FPBlog has a brief post in which Joshua Keating gently mocks the potential dangers of a fake Facebook page for Ronald K. Noble of Interpol. To quote the relevant portion,
I’m trying to imagine how the fake Ronald Nobles would go about trying to deceive their marks: “Hey there, it’s Ron from Interpol. Just postin’ on ur wall to see how that big organized crime investigation is going. Please send me all the deets including names of suspects and plans for future operations! TTYL!!!”
If fake Facebook pages are really a threat to Interpol security, they probably have bigger things to worry about.
Perhaps I could jog his imagination a little, since he finds it so difficult to imagine a plausible scenario.
Scenario 1: Someone sets up a fake Noble FB profile. He manages it carefully to make it appear a perfectly legitimate profile. At some point, the creator also writes a blog post (or something along those lines) in another fake ID which makes good, cogent, and on-topic points about the challenges facing Interpol. The fake Noble profile links to it, with a comment along the lines of “Interesting read. I disagree with X, Y, Z”, etc. etc. And, of course, the link appears to be a perfectly legitimate webpage. But it’s not, and people following the link just got infected with spyware. Heck, they could even send individual facebook messages to targeted recipients a la GhostNet, meaning there’s no chance of the recipient being warned by another “friend” who realizes what happened.
Scenario 2: A pretty thorough “web of friends” for those who accept the fake FB user’s friend request makes all sorts of problems more likely (blackmail being the most obvious and readily apparent, but not the only potential problem arising from them knowing who Interpol agents and affiliates are friendly with).
Scenario 3: A habitual facebook addict (the sort who checks their profile every 20-30 minutes when at a computer) could give a lot away just based on when they’re logging in to facebook. Imagine if you managed to friend an Interpol agent who leaves his desk almost only at the end of work or to accompany actual busts… if he suddenly stops checking Facebook, maybe it’s a good time to destroy incriminating evidence or get out of town. With a little technological savvy, you could automate that sort of tracking to automatically warn you. If you friend someone who travels every few weeks, you could probably keep reasonable track of what time zone they are in… if you’re worried about them being in London, you could breathe a small sigh of relief if you realize they’re on Hawaiian time. And so forth.
Scenario 4: Basically exactly what Keating mocks. Through other sources, you find out that an intern just published an analysis based on some classified data. The “Interpol chief” drops a message with the intern saying “So-and-so just mentioned that he was impressed with your analysis, and that I should really take it a look. Any chance you could drop me a copy at this email?” Sure, the intern should know better… but he might not. Is Interpol supposed to guarantee that everyone who sees or hears any classified data will be properly cautious? Friends, relatives, contractors, etc.
Scenario 5: The fake FB page gets an angry flame message from an employee who was just fired and thinks it’s the actual boss’s page. Guess who could be offering the employee a new job the next morning?
I could probably go on. While it may seem like careful security measures would render Facebook totally disconnected from any sensitive information, there are two problems with that happy assumption. First, even if the security protocols were rigorously followed by everyone, they would have to be absurdly paranoid to actually secure any information that could be potentially sensitive, because almost any information is potentially sensitive if combined with enough other small pieces of information. As I’m sure Interpol knows, and Keating apparently doesn’t. Second, to assume blithely that everyone in and around any organization the size of Interpol is a stickler for following security protocol is an absurdly high bar to set.