Cross-posted from my blog http://politeching.wordpress.com/
Social engineering is the practice of deceiving people or manipulating public opinion through misrepresentation. The perpetrators usually pretend to be someone they are not. When the goal is stealing your personal information, social engineers use all kinds of low-tech tricks to get that information out of you. Politically, social engineers use various methods to manipulate public opinion. With the wide use of social media nowadays, social engineering for political purposes has adopted new means of taking advantage of this new medium. These new methods are illustrated below.
STEALING YOUR PERSONAL INFORMATION
A widespread misconception about protecting your privacy and personal information is that you only need to protect your computer and saved data. However, social engineers do not need to hack into your account, and the techniques they use are nothing new. Famous social engineer and former computer criminal Kevin Mitnick has said that it is easier to trick someone into giving up a password than to spend the effort hacking a system.
Survey or Research Fraud – One technique used to make people reveal their personal information is a phone call claiming to be a survey conducted on behalf of your financial institution, or part of a research study. Sometimes the caller will promise you a gift. Once the questions start rolling in, they may ask for your birthday, address, income and employer. That information can then be used to apply for a credit card or other credit in your name. Another low-tech method is a smooth-talking con artist chatting with you at a bar to get personal information out of you.
Social Networks – One instance of social engineering involved a simple Google search of a victim's e-mail address, which gave the perpetrator a lot of personal information such as phone numbers and addresses. Most users also have their personal information readily available on Facebook, and a lot of uninformed Facebook users have unsuspectingly shared their personal information with third-party app developers.
Phishing scam – This technique uses e-mail or instant messaging to fool people into providing personal information by making the sender appear legitimate. It is with this method that foreign hackers were able to break into the computer networks of the Government of Canada's Finance Department and Treasury Board.
Those are just a few examples. A good general rule of thumb is never to give out your password or the personal information you normally use to authenticate to your financial accounts. A legitimate institution will not ask you for your password; if a caller claims to be your bank, hang up and call back using the number printed on your card or statement.
After the media's excitement about Egypt's "Facebook revolution", I warned against overhyping social media. It is just another tool, one that those who seek to manipulate information will adopt and use to their advantage before long.
A malicious government does not need to put much effort into social engineering. It can simply access your census, passport or other personal information, and then tailor its appeal to you based on your ethnicity and religion. Measures need to be in place so that the user ID of any official accessing private personal information is logged, and so that those logs are actually reviewed for access that has no legitimate purpose.
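As an added example (not code from the original post), here is one way the logging requirement above could look in practice: a small registry in which every read of a citizen record goes through one function that appends who read what and why, plus a check over that log that flags any official who reads a sensitive field such as religion or ethnicity on an unusually large number of distinct records in a short time. The records, the officials, the sensitive-field list and the thresholds are all constructed for illustration.

```python
"""Audit logging of access to personal records, with a check over the log.

Added example, not code from the original post. The registry contents,
the officials, the sensitive-field list and the thresholds are all
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fields whose access is audited individually (hypothetical policy choice).
SENSITIVE_FIELDS = frozenset({"religion", "ethnicity"})


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user_id: str          # the official's account: the thing that must be logged
    record_id: str
    fields: frozenset     # which fields of the record were returned
    purpose: str          # free-text justification supplied by the caller


class Registry:
    """Citizen records that can only be read through a logging API."""

    def __init__(self, records):
        self._records = records
        # Append-only in this toy; in production this would be written to a
        # separate, tamper-evident store that the officials cannot edit.
        self.log = []

    def read(self, user_id, record_id, fields, purpose, now):
        rec = self._records[record_id]
        self.log.append(AccessEvent(now, user_id, record_id, frozenset(fields), purpose))
        return {f: rec[f] for f in fields}


def flag_bulk_sensitive_reads(log, window=timedelta(hours=1), limit=3):
    """Return the user_ids that read a sensitive field on more than `limit`
    distinct records inside any sliding window of length `window`."""
    per_user = defaultdict(list)
    for ev in log:
        if ev.fields & SENSITIVE_FIELDS:
            per_user[ev.user_id].append((ev.ts, ev.record_id))
    flagged = set()
    for user, events in per_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {rid for t, rid in events[i:] if t - t0 <= window}
            if len(in_window) > limit:
                flagged.add(user)
                break
    return flagged


def demo():
    """Constructed scenario: one clerk doing routine lookups, one official
    doing two legitimate sensitive reads, and one analyst pulling the
    religion field of many records in a few minutes."""
    records = {
        f"r{i}": {"name": f"Person {i}", "address": f"{i} Main St",
                  "religion": "unspecified", "ethnicity": "unspecified"}
        for i in range(1, 7)
    }
    reg = Registry(records)
    t = datetime(2011, 2, 20, 9, 0)
    # Routine address changes: no sensitive fields, any number is fine.
    for rid in ("r1", "r2", "r3", "r4", "r5"):
        reg.read("clerk_a", rid, ["name", "address"], "address change", t)
        t += timedelta(minutes=2)
    # Two sensitive reads by one official: under the limit, not flagged.
    reg.read("clerk_c", "r1", ["name", "religion"], "benefit eligibility", t)
    reg.read("clerk_c", "r2", ["name", "religion"], "benefit eligibility",
             t + timedelta(minutes=5))
    # Five distinct records' religion field pulled in ten minutes: flagged.
    for i, rid in enumerate(("r1", "r2", "r3", "r4", "r5")):
        reg.read("analyst_b", rid, ["name", "religion"], "outreach list",
                 t + timedelta(minutes=2 * i))
    return flag_bulk_sensitive_reads(reg.log)


if __name__ == "__main__":
    print("officials to review:", sorted(demo()))
```

The point of routing every read through `Registry.read` is that there is no code path that returns a record without producing a log line; the check then turns the log into something a reviewer can act on instead of a pile of entries nobody reads.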
Canada's government was mired in controversy when it mailed out Jewish Rosh Hashanah greeting cards in 2007 and 2008. On both occasions, some of the recipients expressed serious concerns.
"I was a little alarmed at the idea that the government might have some list of Canadian Jews, whether or not they're using that for benevolent or malevolent or cynical reasons," Mr. Terkel said. "It doesn't seem my religion should be the business of any federal government." - Jonathan Terkel (Reported by Canada.com)
The government claimed it got the names from the local community. But several recipients disputed that, expressing the same concern as Jonathan Terkel.
He says he subscribes to no Jewish publications and doesn't give to any specifically Jewish causes, so he isn't sure how the PMO got his name.
It is not clear where the government got people's religious information from, and it might very well not be as I described above. However, a government that singles out a specific group based on religion or ethnicity is just a bit unnerving.
Political Army of Internet Posters
A political party could try to influence public opinion by creating an illusion of popular opinion. This can be done by staffing its war room or campaign strategy centre with armies of posters who populate internet forums and the comment sections of news sites with the party's talking points. This employs the "Big Lie" technique, where
If you tell a lie big enough and keep repeating it, people will eventually come to believe it.
People are also vulnerable to the bandwagon effect, where they are more likely to adopt what they perceive as the popular opinion, out of a desire to belong to what is popular and hip.
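The other side of this is detection. As an added example, not from the original post, the following Python finds groups of accounts posting near-identical text within a short window, which is the signature of a poster army pushing one set of talking points. Each comment is reduced to its set of word 3-grams, comments from different accounts are linked when their Jaccard similarity is high, and a linked group is flagged when it spans at least three accounts inside a two-hour window. The sample comments, account names and thresholds are constructed for illustration.

```python
"""Flag coordinated near-duplicate posting across accounts.

Added example, not code from the original post. The sample comments,
account names and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations


def shingles(text, n=3):
    """Set of word n-grams after lower-casing and dropping punctuation, so
    that 'Vote NO!' and 'vote no' compare equal."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def find_coordinated_clusters(posts, sim_threshold=0.5, min_accounts=3,
                              window=timedelta(hours=2)):
    """posts: list of (account, timestamp, text).
    Returns a list of account sets, one per group of near-duplicate comments
    that spans at least `min_accounts` distinct accounts within `window`."""
    sh = [shingles(text) for _, _, text in posts]
    # Union-find: join any two comments from different accounts whose
    # shingle sets are similar enough.
    parent = list(range(len(posts)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, j in combinations(range(len(posts)), 2):
        if posts[i][0] != posts[j][0] and jaccard(sh[i], sh[j]) >= sim_threshold:
            parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i in range(len(posts)):
        groups[find(i)].append(i)

    flagged = []
    for members in groups.values():
        accounts = {posts[i][0] for i in members}
        times = [posts[i][1] for i in members]
        if len(accounts) >= min_accounts and max(times) - min(times) <= window:
            flagged.append(accounts)
    return flagged


# Constructed sample: three accounts pasting one talking point with cosmetic
# edits inside half an hour, and two genuine commenters saying different things.
_T0 = datetime(2011, 2, 20, 9, 0)
SAMPLE_POSTS = [
    ("sock_01", _T0,
     "The new budget is a job killer and will bankrupt the province. Vote no on Tuesday."),
    ("sock_02", _T0 + timedelta(minutes=5),
     "The new budget is a job killer and will bankrupt the province! Vote NO on Tuesday"),
    ("sock_03", _T0 + timedelta(minutes=22),
     "Honestly the new budget is a job killer and will bankrupt the province. Vote no on Tuesday."),
    ("reader_x", _T0 + timedelta(hours=1),
     "I read the budget document last night and the transit funding is actually up from last year."),
    ("reader_y", _T0 + timedelta(hours=3),
     "Can someone explain how the deficit target is computed? The numbers in table 3 don't add up."),
]


if __name__ == "__main__":
    for accounts in find_coordinated_clusters(SAMPLE_POSTS):
        print("coordinated accounts:", sorted(accounts))
```

Text similarity alone is a weak signal: an operator who paraphrases each talking point will slip under a 3-gram match, so in practice this is combined with signals the poster cannot cheaply vary, such as posting-time correlation, shared source addresses and account age.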
Just as I was preparing to write about social engineering and how it could be a threat to democracy, when voters are manipulated through orchestrated misinformation, a developing story came out about the internet activist group called "Anonymous" and its war with the security firm HBGary Inc.
HBGary Inc is a digital security firm with close ties to U.S. government officials from the Air Force, CIA, FBI, etc. Anonymous reportedly used a SQL injection vulnerability in HBGary's system to attack them, along with social engineering techniques. Anonymous gained access to the site and to troves of HBGary's e-mails, which have since been posted on torrent sites.
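The post does not describe the particular flaw, so here is a generic illustration of what a SQL injection vulnerability is, as an added example and not HBGary's code: a user lookup that splices the caller's input into the query text, next to the same lookup written with a bound parameter. Run against a constructed in-memory SQLite table, the first returns every row for a crafted input while the second returns none. The table, rows and inputs are all made up for the example.

```python
"""Vulnerable string-built SQL query beside the parameterized fix.

Added example, not HBGary's code and not from the original post. The
table, rows and inputs are constructed for illustration.
"""
import sqlite3


def make_db():
    """Constructed sample user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "ceo"), ("bob", "admin"), ("carol", "staff")])
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """VULNERABLE: the caller's text becomes part of the SQL itself, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """FIXED: the value is bound as a parameter; the database never parses it
    as SQL, so the same crafted input simply fails to match any row."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "nobody' OR '1'='1"
    print("unsafe :", lookup_unsafe(conn, payload))   # every row comes back
    print("safe   :", lookup_safe(conn, payload))     # []
```

The injected input turns the query into `... WHERE username = 'nobody' OR '1'='1'`, which is true for every row; the same string given as a parameter is just a username that nobody has.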
Some of the e-mail revelations include HBGary working with Bank of America and the U.S. government to undermine Wikileaks, and helping the U.S. Chamber of Commerce campaign against progressive bloggers. They are also said to be working on a new rootkit for Windows that would be undetectable. But the real revelation for me, as it pertains to social engineering, is the fact that HBGary planned to develop software for the U.S. government that would allow it to control a large number of virtual social media profiles (i.e. fake personas). Such a large number of virtual profiles could be used to propagate fake opinions and false news.
Software will allow 10 personas per user, replete with background, history, supporting details, and cyber presences that are technically, culturally and geographically consistent. Individual applications will enable an operator to exercise a number of different online persons from the same workstation and without fear of being discovered by sophisticated adversaries. Personas must be able to appear to originate in nearly any part of the world and can interact through conventional online services and social media platforms. The service includes a user friendly application environment to maximize the user's situational awareness by displaying real-time local information. (TechDirt)
During the Egyptian revolution, Twitter played an important role in providing up-to-the-second updates from the grassroots level, foiling attempts by the Egyptian government to block out news and instigate violence to create an excuse for a crackdown. I thought at the time that a future authoritarian regime could use Twitter to spread false information and deploy fake posters claiming to support the dictator. But then I thought that with a popular uprising on the scale of Egypt's, the army of government posters would easily be outnumbered.
But that has changed with the HBGary revelation. Their plan is to give one person the capability to control 10 personas. That way they don't need to outnumber the real dissenters; they need only one-tenth as many operators as there are real people. It is not inconceivable that the number could easily be increased beyond 10 personas per controlling person. When such a tool is used in a democratic election, it would lead to the propagation of false information and undermine a fair election.