The Other Side of the Coin: Understanding Social Media Attacks and How to Respond to Them


Transcript of The Other Side of the Coin: Understanding Social Media Attacks and How to Respond to Them

Page 1: The Other Side of the Coin: Understanding Social Media Attacks and How to Respond to Them

The Other Side of the Coin: Understanding Social Media Attacks and How to Respond to Them

Speaker: Peter Berghammer

13:45-14:15

The SMILE Conference Venue, First Floor

1777 F Street, NW, Washington, DC 20006

Page 2

About Today’s Speaker

• Background in the MilDef and IT industries

• Founded and spun off aerospace & military IT and consumer electronics data companies

• Has written for a number of magazines

– Hidden data transfer issues in consumer electronics
– Economics column
– Legal implications of data transfer initiatives

• Active speaker internationally on

– Open Source Warfare
– Protocol Triangulation schema
– Data transfer and data recoverability
– Malicious Social Engineering

• In 1996 made a Non-residential Fellow at Stanford Law: Center for Internet & Society researching Darknets, “hidden” encrypted data transfer etc.

• And a tip of the hat to Public Communications Worldwide (who kindly underwrote my participation here today)

Page 3

Some of my research

• Some of the areas in which I’ve been particularly interested:

– Cold boot attacks
– Trusted Computing Platform flaws
– Remote firmware “updates” to compromise routers, other hardware etc.
– Pulling data out of on-air pager communications
– SCADA intrusions
– GPS hacks

• Some of the areas in which I’m very involved:

– Off the shelf hardware manipulation: toys, implantable medical devices, household robotics
– War rocketing & war “plane-ing”
– Transatlantic Constitutional Law (constitutional aspects of privacy, US & EU)

– What they all have in common: data extraction & manipulation, application vs. no application, centralized vs. distributed, open standards vs. closed

Page 4

The issue with Social Media

“Opinion is the internet’s new pornography” - NYT

• Everyone has an opinion and wants to share it

• Distrust of advertising and managed communications: they don’t believe this stuff anymore

• 45% of internet users have created content online

• 67% of users want opinions from other users (McKinsey)

Page 5

Is Social Media compatible with Local Government?

• Here is a great example of a debate last week about Social Media

• Everyone agreed that blogging about wildflowers was great! (Parks & Rec)

• Nobody had any idea how to handle monitoring, or responding

• “A way for commenters to harass our employees”

• Data retention policies to match the law (1 year in this case)?

Page 6

Narrative Timeframes

• I think the issue that surprises the military personnel that I speak to is the issue of Narrative, and the corresponding issues of narrative timeframes

• Bear in mind that things like Twitter are very perishable in terms of lasting impact

• Blog commentary, newspaper reader response pages and the like are more lasting

• Facebook and LinkedIn fall somewhere in between

• The military is always surprised when we discuss the issue of “myth” as part of the narrative

• In fact, most hacktivist-style negative commentary revolves around this issue

• Evidence, the Teabaggers, 9-11 Truthers, assorted conspiracy websites etc.

• Reference point: whatdoesitmean.com

Page 7

Can you Brand your Department?

• The previous slide actually hints at the concerns inherent in deciding to “Brand” your department

• It also brings up a disturbing contradiction:

• At its core, branding implies CHOICE

• If we were to “brand” a department, are there any implications? Do your constituents actually have a choice? In reality, no; in marketing terms, perhaps.

• Social Media activists look long and hard at this issue - and don’t be surprised that this fundamental contradiction offers them ammunition

• There is no real answer here - but I’m sure there is plenty of controversy…

Page 8

How the Air Force looks at it (Federal Level)

• Discover

• Evaluate

• Respond

• Response Considerations

• What is interesting here is the insistence on “full disclosure”

• This is not something that we’re going to see on the hacktivist side…

• In fact, quite the opposite

Page 9

What we’re talking about when we say Social Media

• In the most widely understood sense of the term we mean the big 3: Twitter, Facebook and LinkedIn

• In the parlance of the US government we are actually talking about any “collaborative” platform, including blogs, wikis, instant messaging and the like

• In the “hacking sense” we’re talking about any “collaborative platform” in which information can be shared

Page 10

Suspect “Collaborative Platforms” in use today

• Generic email accounts that can be used as dead drops

• Pictures, videos etc. that can have additional data encoded into them (steganography) – this includes printers, optical media etc.

• Ring tones, SMS messages, encrypted file sharing, spam mimicking, one-time read messaging… (limited only by the imagination)

• Also things such as message boards, feedback boards, customer review boards et al.

• We also mean web-enabled support groups, PACS, hobby groups, P2P, Virtual Worlds and more

• Newspaper reader feedback sites, Collaborative Wikis

• Anonymous domain name registrations and consequently “poisoned” websites

• Bluetooth messaging

• Anonymous email registrations and usage

• “Wish lists”: Amazon, Adam & Eve, Target etc. etc.

Note: spam emails oddly don’t apply for today’s purposes

• Assertion: from a Law Enforcement perspective all things are already considered Social… let me explain…

Page 11

Longer Lasting Damage: Search Engine Results

• The goal in any effort to manipulate is to own search engine results

• For whatever reason, results from Google, Bing and Yahoo… seem to lend credence and believability to users unable or unwilling to find out the “truth”

• Fake histories created over a number of months convey the illusion that the “fact” is not in dispute

• Search results are the new “shelf space” of organizations on the net, instead of in stores

• If organizations checked their search results regularly they would be shocked…

• Those results are populated by negative comments, negative reviews, competitor results and competitor inroads…

Page 12

How hard is it really to hijack an identity, or even to create completely new ones on the web?

