Your new Facebook friend might be a spy

The war between security firm HBGary and Anonymous reveals new tactic: fake social network profiles to gather information

Is that new friend really your friend, or just someone pretending to be your friend so he can spy on you? No, I'm not just being more paranoid than usual. This really does happen - especially if you're a member of an anonymous collective determined to do battle with the forces of corporate evil (not to mention Tom Cruise, Soulja Boy, and your mom).

The ongoing battle between Anonymous and the security wonks who are trying to take it down has revealed a new weapon: Creating fake profiles on social networks to trace out the connections between you and your comrades.


In what proved to be a colossally dimwitted move, HBGary Federal executive Aaron Barr bragged to the Financial Times about his success in infiltrating Anonymous.

Mr Barr said he had collected information on the core leaders, including many of their real names, and that they could be arrested if law enforcement had the same data... But he does not plan to give specifics to police, who would face hurdles in using some of the methods he employed, including creating false Facebook profiles.

In other words, to "catch" Anonymous, Barr had to resort to methods the police could not - violating Facebook's terms of service in the process.

OK. Maybe sometimes you need to bend the rules to get the bad guys (assuming you consider Anonymous the bad guys; in this scenario it's increasingly unclear). But bragging about it?

Barr might just as well have smeared peanut butter all over his body and jumped into the elephant cage at the San Diego Zoo.

Anonymous was not amused. And the collective decided to exact revenge in the usual manner - by pwning every digital device in Barr's realm, including his Twitter account, his iPhone, HBGary's Web site and its corporate servers. They defaced the site with a taunting letter and posted more than 40,000 HBGary emails on Pirate Bay. Among other things, those emails revealed the details of a plot cooked up by HBGary on behalf of Bank of America to take down WikiLeaks by subverting reporters sympathetic to it.

But the emails also reveal the details of how Barr "infiltrated" the group. An excellent report in Ars Technica goes into further detail on Barr's methods:

Barr had been interested in social media for quite some time, believing that the links it showed between people had enormous value when it came to mapping networks of hackers, and when hackers wanted to target their victims. He presented a talk to a closed Department of Justice conference earlier this year on "specific techniques that can be used to target, collect, and exploit targets with laser focus and with 100 per cent success" through social media.

His curiosity about teasing out the webs of connections between people grew. By scraping sites like Facebook or LinkedIn, Barr believed he could draw strong conclusions, such as determining which town someone lived in even if they didn't provide that information. How? By looking at their friends.

"The next step would be ok we have 24 people that list Auburn, NY as their hometown," he wrote to the programmer implementing his directives. "There are 60 other people that list over 5 of those 24 as friends. That immediately tells me that at a minimum those 60 can be tagged as having a hometown as Auburn, NY. The more the data matures the more things we can do with it."

The same went for hackers, whose family and friends might provide information that even the most carefully guarded Anonymous member could not conceal. "Hackers may not list the data, but hackers are people too so they associate with friends and family," Barr said. "Those friends and family can provide key indicators on the hacker without them releasing it..."

As the emails reveal, Barr wasn't actually interested in "doing good" by taking down Anonymous. He picked that group as a test case to prove that parsing publicly available information from social networks was enough to expose its members' identities. Barr was solely interested in getting publicity for HBGary and driving business to it in the process.

Well, he succeeded on the publicity part. Drumming up business, not so much.

Using social networks to gather intelligence about people can quickly lead you down the rabbit hole - and you often end up chasing the wrong rabbit. Barr's colleagues doubted his conclusions internally, and even Anonymous said he was way off base, including people as "key members" who were tangentially related to the group at best.
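The "over 5 of those 24" rule Barr describes, and the way it goes wrong, is easy to see on a toy graph. The following is an added example written for this post, not code from HBGary or from the Ars Technica report; the graph, the names and the ground-truth hometowns are constructed, and the rule is applied exactly as Barr stated it: anyone who lists more than five of the seed users (those who publicly state the hometown) as friends gets tagged with that hometown. The evaluation step, which Barr's colleagues effectively skipped, shows that a user whose friends happen to cluster in one town (here, "carol") is tagged just as confidently as someone who actually lives there.

```python
from collections import defaultdict


def build_graph(edges):
    """Undirected friend graph from (a, b) pairs: name -> set of friend names."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


# Constructed sample data (hypothetical users, not real profiles).
SEEDS = [f"seed{i}" for i in range(1, 7)]          # six users who list Auburn, NY
EDGES = (
    [("bob", s) for s in SEEDS]                     # 6 seed friends, really from Auburn
    + [("carol", s) for s in SEEDS]                 # 6 seed friends, but lives in Boston
    + [("dave", s) for s in SEEDS[:4]]              # 4 seed friends, below the threshold
    + [("erin", "seed1"), ("erin", "bob")]          # 1 seed friend
)
GRAPH = build_graph(EDGES)

# Publicly listed hometowns (only the seeds reveal theirs).
LISTED = {s: "Auburn, NY" for s in SEEDS}

# Ground truth used only to score the inference; constructed for the example.
TRUTH = {
    **LISTED,
    "bob": "Auburn, NY",
    "carol": "Boston, MA",
    "dave": "Auburn, NY",
    "erin": "Syracuse, NY",
}


def infer_hometown(graph, listed, town, min_links=5):
    """Barr's rule: tag a user with `town` if they list more than `min_links`
    friends who themselves publicly list `town` as their hometown.
    Returns {user: number_of_seed_friends} for every tagged user."""
    seeds = {user for user, t in listed.items() if t == town}
    tagged = {}
    for user, friends in graph.items():
        if user in seeds:
            continue                         # already known, not inferred
        links = len(friends & seeds)
        if links > min_links:                # "over 5", i.e. strictly greater
            tagged[user] = links
    return tagged


def evaluate(tagged, truth, town):
    """Split tagged users into correct and wrong inferences against ground truth."""
    correct = sorted(u for u in tagged if truth.get(u) == town)
    wrong = sorted(u for u in tagged if truth.get(u) != town)
    return correct, wrong


if __name__ == "__main__":
    tagged = infer_hometown(GRAPH, LISTED, "Auburn, NY")
    correct, wrong = evaluate(tagged, TRUTH, "Auburn, NY")
    print("tagged:", tagged)                  # {'bob': 6, 'carol': 6}
    print("correct:", correct, "wrong:", wrong)  # ['bob'] ['carol']
```

Two things worth noticing. First, "dave" really is from Auburn but is missed because he only lists four seed friends, while "carol" is caught because her friends cluster there; the rule measures who your friends are, not where you live, which is exactly the "wrong rabbit" problem. Second, the only input the rule needs is friend lists, so from a defensive standpoint the leak is the visibility of your friend list and your friends' public fields, not anything you yourself typed into a profile.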

Barr has done us a public service though, by reminding us (yet again) that when we use social networks, we often end up revealing far more than we may think - and that information can be used against us.

ITworld TY4NS blogger Dan Tynan knows who your friends are (and hopefully none of them are Aaron Barr). Experience his juvenile sense of humor at eSarcasm (Geek Humor Gone Wild) or follow him on Twitter:@tynan_on_tech.
