Whenever I shop on the internet, I skip right over the positive reviews of products and go straight for the bad ones, figuring the company probably paid some hack to sit and create fictional names and post fake glowing five-star reviews for their products to dupe unsuspecting customers. But what if the federal government could operate this way?
What if the government had the ability to pass its own information through false mediums to unsuspecting citizens?
The U.S. government recently offered private intelligence companies contracts to create special software to it help manage a number of “fake” profiles on social media websites.
The contract opportunity (PDF) — posted last summer at FedBizOpps.gov — actually calls for the development of an “Online Persona Management Service” for the U.S. Air Force, a software that would help a single user manage a variety of distinct fake profiles online. According to the contract proposal, the software could be deployed in Iraq and Afghanistan, but there is no guarantee it would not be used domestically as well.
Why is this only now coming to light?
Recently leaked** email files from the private security firm HBGary reveal internal discussions of how one person could use the software to create an army of fake profiles. In essence, it allows a small group of people to appear to be many.
According to the contract, the software would enable the government to shield its fake identity by employing a number of false signals to make it appear that the profile belongs to a real person. Additionally, software technicians could manipulate unique IP addresses to make it look like the profile originated from anywhere around the globe.
“A single user could manage unique background information and status updates for up to 10 fake people from a single computer,” The Enquirer notes.
Included in the leaked emails was a specific proposal on how to use Facebook to spread government messages.
“Those names can be cross-referenced across Facebook, twitter, MySpace, and other social media services to collect information on each individual. Once enough information is collected this information can be used to gain access to these individuals social circles. …
Even the most restrictive and security conscious of persons can be exploited. Through the targeting and information reconnaissance phase, a person’s hometown and high school will be revealed. An adversary can create a classmates.com account at the same high school and year and find out people you went to high school with that do not have Facebook accounts, then create the account and send a friend request.
Under the mutual friend decision, which is where most people can be exploited, an adversary can look at a targets friend list if it is exposed and find a targets most socially promiscuous friends, the ones that have over 300-500 friends, friend them to develop mutual friends before sending a friend request to the target. To that end friend’s accounts can be compromised and used to post malicious material to a targets wall. When choosing to participate in social media an individual is only as protected as his/her weakest friend.”
The leaked emails also include messages from sister company HBGary Federal’s CEO Aaron Barr saying, “There are a variety of social media tricks we can use to add a level of realness to all fictitious personas… Using hashtags and gaming some location based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise, as one example.”
Additional emails sent back-and-forth among HBGary employees also shed disturbing light on how the software could be manipulated to infiltrate groups, data mine, and even bombard discussion sites with orchestrated government messages — a.k.a. propaganda.
One employee wrote, “and now social networks are closing the gap between attacker and victim, to the point I just found (via linked-in) 112 females, wives of service men, all stationed at Hurlbert Field FL – in case you don’t know this is where the CIA flies all their “private” airlines out of. What a damn joke – the U.S. is no longer the super power in cyber, and probably won’t be in other areas soon.”
Barr also predicted a steady rise in clandestine or secret government operations to stem the flow of sensitive information. “I would say there is going to be a resurgence of black ops in the coming year as decision makers settle with our inadequacies… Critical infrastructure, finance, defense industrial base, and government have rivers of unauthorized communications flowing from them and there are no real efforts to stop it.”
“I don’t know about you, but this concerns me greatly,” Daily Kos blogger Happy Rockefeller writes. “It goes far beyond the mere ability for a government stooge, corporation or PR firm to hire people to post on sites like this one. They are talking about creating the illusion of consensus. And consensus is a powerful persuader.”
Gawker’s Adrian Chen asks: Why is the military creating an army of fake people on the internet?
The request was for 50 licenses, which means the Air Force hoped to create up to 500 fake Internet people. The request was filled in June, which means these fake people could be roaming the ‘net right now.
“WTF Dude?” one HBGary employee emailed to another. “This is posted on open source. Are you f***ing serious?”
Apparently this type of government contract is generally negotiated behind closed doors.
Given the importance of social media nowadays — namely the influence the networking sites have had on organizing protests and spreading information — this kind of technology could potentially become a very powerful social weapon.
**The emails were reportedly leaked by Anonymous, one of the world’s most notorious underground hacking groups. Recently, the group caught national attention after hacking sites of companies which cut off ties to the online site WikiLeaks. Anonymous also revealed that HBGary colluded with Bank of America in a plot to disrupt WikiLeaks. As a result, a number of security firms have cut ties with HBGary.
“Anonymous used to be all about disrupting the Web sites of companies that helped block WikiLeaks’ funding. Now it’s starting to act like WikiLeaks itself,” Forbes recently noted.