Much has been said about the military’s effort to incorporate social media platforms into its arsenal of weapons.
Over the past two years, there have been several detailed reports claiming that the armed forces are engaging in large scale social media manipulation initiatives. In his article, “Military’s ‘persona’ software cost millions, used for ‘classified social media activities’”, Stephen Webster provides details about a contract issued by the USAF to develop software that will allow it to create, manage, and operate an army of sock puppets worldwide. In a different article, “US Military Caught Manipulating Social Media, Running Mass Propaganda Accounts” Anthony Gucciardi describes how this is done.
The fact that the military is using SN manipulation tools to fight the war is laudable. It’s about time they started using non conventional solutions to carry the war into the back alley Internet cafes where virtual battlefields of radicalization are raging.
The national defense agencies, which are among the most technical and professional organizations out there, are self conscious about the pros and cons of dabbling with SN. The USAF social media guide illustrates these concerns. It offers a detailed analysis and operational recommendations for engaging in SN activity. for example, the global media information flow is shown through the following diagram:
In another section, the “guidelines to assist Airmen in engaging online conversations” offers a list of the following dos and don’ts:
No Classified Info
Do not post classified or sensitive information (for example, troop movement, force size, weapons details, etc.). If in doubt, talk to your supervisor or security manager.
Replace Error with fact Not Argument
When you see misrepresentations made about the Air Force in social media, you may certainly use your blog, their’s, or someone else’s to point out the error. Always do so with respect and with the facts. When you speak to someone with an adversarial position, make sure that what you say is factual and is not disparaging. Avoid arguments.
Be the first to respond to your own mistakes. If you make an error, be up front about your mistake and correct it quickly. If you choose to modify an earlier post, make it clear that you have done so (such as by using the strikethrough function).
Use Your Best Judgment
Remember there are always consequences to what you write. If you’re still unsure, and the post is about the Air Force, discuss your proposed post with your supervisor. Ultimately, however, you have sole responsibility for what you choose to post to your blog.
Avoid The Offensive
Do not post any defamatory, libelous, vulgar, obscene, abusive, profane, threatening,
racially and ethnically hateful, or otherwise offensive or illegal information or material.
Do not post any information or other material protected by copyright without the permission of the copyright owner. Also, consider using a Creative Commons license to protect your own work (see http://creativecommons.org for details).
Trademarks- Don’t Breach
Do not use any words, logos or other marks that would infringe upon the trademark, service mark, certification mark, or other intellectual property rights of the owners of such marks without the permission of such owners.
Don’t Violate Privacy
Do not post any information that would infringe upon the proprietary, privacy or personal rights of others.
Do not use the Air Force name to endorse or promote products, opinions or causes.
Do not forge or otherwise manipulate identifiers in your post in an attempt to disguise, impersonate or otherwise misrepresent your identity or affiliation with any other person or entity.
Identify to readers of a personal social media site or post that the views you express are yours alone and that they do not necessarily reflect the views of the Air Force. Use a disclaimer such as: “The postings on this site are my own and don’t necessarily represent Air Force positions, strategies or opinions.”
Stay In Your Lane
Discussing issues related to your AFSC or personal experiences is acceptable but do not
discuss areas of expertise for which you have no background or knowledge.
Considering the fact that SN bridges numerous EULA and jurisdictional boundaries, it’s likely that these tools will end up violating some privacy laws. But with that having been said, I also have the utmost faith in the military’s ability to regulate and control itself. Between the office of the inspector general, the Uniform Code of Military Justice, and the clear constitutional limitations imposed on the military’s ability to operate on US soil, I think that there are enough checks and balances to prevent wide scale domestic Orwellian style abuse of this technology.
So, what seems to be the problem? Well, the biggest issue is that parts of the SM intelligence collection, monitoring, and analysis are no longer being carried out by the military/three letter government agencies. Rather, it’s being conducted by a horde of private intelligence firms. Some of these include: Palantir, Stratfor, HBGary Federal, Berico Technologies, Endgame Systems, and Booz Allen Hamilton which recently gained notoriety thanks to Edward Snowden’s mega leaks.
A better insight into the functioning of this rent-an-intelligence world of shadows can be gleaned from the hack by LulzSec. In 2010, the group successfully breached the private intelligence firm HBGary/HBGary Federal. The hack captured over 75,000 e-mails. It revealed the close cooperation between large commercial firms such as Bank of America and various government agencies. For example, it showed that BoA solicited the Department of Justice for help regarding possible disclosure by WikiLeaks. The Department of Justice then referred BoA to the political lobby firm Hunton and Willliams, which in turn connected the bank with a group of information security ‘fixers’ known as Team Themis.
