Tuesday, September 01, 2009

Social Engineering: Duplicity of Twitter Risk...

The use of commercial-off-the-shelf (COTS) software applications and the revolution of Cyberspace virtual hardware devices connected to the "Cloud" has proactive Operational Risk professionals "burning the midnight oil". How many of your Executive Management and other employees with roles and access to sensitive proprietary information are using Twitter today? Did any of them update their Facebook profile last evening indicating their next travel stop? Are any of these individuals part of the corporate Mergers & Acquisitions team?

The use of social networking tools is not new when it comes to networking with colleagues or updating the professional experience history. What is less well known is how foreign intelligence agencies and competitive intel units from commercial enterprises are utilizing these products and solutions to perpetuate their collection of human and program information.

One only has to watch Tony Gilroy's latest movie "Duplicity" with Clive Owen and Julia Roberts to better understand the risks to corporate and national security. Gilroy's sequence of the Jason Bourne series to Michael Clayton and now Duplicity and "State of Play" all have very important lessons for us. Here is the Duplicity synopsis:

Julia Roberts working for the CIA and Clive Owen working for MI6 play competing undercover corporate high-level top-secret business spies who may or may not be conning each other. The movie shows us what lengths mega corporations will try and go to keep their new product information out of the hands of their competitors. The spies in this case will not even acknowledge their relationship as a sly parallel to regular relationships. The implication here is that most people do not say or trust themselves in relationships, but as spies Julia and Clive have good reason to be wary. Multi-continent travels, many plot twists and counter-twists follow. The music is light, the locations are beautiful and evoke the Ocean's movies, and fun is had by all even if you can't always follow the plot.

Are you following someone on "Twitter" who is with one of your competitors? Do you know all of your followers personally? Who in your supply or customer chain may be leaking vital information before it's ready for "Prime Time"? What is the point? Here is a hypothesis; let's see if it makes any sense:

Lockheed Martin has thousands of suppliers. Each of those suppliers is interested in selling their products or services to LMT's competitors to increase their own market share. VirTra is one of those suppliers and provides the following capabilities to Lockheed:

(OTC:VTSI.PK), today announced that VirTra has received another order from Lockheed Martin Simulation Training and Support business for VirTra's newest and smallest Threat-Fire device, the Threat-Fire II.

The Threat-Fire II is a clip-on return fire simulator, similar in function to the Threat-Fire belt; however, the Threat-Fire II is designed to clip onto an officer or soldier's duty belt. The Threat-Fire II is not only small and lightweight to be unobtrusive, but it is also rechargeable and compatible with VirTra's wireless system.

"We are thrilled that Lockheed Martin has ordered our very latest Threat-Fire II. Our Threat-Fire line of return fire are highly effective simulation training aids and it is an honor that an industry pioneer like Lockheed Martin Simulation Training and Support continues to order VirTra's unique training devices,"

You can get to this press release by following this Twitter page, and you ask yourself: why would this person be tweeting about Lockheed Martin or VirTra's deal with them?

1,691 Following 1,313 Followers

VirTra Receives Fourth Order from Lockheed Martin Simulation ... http://bit.ly/1ZNuVz

A quick Open Source search reveals that she is a Sales Manager at Harrahs/Rio in Las Vegas. Whether she got this information on the VirTra deal because she is following someone, or because one of her followers sent her this "Tweet" on the press release, does not matter. She could have read this information in the local newspaper or on the RSS feed she has set up for tracking the Defense Industrial Base companies doing business together. What matters is the relevance of this information and the speed at which it becomes known to many, not just a few.

There is no law prohibiting the "Tweeting" of public information, as long as the so-called public information is not subject to some national classification scrutiny or is not some kind of insider information subject to SEC review. What is more likely is that she is like millions of others on the web who are using social networking to drive you to a web site that is funded by advertising or some other multi-level marketing offer.

This is just one small illustration of the power and the vulnerability that exists with the COTS software operating in our planet's virtual digital cloud today. How we apply its use for the good or the bad of humanity is up to each of the humans behind the keys on the PDA, Blackberry or PC. Therefore, just as the Internet has spawned the age of transnational economic crime, child pornography and cyber extortion plots, so too will these same tools on our mobile devices be leveraged to do us potential harm or good.

Viral Marketing is here to stay and the use of these new age tools to spread the word on a new product, a new stock offering or the sighting of a celebrity on Rodeo Drive in Beverly Hills is exploding:


  • The Ponzi scheme and related investment pyramid schemes are early examples of viral marketing. In each round, investors are paid interest from the principal deposits of later investors. Early investors are so enthusiastic that they recruit their friends, resulting in exponential growth until the pool of available investors is tapped out and the scheme collapses.
  • Multi-level marketing popularized in the 1960s and '70s (not to be confused with Ponzi schemes) is essentially a form of viral marketing in which representatives gain income through marketing products through their circle of influence and give their friends a chance to market products similarly. When successful, the strategy creates an exponentially growing network of representatives and greatly enriches adopters. Examples include Amway and Mary Kay Cosmetics among many others.

Tom Olzak offers us some great perspective on how to deal with the inevitable digital wave upon us:

Defending against the inevitable

Trying to adequately control new employee use of public social networking by simply telling them to stop is futile, although use of these sites should be addressed in the company’s acceptable use policy. And employee behavior can be modified somewhat by awareness training, but behavior is what it is. Some employees will continue to act in either careless or malicious ways, especially if motivated to do so. However, there are still things you can do, in addition to basic security controls, to mitigate risk, including:

  1. Blocking use of public social networking sites from the office is my strongest recommendation. This will help protect your data or social engineered information, about your company or network, from finding its way directly from the employee’s desk or your network, to either a social networking site or a friend met at such a site.
  2. Implement DLP (data leakage prevention). Know where and how your data is moving. If an online ‘friend’ of one of your employees happens to gain access because of sharing activities, you will be able to block data loss or at least know it’s happening.
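To make the two controls above concrete, here is an added example (not from Olzak or this blog) of a toy egress check: it reads constructed proxy-style log lines, blocks any request to an assumed list of public social networking hosts, and raises an alert when an assumed list of sensitive terms (an M&A codename, "term sheet") leaves the network by any other path. The log format, host list and terms are all assumptions for the illustration.

```python
"""Toy egress / DLP check over constructed proxy-style log lines (added example)."""
import re
from urllib.parse import urlsplit

# Assumed: public social networking hosts the acceptable-use policy blocks outright.
SOCIAL_HOSTS = {"twitter.com", "www.twitter.com", "facebook.com", "www.facebook.com"}

# Assumed: terms the company treats as sensitive (e.g. an M&A codename).
SENSITIVE_TERMS = ["project falcon", "term sheet"]

# Assumed log format: <timestamp> <user> <method> <url> "<posted text, may be empty>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<body>.*)"$')

# Constructed sample lines: a travel tweet that also names a deal, a public news
# page, an outbound mail mentioning the codename, and a plain visit to Twitter.
SAMPLE_LOG = """\
2009-09-01T08:12:03Z jdoe POST https://twitter.com/statuses/update "Off to Bethesda for the Project Falcon term sheet"
2009-09-01T08:15:44Z jdoe GET https://news.example/defense/new-order ""
2009-09-01T08:20:10Z asmith POST https://mail.example.com/send "Project Falcon draft attached"
2009-09-01T08:22:51Z asmith GET https://twitter.com/home ""
""".splitlines()

def parse_line(line):
    """Parse one log line into a dict with a 'host' field, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec

def classify(rec):
    """Return (verdict, hits): 'block' for social hosts, 'alert' when a sensitive
    term appears in the URL or posted text, else 'allow'."""
    text = (rec["url"] + " " + rec["body"]).lower()
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if rec["host"] in SOCIAL_HOSTS:
        return "block", hits      # control 1: no social networking from the office
    if hits:
        return "alert", hits      # control 2: know when sensitive data is moving
    return "allow", hits

def review(lines):
    """Run both checks over log lines; returns [(user, host, verdict, hits), ...]."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            verdict, hits = classify(rec)
            out.append((rec["user"], rec["host"], verdict, hits))
    return out

if __name__ == "__main__":
    for user, host, verdict, hits in review(SAMPLE_LOG):
        print(f"{verdict:5} {user:7} {host:25} {hits}")
```

Note that the first sample line would be both blocked and, if the block were bypassed, alerted on: the travel detail and the deal name are exactly the kind of combination the post warns about.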

Keep your eyes and ears open to what you are saying at the local restaurant or on the phone in the lobby of that big metro area hotel. It could be known to your competitors or your enemies within a matter of minutes.