}

Social Spies: How Governments and Companies Use Social Media for Intel

15/10/2019

[:en]I wrote a year ago about Social Media and identity theft. In that post, I discussed information leakage and how bad actors could use that for stealing someone's identity. There are other off-label uses for social media platforms including business competitive analysis, actual spying, and a place for covert operatives to help secure their assumed identities.

Competitive Intelligence


It is only natural that businesses want to learn about their competition: they read other companies' annual reports and SEC filings, they watch news wires, and they analyze competitors' websites, among other things. But social media can provide a treasure trove of data through the same information leakage I discussed in the earlier post.

One avenue for the leakage is job posting sites. If a company posts an opening for, say, a marketing director in a company or region where they do not currently operate, it may indicate an expansion. A posting for a software developer experienced in the Internet of Things (IoT), it may indicate the development of products in that area.

Likewise, employees can unintentionally leak information on a social site. They may ask or answer questions about technologies not usually associated with their employer. Or they may just a little too much on a slide-sharing site or a video platform. In researching this post, I found some specific examples in an older post on forbes.com; there are clearly more options now.

On a similar note, attackers can use these sites to discover titles and job roles at companies they want to attack. They can select employees for spear phishing attacks, for example. Or they might forge emails from a manager to her employees. Before the prevalence of social media, company employee lists were often considered confidential. Now a search on LinkedIn (and I am using them only as an example. They are only one such site. I am a LinkedIn user and have no intention of saying anything negative about them here) or other platforms can help one generate a partial list short order.

Connecting to a Spy


Both corporate and more conventional spies understand that one essential (and in many cases the core) technique is something called "HUMINT" or human intelligence. What better place to connect to people is through social media? A LinkedIn connection request may appear to come from a potentially valuable business contact, but may indeed come from a spy of either type.

The requester could appear to have an impressive resume and multiple contacts. When was the last time you actually took the time to verify a LinkedIn contact request? It may be very difficult. Will a company verify that a person actually works there? If you message one of their contacts, wouldn't a bogus one verify the individual's identity?

And don't think this is limited to LinkedIn; a connection could be on any number of platforms. In fact, a request on multiple platforms might make it more believable!

And once you accept such a contact, you may inadvertently share information with that spy. Personally, I have few, if any, Facebook contacts I do not know personally (I am connected to people with whom I work, but have only communicated with via email, for example). I don't share much on LinkedIn outside of a few groups where I am aware people I do not know could see the information.

Keeping Your Cover


Spies need cover identities or "legends". If you wanted to build a profile that people could believe, social media would be a great option. You could use a real photo and everything else could be bogus. This was discussed briefly in an article in the International Business Times which also discusses other social media by intelligence services.

Social Media is clearly for more than cute cats and rants about politics. It has serious uses for both good guys and bad guys. Being aware of these uses can make them safer for organizations and individuals.

To your safe computing.[:]

Written by John McDermott

John McDermott, CPLP, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.