Loki's Net

The National Security Risks of Gov 2.0 and the Social Web

by Jeff Carr | comments: 16

Every culture has its Trickster myths because Trickster lives on the edge of what the rest of us perceive as "real." He crosses boundaries so often and with such ease, not to mention panache, that our own boundaries expand because of him. Trickster is “the doorway leading out, the spirit of the road at dusk” (Lewis Hyde) that doesn't belong to any town but is in-between all towns; the province of thieves and spies.

Here's an updated version of an old Trickster tale that I think is particularly relevant to the topic of this post--the national security risks associated with a more open Government in general and social software in particular.

Loki, the Norse God of mischief and mayhem, had taken to the mountains for refuge after angering the other Gods with his latest antics. The first thing he did was build a house with four doors; one on every side so that he could see in all directions. With his Intrusion Detection System in place, Loki spent the rest of his time playing in the water as a salmon, leaping waterfalls and negotiating mountain streams.

One morning, Loki sat by a fire and considered how the gods might capture him. Since he spent much of his time as a fish, Loki grabbed some linen string and fashioned a fishing net of a size and weight sufficient to snare him. Unfortunately, just as he finished, the other Gods rushed in. Loki threw the net into the fire, transformed into a salmon, and swam away. Acting quickly, the Gods extracted the ashes of the net from the fire and, from the remnants, rebuilt Loki’s net, eventually ensnaring him in it.

Like Loki, we construct through our Twitter posts, Facebook Wall entries and LinkedIn profiles our own unique “net” that sets us up for a social engineering exploit, a financial crime, or an act of espionage.

The Trickster archetype aptly frames this discussion about the risks and benefits of bringing Government into a Web 2.0 world because the classic Trickster is neither good nor bad, but encompasses elements of both. Too often, the debate surrounding Gov 2.0 becomes polarizing. Critics are frequently grouped together as Gov 1.0 thinkers struggling against a 2.0 world, while advocates sometimes embrace Gov 2.0 as a holy quest, refusing to acknowledge any significant risks whatsoever.

I cannot emphasize enough that the surest way to slow our progress toward a more technologically open Government is to try to craft this debate in dualistic terms. Indigenous Trickster tales teach us that a more valuable approach is to substitute utility for morality. Loki and Coyote (a famous Trickster in Native American lore) both understand how to trap a fish because they have swum as fish. Hyde writes in his book Trickster Makes This World that “nothing counters cunning like more cunning. Coyote's wits are sharp precisely because he has met other wits.”

There are serious and significant risks associated with Government 2.0 and the use of Social Software from a national security perspective that need to be talked about and addressed. It is a topic that is both complex and far-ranging and deserves much more coverage than I can provide in this post, although I hope to at least start the conversation at a new and edgier level. To give some perspective to the problem, there are 22,000,000 employed by the U.S. government, not counting government contractors. That fact alone makes Gov 2.0 a very significant technological evolution.

There is ample evidence that state and non-state actors are engaged in finding ways to exploit vulnerabilities in the U.S.'s critical infrastructure as well as the Department of Defense's secure (SIPRNET) and non-secure (NIPRNET) networks. Many of these attacks have been well-documented by Inspectors General (IG) and Government Accountability Office (GAO) investigations as well as through Congressional committee testimony by experts. One of the easiest ways for an attacker to gain access to those protected networks is not through the firewall, but through the user. In any secure system, the human element is always the weakest link. As Tim Thomas wrote in his excellent "Cyber-Skepticism" article for IO Sphere, the mind has no firewall but skepticism. The attack vector that best takes advantage of that vulnerability is known as social engineering.

Do you recall how Matthew Broderick's character cracked the password for the DOD computer Joshua in the 1983 movie “War Games?" He studied details about the life of its creator. That's the same strategy that David Kernell used when he allegedly hacked into Governor Palin's Yahoo account, except he had the benefit of a Web 2.0 invention known as Wikipedia.

How did the individuals behind the GhostNet espionage ring manage to entice so many people (1300 computers in 103 countries) to open an infected document which loaded a Chinese trojan named ghostRAT onto their system? They crafted an enticing email and document that was tailor-made for their audience -- supporters and/or employees of the Office of His Holiness the Dalai Lama. It was such an effective social engineering campaign that 30% of the infected computers were in sensitive government offices. And to make matters worse, most anti-virus programs failed to identify the Trojan.

In Cyber Warfare terms, these types of hacks are a part of Computer Network Operations (CNO) known as Computer Network Exploitation (CNE). Today, over 130 countries are developing a cyber warfare capability with CNE as one component.

Social media like Twitter, Facebook, MySpace, LinkedIn, GovLoop, and many others are very attractive venues for CNE by our adversaries because they are easily accessible, target-rich environments that can be exploited with little to no risk under cover of anonymity.

According to a recent study conducted for one of the U.S. Armed Services, 60% of the service members involved in the study have posted enough information on MySpace to make themselves vulnerable to adversary targeting. And these weren’t only young recruits making bad Operations Security (OPSEC) decisions. The 60% group included officers and enlisted troops from Intelligence and Security postings as well as other sensitive positions posting such things as units they have deployed with, new duty stations, personal medical data, job duties, information about training, and pictures of themselves at deployed locations.

