Inside Cyber Warfare - Jeffrey Carr [64]
Adversary scenarios
The following are potential adversary scenarios:
Kidnapping scenario in Iraq
Lt. Smith keeps a daily journal, with pictures, on her MySpace account of what she does in Iraq. As a result, an adversary is able to locate and kidnap her.
PRC technology transfer
Dr. Joe Smith (GS-14) is a scientist employed by the USAF at the AFRL at Wright-Patterson Air Force Base. He becomes a target of Chinese intelligence.
Blackmail scenario of USAF research officer
Lt. Col. Joe Smith has what he believes is an innocent MySpace page. It was intended for him to keep in touch with his family during deployments, as well as with other F-22 pilots in his unit. He becomes a target of blackmail.
Study findings
60.4% of USAF personnel posting on MySpace had provided enough information to make themselves vulnerable to adversary targeting (Figure 6-2). The assessment scored seven critical variables of information:
First name
Last name
Hometown
Home state
Duty location
Public account
Job type
25.4% were found to be fair targets, and only 14.2% were found to be poor targets (not vulnerable).
Figure 6-2. 60.4% of 500 participants were vulnerable to adversary targeting
TwitterGate: A Real-World Example of a Social Engineering Attack with Dire Consequences
On May 1, 2009, a French hacker going by the alias of Hacker Croll announced that he had penetrated Twitter’s security and accessed its company records. (Twitter is a popular microblogging service.) Screenshots of a few of them were posted as proof on a forum at zataz.com, a French website.
This was the second time in 2009 that Twitter’s security had been breached (the first was in January, by a hacker named GMZ), and for the second time Twitter CEO Evan Williams announced that a “thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data” would be done.
Williams also claimed, much to Croll’s chagrin, that no important files were accessed, nor was anything taken.
Deciding to teach Twitter a lesson and provide a warning to corporations everywhere, Croll sent a zipped file of over 300 Twitter documents, including financial statements and executive memos and meeting notes, to TechCrunch, a popular and influential IT website owned by Silicon Valley entrepreneur Michael Arrington.
TechCrunch created a firestorm of controversy on July 16, 2009, when it published a number of the stolen documents on its website.
TechCrunch followed that up with a detailed accounting of exactly how Hacker Croll accomplished his break-in. He didn’t use any hacking tools, Croll told reporter Robert McMillan for a May 1, 2009 article for IDG News:
“One of the admins has a Yahoo! account, I’ve reset the password by answering to the secret question. Then, in the mailbox, I have found her [sic] twitter password,” Hacker Croll said Wednesday in a posting (http://www.warezscene.org/hacking/699733-twitter-got-hacked-again-3.html#post1312899) to an online discussion forum. “I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection.”
According to the information that Croll provided to TechCrunch, here is the rather simple process that he followed to crack Twitter’s security and gain access to its files.
Using publicly available information, he built a profile of the company with emphasis on creating an employee list.
For every employee identified, he looked for email addresses, birth dates, names of pets, spouses, and children.
He began accessing popular web services that each employee may have had an account with (e.g., Gmail, Yahoo!, Hotmail, YouTube, MySpace, Facebook, etc.), and using the discovered email address as the username (which frequently is the