The Problem With Privacy:

How Social Media Can Be Used Against You

Ken Smith

Any views or opinions presented are solely those of the author and do not necessarily represent those of SecureState LLC.

The Problem With Privacy: How Social Media Can Be Used Against You

Synopsis
The advent of Internet-based Social Media has revolutionized the way in which people communicate with one another. From maintaining relationships to sparking revolutions, popular networks like Facebook, Twitter, and Instagram allow people to connect across borders and language barriers. For all of its benefits, however, Internetbased Social Media is not without dangers. Users who share personal information irresponsibly are contributing to a growing problem. The immediate consequences of over-sharing include identity theft and fraud, but the larger picture is far more disconcerting. Extremist networks and criminal organizations are increasingly using information scraped from Social Media websites to their own advantages. Social Media has merged many of the traditional resources for open source intelligence gathering into a single, easy-to-use toolset. In this sense, National Security begins at the user level. Being aware of ones own cyber footprint promotes personal safety online and deters those who would exploit the features of Social Media for nefarious purposes.

Table of Contents
Introduction ............................................................................................................................................................................ 3 What Exactly Am I Sharing? ................................................................................................................................................ 3 The New Phishing ............................................................................................................................................................ 4 Geolocation ..................................................................................................................................................................... 4 The Broader Consequences ................................................................................................................................................ 5 Conclusion ............................................................................................................................................................................... 7 Works Cited ............................................................................................................................................................................. 8

The Problem With Privacy: How Social Media Can Be Used Against You

Introduction
Over the last five years, Social Media has become thoroughly ingrained into the daily life of the average American adult. According to a recent study by the PewResearch Center, as many as 92% of Internet users ages 18-29 and 73% of Internet users ages 30-49 make regular use of one or more Social Media websites (Brenner, 2013). Subsidized smart phones and growing cellular networks in the Third World are quickly ensuring that even the poorest of the poor have access to the services provided by companies like Facebook and Twitter. While the benefits of instant, worldwide social connections range from the mundane to the revolutionary, massive, unbridled information sharing can easily put users in danger. In order to mitigate any possible threats, there are two groups of people that must be addressed: the blissfully unaware and those who would exploit them. The former share everything that goes on in their lives with very little regard for the potential consequences. From baby pictures to intimate career details to dietary habits, these men, women, and children practice very little self-control or awareness with respect to their online habits. The latter group is far more dangerous. Extremist factions, criminal organizations, and foreign governments are increasingly turning to Social Media as a means to gather open source intelligence. By exploiting the trusting nature of the average user and flawed "features" in Social Media applications, these organizations are able to more accurately plan operations in cyberspace and the real world. By more closely examining the information people are sharing online and the consequences of that data falling into the wrong hands, it is possible to better protect oneself while still maintaining a meaningful presence on the Internet.

What Exactly Am I Sharing?

Every few months, an inaccurate Facebook status regarding changing privacy policies goes viral. The posts often claim that unless users forward the message, Facebook will take ownership of any available personal information; they are often justified with citations from fictitious legal cases and irrelevant international agreements (see Figure 1). The fervor and outrage that normally accompany these posts demonstrates the great Social Media privacy paradox: On sites dedicated to the sharing of personal information with the world, can there be a realistic expectation of privacy? The truth of the matter is that anonymity on the Internet is completely dependent on the individual. Once something has been posted online, it is there for good.
Figure 1: 2012 Privacy Post (stanforddaily.com)

The Problem With Privacy: How Social Media Can Be Used Against You

The New Phishing

Many Social Media users do take appropriate steps to prevent obvious personally identifiable information (PII) leaks. Traditional social engineering attacks like Prince of Nigeria emails rarely fool the average Internet user today. Phishing emails requesting social security numbers are
Figure 2: "Likejacking" attack (labs.m86security.com)

deleted, and users know to avoid turning over usernames and passwords to strangers. In recent years, the use of these traditional malware vectors has declined in favor of Social Media. According to SOPHOS, clickjacking worms designed to exploit the Facebook Like feature (See Figure 2) began to surface in 2010, By hiding an invisible button under your mouse, the hackers are able to capture your click wherever you click on the webpage. So your mouse press is hijacked and secretly clicks on a button which tells Facebook that you 'like' the webpage instead (Cluley, 2010). Even if users manage to avoid click-based attacks, information shared in public profiles like hobbies, favorite music, and educational history can be leveraged against them. Many email services and Social Media sites often include security questions to reset passwords or retrieve lost accounts. More often than not, the answers to commonly asked questions can be found by scrolling through a users public profile. Additionally, criminals with minimal social engineering experience can use birthdates, addresses, phone numbers, and linked accounts to impersonate legitimate users over the phone with banks and retail companies. In 2012, Wired author Mat Honan fell victim to such an attack. In the span of a single hour, a hacker was able to compromise his accounts with Google, Apple, Amazon, and Twitter. The young man ultimately remotely wiped Honans iPod, iPad, and MacBook in an effort to cover his tracks; as Honan described it, my entire digital life was destroyed (2012).

