It was an interesting week at Defcon last Thursday to Sunday. During that week we also had Blackhat and BSidesLV, and all these events want to pass on information to a diverse community of security and IT folks that are mixed up and come from different countries, ethnicities and also genders. In the midst of all this diversity one sometimes asks the question of how the operations and day-to-day security of such events are planned and ultimately implemented to adhere to the very same principles of being secure and protected from multiple levels of hacks. Many people that I watched at BSidesLV and Defcon are more than likely oblivious to espionage or SE (Social Engineering) at some level and walk from one session to another without really looking at the people they are standing next to, drinking with and going to some of the parties with. I admit, it would be nice once in a while to just let go and think you are with like-minded people, but reality and the world we currently live in have taught me (for better or for worse) that you can never really let your guard down at these types of events (unless you have your own group of vetted people, that is). 😉
When I think about these types of events and how many people there are, I also come to the conclusion that there are multiple spies, police, undercover agents and all kinds of other resources that are trying to identify criminals and other spies, and also keep an eye on things as the rest of the crowd moves on, parties and thinks they are “SUPERl337”. Are they, are we, or are we missing something that is so obvious that many have forgotten the lessons of history? I would hope not, but my gut says something different. I am not talking about the undercover agents (you would expect them) but spies. To think that Defcon, BSidesLV or any other “security” conference is not being scoped out or monitored by other nations’ spies would be a mistake at best, asinine at worst.
In recent years we have talked about various influences of certain “players” in elections as well as other assorted goodies of security, social media and all kinds of threats and risks. My thoughts go out to last week and some things I have observed on a more strategic level. Recently many of us (including me) were so focused on election meddling that we totally forgot about one of the most dangerous forms of espionage: using sex, better known as “HONEYTRAPS”.
Honeytraps (similar to honey pots for us techies) lure the victim into a situation in which they are left with two choices: be loved or be rejected. This short entry is not about the total history (maybe I can focus on that in another post) but is rather focused on getting some (re)awareness of this oldest of espionage practices back onto the world stage and everyone’s radar. Sex and espionage seem to be constant partners for some countries. Although I am sure most countries do this, I will focus on one specifically (because they are so damn good at it), and that is Russia (China, however, comes in a very close second).
Now that we focus on Russia, let’s take a look at what types of people are recruited (in the past and just academically of course) by an espionage agency. Contrary to what some people think, spies are recruited from both the female and male population and both are very good and successful at their jobs. Throughout history there are many examples of multiple men and women coercing and seducing men and women in high positions and with access to very secret information and data. The practice that these “assets” deploy is to achieve what we all foolishly believe is undoable: to get people to fall in love with them so that they can obtain valuable information and updates, or be planted as sleeper cells (only to be activated years later) to do a job or achieve goals that are given to them by their handlers or contact people. Agents recruited to do these types of things are typically very smart, obviously attractive and sociable. Seems logical, right? The KGB, FSB and GRU commonly refer to these types of assets as “swallows”, and most training programs are not teaching most folks about the dangers of these types of spies (I think it’s time we do this for both female and male security folks).
So what are the tactics that both male and female “swallows” use to get to their targets? (I am sure those of you who read this will find a shocking truth…) The following is a basic list of things (certainly not exhaustive).
- Don’t tend to make the first move, usually staying in the background waiting for the “right time”. This means in many cases events or times when people are vulnerable or easier to convince.
- Are attractive and pay attention to looking that way (okay this one is obvious I get it…)
- Use extensive sources and OSINT to scope out the environment and identify key HVTs (that’s High Value Targets for you non-mils). These people are smart (remember this!) and they certainly are dedicated to researching everything about you if you are a target.
- Sex is not the MOST important aspect of getting to a target. These spies want to build a relationship that can last over a longer period, and since that is important they are not quick to have sex just to get to a target. This actually makes sense at a physiological level and social level, as people want to be loved and be accepted; this is one of the most important aspects that makes this really work consistently and over longer periods of time.
- Work in spans of years, not months or days. Many successful spies came to the US and were here for more than 8-10 years. This length of time gave them access to various people and enabled handlers to choose the targets that would yield the most information and data.
- Agents would typically not be in DC but in upstate New York, New York City, Boston and other places to fly under the radar.
So now that we went through some info and the topic, let’s use a practical example of just how real this is. Let’s take for instance New York City and look at some Tinder profiles of people that “appear” in the city. Notice how they look and what they do…
(Tinder) Tinder has multiple profiles like the one below and many people fit this profile to a T. I am not going to tell you what to believe, but it is interesting to compare how many profiles like this you will find.
So the profile above contains someone who is smart, looks attractive and apparently is a software programmer. I am not saying she is a spy (for the record) but I did find profiles based on real examples of clients getting compromised that fit this example.
So a few comments and thoughts. I have friends in many countries, and I don’t hate Russia, China or any other country for that matter, as long as the people are cool and want to live a peaceful life. I am saying, however, that it does pay sometimes in life, if you work in an important sector like critical infrastructure, defense, research or other related areas, to be really careful. I know it’s fantastic to be accepted, but use caution and be careful; there are some pretty good social engineers in this world and they are not all cool folks.
So that’s it for this post. I hope you liked it, and that it provided some value and highlighted some security core principles that we teach others as sec folks but sometimes may not heed ourselves. Stay safe, be smart, lat3rs!