Perhaps we can help the poor Admiral
127.0.1.1 www.facebook.com
NATO’s most senior military official has come under a concerted cyber attack from hackers believed to be operating from the People’s Republic of China. The Observer reported on Sunday that cyber fiends had targeted Supreme Allied Commander Europe (SACEUR) Admiral James Stavridis by opening fake Facebook accounts in his name in …
This 'guy' isn't messing about posting on face book, the article states that these were fake pages setup to try to trick others. The problem with social engineering isn't the people that are aware of it but the others who aren't.
Part of my training when I was in the military was to be aware of these things. Good for me to know about but if someone pretends to be me on a system I don't use not easy for the uninformed to be aware of.
It is a bit worrying that someone in such a high position is so publically exposed. I suppose, though, that it's just how things are these days. It isn't rare, is it?
What is more worrying is that there is something in it for the Chinese (or whoever). It implies that there are internal weaknesses in NATO that are vulnerable to phishing/misrepresentation approaches that would be facilitated by information gathered in this way.
They need to think about isolating their people as well as their networks.
Everyone is publicly exposed. And the nature of his role requires that he be a known individual.
Should he have to live on top of a mountain with no internet connection or social life just because of his career? Should we make all figures involved with politics, research and defence close down all social networking and private email addresses, blogs and websites? Obviously not. But that means that social hacking is and always will be a risk to him and others in important roles. So the goal becomes not to prevent such people from casting a shadow on the Internet, but to instead ensure that no risk is associated with it.
So one would hope that his password is a 16 digit random string, rather than his dog's name...
Does that really make sense in the long term, though?
You could make a case that the current leadership of NATO should stay off social media, but what happens in ten or twenty years time? Is today's 20- or 30-something junior officer supposed to commit social media suicide in order to have a shot at a senior staff position? I have a Facebook, Google+ and Twitter account (and even use them sometimes) and in the event that I get promoted into a staff role (hahaha - just made captain) should I delete all of those?
Now if any NATO/military systems are actually vulnerable to data gleaned from social phishing, that's a big problem. It seems highly unlikely, from my experience.
I accept the reality that people in high positions are now more publicly exposed and that it is probably now unreasonable to expect people who are in such positions or aspire to them keep off the social networks.
I also agree with the last point of the second AC post above : it would be bloody shocking if any NATO/military systems were directly vulnerable.
My main point is that there is obviously concern that this approach can be used to gain some form of access by a round-about route, via social engineering. That implies a weakness in the systems' meatware, that needs to be addressed.
"that it is probably now unreasonable to expect people who are in such positions or aspire to them keep off the social networks."
People who have shown they cannot combine the responsibilities present in their function with their presence on social media should be removed from the latter, and preferrably from both.
I doubt very much that anyone would be able to be able to become a RealWorld 1.0 friend or even acquaintance of Admiral Stavridis without being thoroughly probed by the Secret Service. So why would this be as easy as a few mouseclicks in FakeWorld 2.0?
What? Now one cannot be an acquaintance of a senior officer without being vetted?!
I think that you are seriously over-estimating the time and budget of counter-intelligence agencies, because that's not how vetting works. Suspicious contacts are reported, but defence staff do not 'phone Five every time they chat to someone in the pub.
Furthermore, how would avoidance of social media prevent someone making a fake profile for you on said media?
Truth is that a social media presence is NOT a risk, so long it is compartmentalised from any restricted work-based information (including locational data, one would hope), just as ANY personal information given (be it in conversation or writing) should have no bearing on restricted information. Anyone is susceptible to social engineering hacks, unless they live in a box. And although many career military individuals make an awful lot of sacrifices for their careers (including existing defined limits on social networking), asking them to bow out of the 21st century completely is not viable.
Not just *SOME* senior brass, he's SACEUR. And if if he's not worthy of SecService scrutiny beyond the average level, I don't know who is.
And there's a difference between using social media (which, for some obscure reason humanity has managed to do without pretty well for a fair part of its earthly presence anyway, so it's apparently not a showstopper if you don't partake) and using those channels in lieu of, say, a press conference to announce the end of NATO action in Libya.
And whether or not some joker manages to set up an account in your name is irrelevant. If whoever was trying to make contact with the real Admiral Stavridis fell for the fake account, then so what? MI5 got a volunteer assistant.
But a concern is not strictly a risk, if properly countered and predicted. ie: If the Admiral already knows not to use passwords tied to his private life, or to discuss restricted information in public or on social media, it's not a problem: ie it already has been addressed.
Whilst this kind of thing is possible, China blocks all Facebook activity. Very odd that individuals in China with a good knowledge of hacking and the English language as well as familiarisation with Facebook which is generally not known in China would spend their time doing this. Still it can be argued that anything is possible!
The fact that F***book itself is "prohibited" for mere mortals behind the Great (Fire)Wall does not logically lead to the conclusion that China does not have people with the skills to do this.
If China was void of people qualified to make F***book "do things", F***book would have been looking somewhere else and not china for developers and offering their SDK somewhere else as well.
That is besides the fact that people who are doing this are not necessarily mere mortals in the first place - they may have their own holes (big enough to drive an elephant through) in the Great (Fire)Wall.
"That is besides the fact that people who are doing this are not necessarily mere mortals in the first place"
It's not at all unlikely they're from a governmental department that has very close ties to the one sitting on top of the Great Firewall. And those on top don't need holes *through* the wall.
Why is it very odd?
It's basic social engineering. Except this is the 21st Century, so now people can do it via Facebook, rather than phoning your home pretending to be someone else.
China is the most heavily populated planet on Earth. I have no doubt that the total number of people fluent in English and skilled in hacking there probably outstrips that of most European countries. And 'familiarisation with Facebook' is hardly complex. It could be picked up inside a couple of working days... ok; make that a week now they've added Timeline...