have 24 people in that list Auburn, NY as their hometown," he wrote to the programmer implementing his directives. "There are 60 other people that list over 5 of those 24 as friends. That immediately tells me that at a minimum those 60 can be tagged as having a hometown as Auburn, NY. The more the data matures the more things we can do with it."
The same went for hackers, whose family and friends might provide information that even the most carefully guarded Anonymous member could not conceal. "Hackers may not list the data, but hackers are people too so they associate with friends and family," Barr said. "Those friends and family can provide key indicators on the hacker without them releasing it..."
As the emails reveal, Barr wasn't actually interested in "doing good" by taking down Anonymous. He picked that group as a test case to prove that parsing publicly available information from social networks was enough to expose their identities. Barr was solely interested in getting publicity for HBGary and driving business to it in the process.
Well, he succeeded on the publicity part. Drumming up business, not so much.
Using social networks to gather intelligence about people can quickly lead you down the rabbit hole - and you often end up chasing the wrong rabbit. Barr's colleagues doubted his conclusions internally, and even Anonymous said he was way off base, including people as "key members" who were tangentially related to the group at best.
Barr has done us a public service though, by reminding us (yet again) that when we use social networks, we often end up revealing far more than we may think - and that information can be used against us.
SUBSCRIBE TO BLOG BY: EMAIL
:
