UK Spy Chief's Embarrassing Photos Teach Social Media Security Lesson
Posted by Mitch Wagner on July 9, 2009 10:12 AM
The wife of Sir John Sawers, the new head of British spy agency MI6, caused a stir when she posted personal family information to Facebook, including an unflattering photo of the middle-aged bureaucrat wearing nothing but Speedo swim trunks while on vacation at the beach. It's a silly tabloid story, but it also teaches a serious lesson about social media security.
Sawers is due to take over as head of the Secret Intelligence Service in November, putting him in charge of Britain's spying operations abroad. Lady Shelley Sawers posted family photos and information to Facebook, which could have compromised the safety of the family and their friends, according to the Daily Mail. The Facebook information, available to any of the 200,000 people in the service's London network, includes the location of the London apartment the couple use, and the whereabouts of their three children and Sir John's parents.
Also included: A plethora of photos of the family looking ultra-dorky.
Sawers's political opponents are calling for an investigation into what they describe as a security breach, one that raises questions about whether Sawers has the judgment to serve.
Foreign Secretary David Miliband defended Sawers. "It is not a state secret that he wears Speedo swimming trunks," he said.
But maybe it should be. This was not a flattering photo.
It's a funny story. But it also teaches a serious lesson about the security problems that come up when people in high-responsibility positions use social media.
When we think about insider security problems, we worry about disaffected employees deliberately stealing or doing damage. Or we worry about dumb employees making mistakes that can be exploited by enemies. But the Sawers incident shows how even otherwise smart people can make innocent mistakes that compromise security.
The Sawers incident underscores a report made by the U.S. Defense Intelligence Agency several weeks earlier.
America's soldiers are smart enough to avoid tweeting things like, "Sooper-seekrit invasion starts tomorrow! See you at the airport at 0800!" But even something perfectly innocent, like mentioning a nearby Starbucks, can breach security, according to Nick Jensen, an operational security analyst at DIA.
Jensen presented a fictional scenario ... in which a foreign agent named Jane starts by exploring the membership of a LinkedIn group called Intelligence Professionals. In Jensen's scenario, LinkedIn provides a target DIA employee's basic résumé with a link to his blog. The blog, in turn, has links to other social media sites the person participates in, so the adversary can browse Flickr photos and Twitter messages, continuing to round out the picture. The DIA employee uses the same handle on many Web sites, allowing Jane to search for posts he has made elsewhere. On Slashdot, he mentions something about the Starbucks near his house.
That allows Jane to bump into her target at Starbucks, hack the wireless session he initiates from his iPhone and eventually capture information, including his online banking password. From there, she has many options to monitor his every move, drain his bank account or blackmail him.
Adversaries might be able to identify individuals working on strategic technology by combing LinkedIn. Online discussion groups and blogs might help foreign intelligence services find disgruntled employees who could be recruited or blackmailed.
People with access to sensitive information need to learn to be more circumspect, and take precautions such as using different user names on different services, the DIA advised.
In the case of the Sawers incident, enemy agents could identify Sawers's family members and close friends, and target them for kidnapping. Knowing where the Sawers stay when in London could allow them to bring an attack literally to the family's doorstep.
Or the enemy agents could simply threaten to make fun of how Sawers looks in Speedos.