Aerospace eBusiness

Using FaceBook while working in Aerospace? Take steps to protect your identity. April 21, 2009

This morning the Wall Street Journal reported that computer spies had breached the Joint Strike Fighter project, exploiting vulnerabilities in subcontractor networks (See Full Article). Most people reading this article would immediately think about Chinese hackers busy “cracking” the firewalls of foreign companies. The reality is much simpler and at the same time much more alarming.

This article reminded me of a famous chart that has for long made the rounds of the IT security offices in A&D companies.

That is right, the vast majority of breaches occur through internal access. Although very few users intentionally steal data from their employers’ systems, many fall prey to simple tricks orchestrated by unassuming “spies”. Although the DoD has not revealed how the data was lifted from the subcontractor systems, the fact that the article mentions the environment had to be “cleaned up” points to malicious software installed on end-user systems or laptops, copying data under a valid access account.

But how would a spy target a JSF end-user? A visit the Spy Museum in Washington, DC will provide you many ideas, but I was wondering if FaceBook has not made things easier for spies? I opened my personal account and simply searched for JSF, Joint Strike Fighter, and F35. In my local network, I found a dozen OPEN profiles of people that list JSF in their job information. I was able to see their email address, some of them had their home addresses, their phone number, etc… In some cases I was able to access their spouse’s and kids’ profiles including cute family pictures. If I was able to find 12 people in ten minutes, I wonder how many one can find in the Fort Worth (Texas) network? You get the point!

If you use FaceBook for your PERSONAL social networking (as you should), there is absolutely NO reason to keep your profile open for everyone to see. Unfortunately, this is the default setting so many novice users have an open profile unbeknownst to them. You should also make sure you limit the information you list about yourself (Don’t your friends already know you work for Lockheed?). Finally, shouldn’t A&D companies instill a policy requiring employees to declare their FaceBook account so they can verify they have been reserved to their friends and not open to spies?