Sjterp ds_of_misinfo_feb_2019

Bodacea Light Industries, 2019
Data Science of
Misinformation
Sara-Jayne “SJ” Terp
February 2019
1

Yeah. Me.
• Lifetime includes: Big data. Submarines. Robots. Cold
War information systems. Large-scale data systems.
Traffic. Human-robot cooperation. Crisismapping.
Developing world community-driven data. Consultant to
fortune100s. Pyrotechnics. Adtech. Some other stuff.
• Has a ‘big ideas’ habit (last one was “change the way
NGOs use data”). Current big idea is that misinformation
control is very similar to infosec, it’ll develop in a similar
way, and we’ll need to use similar (ongoing forever)
patterns
2

What I do all day
• URL-based misinformation:
• Global Disinformation Index: data science
• Message-based misinformation:
• Credibility Coalition: Misinfosec WG
• Sofwerx/Arizona: misinfo red team exercise
• Sofwerx: misinfo alerting design
• Misinfosec: community
• MLsec, book etc
3

(my) Misinformation Hacking
• Understand it
• Try to stop it happening
• Know when someone’s trying to do it
• Know when someone’s done it
• Respond to it
• (try to) stop it happening again
4

Misinformation
It’s not all fake news
5

Misinformation
6

Individuals: fake events
7

Communities: diverted crisis efforts
8

Nationstates: Qanon campaigns
9
“Action: continuous barrage of
memes. All SM platforms
Hashtags: #HRCvideo
#releasethevideo #maga #QAnon
Use top trending hashtags along
with your posts. Share and
retweet as much as possible”

Actors, Motivations
• State/nonstate actors
• Entrepreneurs
• Grassroots groups
• Private influencers
10

Social Engineering
11

At Scale
12
Facebook group total_shares interactions
Facebook.com/Blacktivists 103,767,792 6,182,835
Facebook.com/Txrebels 102,950,151 3,453,143
Facebook.Com/MuslimAmerica 71,355,895 2,128,875
Facebook.Com/Patriototus 51,139,860 4,438,745
Facebook.Com/Secured.Borders 5,600,136 1,592,771
Facebook.Com/Lgtbun 5,187,494 1,262,386

Targeting all social sites
13

Targeting everyone
14

(Maybe) Coordinated
15

Defences
“Isn’t it just like spam?”
16

Sources
17

Artefacts: Content
18
• Co-occurring hashtags
• Correlated text
• URLs
• Stories

Stories
19

Artefacts: Context
20
• Known botnets/trolls
• Previous rumours
• friends/followers
• retweets/likes
• Metadata (e.g. DNS)

Money
21

Respond
22

Individual: report trolls/botnets
23
“Twitter (reportedly)
suspended over 70 million
accounts”
“Facebook created a human
crisis team after algorithms
failed it”

Individual: report fraud
24

Individual: block
25

Platforms
• Remove non-human traffic
• Rate-limit / shadowban trolls
• Remove pages from ad exchanges
• Remove non-human traffic from ad exchanges
26

Community: Engage
27

Individual: Repair
28

Community
• Parody-based counter-campaigns (e.g. riffs on “Q”)
• SEO-hack misinformation sites
• Dogpile onto misinformation hashtags
• Divert followers (typosquat trolls, spoof messaging etc)
• Identify and engage with affected individuals
• Educate, verify, bring into the light
29

Adaptations
The game is changing all the time
30

Attacks are adapting all the time
31

Offense: Potentials for Next
• Algorithms + humans attack algorithms + humans
• Shift from trolls to ‘nudging’ existing human communities
(‘useful idiots’)
• Subtle attacks, e.g. ’low-and-slows’, ‘pop-up’, etc
• Massively multi-channel attacks
• More commercial targets
• A well-established part of hybrid warfare
32

Defence: Potential for next
• Strategic and tactical collaboration
• Trusted third-party sharing on fake news sites / botnets
• Misinformation version of ATT&CK, SANS20 frameworks
• Algorithms + humans counter algorithms + humans
• Thinking the unthinkable
• “Countermeasures and self-defense actions”
33

The Datascience part
And now we go digging
34

Master “trackers”
• Kate Starbird
• Ben Nimmo / #DigitalSherlocks
• @Conspirator0
• Josh Russell (@Josh_Emerson)
• Iwr
• …
35

