State-sponsored cyber spies want your Facebook status, researchers say

This story was updated to provide a link to the Imperva report after it was released.

Facebook frequently takes flak for privacy invasions, but the next controversial byproduct of the social network may be cyber espionage, according to security researchers.

Status updates on Facebook posted by friends and family of government officials or the officials' own unencrypted Facebook activities can be used to gather intelligence such as U.S. troop movements, says Rob Rachwald, security strategy director for cybersecurity firm Imperva.

While data brokers profit by collating social communications for advertisers, spies and hackers on government payrolls can profit by parsing the same information. And there's a lot of it. In 2011, Max Schrems, a Vienna law student interested in the dossier Facebook's computers kept on him, filed a request for his social media records under European data protection regulations. He claims to have received a 1,222-page file of deleted messages, removed "friends" and other current and former data.

An Imperva report released on Tuesday explains hackers can analyze these records, including connections between "friended" business partners and colleagues, to map out the hierarchy of different organizations. "The organizational structure can be used for corporate espionage, foreign-government and even military intelligence," states a draft reviewed by Nextgov.

"The worst case scenario is you get admin rights to Gmail," by piecing together public or hacked intelligence from Facebook, Rachwald said in an interview. Last year, assailants apparently based in China actually did target the personal Gmail accounts of senior federal officials, according to Google.

Facebook spokesman Fred Wolens, who had not seen the report, said in response to Rachwald's concerns, "We designed Facebook to provide a safer and more trusted online environment by offering users industry-leading tools to control access to their information so they can choose what they share and with whom they share it. We encourage people to exercise caution when connecting with others unknown to them online or otherwise."

He added that the company has many technical systems in place to prevent "scraping," or mining the site's data, and to restrict Web search services from crawling through non-public information.

Rachwald said individuals often post status updates that unwittingly reveal their geographic locations. "Geolocation data is altogether more valuable when cross-referencing it with the organizational structure. This can be very useful, say, to gain military intel on the location of the adversary's military units. In fact, last year an [Israel Defense Forces] operation was cancelled following a soldier's status update of the operation's time and location," the report states.

Government-sponsored hackers and spies may use tactics such as eavesdropping on a Facebook member's activities through unencrypted Wi-Fi connections, the paper states. Facebook uses a secure connection to read users' login credentials but all other information is sent back and forth in an unprotected format. Responding to this potential vulnerability, Facebook in January allowed users to opt into a setting that secures all Facebook activities. Imperva recommends users enable that option.

On the flip side, U.S. agencies can tap the same intelligence to ensnare spies and criminals, the report notes. Mentions of extreme weather in status updates have tipped off authorities to the locations of fugitives. And federal law enforcement officials need only a subpoena to obtain Facebook records on criminal suspects, according to the company's safety guidelines.
