Vulnerability on Social Networking Sites to Adversary Influence Operations
I recently completed a study for the USAF.
"Online Vulnerabilities of USAF Personnel to Adversary Influence Operations on Social Networking Websites".
If you are in the DOD or IC and are working in IO, OPSEC, etc and are interested in a copy send me an email to mike_mcgannon@sra.com and I will forward a copy.
How Vulnerable are you to Adversary Influence Operations online...a Questionaire
Adversary Influence Operations Vulnerability Self Assessment Questionnaire
Instructions: This questionnaire was designed to determine how vulnerable an online user is to Adversary Influence operations. While no one can be expected to do their jobs without accessing the internet, there are sites or types of information that users can post online that would make them more vulnerable to influence.
Ratings
0-25 Points Low Risk
26-50 Points Moderate Risk
51-75 Points High Risk
76-100 Points Target
Low Risk: You use the internet, but protect yourself online; however you should still be aware that there are risks.
Moderate Risk: You are giving away bits and pieces of critical information that put together over time could make you vulnerable to influence.
High Risk: You are posting critical information that does make you a likely target candidate.
Target: It is too late you are already a target; you have given the adversary everything they need to carry out an influence operation.
Scoring the Questionnaire: For every question with a single answer yes/no assign 1 point for yes, 0 points for no. For questions with multiple answers using the following points score
a. None 0 Points
b. 1 1 Points
c. 1 to 5 3 Points
d. More than 5 5 Points
Part I Websites
1. Are you currently in a critical career field which may be the target of Adversary Espionage or Influence Operations? (Y/N) (Target career fields include Intelligence, Special Operations, Communications, Security Forces, Aviators, Combat Weather, TACP, Nuclear Weapons)
2. Do you use social networking websites?
a. None
b. 1
c. 1 to 5
d. More than 5
3. Do you post on blogs?
a. None
b. 1
c. 1 to 5
d. More than 5
4. Do you participate in forums?
a. None
b. 1
c. 1 to 5
d. More than 5
5. Do you have a personal website?
a. None
b. 1
c. 1 to 5
d. More than 5
6. Do you use photo album websites?
a. None
b. 1
c. 1 to 5
d. More than 5
7. Do you post resumes to employment websites?
a. None
b. 1
c. 1 to 5
d. More than 5
8. Do you belong to any dating sites?
a. None
b. 1
c. 1 to 5
d. More than 5
9. Do you post on bulletin boards and newsgroups?
a. None
b. 1
c. 1 to 5
d. More than 5
10. Do you use email listservers?
a. None
b. 1
c. 1 to 5
d. More than 5
11. Do you belong to online groups and clubs?
a. None
b. 1
c. 1 to 5
d. More than 5
12. Do you participate in chat groups (AOL, Yahoo, MSN, etc)?
a. None
b. 1
c. 1 to 5
d. More than 5
13. Do you use instant messenger software?
a. None
b. 1
c. 1 to 5
d. More than 5
14. Do you use online auction sites?
a. None
b. 1
c. 1 to 5
d. More than 5
15. Do you use online training?
a. None
b. 1
c. 1 to 5
d. More than 5
16. Do you play online games?
a. None
b. 1
c. 1 to 5
d. More than 5
17. Are you on any other sites not listed above that you provide data to?
a. None
b. 1
c. 1 to 5
d. More than 5
Part II Types of Information
When you post online do you:
1. Use your real name? (Y/N)
2. Use identifying usernames i.e. USAFTACP? (Y/N)
3. Post your military/government affiliations? (Y/N)
4. Provide Personal Information
a. Hometown (Y/N)
b. Schools (Y/N)
c. Previous Employment (Y/N)
d. Names of relatives (Y/N)
e. Names of friends (Y/N)
f. Duty Stations (Y/N)
g. Military Units (Y/N)
h. Training (Y/N)
i. Deployments (Y/N)
j. Business associations (Y/N)
k. Personal associations (Y/N)
5. Post a daily journal of your activities? (Y/N)
Part III Public Records
1. Are you listed in yellow and/or white pages? (Y/N)
2. Do you have court records online? (Y/N)
3. Do you have real estate records online (county you live in may post this information without your knowledge or permission)? (Y/N)
4. Do you have an online business? (Y/N)
5. Are you listed on school/university websites? (Y/N)
6. Are you listed on professional association websites? (Y/N)
7. Do you hold patents or copyrights? (Y/N)
8. Are you published? (Y/N)
Tip Sheet: How to Protect Yourself Online
1. Use tools to make your online use anonymous. An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It accesses the Internet on the user's behalf, protecting personal information by hiding the source computer's identifying information.
2. Use generic free email accounts.
3. Use junk info in web forms (name, address, phone #, etc.).
4. Use random user names. For example USAFTACP is not a good username while spacecadet4687yb is a random username.
5. Use multiple usernames and email accounts so all of the websites you access cannot be linked together.
6. Do not use you .mil or .gov email outside of the DOD network.
7. Do not give out any personal information unless it is absolutely required for school, business or professional transactions.
8. Be mindful of OPSEC when you are online and let you friends and family know what information they should post about you, if any.
Adversary Resources
An adversary will have access to all the tools and resources that are available online that you do. So a good assumption is that if you have access to a public website then so will an adversary. If an adversary has your basic information they can pay a variety of websites for additional information about you.
Online Background Checks: After an adversary has obtained information on a subject they can perform more detailed background searches using the following services.
http://www.zabbasearch.com/
http://www.criminalwatchdog.com/
http://www.peoplelookup.com
https://www.backgroundchecks.com/
Maps and Satellite Imagery: Once they have an address they can use online tools to get directions, maps of the locations and even satellite imagery using a variety of free online websites.
http://maps.google.com/maps
http://maps.live.com/
http://www.zillow.com/
Public Records: State, County, and City Sites
http://www.brbpub.com/pubrecsitesStates.asp
State Occupational Licensing Boards http://www.brbpub.com/pubrecsitesOccStates.asp
State Appellate & Supreme Court Opinions & Decisions http://www.brbpub.com/pubrecsitesSea...+%26+Decisions
Federal Courts http://www.brbpub.com/pubrecsitesSea...Federal+Courts
Other Government & Private Information Sources
Obtain Your Own Driving Record http://www.brbpub.com/pubrecsitesSea...Driving+Record
Decode a VIN http://www.brbpub.com/pubrecsitesSea...t=Decode+a+VIN
Online Information Management: While posting your own information online can be easy to control and remove, online public records may not be as easy. Here are some links to opt out of public records on the sites listed in the previous section.
Zaba Search http://www.zabasearch.com/opt-out/
People Lookup http://www.peoplelookup.com/privacy-faq.php#5
Background checks info@backgroundchecks.com
Public Records: As laws and policies vary by state; you must contact each organization individually that has your public records to see if those can be removed from online searches.
Well, that will sure help