Taliban uses sexy Facebook profiles to lure troops into giving away military secrets

Why you shouldn't add just anyone on Facebook -- even if it's a hot girl.

This probably shouldn't come as a huge surprise, but apparently the Taliban is using fake Facebook profiles to spy on Australian troops.

According to a review of social media and defense by the Australian government, an "overt reliance" on privacy settings has led to a "false sense of security" among personnel. In other words -- just because you're a Facebook privacy ninja doesn't mean you should go around posting military secrets on the Internet.

Here's how it works: the tech-savvy Taliban is creating fake Facebook profiles using pictures of attractive women. They're then using these fake profiles to befriend Australian soldiers, and are gathering information based on those soldiers' Facebook updates. A big problem, of course, is Facebook's geo-tagging function, which logs the location from which posts or photos are uploaded. If a soldier posts something to Facebook while they're in the field, this pretty much gives away their location.

According to News.com.au, three Australian soldiers were murdered inside their base this month, allegedly by an Afghan Army trainee.

According to the review of social media and defense, many soldiers did not realize that people using fake profiles can capture information and movements.

"Few consider the possibilities of data mining and how patterns of behavior can be identified over time," the review states. The review surveyed 1577 Australian Department of Defence members on their social media practices and knowledge (or lack thereof) of associated risks. Fifty-eight percent of Defence staff reportedly had no social media training.

The Australian Department of Defence is currently working on new social media guidelines, which will be released by Christmas.

It's not just the Taliban...

You may not be a member of the Australian military, but that doesn't mean you should go around friending just anybody on Facebook. Fake Facebook friends and profiles have been around since the beginning of Facebook, and may be anyone from federal agents to spies to companies looking for buzz.

The obvious advice is that you shouldn't add anyone on Facebook unless you know them in real life -- hot girl or not. However, if you insist on making virtual friends over social networking platforms, here are some guidelines to keep your personal information safe:

- Add as little personal information as possible to your profile. Needless to say, your address, phone number, and date of birth (at the very least, birth year) should not be publicly available or even available to "friends only" on your profile.

- Understand how social engineers can use different pieces of information on the Internet to gather intel about you. For example, if you put your birth day and month on your Facebook profile, and you put your high school graduation year on your LinkedIn profile, a savvy social engineer will be able to put two and two together. Therefore, limit personal information as much as possible.

- If you're on vacation (or in a secret military location), don't post about it until after you get back (or to a safe, non-secret military location). Posting pictures and updates while you're thousands of miles away from your home advertises that you're...thousands of miles away from your home.

- Monitor what your friends say to you and about you on Facebook. In your Privacy settings, it's a good idea to turn on the "review posts" feature, which lets you approve (or disapprove) posts your friends want to tag you in before they automatically appear on your timeline. To turn on this feature, go to Privacy > Timeline and Tagging > Review posts friends tag you in before they appear on your timeline, and turn it "On."

- Be careful about what your photos say. Many smartphones automatically geo-tag photos, so it's a good idea to turn this off, if possible. To turn off geo-tagging on an iPhone, go to Settings > Location Services > Camera, and turn the Location Services "Off" for the camera. To turn off geo-tagging on an Android phone, open up your camera, go to Camera settings > Store location, and make sure this is turned "Off."

As I said earlier, the easiest way to avoid this type of privacy mishap is to only friend people you actually know in real life. Still, it's a good idea to take these precautions -- after all, you never know which of your real-life Facebook friends may have left their account open on a public computer somewhere.

Follow Sarah on Twitter, Facebook, or Google+.