Team Themis—a group made up of HBGary Federal and the intelligence firms Palantir Technologies (named after Saruman’s seeing stone in J. R. Tolkien’s Lord of the Rings), Berico Technologies, and Endgame Systems—was consulted regarding ways to destroy the credibility of WikiLeaks and Glenn Greenwald, a Salon.com reporter who wrote favorably about WikiLeaks. The strategy, sought to “sabotage or discredit the opposing organization” and even included a plan to submit fake leaked documents and then call out the error.
Interestingly, some of the leaked documents contained Palantir’s and HBGary’s PowerPoint decks and e-mails which detailed various Machiavellian schemes. A notable example was the strategy for destroying the credibility of Glenn Greenwald.
Even more troubling were plans to use malicious software to hack into computers owned by the opponents and their families. The e-mails show a proposal to develop and use “custom malware” and “zero day” exploits to gain control of a target’s computer network in order to snoop their files, delete content, monitor keystrokes, and manipulate websites.
In one e-mail, a 27 year old Matthew Steckman, a Palantir employee who was central to the Themis operations, boasted:
“We are the best money can buy! Damn it feels good to be a gangsta.”
It turns out that Palantir, in addition to living the “gangsta” life style to the fullest was also shooting ‘sideways’ at it’s competitors by allegedly misappropriating IP by fraudulent means and conducting domestic industrial espionage.
The bizarre story revolves around Shyam Sankar, Palantir’s Director of Forward Deployed Engineering who allegedly represented himself as a principal of SRS Enterprises, a straw company registered under the names of his parents in Florida, he and his brother fraudulently obtained i2 competing software solutions and used them to design Palantir’s products.
Illustration 1: i2 Civil Action Against Palantir
Illustration 2: Company registration Details for SRS
I don’t know if any of these allegations are true because the case was just settled before going to trail, but if even some of details are correct, this is the stuff that spy novels are made out of.
I’m not sure what I find to be more outrages in this case, Palantir’s complete disregard for the law or their nonchalant gangster attitude.
I have no problem rationalizing the military’s proposal to carefully use software like MetalGear to conduct “classified blogging activities on foreign-language Web sites to enable CENTCOM to counter violent extremist and enemy propaganda outside the U.S.”, but Palantir and HBGary were proposing to use such technologies wholesale on US soil for subversive (and most likely illegal) corporate and financial gain.
Several months after the attack against HBGary Federal, Anonymous hacked into another private intelligence firm: Stratfor. They released a stash of about five million e-mails which provided deep insight into how the private security/intelligence companies view themselves vis-a-vis government agencies like the C.I.A. and F.B.I.
In one e-mail to his employees, Stratfor chairman arrogantly dismisses the C.I.A.’s capabilities. He writes:
From: George Friedman [mailto:email@example.com]
Sent: Wednesday, December 29, 2004 9:13 AM
To: firstname.lastname@example.org; email@example.com
Subject: CIA head of analysis fired
Jamie Miscik, Deputy Director of Intelligence at the CIA was fired today. As
DDI, she ran the analytic shop. According to media reports, she was fired
for squandering resources on day to day reports while ignoring the broad
trends. In other words, she was fired for looking at the trees and being
unable to see the forest. She was also accused of spending too much time
updating policy makers and too little time trying to grasp the broad
trends–giving customers what they wanted instead of what they needed. In
the end, it was her customers that turned on her.
My charge against her was and remains that she took no pride in her craft
and turned intelligence into PR and shoddy process. She and her gang are now
This gives Stratfor an enormous, historic opportunity. The CIA model of
analysis has been invalidated. The ponderous, process driven machine that
could only manage the small things now needs to be replaced by a robust,
visionary, courageous analytic system. Stratfor has the opportunity to show
the way. In fact, we are showing the way. Everyone in Langley knows that we
do things they have never been able to do with a small fraction of their
resources. They have always asked how we did it. We can now show them and
maybe they can learn.
Reading this statement makes you wonder how the C.I.A has ever managed all of these years without Strafor’s robust, visionary, and courageous guidance.
