
The Misinformation Age & Social Media Engineering

“Falsehood flies, and the truth comes limping after it.”
Jonathan Swift, The Examiner No. XIV

Social media has made the sharing of information easier. The abundance and speed of information distribution are increasing, but not necessarily the accuracy or quality. Due to the amount of information coming at us on a daily basis, truth can be elusive.

With the increasing number of security incidents from hacktivists and other groups, we have become both numb and dumb. When one of these groups takes credit for or announces a hack, many take it at face value and spread the word through blogs, Twitter and other social media channels. To the masses, if it looks like a hack and a group takes credit for it, possibly putting information on Pastebin or other false proof out into the media, they will believe that it is true.

One of many great social media propaganda style posters by Aaron Wood

A few months ago an offshoot of the Anonymous hacktivist group, AntiSec, announced that they had hacked into an FBI agent’s laptop and stolen a file containing millions of Apple device IDs (UDIDs). The file actually came from Blue Toad, an analytics company that had recently suffered a breach. However, the group utilized social engineering tactics on a massive scale to get the press and social media to believe their claims.

First, they took advantage of people’s increasing paranoia about the government spying on them through technology, through projects such as Trapwire and New York’s Domain Awareness System, where it would seem as if the government has increasingly wide-ranging domestic cyber sleuthing powers. The second was taking advantage of people’s fears of Apple’s UDID after work by Aldo Cortesi and others showing how UDIDs can be used to reveal information about device users.

Finally, of course, there is the hacktivist group themselves. Since they have a history of successfully taking sites down and of high-profile data breaches, it provided them with a degree of credibility, making their claims more believable. Their claims spread like wildfire across the web and social media, catching the FBI off guard. It was not until security consultant David Schuetz discovered the true origins of the UDID file several days later that the ruse was exposed. Even as I write this, if you do searches regarding this faux breach, you come across articles that were never updated with the actual source of the breach, still claiming the FBI was hacked.

Another example is the recent hardware failure at GoDaddy, where their systems went down for several hours on September 10th, bringing a large number of sites down with them. GoDaddy initially gave no word on the cause and did not indicate that it was in fact a hardware failure. While customers and the media were clamoring for answers, a Twitter account known to be associated with Anonymous claimed responsibility for the outage around noon that day.

It then took GoDaddy an hour and a half before they responded on their own Twitter account regarding the outage, but they failed to rule out a security incident. By then the story had already gone viral, with many top news outlets claiming that Anonymous was responsible for the outage. Even after GoDaddy started notifying customers through Twitter and other channels of the real cause of the outage, it was too late; the damage was done.



Ken Westin

Your Pundit of Paranoia