@katestarbird
36

#digitalsherlocks
37

@josh_emerson
38

@Conspirator0
39

@r0zetta (Andy Patel)
40

@fs0c131y (Elliot Alderson)
41

www.iwr.ai
42

Doing the thing
Getting into misinformation data science
43

Asking questions
• Is there unusual activity on hashtag x, topic y, platform z?
• What are ‘known’ bots talking about today?
• What’s the chatter in 8chan/ 4chan/ r/thedonald
RussiaToday etc
• What are the misinformation creators trying to do? What
artifacts are they likely to leave when they do it?
• What are the other trackers getting excited about today?
44

Getting your own data
Trollbot lists:
• https://botsentinel.com/
Tools:
• https://github.com/IHJpc2V1cCAK/socint
• https://labsblog.f-secure.com/2018/02/16/searching-twitter-with-
twarc/
Existing datasets
• https://github.com/bodacea/misinfolinks
45

Trollbots
46

Code
47

Artifacts: Images
48

Artefacts: text
49

Artefacts: message times
50

Artefacts: Relationships
51

And then the rest of the DS cycle
• Explore: Go play. Pull some troll data, and think about
what you’d like to know about it. Look at the hours the
trolls tweet at, the topics, the hashtags. Do they repeat
each other at all? Are there patterns? Think about
names, dates, followers/following, profiles. Are they on
existing “naughty lists”. Etc
• Model
• Iterate
• Explain (who to?)
52

Thank you
SJ Terp
@bodaceacat
53

Bonus: Misinfo + Infosec
What’s already happening here?
54

Infosec support to misinfo tracking
55

Include misinfo in infosec definitions?
56
“Prevention of damage to, protection of, and
restoration of computers, electronic
communications systems, electronic
communications services, wire communication,
and electronic communication, including
information contained therein, to ensure its
availability, integrity, authentication,
confidentiality, and nonrepudiation”
- NSPD-54

Mapping Parallels
• As Information Security (Gordon, Grugq)
• Via Information Operations / Influence Operations (Lin etc)
• As a form of conflict
57

Mapping frameworks
58

Misinfo red team exercises
59

Frameworks
How do we adapt these standards?
60

Infosec already includes cognitive
61

Stage-based models are useful
62

Mapping Phases to Techniques is really useful
63

Each Tactic stage has a pick-list of Techniques
64

Zooming out (aka naming things is hard)
• Campaigns : Advanced persistent threats
• e.g. Internet Research Agency, 2016 elections
• Incidents
• e.g. Columbia chemicals
• Failed attempts
• ?
65

2014 Columbian Chemicals incident
66
• Summary: Early Russian (IRA) “fake news” stories. Completely fabricated; very short lifespan.
• Actor: probably IRA (source: recordedfuture)
• Timeframe: Sept 11 2014 (1 day)
• Presumed goals: test deployment
• Artifacts: text messages, images, video
• Method:
• 1. Create messages. e.g. “A powerful explosion heard from miles away happened at a chemical
plant in Centerville, Louisiana #ColumbianChemicals”
• 2. Post messages from fake twitter accounts; include handles of local and global influencers
(journalists, media, politicians, e.g. @senjeffmerkley)
• 3. Amplify, by repeating messages on twitter via fake twitter accounts
• Result: limited traction
• Counters: None seen. Fake stories were debunked very quickly.
• Related attacks: These were all well-produced fake news stories, promoted on Twitter to
influencers through a single dominant hashtag -- #BPoilspilltsunami, #shockingmurderinatlanta,

Tactics (draft, very draft)
67

Techniques (draft)
68

Example Technique
• Behavior
• Requirements
• Cause
• Effects
69

Why Build This?
• Understand badguys: create red team exercises
• Build an alert structure (cf US-CERT)
• Defend/countermove against reused techniques
• Transfer other infosec principles
• Identify gaps in attacks
• Assess defence tools & techniques
• Plan for large-scale adaptive threats (hello, Machine Learning!)
70

We also need to design response
71

Your part: don’t fight the last war
72

Sjterp ds_of_misinfo_feb_2019

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Sjterp ds_of_misinfo_feb_2019

Similar a Sjterp ds_of_misinfo_feb_2019 (20)

Más de bodaceacat

Más de bodaceacat (20)

Último

Último (20)

Sjterp ds_of_misinfo_feb_2019

Notas del editor