
SANS ISC InfoSec Handlers Diary Blog



Iran Internet Blackout: Using Twitter for Operational Intelligence

Published: 2009-06-16
Last Updated: 2009-06-16 14:19:21 UTC
by John Bambenek (Version: 1)
1 comment(s)

One of the topics in the halls here at SANSFIRE is how Twitter has been the one tool that has breached the attempt of Iranian national censors to control the information flow within and outside the country. Much of the media reporting on the violence that has resulted from the protests was first covered on Twitter before it made the news. Can Twitter be a useful intelligence tool? Kinda.

The problem with Twitter, or for that matter any "as-it-happens" information, is that there is no good way to determine the reliability of that information. You can read some of the latest posts on the Iranian issue here. One of the top posts as I write this is that the Iranian Army itself is moving into Tehran to restore order. Is that, in fact, true? I tend to think not, but time will tell.

Because of the way "trending" Twitter topics work, anyone talking about an issue will show up in that feed. That includes accounts created just today. Why does this matter? It's relevant because it would be trivial to put up "counterintelligence" via Twitter. There are no tools with which to measure the "reputation" of the person posting the information. Number of followers and tweets helps, but most of the people posting information have followers in the hundreds, which is a trivial number of followers to acquire before even posting your first tweet.
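To make the reputation problem concrete, here is an added example (not code from the diary or from the ISC) of the kind of triage heuristic an analyst could run over a feed: it weights account age far above follower and tweet counts, since the latter are cheap to acquire in a day, and then asks whether a given claim is backed by more than one account that clears the reputation bar. The tweets, account names, dates and claim labels below are all constructed for the example; the weights and the 0.5 cutoff are assumptions, not anything Twitter exposes.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Tweet:
    account: str
    account_created: datetime
    followers: int
    tweets_total: int
    claim: str  # analyst-assigned label for what the tweet asserts (constructed)
    text: str


def account_reputation(t: Tweet, now: datetime) -> float:
    """Crude 0..1 reputation score for the posting account.

    Account age dominates (assumed weight 0.6): followers and tweet counts can
    be bought or bot-generated within hours, but a years-old account cannot.
    Follower count is log-scaled so that "hundreds of followers" barely moves
    the score, and a flurry of tweets from a day-old account adds little.
    """
    age_days = (now - t.account_created).days
    age_score = min(age_days / 365.0, 1.0)                       # saturates at one year
    follower_score = min(math.log10(t.followers + 1) / 5.0, 1.0)  # 100k followers => 1.0
    activity_score = min(t.tweets_total / 1000.0, 1.0)
    return 0.6 * age_score + 0.25 * follower_score + 0.15 * activity_score


def triage_claims(tweets, now: datetime, min_reputation: float = 0.5) -> dict:
    """Return a verdict per claim based on how many *distinct* accounts above
    the reputation threshold repeat it. Three new accounts saying the same
    thing count as zero credible sources, not three."""
    sources = defaultdict(set)
    credible = defaultdict(set)
    for t in tweets:
        sources[t.claim].add(t.account)
        if account_reputation(t, now) >= min_reputation:
            credible[t.claim].add(t.account)
    verdict = {}
    for claim in sources:
        n = len(credible[claim])
        if n >= 2:
            verdict[claim] = "corroborated"
        elif n == 1:
            verdict[claim] = "single-source"
        else:
            verdict[claim] = "suspicious"  # every source is a low-reputation account
    return verdict


# Constructed sample feed: three accounts created in the last day all push the
# same dramatic claim; two older accounts independently report a second one.
NOW = datetime(2009, 6, 16, 14, 0)
SAMPLE_TWEETS = [
    Tweet("fresh_account_1", datetime(2009, 6, 16, 0, 0), 300, 12,
          "army-entering-tehran", "army columns now entering tehran to restore order"),
    Tweet("fresh_account_2", datetime(2009, 6, 15, 20, 0), 450, 30,
          "army-entering-tehran", "confirmed: army moving into the city"),
    Tweet("fresh_account_3", datetime(2009, 6, 16, 9, 0), 280, 5,
          "army-entering-tehran", "RT army in tehran!!"),
    Tweet("veteran_reporter", datetime(2007, 3, 1), 12000, 4500,
          "protest-azadi-square", "large crowd gathering at azadi square"),
    Tweet("longtime_blogger", datetime(2008, 5, 10), 800, 2300,
          "protest-azadi-square", "azadi square filling up, photos soon"),
    Tweet("veteran_reporter", datetime(2007, 3, 1), 12000, 4500,
          "sms-network-down", "sms still down across the city"),
]

if __name__ == "__main__":
    for claim, verdict in triage_claims(SAMPLE_TWEETS, NOW).items():
        print(f"{claim:24s} {verdict}")
```

The heuristic only raises the cost of the attack described above; an aged account that has been taken over, or one that was registered months earlier for exactly this purpose, will still score well, so the output is a prioritisation aid for a human analyst rather than a truth oracle.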

An example I use in my criticism of emergency text messaging is that there have been incidents where false information led victims TO a threat instead of away from one. While there is some debate, the Omagh bombing in N. Ireland in 1998 arguably included this: the Real IRA called in a bomb threat to the courthouse, but the car bomb was actually near a market center. The result was that the police evacuated people toward the area where the bomb really was. "Leading people to the threat" is a real danger of unreliable information, and it is a known tactic. Bottom line is that unreliable communications can be used just as easily by people who would feed in unreliable or intentionally false information (counter-intelligence).

From an information security perspective, the threat is leading people to malicious websites. Set up a blog with an archive of posts on the issue, "borrow" a few pictures of the conflict and post them. Tweet a message that says "live images of protestors being shot at" and point to your blog, which also includes pre-tested malware known not to be detected by AV vendors. Twitter and social networking tools provide another mechanism to lead people to the cyber-threat where only e-mail was used before. Twitter has no "anti-spam" features; everyone talking about a subject shows up.

So while the use of Twitter and other tools provides a means to breach the censorship rules of foreign regimes, it does not come without risks. Is the information valid? Is it leading you to malware that will infect your machine?

P.S. I'm working on the intellectual exercise of developing a "honeypot" for Twitter / social networking so we can get some visibility into those who would use those avenues to distribute malware. Feel free to send in suggestions.

--
John Bambenek
bambenek /at/ gmail /dot/ com
