PeterBerghammerSlides

The Other Side of the Coin: Understanding Social Media Attacks and How to Respond to Them
Speaker: Peter Berghammer
13:45-14:15
The SMILE Conference Venue, First Floor
1777 F Street, NW, Washington, DC 20006
About Today’s Speaker
• Background in the MilDef and IT industries
• Founded and spun off aerospace & military IT, consumer electronics data companies
• Has written for a number of magazines
– Hidden data transfer issues in consumer electronics
– Economics column
– Legal implications of data transfer initiatives
• Active speaker internationally on
– Open Source Warfare
– Protocol Triangulation schema
– Data transfer and Data recoverability
– Malicious Social Engineering
• In 1996 made a Non-residential Fellow at Stanford Law: Center for Internet & Society researching Darknets, “hidden” encrypted data transfer etc.
• And a tip of the hat to Public Communications Worldwide (who kindly underwrote my participation here today)
Some of my research
• Some of the areas in which I’ve been particularly interested:
– Cold boot attacks
– Trusted Computing Platform flaws
– Remote firmware “updates” to compromise routers, other hardware etc.
– Pulling data out of on-air pager communications
– SCADA intrusions
– GPS hacks
• Some of the areas in which I’m very involved:
– Off the shelf hardware manipulation: toys, implantable medical devices, household robotics
– War rocketing & war “plane-ing”
– Transatlantic Constitutional Law (constitutional aspects of privacy, US & EU)
– What they all have in common: data extraction & manipulation, application vs. no application, centralized vs. distributed, open standards vs. closed
The issue with Social Media
“Opinion is the internet’s new pornography” NYT
• Everyone has an opinion and wants to share it
• Distrust of advertising and managed communications: they don’t believe this stuff anymore
• 45% of internet users have created content online
• 67% of users want opinions from other users (McKinsey)
Is Social Media compatible with Local Government?
• Here is a great example of a debate last week about Social Media
• Everyone agreed that blogging about wildflowers was great! (Parks & Rec)
• There was no idea how to handle monitoring, or responding
• “A way for commenters to harass our employees”
• Data retention policies to match the law (1 year in this case)?
Narrative Timeframes
• I think the issue that surprises the military personnel that I speak to is the issue of Narrative, and the corresponding issues of narrative timeframes
• Bear in mind that things like Twitter are very perishable in terms of lasting impact
• Blog commentary, newspaper reader response pages and the like are more lasting
• Facebook and LinkedIn fall somewhere in between
• The military is always surprised when we discuss the issue of “myth” as part of the narrative
• In fact, most hacktivist-style negative commentary revolves around this issue
• Evidence: the Teabaggers, 9-11 Truthers, assorted conspiracy websites etc.
• Reference point: whatdoesitmean.com
Can you Brand your Department?
• The previous slide actually hints at the concerns inherent in deciding
to “Brand” your department
• It also brings up a disturbing contradiction:
• At its core, branding implies CHOICE
• If we were to “brand” a department are there any implications? Do
your constituents actually have a choice? In reality, no; in marketing
terms, perhaps.
• Social Media activists look long and hard at this issue - and don’t be
surprised that this fundamental contradiction offers them ammunition
• There is not a real answer here - but I’m sure plenty of
controversy….
How the Air Force looks at it (Federal Level)
• Discover
• Evaluate
• Respond
• Response Considerations
• What is interesting here is the insistence on “full disclosure”
• This is not something that we’re going to see on the hacktivist side…
• In fact, quite the opposite
What we’re talking about when we say Social Media
• In the most widely understood sense of the term we mean the big 3: Twitter, Facebook and LinkedIn
• In the parlance of the US government we’re actually talking about any “collaborative” platform including blogs, wikis, instant messaging and the like
• In the “hacking sense” we’re talking about any “collaborative platform” in which information can be shared
Suspect “Collaborative Platforms” in use today
• Generic email accounts that can be used as dead drops
• Pictures, videos etc. that can have additional data encoded into them (steganography) – this includes printers, optical media etc.
• Ring tones, SMS messages, encrypted file sharing, spam mimicking, one-time read messaging… (limited only by the imagination)
• Also things such as message boards, feedback boards, customer review boards et al.
• We also mean web-enabled support groups, PACS, hobby groups, P2P, Virtual Worlds and more
• Newspaper reader feedback sites, Collaborative Wikis
• Anonymous domain name registrations and consequently “poisoned” websites
• Bluetooth messaging
• Anonymous email registrations and usage
• “Wish lists”: Amazon, Adam & Eve, Target etc. etc.
• Note: spam emails oddly don’t apply for today’s purposes
Assertion: from a Law Enforcement perspective all things are already considered Social… let me explain…
Longer Lasting Damage: Search Engine Results
• The goal in any effort to manipulate is to own search engine results
• For whatever reason, results from Google and Bing and
Yahoo…seem to lend credence and believability to users unable or
unwilling to find out the “truth”
• Fake histories created over a number of months convey the illusion
that the “fact” is not in dispute
• Search results are the new “shelf space” of organizations on the net,
instead of in stores
• If organizations checked their search results regularly they would be
shocked……
• It’s populated by negative comments, negative reviews, competitor
results and competitor inroads….
How hard is it really to hijack an identity, or even to create completely new ones on the web?
