10 January 2018

To Stay Safe On The Internet, Don't Stand Out From The Herd

by Scott Stewart

Over the holidays, Kyle Richards, a star of the TV show "Real Housewives of Beverly Hills," and her family enjoyed a luxurious vacation in Aspen, Colorado. But back in California, burglars broke into their home on the night of Dec. 27 and made off with more than $1 million in jewelry. Their home appears to have been carefully targeted; the criminals knew where it was and apparently what was inside. They also knew that the family was away on vacation, because Richards had heavily documented the trip on her Instagram account.


Earlier in the month in Germany, anarchists published photographs of 54 Berlin police officers on the website indymedia.org. The officers had participated in a raid to evict squatters from a former carpet factory. The occupation of the building and the eviction were highly publicized events for European anarchists, and they asked people to help identify the officers involved and to offer "tips regarding where they live or can be met privately." The German police union took that request as an obvious threat against the officers and their families.

While I've written before about the dangers of making oneself a target on social media, these two cases had me thinking about the intersection of the internet and the attack cycle - or attack cycles really, because there is a difference between being targeted by criminals, terrorists and hostile intelligence officers - as well as the variety of operations these malefactors are capable of.
The Criminal Actor

Let's first consider the criminal planning cycle.


As I've noted before, there are strong similarities between the criminal and terrorist attack cycles. All criminals must progress through the cycle by selecting their target, planning the crime, conducting the crime and escaping, even though some do so in a condensed time frame. There is a huge difference in the amount of time a kidnapper spends selecting a target and surveilling him or her for weaknesses compared with the time a lurking mugger or rapist takes. Nevertheless, the process is still being followed, albeit in a different order.

An opportunistic criminal is more like an ambush predator, one who plans a crime, identifies an ideal site in which to conduct it and then waits for a suitable victim - like a crocodile at a watering hole. Such criminals are not really relevant to this discussion because they are not targeting a specific individual; they are merely preying on vulnerable targets who happen to wander into their attack site.

The criminals who pose the greatest threat by using information posted online are those who operate more like stalking predators, such as a lion surveying a herd and looking for the most vulnerable animal. Such criminals can include burglars, kidnappers, scam artists and extortionists. And in such cases, people make themselves more desirable targets by standing out from an array of potential victims. They do this by providing information about their wealth or possessions and by publicizing their whereabouts on social media. These details can be used for the target-selection and planning phases of the criminal cycle. The high-profile armed robbery of Kim Kardashian in October 2016 at a chic Paris hotel is a textbook example of such a case, and it appears as if the burglary of the Richards' home is another - as well as the latest in a string of burglaries targeting celebrities in Los Angeles in recent years.

In some cases, a stalking criminal may be motivated by personal animus. This group could include a disgruntled former employee, a jilted lover or even a mentally disturbed stalker with an irrational focus of interest. The May 2016 attack on Japanese pop star Mayu Tomita by a deranged fan is such an example. While her attacker selected her because of his fixation on her, she promoted her appearance in advance on social media, and he used the information to plan his knife attack, which left her critically wounded.

Of course, not all criminals need to make physical contact with their victims. Lawbreakers are increasingly active in cyberspace, and the information people provide online, frequently on social media sites, can be mined to aid in cybercrimes. Recently I saw a message that a family member had responded to on Facebook that appears to have been specifically engineered to elicit the kinds of information used to answer security questions for account logins and password resets. The message was framed as "let's get to know each other better in this hectic, disconnected world," but it included questions about the city where you met your spouse, the name of your first pet, the town your mom was born in and the name of your high school mascot. It was clearly about far more than becoming better acquainted.

In phishing and ransomware attacks, social media can not only be used to collect intelligence for target selection and planning, but it can also serve as the conduit for the attack itself if infected files or URLs are passed over social networking apps. Iranian intelligence agents did this in their hack of professional services firm Deloitte, and this leads us to the use of social media in human intelligence recruitment.
Recruiting a Human Intelligence Asset


Human intelligence recruitment has three basic segments: spotting, developing and pitching. In the spotting phase, recruiters try to determine a list of the people who have access to desired information and then assess who among them will be the easiest to approach and recruit. Developing is establishing a relationship with the target in order to make a recruitment pitch. And pitching is just that, using whatever approach - money, ideology, sex, coercion, ego or something else - that will allow the human intelligence practitioner to recruit the target as a source.

In the Deloitte hack, it was relatively easy for Iranian intelligence to identify potential targets by using the job descriptions listed on their LinkedIn accounts. Agents then approached potential targets using the social media profile of an attractive woman, "Mia Ash," and based on their responses to the contact request, worked on developing those deemed the most receptive. And they did find one who was willing to take their malware bait.

Besides cyberespionage, the information offered on social media would be helpful for human intelligence practitioners in the real world as well. I know that in my own social media universe, I often see the online interests and posts that would seem to make people ripe for recruitment. Think about the people on your social media feeds who are always complimenting attractive people of the opposite sex and how they would be ripe for a honey-trap approach. Or consider the people complaining about not being able to afford this or that being open to financial enticement. Or think about the people who are always posting selfies looking for affirmation and how they would be susceptible to a little ego stroking.

Moreover, the people who share their favorite hobbies, bars, gyms, restaurants and more make it easy for an intelligence officer to find them and make contact. Armed with so much personal information about their likes and dislikes, developing a relationship would be child's play. In the old days, an intelligence agency would have needed an access agent inside an organization, or extensive surveillance, to obtain those details on a prospective source. Today, many people broadcast all that information for the world to see, providing significant shortcuts for human intelligence practitioners looking to prey on them.

And for some practitioners, the internet has become a powerful tool to spot, develop and pitch terrorist recruits. Some of the initiates have traveled overseas to fight with jihadist or other groups. Others have joined extremist groups at home or have decided to conduct attacks near where they live. But aside from recruiting, there are other places where the terrorist attack cycle intersects the internet.
Planning a Terrorist Act


Obviously, much as there are different types of criminals, there are different types of terrorists: Some specifically target individuals, and some target a place and whoever happens to be there at the time of the attack. In the first category, it is easy to see how information that a potential target reveals on the internet can be used to aid in planning an attack, especially when the information helps establish routines, routes and habits. However, while such information is quite helpful in target selection and can provide significant time savings at the beginning of the planning stage, it is generally not sufficient to plan a sophisticated operation, such as an armed assault or assassination bombing. Additional physical surveillance is needed to finalize the details. There simply is no substitute to seeing the attack site, the target and the security measures with one's own eyes. The same principle holds true for complex crimes, such as kidnappings, high-end burglaries or bank robberies - the criminals need to case the target in person. Of course, this leaves them vulnerable to detection during their surveillance.

As for terrorists planning attacks on places rather than against specific individuals, I had the opportunity to do a presentation at the InfraGard association's annual meeting in September 2016 on the topic of the "Internet and the Terrorist Attack Cycle." For that presentation, I decided to assume the role of a terrorist looking to attack my own speech, and with the help of another analyst, I scoured the internet for all available information on the speech and the venue: Room W303 at the Orange County Convention Center in Orlando, Florida. In the end, we found the information on the internet extremely helpful but incomplete, with some significant gaps. We determined that we would have needed more information to plan a successful suicide bombing or armed assault. That information would have to be obtained either via personal surveillance or by recruiting an informant who worked there.

And with all that said, it is still a good practice not to make life any easier for terrorists, criminals or hostile intelligence agents. Because of this, it is best to limit the type and amount of personal information one makes available on the internet that could be used to cause you harm.

"To Stay Safe on the Internet, Don't Stand Out From the Herd" is republished with permission of Stratfor.

No comments: