From Facebook to Twitter to ‘check-ins,’ ‘followers’ and ‘pokes’ galore, it’s increasingly hard for social media users to distinguish who their “friends” really are. Now add this to your list of concerns: are your “friends” even real people, or fakes operated on behalf of the U.S. Air Force?
Leaked emails from data security firm HBGary show the federal government is offering private intelligence companies contracts to create software to manage “fake people” on social media sites, possibly to manipulate public opinion or create the illusion of consensus on controversial issues.
The federal contract, from the 6th Contracting Squadron at MacDill Air Force Base in Florida, calls for the development of “Persona Management Software,” software that manages online “personas,” allowing a single human to assume the identities of as many fake people as they’d like.
The revelation was among those contained in a set of HBGary emails publicly leaked after hackers with the cyber protest group “Anonymous” broke into the firm’s computer systems.
The Air Force request was for 50 licenses, which could create up to 500 fake Internet people, to be used in Iraq and Afghanistan. The personas, the contract reveals, would have to be “replete with background, history, supporting details, and cyber presences that are technically, culturally and geographically consistent.”
The timing of the request, filed last June, hints that the results, or fake people, could be live on social media sites now.
The request, as posted on the Federal Business Opportunities website, notes the need for secure virtual private networks that randomize the operator’s IP address to make it impossible to detect that a single person is behind all the posts, and calls for static IP address management to make it appear as though each fake person is using the same computer each time.
The Air Force also sought methods to anonymously establish virtual private servers in specific geographic locations to allow “geosites” to be integrated with their social media profiles to make it appear the user is posting from locations around the world.
The proposal for the government contract describes how the fake users would ‘friend’ real people on Facebook as a way to convey government messages, stating:
“Those names can be cross-referenced across Facebook, Twitter, MySpace, and other social media services to collect information on each individual. Once enough information is collected this information can be used to gain access to these individuals’ social circles. Even the most restrictive and security conscious of persons can be exploited. Through the targeting and information reconnaissance phase, a person’s hometown and high school will be revealed. An adversary can create a classmates.com account at the same high school and year and find out people you went to high school with that do not have Facebook accounts, then create the account and send a friend request. Under the mutual friend decision, which is where most people can be exploited, an adversary can look at a target’s friend list if it is exposed and find a target’s most socially promiscuous friends, the ones that have over 300-500 friends, friend them to develop mutual friends before sending a friend request to the target. To that end friends’ accounts can be compromised and used to post malicious material to a target’s wall. When choosing to participate in social media an individual is only as protected as his/her weakest friend.”
The leaked emails from HBGary also include notes from the firm’s CEO Aaron Barr saying, “There are a variety of social media tricks we can use to add a level of realness to all fictitious personas… Using hashtags and gaming some location based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise, as one example.”
In addition to HBGary Federal, other vendors interested in working with the government on the “persona management software” included Global Business Solutions and Associates LLC, Uk Plus Logistics, Ltd., NevinTelecom, Bunker Communications and Planmatrix LLC.
Both HBGary and MacDill Air Force Base have so far declined media requests for comment or an explanation of the contract.