In their paper “Social Software and National Security," Mark Drapeau and Linton Wells discuss the use of Twitter by Colleen Graffy, formerly Deputy Assistant Secretary of State for Public Diplomacy, to “impress her personality and message on foreign media prior to arriving in their countries, and after leaving.” As the authors point out, there are positives and negatives to Graffy’s method of using Twitter. One of the negatives that they do not address is that Graffy’s Twitter usage can become a vector for a non-state hacker to exploit with a @colleen_graffy tweet containing a malicious link disguised as a tiny URL. All of a sudden, Graffy‘s public diplomacy 2.0 effort could result in a State Department computer becoming a zombie.

The Open APIs on Twitter and Facebook provide a virtually unlimited resource for building target profiles on employees of sensitive government agencies like the Departments of Defense, State, Justice, Energy, Transportation, and Homeland Security. The Twitter stream, for example, adds a timeline for tracking when you’re at work, where you’re going after work, and what you are doing right now.

Another risk category is disinformation. Twitter received a lot of coverage during the Mumbai terror attacks of November, 2008 for its role in covering the events in real time. Part of what emerged was the potential for terrorists to use Twitter to propagate disinformation about their whereabouts; i.e., to announce a new attack occurring at a wrong address, thus adding chaos and confusion to an already chaotic situation.

Finally, there is the phenomenon of online trust. If you work in a targeted industry, you will be approached, sooner or later, by someone who isn’t who she claims to be for the purpose of gaining and exploiting your trust to further her own nation’s intelligence mission. One of the quickest ways to establish trust online is by finding things you both hold in common. Both Twitter and Facebook postings excel at that discovery effort.

How do you mitigate the risks while enjoying the benefits of Gov 2.0 and the social web? You do it by thinking like your opponent; or like the Trickster. Read your post twice before you hit send; once as you and once as your adversary who is looking to exploit you. If you work for the DOD or a government contractor, start by re-reading your employer's OPSEC guidelines and edit your profile and your posts accordingly. If your office hasn’t created any OPSEC guidelines for social media yet, please let me know. My company GreyLogic is creating training for precisely that purpose. In the meantime, here are five things that you can do right now to reduce your risk profile:

1. Involve your family members. They should understand that by virtue of your employment with a department, agency, or service, their posts are prime fodder for CNE. You can start by having them read this article.

2. Make OPSEC fun by making a game of it. For example, trade Twitter or Facebook aliases among your coworkers and see how much information you can learn about each other by using publicly available search tools. Then draft two or three email topics that would entice that person to take your bait if you were an adversary running a Spear Phishing operation. I promise that you’ll be amazed at the results. In fact, you should do this same exercise with your family members.

3. Be more skeptical about anyone who contacts you as a result of your posting on a social network. See if you can find their Internet footprint by searching on their name and email address. An alias with no Internet history should immediately raise a red flag.

4. Anyone can start a DOJ, DHS, DOE or other government agency community on Ning, LiveJournal, Facebook, etc. Don’t affiliate yourself with any community that you don’t know for sure is an officially sponsored and sanctioned one. Talk about shooting fish in a barrel.

5. Facebook recently reported that 70% of its traffic comes from overseas. Become more cautious about who you friend and who is privy to reading your posts.

In myth, like in life, the Trickster relies on the instincts and appetites of his prey to spring his trap. For those of us in Government or affiliated with Government, we would do well to remember that as we engage with Gov 2.0 on the social web.

Building Bridges with the U.S. Intelligence Community

by Jeff Carr | comments: 3

Guest blogger Jeffrey Carr is a cyber intelligence expert, Principal of GreyLogic, columnist for Symantec's Security Focus, and author who specializes in the investigation of cyber attacks against governments and infrastructures by State and Non-State hackers. Jeff is the Principal Investigator for Project Grey Goose, an Open Source intelligence investigation into the Russian cyber attacks on Georgia in August, 2008.

About three weeks before the start of the Russia-Georgia war last August, the Office of the Director of National Intelligence issued a directive entitled “Analytic Outreach”. In it, DNI McConnell authorized members of the 16 agencies that comprise the U.S. Intelligence Community (IC) to reach out to people outside the IC, “to explore ideas and alternate perspectives, gain new insights, generate new knowledge, or obtain new information.”

As someone who writes about Intelligence and National Security matters, particularly in the area of Cyber Warfare, this Directive was pretty inspiring to me. I had long held the opinion that Web technologists and researchers had an important role to play in Government. Unfortunately, I had no way of communicating that vision to anyone who mattered so I just decided to act on my own and launched an Open Source Intelligence gathering effort called Project Grey Goose, which brought together an eclectic mix of hackers, spooks, and techies from inside and outside the Intelligence Community.

Imagine how happy I was six months later to hear about a formalized and much easier way to bring outside expertise into the IC thanks to the dedicated efforts of a few intelligence professionals and the Deputy Director of National Intelligence for Analysis. Appropriately enough, this project is named BRIDGE.

According to its creator, Dan Doney, BRIDGE hopes to do for Public-Private collaboration what the iPhone Apps Store has done for the iPhone and its customers--produce a mind-boggling explosion of innovative applications for use by the Intelligence Community. We aren't at the mind-boggling stage yet because BRIDGE is still in its infancy, but there are some pretty cool apps which I'll describe in a moment.

In addition to being a development sandbox, BRIDGE also allows intelligence analysts to interact with outside experts whether they be in industry, academia, or other government agencies at the Federal, State, Local or Tribal level. Alternative analysis has long been a recommended approach to avoid myopic thinking by specialists. BRIDGE provides a platform for debating alternative viewpoints and comparing evidence across agencies, specialties, and borders of all kinds.

(continue reading)

Recent Posts