• Let’s be clear: stealing an identity on the web is in many cases illegal, and useless for our purposes

• However, creating “duplicate” identities on the web is pretty easy – sometimes illegal and sometimes not

• Generally duplicating screen names on the web is not illegal if not done to foster a crime

• And creating new (fake) identities on the web is almost never illegal – and in the few cases where it could be prosecuted rarely is…and it’s really simple to do.

• HINT: go out after this conference and “own” every legitimate screen name on every network that you can for yourself and your organization!

Page 13

What we’re Trying to Accomplish

• We’re trying to create simulated groups of fictitious people who are untraceable, with addresses that appear permanent but are disposable, on websites that appear legitimate but will disappear

• In order to create the illusion of stability, integrity, durability, believability etc…

• (All of this by the way is untrue)

Page 14

What we are really doing…

• Is creating the illusion of “mass buy-in” and support for a particular position

• Is creating the illusion of broad coalitions

• Is spreading doubt, fear, disbelief under the guise of respected community leaders

Page 15

How many people does it take…

• To poison a political career or derail a topic? 3 – 10 people working 4 hour days for at least 60 days (in municipalities and counties). Note: in order to own search engine results it does take many more months, but the other numbers remain the same

• The numbers grow exponentially depending on the scale of the campaign (local vs. national), but oddly, once critical mass develops the workload decreases, because other committed, real people not affiliated with the original group take over.

• Bizarre, huh?

Page 16

The Importance of Communications

Page 17

You are what you broadcast…

• Let’s look at the concept of triangulation (whether you like it or not, data leakage is part of social media)

• Identifying users not only by what they post but also by what they broadcast…

• What’s interesting here is that LE is “built” on the concept of identity - and yet in the social media sphere this for some reason falls by the wayside

• What we’re looking at is voluntary/involuntary real world data vs. predictive analytics

[Slide diagram: broadcast channels that can be triangulated – Sense Networks & loopt, TV / Radio, Bluetooth, 802.11a/b/g/n, 802.15/.16, GSM, GPRS, GPS, CDMA, AMPS, RFID, IR, UWB, WiMAX, UMTS, 802.20, Near Field Broadcast, NFC, OTAP, ad infinitum]

Basically what we’re looking at is the move from:

Everything in a radio (device)

To: A radio in everything

To: Networked everything* (centralized surveillance)

*Special thanks to: John Waclawsky, Ph.D., Software Architect, Motorola Software Group, Motorola, Inc.

Page 18

Back to the 1980s

• US 2009: Google launches PowerMeter

• Flashback: Germany, 1981:

– Cruise & Pershing II missile “crisis” and its impact on NATO

• Visit from the German Police

• Conclusion: everything is “Social”

Page 19

Some Examples

• Let’s take a look at some examples:

SLA: Symbionese Liberation Army - Social Media circa 1973

Eva Silverstein: Micromanaging de Sitter Holography - Social Media circa 2010

Page 20

Some of the more useful anonymity tools

Page 21

“Better be careful - I think we’ve been infiltrated”

Dear Friend, We know you are interested in receiving red-hot news. If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail. This mail is being sent in compliance with Senate bill 2116; Title 8, Section 302. Do NOT confuse us with Internet scam artists! Why work for somebody else when you can become rich in 10 weeks. Have you ever noticed how many people you know are on the Internet & nearly every commercial on television has a .com on in it! Well, now is your chance to capitalize on this! We will help you use credit cards on your website & increase customer response by 110%. You can begin at absolutely no cost to you! But don't believe us. Mrs Simpson of Nebraska tried us and says "My only problem now is where to park all my cars"! We are a BBB member in good standing. Do not go to sleep without ordering! Sign up a friend and you'll get a discount of 30%. Warmest regards! Dear Decision maker; This letter was specially selected to be sent to you. If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail. This mail is being sent in compliance with Senate bill 1624, Title 7; Section 305! THIS IS NOT MULTI-LEVEL MARKETING! Why work for somebody else when you can become rich within 51 MONTHS. Have you ever noticed how long the line-ups are at bank machines & how long the line-ups are at bank machines. Well, now is your chance to capitalize on this. We will help you process your orders within seconds and deliver goods right to the customer's doorstep. You can begin at absolutely no cost to you. But don't believe us! Ms Simpson who

This is how a spam translation looks… (the slide text above is the spam-mimicking output, cut off where the slide ends)

Page 22

Browser Obfuscation

A simple tool to re-identify a browser’s reporting function

Page 23

IP Obfuscation

Tor

Hotspot Shield

Page 24

Twitter Automation

• Automate user info

• Scrape dating sites for user pictures

• Gmail account creation and validation

The only issue is that Twitter has very little impact locally in a political context – it appears to be on the “larger” issues that it works best. Why?

Page 25

Is it a crime to Tweet LE activity?

Page 26

Philadelphia Flash Mobs

Another flash mob rocks South Street

In the 'tsunami,' chants of 'Burn the city!'

By KITTY CAPARELLA & STEPHANIE FARR, Philadelphia Daily News

Business owners yesterday called on Mayor Nutter to stop "flash mobs" on South Street after patrons couldn't shop, dine or get home on Saturday night because of the hordes of teens roaming the neighborhood.

Inspired by Twitter messages to "come to South Street," police say hundreds - business owners say thousands - of young teens stampeded down South Street in waves, jumping on top of cars, knocking over pedestrians and fighting and cursing…

Page 27

An example of what not to do

Page 28

Thank you