Thursday, July 22, 2010

Hezbollah Spies via Facebook

In an excellent article in The Washington Times, UPI’s Shaun Waterman described a “red team” activity in which a security consultant created a false persona on Facebook that appeared to be an attractive young woman working in cyber defense. She quickly garnered hundreds of friends in the national security community, as well as job offers and invitations to conferences. In the process she gathered a great deal of sensitive material, such as inadvertently exposed passwords.

This is not a hypothetical concern – Hezbollah (long a terrorism pioneer) has already employed this strategy. According to the Israeli news site MySay:

The Hizbullah agent pretended she was an Israeli girl named “Reut Zukerman”. “Reut” succeeded during several weeks to engage more than 200 reserve and active personnel.

The Hizbullah agent gained the trust of soldiers and officers that didn’t hesitate to confirm him as a “friend” once they saw he/she is friends with several of their friends from the same unit. Most of them assumed that “Reut” was just another person who served in that elite intelligence unit.

In this way, Hizbullah collected information about the unit’s activity, names and personal details of its personnel, the unit’s slang, and visual information on its bases. This user / agent using Facebook is an example of a trend called fakebook.
The picture attached to “Reut Zukerman” was, of course, of an appealing young woman (some tricks are timeless).

Implications

The first concern regarding incidents of this nature is the raw intelligence collected. But beyond the data itself, such access creates opportunities to gather even more data. An op-ed I co-authored for The Washington Times on the probable future of cyber-war argued:
Critical government systems are run on Intranets, networks that are separate from the Internet.... Most government Intranets do have points at which they interface with the Internet, and Intranets have been infected with malware from the Internet. However, Intranets are relatively controlled environments, so anomalous activity (at least theoretically) can be controlled and isolated quickly.

Because compromising those networks may be crucial in a military conflict, nation-states with serious cyberwar ambitions will carefully tailor malware for specific systems....

The most serious cases of identity theft usually involve social engineering, tricking the target to reveal crucial information that facilitates the crime. The same may be true in tailoring attacks to critical networks.... Social-network analysis could be used to identify individuals who are likely to have contacts within the security establishment and attempt to insert malware through them.

Imagine the now ubiquitous phishing attacks masquerading as e-mail from banks and credit card companies but instead designed by sophisticated intelligence agencies and carefully targeted at small communities.
The fakebook phenomenon adds additional wrinkles to this possibility. Using social network information, infiltrators will have additional information with which to identify targets for social engineering, develop material and approaches for these targets, and identify people whom the target would “trust.”

Consider this scenario (which is not far from what has happened). A foreign intelligence agency identifies an analyst who has access to a network of interest. The agency sends the analyst a spoofed email that appears to be from someone known in the field, containing a paper for review that also carries malware. Using data collected from social network analysis, the intelligence agency can carefully choose the spoofed specialist – making sure it isn’t someone the analyst knows well, but someone the analyst would know of – and the email could refer to mutual acquaintances. The paper could be carefully tailored to the analyst’s interests.

This may sound like a great deal of work, but modern computing makes the accumulation and correlation of data far easier, so much of this effort could be automated.

Cyber-security is clearly a growth industry and presents serious challenges. But whatever technical innovations are employed to prevent intrusions, they cannot succeed if they do not fully consider the human side of the equation.

Thursday, July 8, 2010

Obama-Netanyahu: Reality Sets In

Every pundit worth his/her appearance fee has weighed in on the Obama-Netanyahu summit (the Washington Institute’s Rob Satloff wrote a good analysis). The TerrorWonk has little to add, only a broader observation. In studying bureaucratic politics one reality that jumps out is that it is very hard for the President of the United States to get his own government to do what he wants. That goes at least double when dealing with other governments.

