In an excellent article in The Washington Times, UPI’s Shaun Waterman described a “red team” activity in which a security consultant created a false persona on Facebook that appeared to be attractive young woman who was working in cyber defense. She quickly garnered hundreds of friends in the national security community, as well as job offers and invites to conferences. In the process she gathered a great deal of sensitive materials such as inadvertently exposed passwords.
This is not a hypothetical concern – Hezbollah (long a terrorism pioneer) has already employed this strategy. According to the Israeli news site MySay:
The Hizbullah agent pretended she was an Israeli girl named “Reut Zukerman”, “Reut” succeeded during several weeks to engage more then 200 reserve and active personnel.
The Hizbullah agent gained the trust of soldiers and officers that didn’t hesitate to confirm him as a “friend” once they saw he/she is friends with several of their friends from the same unit. Most of them assumed that “Reut” was just another person who served in that elite intelligence unit.
In this way, Hizbullah collected information about the unit’s activity, names and personal details of its personnel, the unit’s slang, and visual information on its bases. This user / agent using Facebook is an example of a trend called fakebook.
The picture attached to “Reut Zukerman” was, of course, an appealing young woman (some tricks are timeless.)
Implications
The first concern regarding incidents of this nature is the raw intelligence collected. But more than the data, it creates opportunities to gather even more data.