Tags: Security, Social Networks, The Military, United States, IT

'Robin Sage' Social Hoax Duped Military, Security Pros

Posted by timothy
from the keep-mum-about-this-job dept.
ancientribe writes "A social networking experiment of a phony female military security professional known as 'Robin Sage' (named after a US Army Special Forces training exercise) worked way too well, fooling even the most security-savvy professionals on LinkedIn, Facebook, and Twitter. It also led to the leakage of sensitive military information after an Army Ranger accepted 'Robin's' friend request on Facebook and his photos from Afghanistan exposed geolocation information accessible to 'Robin.' The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation."
  • by Spazztastic (814296) <[moc.liamg] [ta] [citsatzzaps]> on Wednesday July 07, 2010 @12:12PM (#32827542)

    Is the fake facebook profile: http://www.facebook.com/robin.sage.641a [facebook.com]

    • by Culture20 (968837)
      I don't know about that. The link to view all of "Robin"'s dupe^Wfriends would be interesting. I kind of want to see if she and I have any friends in common.
    • Re: (Score:2, Insightful)

      by gregrah (1605707)
      It appears that her profile pic up until June 27th was much less provocative [facebook.com].

      That makes the people who accepted her friend invites a little less shameful in my opinion.

      I was able to discover this tidbit of information by clicking on the racy profile picture in attempt to see more. Given that I already knew at that point that she was a security researcher posing as a Russian spy posing as a Defense Dept. employee - I am inclined to judge myself much more harshly than the folks named in the parent arti
  • by Anonymous Coward on Wednesday July 07, 2010 @12:16PM (#32827594)

    Cool!

  • by gandhi_2 (1108023) on Wednesday July 07, 2010 @12:18PM (#32827632) Homepage

    ...but anyone who has ever thought about going for the long tab would catch that name. Robin Sage, really? Come on! [wikipedia.org]

    • What's even worse is that when you do a Google image search for "Robin Sage" (with the quotes) the whole page is nothing but pictures of Special Forces in training. If a Google search for the straight term doesn't clue you in, you're freaking hopeless.

      I think the sad thing is that 'security professionals' at least at the Federal level rely too much on internal systems and don't go looking for anything themselves. 'Oh well they're not in our Super Awesome Database (SAD) so I guess there's no problem and we'
      • by gknoy (899301)

        Perhaps google image searches are banned. :)

        I wonder, does filtering one's access to things like that increase the risk of social engineering?

    • Only if they were thinking with their brain at the time.

    • And her FB profile name includes 641a. That's the AT&T wiretap room number.

      Hackers use fake names [Bob Cat is not my given name]. The name "Robin Sage" was an excellent choice for a hacker girl. However, 641a is not something anyone with a clearance would use.

    • > ...but anyone who has ever thought about going for the long tab would catch that name. Robin Sage, really? Come on! [wikipedia.org]

      Well, it's not unusual for people to use fake names on Facebook, especially in the light of recent security issues. I have a sizable fraction of friends (and they are actual friends) who use fake names because they don't want all their data, photos, etc being so easily available to potential employers, family, or strangers. Such a fake name as Robin Sage probably worked in the h

    • by jbezorg (1263978)

      Imagine these four people's [linkedin.com] shock and horror as they poofed out of existence because of gandhi_2's logic.

      • by gandhi_2 (1108023)

        I don't doubt that there are people in the world with the name, but it would certainly ring a bell with many in the military world... not just US, either.

        But if they poofed out of existence, they would experience neither shock, nor horror.

  • I'm pretty sure (Score:5, Insightful)

    by jim_v2000 (818799) on Wednesday July 07, 2010 @12:21PM (#32827676)
    that anyone in Iraq and Afghanistan could tell you where the soldiers are. It's not like they're hiding or something. The "geolocation" stuff is just silly.
    • Re: (Score:3, Insightful)

      by Mushdot (943219)

      They probably could, but it is still sheer stupidity to post things like that on Facebook or any other site for that matter: Loose lips sink ships!

    • Two of my friends have been over in Iraq for all this recent shit. In many cases, they had Internet access. Usually it was at a net cafe or the like. Where they were was no big secret, and probably could have been traced by IP. In general it wasn't a secret where they were, you could find out where their unit was deployed overall.

      Now, when they were out doing something? Well then not so much probably. Could well be classified. However, they weren't posting online about it as, well, they were out doing somet

  • This is silly (Score:5, Insightful)

    by Darkman, Walkin Dude (707389) on Wednesday July 07, 2010 @12:21PM (#32827678) Homepage
    If there is sensitive military information on Twitter, Facebook, or LinkedIn, it's already compromised, and badly. I mean come on, this is a non-story.
    • Re: (Score:2, Insightful)

      by Haffner (1349071)
      I don't understand why Facebook, Twitter, and social media in general aren't explicitly banned by the Army. Given access to the average person's Facebook page (even as a non-friend, and especially with the "suggested" privacy settings) any slightly skilled user can quickly discern who their good friends are, what they do, where they work, where they live, and most importantly, what they look like.

      Think of how easy it would be to get the intel to kidnap the good friend/significant other of important militar

      • by tibman (623933)

        They shouldn't have to ban anything though. People can keep their work and social lives separate. There's no need to ban anyone's online social life.

        I would say celebrities are more at risk from online stalkers/weirdos than military guys.

    • by jdgeorge (18767)

      What!?! Now where am I going to keep my password list?