The reason Presidents can only rarely give orders is due to the combination of shared constitutional powers and the plethora of competing interests in the American political landscape. Now, when dealing with foreign governments they have their own competing interests and institutional limitations. Then there are bi-national and multi-national issues to further complicate the issue. (The classic on this is Richard Neustadt’s case study of the Skybolt affair. We wanted to cancel Skybolt because it was expensive and would never work. But we were building it with the Brits, for whom it was the only way to keep a viable nuclear arm. The alternative was to let the Brits have the Polaris missile – but that might have interfered with European unity efforts – and possibly a nuclear Germany. We ended up giving the Brits the Polaris, European unity efforts still blundered on, and Germany did not go nuclear.)

Obama attempted to dictate to the Israeli government without taking its domestic political pressures into the equation. This had an unfortunately high cost, making the President look foolish and weak on the world stage. Unfortunately, governments don’t tend to accept conditions that will result in falling out of power and Netanyahu was no exception.

But doesn’t the U.S. give Israel several billion a year in aid? Shouldn’t that translate into influence?

True enough, but even substantial aid does not make one government beholden to another. Consider that the United States pays for essentially the entire Afghan government and has 100,000 troops on the ground and still can’t get Hamid Karzai to do what it wants.

For that matter, in pressing for payments from BP, Obama has had to be sensitive to domestic British politics – the list goes on. In that sense, Israel is just like every other country in the world. Approaching it any other way carries a huge cost in political capital at home and abroad.

Monday, July 5, 2010

Terrorists: Nitwits or Masterminds?

Recently, in the Atlantic Monthly Daniel Byman and Christine Fair (two first-rate analysts) argue that the reality is that the terrorist enemies of the United States are not highly disciplined religious fanatics – but in fact are a bunch of nitwits. The article is interesting, provocative, and makes some important points. But we cannot dismiss the terrorists as nitwits quite yet – they’ve had failings in attacking the U.S. homeland directly, but they have also had some important successes.

Byman and Fair point out the many cases of terrorist incompetence, such as the Times Square bomber, the UK doctors, and the Miami jihadis. In many regards, I agree with them. Terrorist groups are extremely constrained in their efforts to hit “far targets.” I’ve argued that this is a logistical issue. With intelligence agencies worldwide on high alert, it is increasingly difficult to move operatives long distances. This complicates long-range terror strikes. Self-starters do not have the necessary skills, and groups do not want to risk well-trained operatives on operations that will probably not succeed. The failed attacks on the West aren’t because the terrorists are stupid. What’s more, they are adaptable. My argument continued that the danger was now in the realm of geopolitics – terrorists destabilizing an important country rather than carrying out direct attacks in the U.S. or the West.

Fair and Byman also state that the Taliban are similarly stupid. They frequently blow themselves up and also become intimate with livestock (this has been caught on tape by drones and other battlefield cameras). Maybe, but they are also giving the U.S. military a run for its money, so discounting their capabilities seems unwise. I would be remiss if I did not note two important points their article makes. First, that the less-than-pious behavior, as well as their tactical mishaps, could be important tools for American public diplomacy efforts to discredit them. Second, Fair and Byman point out the importance of disrupting terrorist training facilities so that they remain stupid. This is dead on – terrorist groups are adaptable, “learning” organizations. If they cannot learn and transfer knowledge, they cannot survive.

But another recent event highlights the adaptability of asymmetric opponents and is perhaps a caution against any kind of over-confidence. The Gaza Flotilla was a brilliantly planned operation on every level (tactical and strategic). If the key in asymmetric warfare is to exploit critical vulnerabilities with small amounts of force, the Flotilla operation succeeded. (Strictly speaking, calling the Gaza Flotilla terrorists is problematic, as they were attacking military personnel. On the other hand, they were doing so in an effort to support Hamas – a terrorist organization.)

Tactically, the Flotilla organizers carefully examined Israeli operations and identified a way to create a situation that worked to their advantage. Politically the Flotilla undermined Israel’s Gaza policy, the Israeli-Turkish alliance, and drew attention to Egypt’s siege on Gaza. (Long-term, as I’ve argued before, the Egypt angle may be the most significant.)

There have been important gains against terrorism, but very serious dangers remain. There are a lot of dumb terrorists – but there are also more than enough smart ones.