Geolocation
Geolocation is another important and relatively new feature in Social Media. Twitter, Facebook, Instagram and many other services feature options to tag posts with geodata or check-in at restaurants and other hot spots. Many businesses even reward customers for using these elements in return for the free marketing and exposure. The benefits to disabling this brand of sharing may be evident to some, but unfortunately, many users leave location-based services operational, and the potential fallout is severe. In 2010, Microsoft partnered with Twitter to develop an add-on for Bing Maps which allows for the tracking of users as they tweet (See Figure 3). In order for tweets to be visible, the users must have previously allowed for geolocation tagging, and it is possible to use third party services to spoof a location. Nevertheless, the tool is incredibly easy to use and is very effective for high level geolocation analysis.

The Problem With Privacy: How Social Media Can Be Used Against You

Figure 3: Tweets from the Pentagon, 15FEB2012 (bing.com)

With a little technical knowledge, the process can be taken a step further. Last year, Roelof Temmingh, the developer of Maltego, a program designed to scrape publically available PII from Social Media websites, demonstrated how easy it is to map the actions of National Security Agency (NSA) employees. A search for tweets made within the vicinity of the parking lot of the NSA headquarters in Fort Meade, Maryland revealed a wealth of potential marks (Kirk, 2012). Maltego allows users to connect accounts from multiple Social Media services; geodata from Twitter can be combined with check-in statuses from Facebook to gain a clearer pattern of life for a single person or an entire social network.

The Broader Consequences

Extremist groups and criminal networks have been quick to adapt to emerging Social Media trends. The Twitter account of Al-Shabaab, a Somalia-based Al-Qaeda affiliate network, claims over 2,000 followers (See Figure 4). Somalia topped the Fund for Peaces Failed State Index between 2008 and 2012, but thanks to cellular and WIFI technology, a small but growing portion of the Somali populace, including the Al Shabaab leadership, has been able to access the Internet for some time (Hanna, 2012 & Kalan, 2012). Al-Shabaab often violates Twitters terms of use by posting threatening messages and pictures of their victims, but multiple bannings from Twitter have done little to stifle the groups Social Media presence. The most recent account has existed only since February 3, 2013, less than two weeks at the time of this writing; the previous incarnation of @HSMPress carried nearly 20,000 followers (Gordts, 2013).

The Problem With Privacy: How Social Media Can Be Used Against You Many criminal organizations are also using online Social Media to facilitate real world crimes. At the AusCERT conference in 2012, Brad Barker of the HALO Corporation gave a talk regarding Mexican drug cartels using Social Media vectors to automate cross-border kidnapping and human trafficking operations. The La Familia cartel, Barker explained, would plant a teenager in the U.S. at an expensive, private school. The kid attends class, gets good grades, joins sports teams, gets popular. They get on Facebook, they Friend everybody (Tung, 2012). As the plants social media network expands, La Familia leaders are able to log into the accounts and make kidnapping decisions based on the visibility, value, and vulnerability of each member of the plants social media network. Another
Figure 4: Initial tweets from the latest Al-Shabaab account (twitter.com)

powerful Mexican cartel, Los Zetas, Barker explained, learned to use IP trace routing to tag, track, and locate Mexican citizens responsible for disparaging blog posts about the cartel. According to Barker, They had to put an end to it. And how did they do it? The same old way they have been: by killing people in a public way and torturing them and then writing notes to the media in their own blood that this is what happens to you if you blog about the Zetas (Tung). In 2008, a U.S. Army Intelligence report expressed concerns that criminals and terrorists may be using geodata from military tweets to more accurately plan ambushes and kinetic operations. The report covered three possible developments: The first scenario is that terrorists can send and receive near real-time updates on the logistics of troops movements in order to conduct more successful ambushes. The second is that one operative with an explosive device or suicide belt uses his mobile phone to send images of his or her location to a second operative who can use the near actual-time imagery to time the precise moment to detonate the explosive device. The third is that a cyberterrorist operative finds a soldiers account and is then able to hack into his account and communicate with other soldiers under the stolen identity. (Weimann, 2011). Their concerns are not unwarranted. An experiment conducted by noted security expert, Thomas Ryan of Provide Security, demonstrated the true potential of information leaks via Social Media. In late 2009, Ryan established a fake online persona, Robin Sage, designed to attract the attention of members of the military and intelligence communities. Through a twenty-eight day period in December of that year, Ryan created an intricate network of Social Media profiles

