Unmasked - Ars Technica [27]
But HBGary Federal’s real interest had become social media like Facebook and Twitter—and how they could be used to explore and then penetrate secretive networks. And that was exactly what the Air Force wanted to do.
Fake Facebook friends
In June 2010, the government was expressing real interest in social networks. The Air Force issued a public request for “persona management software,” which might sound boring until you realize that the government essentially wanted the ability to have one agent run multiple social media accounts at once.
It wanted 50 software licenses, each of which could support 10 personas, “replete with background, history, supporting details, and cyber presences that are technically, culturally and geographically consistent.”
The software would allow these 50 cyberwarriors to peer at their monitors all day and manipulate these 10 accounts easily, all “without fear of being discovered by sophisticated adversaries.” The personas would appear to come from all over the world, the better to infiltrate jihadist websites and social networks, or perhaps to show up on Facebook groups and influence public opinion in pro-US directions.
As the cyberwarriors worked away controlling their 10 personas, their computers would helpfully provide “real-time local information” so that they could play their roles convincingly.
In addition, the Air Force wanted a secure virtual private network that could mask the IP addresses behind all of this persona traffic. Every day, each user would get a random IP address to help hide “the existence of the operation.” The network would further mask this persona work by “traffic mixing, blending the user’s traffic with traffic from multitudes of users from outside the organization. This traffic blending provides excellent cover and powerful deniability.”
This sort of work most interested HBGary Federal’s Aaron Barr, who was carving out a niche for himself as a social media expert. Throughout late 2010 and early 2011, he spent large chunks of his time attempting to use Facebook, Twitter, and Internet chat to map the network of Exelon nuclear plant workers in the US and to research the members of Anonymous. As money for his company dried up and government contracts proved hard to come by, Barr turned his social media ideas on pro-union forces, getting involved in a now-controversial project with two other security firms.
But e-mails make clear that he mostly wanted to sell this sort of capability to the government. “We have other customers, mostly on offense, that are interested in Social Media for other things,” he wrote in August 2010. “The social media stuff seems like low hanging fruit.”
How does one use social media and fake “personas” to do anything of value? An e-mail from Barr on August 22 makes his thinking clear. Barr ponders “the best way to go about establishing a persona to reach an objective (in this case ft. belvoir/INSCOM/1st IO).”
The Army’s Fort Belvoir, like any secretive institution, might be more easily penetrated by pretending to be an old friend of a current employee. “Make your profile swim in a large sea,” Barr wrote. “Pick a big city, big high school, big company. Work your way up and in. Recreate your history. Start by friending high school people. In my case I am in the army so after you have amassed enough friends from high school, then start friending military folks outside of your location, something that matches the area you're in, bootcamp, etc. Lastly start to friend people from the base, but start low and work your way up. So far so good.”
Once the persona had this network of friends, “I will start doing things tricky. Try to manipulate conversations, insert communication streams, etc,” said Barr. This sort of social media targeting could also be used to send your new “friend” documents or files (such as the Al-Qaeda poison document discussed above) that come complete with malware, or to direct them to specially crafted websites designed to elicit some specific piece of information: directed