• Let’s be clear: stealing an identity on the web is in many cases illegal and useless for our purposes
• However, creating “duplicate” identities on the web is pretty easy – sometimes illegal and sometimes not
• Generally duplicating screen names on the web is not illegal if not done to foster a crime
• And creating new (fake) identities on the web is almost never illegal – and in the few cases where it could be prosecuted rarely is… and it’s really simple to do.
• HINT: go out after this conference and “own” every legitimate screen name on every network that you can for yourself and your organization!
What we’re Trying to Accomplish
• We’re trying to create simulated groups of fictitious people who are untraceable, with addresses that appear permanent but are disposable, on websites that appear legitimate but will disappear
• In order to create the illusion of stability, integrity, durability, believability etc…
• (All of this by the way is untrue)
What we are really doing…
• Is creating the illusion of “mass buy-in” and support for a particular position
• Is creating the illusion of broad coalitions
• Is spreading doubt, fear, disbelief under the guise of respected community leaders
How many people does it take…
• To poison a political career or derail a topic? 3 – 10 people working
4 hour days for at least 60 days (in municipalities and counties)
note: in order to own search engine results it does take many more
months but the other numbers remain the same
• The numbers grow exponentially depending on the scale of the
campaign (local vs. national) but oddly, once critical mass develops
the workload decreases because other committed, real people not
affiliated with the original group, take over.
• Bizarre, huh?
The Importance of Communications
You are what you broadcast…
• Let’s look at the concept of triangulation (whether you like it or not, data leakage is part of social media)
• Identifying users not only by what they post but also by what they broadcast…
• What’s interesting here is that LE is “built” on the concept of identity - and yet in the social media sphere this for some reason falls by the wayside
• What we’re looking at is voluntary/involuntary real world data vs. predictive analytics
Bluetooth, 802.11a/b/g/n, 802.15/.16, GSM, GPRS, GPS, CDMA, AMPS, RFID, IR, UWB, WiMAX, UMTS, 802.20, TV, Radio, Near Field, Broadcast, NFC, OTAP
Basically what we’re looking at is the move from:
Everything in a radio (device)
To
A radio in everything
To
Networked everything* (centralized surveillance)
Sense Networks & loopt
Ad infinitum
*Special Thanks to: John Waclawsky Ph. D., Software Architect, Motorola Software Group, Motorola, Inc.
Back to the 1980s
• US 2009: Google launches
PowerMeter
• Flashback: Germany, 1981:
– Cruise & Pershing II missile
“crisis” and its impact on
NATO
• Visit from the German Police
• Conclusion: everything is
“Social”
Some Examples
• Let’s take a look at some examples:
SLA: Symbionese Liberation Army
Social Media Circa 1973
Eva Silverstein: Micromanaging de Sitter Holography
Social Media Circa 2010
Some of the more useful anonymity tools
“Better be careful - I think we’ve been infiltrated”
Dear Friend , We know you are interested in receiving red-hot news . If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail . This mail is being sent in compliance with Senate bill 2116 ; Title 8 , Section 302 . Do NOT confuse us with Internet scam artists ! Why work for somebody else when you can become rich in 10 weeks . Have you ever noticed how many people you know are on the Internet & nearly every commercial on television has a .com on in it ! Well, now is your chance to capitalize on this ! We will help you use credit cards on your website & increase customer response by 110% . You can begin at absolutely no cost to you ! But don't believe us . Mrs Simpson of Nebraska tried us and says "My only problem now is where to park all my cars" ! We are a BBB member in good standing . Do not go to sleep without ordering ! Sign up a friend and you'll get a discount of 30% . Warmest regards ! Dear Decision maker ; This letter was specially selected to be sent to you . If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail . This mail is being sent in compliance with Senate bill 1624 , Title 7 ; Section 305 ! THIS IS NOT MULTI-LEVEL MARKETING ! Why work for somebody else when you can become rich within 51 MONTHS . Have you ever noticed how long the line-ups are at bank machines & how long the line-ups are at bank machines . Well, now is your chance to capitalize on this . We will help you process your orders within seconds and deliver goods right to the customer's doorstep . You can begin at absolutely no cost to you . But don't believe us ! Ms Simpson who
This is how a spam translation looks…
Browser Obfuscation
A simple tool to re-identify a browser’s reporting function
IP Obfuscation
Tor
Hotspot Shield
Twitter Automation
Automate user info
Scrape dating sites for user pictures
gMail account creation and validation
The only issue is that Twitter has very little impact locally in a political context –
it appears to be on the “larger” issues that it works best. Why?
Is it a crime to Tweet LE activity?
Philadelphia Flash Mobs
Another flash mob rocks South Street
In the 'tsunami,' chants of 'Burn the city!'
By KITTY CAPARELLA & STEPHANIE FARR
Philadelphia Daily News
caparek@phillynews.com 215-854-5880
Business owners yesterday called on Mayor Nutter to stop "flash mobs" on
South Street after patrons couldn't shop, dine or get home on Saturday
night because of the hordes of teens roaming the neighborhood.
Inspired by Twitter messages to "come to South Street," police say hundreds - business owners say thousands - of young teens stampeded down South Street in waves, jumping on top of cars, knocking over pedestrians and fighting and cursing…
An example of what not to do
Thank you