The Problem With Privacy: How Social Media Can Be Used Against You and accounts all linked to the fictitious woman (See Figure 5). Numerous clues to the deception were left in the open. She claimed to have 10 years experience in the cyber security field - which would mean that she entered it at age 15...Even her name is taken from the code name of an annual U.S. special-forces military exercise (Waterman, 2010).

Figure 5: Former Facebook Profile for Robin Sage (viceland.com)

Ryan was able to make over four hundred connections to high level members of the U.S. intelligence and military communities, including men working for the chairman of the Joint Chiefs of Staff, a senior intelligence official in the U.S. Marine Corps, and executive civilian defense contractors at Northrop Grumman, Lockheed Martin, and Booz Allen Hamilton (Vijayan, 2013 & Waterman, 2010).

Conclusion
Over-sharing on Facebook and Twitter may seem harmless, and the benefits of participating in online Social Media certainly outweigh the risks. But self-control and awareness are crucial to maintaining an acceptable level of personal security online. From the common criminal to the cyber terrorist, there are people in the world who work to exploit every bit of PII and geodata they can gather online. Social Media users need to begin to operate under the assumption that privacy does not exist on the Internet. Common sense practices and an occasional Google search will go a long way to securing online profiles, and maintaining a healthy dose of skepticism can help users avoid the pitfalls of social engineering attacks. Always be cognizant of your cyber footprint and share responsibly.

The Problem With Privacy: How Social Media Can Be Used Against You

Works Cited
Brennder, Joanna. (2013, February 5). Pew Internet: Social Networking (full detail). PewResearch Center. Retrieved from http://pewinternet.org/Commentary/2012/March/Pew-Internet-Social-Networking-full-detail.aspx Cluley, Graham. (2010, June 14). Facebook users clickjacked by the 101 Hottest Women in the World. Naked Security from SOPHOS. Retrieved from http://nakedsecurity.sophos.com/2010/06/14/ facebook-users-clickjacked-101-hottest-women-world/ Gordts, Eline. (2013, January 14). Dead French Soldier Photo: Tweet By Al Shabaab Allegedly Shows Troop Killed in Somalia. The Huffington Post. Retrieved from http://www.huffingtonpost.com/2013/01/14/dead-frenchsoldier-photo-tweet-al-shabaab_n_2474141.html Hanna, John. (2012, June 18). Somalia tops failed states index for fifth year. CNN. Retrieved from http://news.blogs .cnn.com/2012/06/18/somalia-tops-failed-states-index-for-fifth-year/ Honan, Mat. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Wire Retrieved from http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/ Kalan, Jonathan. (2012, October 23). Somalias ambitions online could bring Mogadishu to the world. BBC. Retrieved from http://www.bbc.co.uk/news/business-19961266 Kirk, Jeremy. (2012, October 17). Who is tweeting from the NSAs parking lot? Computer World. Retrieved from http://www.computerworld.com/s/article/9232476/Who_is_tweeting_from_the_NSA_39_s_parking_lot_ Tung, Liam. (2012, May 18). AusCERT 2012: Facebook automates human trafficking ops. Retrieved from http://www.cso.com.au/article/424986/auscert_2012_facebook_automates_human_trafficking_ops/ Vijayan, Jaikumar. (2013, January 17). Manti Teo meet Robin Sage. Computer World. Retrieved from http://blogs.computerworld.com/internet/21656/manti-teo-meet-robin-sage Waterman, Shaun. (2010, July 18). Fictitious femme fatale fooled cybersecurity. The Washington Times. Retrieved from http://www.washingtontimes.com/news/2010/jul/18/fictitious-femme-fatale-fooled-cybersecurity/ ?page=all Weimann, Gabriel. (2011). Al Qaeda Has Sent You A Friend Request: Terrorists Using Online Social Networking. Israeli Communication Association. PDF. Retrieved from http://www.securitymanagement.com/sites/security management.com/files/Al%20Qaeda%20Has%20Sent%20You%20a%20Friend%20Request%20Terrorists%20Usin g%20Online%20Social%20Networking.pdf