Inside Cyber Warfare - Jeffrey Carr [88]
Social engineering as a tactic for hackers precedes all of the previously mentioned services by many years. In fact, the “old-school” approach consisted of dumpster diving and other “meat space” techniques used to gather user login and password information from target companies. Thanks to the rapidly growing social media space, those old-school techniques have given way to a completely online approach.
The Government 2.0 movement of 2009 highlights many of the benefits that might accrue with the use of social software by government officials and agencies, including providing a real-time gauge for evaluating public sentiment during key moments of national or international events and policy debate.
The negative aspects relate directly to social engineering hacks. Government employees’ user profiles, not to mention their posts, often contain personal data that a motivated hacker could leverage into an attack similar to the one described in the GhostNet case.
Since there are legitimate uses for this information as well as nefarious ones, specialty Internet search engines are being created that focus on the Social Web. A January 2009 post on the Online Marketing blog (http://www.toprankblog.com/2009/01/6-social-search-engines/) reviewed no less than six new social search engines, three of which were:
WhosTalkin.com
This application searches for keyword topics in conversation threads taking place in over 60 social media portals.
Samepoint.com
This application tracks millions of conversations taking place in tens of thousands of blogs and on social media sites.
OneRiot.com
OneRiot crawls the links people share on Twitter, Digg, and other social sharing services, and then indexes the content on those pages in seconds.
The Social Graph API
Google Labs recently created the Social Graph API, which allows developers to access the connections that people have made via the Web, whether through blogs, Digg, YouTube, LinkedIn, Facebook, Twitter, or other social networks. This has significant intelligence-gathering implications for adversaries looking to target specific groups of people.
The Social Graph API works by searching for pages that belong to you via your membership in one of the many social networks on the Web. In addition to finding your Twitter, Daily Motion, and Flickr home pages (for example), it will also look for links between friends, followers, or even your blog roll.
By now it should be obvious that employees who work in targeted, high-value industries (e.g., government, public utilities, defense contractors) must exercise caution in revealing any personal details, areas of interest, and affiliations. It is simply too easy to build detailed personal profiles from open sources, and it’s getting easier every day.
Channel Consolidation
Jeff Jonas has established a well-deserved reputation for excellence in demonstrating how large organizations can sort through ever-growing mountains of data and make vital connections, whether the purpose is national security or sustaining profitability.
In 2009, Jonas wrote a blog post entitled “Channel Consolidation.” In it, he makes the case that channel consolidation is an essential ingredient to improving accuracy in prediction (for example, when an online travel site makes suggestions based on your past trips).
Jeff points out that channel separation is what we have known all of our lives. Even though our actions are recorded by each credit card purchase and cell phone call, our banker doesn’t know where we were at 11 a.m. yesterday, and your doctor isn’t informed as to the contents of your email inbox.
Channel consolidation, however, is what we are moving toward. As Jonas points out, it is an essential component in making accurate predictions about what you want