Stratfor Also illustrated their ability to collect deep intelligence by performing private surveillance activities on US soil of protestors in Occupy Austin movement. To achieve this, one of their agents went undercover and joined an Occupy Austin meeting in order to gain insight into how the group operated.
Yet, in another e-mail reveals their ability to gain access to secret government documents. Fred Burton, the Stratfor vice president for Intelligence told one corporate client: “The F.B.I. has a classified investigation [that may be of interest and]…I’ll see what I can uncover.” in similar e-mail, he claims to have access to top secret materials captured during the raid on the OBL compound and goes as far as offering a Q&A session regarding it’s content:
From: Fred Burton
To: Secure List
Subject: OBL take — quick response needed
Sent: May 12, 2011 15:25
I can get access to the materials seized from the OBL safe house.
What are the top (not 45) questions we want addressed?
Office: +1 512-279-9479
Mobile: +1 512-758-5967
Strategic Forecasting, Inc.
Now, I could understand if Strafor was offering supplementary intel to various government agencies, but the ironic implication here is that they are syphoning classified information from the government and handing it over to their corporate clients.
Indeed, as Morpheus stated, “Fate, it seems, is not without its sense of irony”, Stratfor, the organization that prided itself on teaching the C.I.A a thing or two about security and intelligence gathering got hacked through the most benign means.
When you read the details of the Stratfor and HBGary exploits, you can’t help but scratch your head in amazement. For example:
HBGary website failed through a simple SQL injection. The site didn’t scrub nor sanitize any requests. This allowed the attackers to quickly retrieve the site’s User IDs and Passwords.
With a User ID and Password in their possession, they download the entire user database. Next, they proceeded to crack it. If the password database was properly protected, they would have gotten nowhere, but again, poor security procedures enabled them to retrieve all the passwords. It turns out that the HBGary Federal database stored passwords in simple MD5 hashes. To overcome this, the attackers used readily available rainbow tables.
After getting the passwords of two of HBGary’s executives, Aaron Barr and Ted Vera, they discovered that the passwords only consisted of eight characters: six lower-case letters and two numbers. With the User ID and Password details of the two executives, the attackers found out that this pair reused their passwords in multiple locations, including: e-mail accounts, LinkedIn (see bellow), Twitter and a customer facing server. So now Anonymous was able to access their e-mails too.
Illustration 4: Aaron Barr’s defaced LinkedIn Page
Illustration 5: Aaron Barr’s Updated LinkedIn Page (note the striped personal details and the recommendation by Pulkit Kapila, from Bozz Allen Hamilton)
The accounts on the support server belonged to ordinary users but the system wasn’t patched against a privilege elevation attack. Now, with administrative access and due to the fact that one of the executives was also the administrator of the entire e-mail system, Anonymous gained full control of all HBGary Federal e-mail accounts. Using this vulnerability, they gained access to the account of another executive, Greg Hoglund, where they found an e-mail containing the root password for the entire site.
Anonymous had a root password, but couldn’t access the site server from outside of the firewall. They needed to login as a standard user and then switch to root.
To achieve this, they utilized a simple social engineering exploit. Using Greg Hoglund’s account, they contacted an administrator who had root access to the server. Through an e-mail exchange, they said that they had a problem logging in to the server and convinced the root admin to reset Greg’s password and also reveal his username–the two pieces of information they needed to complete their exploit and gain access to the Stratfor list of customers and their credit card files, which interestingly enough, were kept in a plane text file.
This wasn’t unique to HBGary or Strafor. In all hacking cases involving private security or intelligence companies, the analysis of the attack shows that it was executed via the most common methods. No mission impossible scenarios took place, the root cause was just your common run of the mill information security negligence.
Case in point is that regardless of their patriotic pitch and public assertions of lofty ideals such as “solve the most important problems for the world’s most important institutions”, most of these companies are bottom feeders who are in it just for a fistful of dollars. From the various e-mails disclosed, its obvious that they have no qualms milking the tax payer dry by charging exorbitant fees like $250 per hour to troll SM sites.
Regardless of how attractive privatizing intelligence and security may seem at the moment, ultimately, national intelligence should be managed by military and career civil servants that should report to elected officials, who in turn should have specific term limits. True, this may not be the best way, after all, Edgar Hoover’s managed to abuse the process through the term of six presidents, but in the end, as the founding fathers envisioned, the system does self correct, it has been doing it now for over two hundred years.
© Copyright 2013 Yaacov Apelbaum. All Rights Reserved.