FUD can Sometimes be Useful

There has been a story making the rounds the last few weeks that is really bugging me. I was going to let it slide but the story just won’t die and every time it comes around again I just get angrier. The problem is I don’t think the story is actually true, which wouldn’t be that big a deal if I could actually prove it wasn’t true but in this case its just a feeling, I have no proof, not even a preponderance of evidence, just a feeling.

The story is sort of infosec related and deals with the geotagging of photos uploaded to social media sites. This is a very real concern for people like the US Army who usually don’t want it known where high value targets like say, oh, AH-64 Apache helicopters might be parked. The problem I have is that I seriously doubt the scenario as presented by Steve Warren, deputy G2 for the Maneuver Center of Excellence actually happened.

“Warren cited a real-world example from 2007. When a new fleet of helicopters arrived with an aviation unit at a base in Iraq, some Soldiers took pictures on the flight line, he said. From the photos that were uploaded to the Internet, the enemy was able to determine the exact location of the helicopters inside the compound and conduct a mortar attack, destroying four of the AH-64 Apaches.”

There are just so many things wrong with this story as it is presented to make it believable to me. Is it possible? Absolutely. Is it a real security concern? Most definitely. But did it really happen? I don’t think so.

First lets try to imagine how the US Army determined that the enemy downloaded the photos and extracted the GPS location in order to lob mortars at the helicopters. How did the Army find that out? Did they enemy carry a sign past the airbase front gate saying “Hey, grabbed your FaceBook pics HA! HA!” Did they capture an enemy combatant and water-board it out of him? Did they recover a laptop with a bunch of photos and map coordinates? Why are we only hearing about it five! years after happened? How did the Army determine how the enemy got the information? That part is never explained.

Lets look at a second more plausible explanation, assuming that helicopters actually did get blown up. A fleet of UH-64s are not easy to hide. If you’re a Iraqi sitting in your house eating your hummus and pita bread and you’re hear a fleet of UH-64s fly over head your gonna notice it. You put down the pita and look out the window to see the helicopters flying off to the nearby US Army base. Then you call your buddies, grab your motor tube and go have some fun. To me this makes a lot more sense than randomly grabbing pictures off FaceBook.

So if this is really a made up story why did the US Army release it? I suspect they know they have a very real problem of soldiers uploading geotagged photos to social media sites. They tried banning Facebook and other sites before and that didn’t work. And actually the military needs social media for morale reasons. The number one morale booster when I was in the service was mail, or more accurately communication home to family and loved ones and with todays military that communication happens over the Internet and with social media. We cannot turn it off. So you have to do the next best thing, educate the users/soldiers/sailors/airmen/marines not to post stupid stuff that will compromise your military situation. Loose lips sink ships, or in this case geotaged photos blow up helicopters (doesn’t really have the same ring to it.) Based on my own experience with educating users I suspect they have met with only limited success.

So this story of UH-64s being bombed via Facebook makes a perfect urban/military legend. To people in the military it does not matter if it was true or not the story will live on and spread and take on a life of its own. Now soldiers will double check their buddies when they take pictures because they won’t want mortors raining down on their own heads. Where training has failed peer pressure will succeed, and it gets repeated so many times it just magically become fact. Mission Accomplished.

But to those of us in infosec we need to look at this story for what it is, a possibility, not yet a reality, but something to look out for and to caution our clients against. Just remember not everything you read is true, the sky isn’t always falling but that doesn’t mean you shouldn’t pay attention.