  • That was used to dupe all these people again?
    • Re: (Score:3, Insightful)

      by garcia (6573)

      An apparently [facebook.com] gorgeous, six-pack stomached, bikini wearing, beauty queen interested in bi-sexual encounters.

      Fuck, I knew what this was and I almost clicked "Add as Friend" too.

  • by quietwalker (969769) <pdughi@gmail.com> on Wednesday July 07, 2010 @12:34PM (#32827864)

    If someone is putting up classified information in a publicly accessible location (even if it's restricted by the user giving explicit permission), isn't that the source of the information leak? Hasn't it already escaped the secure environment? Jeremiah Grossman even points this out. (I do like how they indicate he was duped, when he indicates that it's an automatic facebook bot that runs on his behalf that accepts all requests automatically - that isn't 'his' account.)

    Of course, this assumes that the information was considered secure in the first place. I'm not sure you'd call it a security leak if the policy is to allow that information to be accessible to the public.

    That aside, isn't this just an online-only update of the standard telephony scam that the military actually sponsored and publicized back in the late 60's/early 70's? To show how social engineering worked, they sat a woman down in a room with a phonebook and a phone, and asked her to get some general's schedule or something, and it took about 40 minutes?

    We are already aware of the fact that organizations have social structures which allow for manipulation. Was there anything constructive about this, like a 'policies to avoid this' list? Or was this just another fluff piece, reiterating what was already well established?

    • by idontgno (624372) on Wednesday July 07, 2010 @12:44PM (#32828030) Journal

      Most people are aware that high explosives generate powerful and destructive shockwaves, and can fling shrapnel for startling distances at frightening velocities. However, they'll still watch Mythbusters, because actually seeing high explosives demonstrated [discovery.com] is cool.

      Anyone who doesn't find a real-world demonstration of social engineering fascinating and instructive is either waaaay too jaded, or is trying waaaay too hard to pose as being jaded because of a mistaken association between cynicism and cool.

      Besides, a reminder of the ongoing effectiveness of social engineering is always good, especially in light of all the interesting vectors now available.

      • Being able to "social engineer" someone by lying and convincing them you are someone you aren't doesn't really matter much. So they got to see pictures on Facebook... K. If those pictures WERE classified, then that is the real story (morons posting classified dox on Facebook) if not then it is a non-story. It is a big, wide, gap between convincing someone you are a person you are not, and using that to get them to give you access to sensitive data.

        For example: I don't imagine you'd have much trouble using s

      • by blair1q (305137)

        I wish someone would blow up social engineering.

  • Life imitating art:
    http://en.wikipedia.org/wiki/Tuttle_(M*A*S*H) [wikipedia.org]

  • Geolocation? (Score:3, Interesting)

    by pgn674 (995941) on Wednesday July 07, 2010 @12:39PM (#32827946) Homepage
    I thought Facebook sanitized uploaded photos of their metadata in the process of resizing them for display on the internet?

    I just checked an uploaded JPG against an original, and yes indeed Facebook does sanitize the metadata. I wonder where the geolocation info came from?
    • Maybe there was a photo of a soldier with a map/GPS/sextant? Maybe triangulation with some recognizable mountain peaks or other landmarks? Maybe just the night sky?
  • Social engineering works - who knew?

  • by FuckingNickName (1362625) on Wednesday July 07, 2010 @12:52PM (#32828136) Journal

    Not Fucking Up 101 incorporates not believing some random person on the Internet (or in real life) who says they have a particular position. It would also encompass not posting pictures of your location to the Internet.

    So the question we really need to ask is not, "How could the military/government be so dumb?" but, "What connections do these researchers have with the government, and what are they actually trying to achieve with this theatre?"

    It would be so enticing for the "hacker community" to believe the story because it inflates their already unwarrantedly large egos: we're just so much smarter than the average person at solving puzzles, right? The government surely only employs easily duped idiots - even in significant security positions - whereas we are geniuses operating from our basements.

    Bullshit.

    All we've learnt from this is that Robin isn't what Robin's page initially claimed she is. As for what's actually going on, independent evidence is appropriately lacking.

    • Re: (Score:3, Interesting)

      by John Hasler (414242)

      > "How could the military/government be so dumb?"

      By consisting of normal human beings.

      > It would be so enticing for the "hacker community" to believe the story
      > because it inflates their already unwarrantedly large egos: we're just so
      > much smarter than the average person at solving puzzles, right?

      The "hacker community" also consists of normal human beings. People outsmart each other all the time. It's what they do.

      > The government surely only employs easily duped idiots - even in
      > signi

      • People are often gullible. Especially when they have led each other to believe that they are not.

        For example, the guy described in the article has led /. to believe that he has managed independently to fool a heap of significant people in some way.

        And, no, resting on your laurels is precisely the worst thing to do in such an environment. You are arguing that senior surgeons get lazy and start killing patients.

        The fact that you tolerate and even support the government (any government) in its "security" operations is proof that you are also gullible.

        Wait, what? I implied that the government employs a lot of damn smart people in security. I didn't say I tolerated or supported anything.

      • by e2d2 (115622)

        I must be gullible as hell then because I support the US intelligence services. Why? Because as crazy as it sounds, there really are people scheming to take advantage of us. Someone has to stand on the wall, as fucked up as that is. That's what lets us float around acting ignorant, someone out there is doing things on our behalf, sometimes terrible things.

        I just watch like a bystander because the idea that my acceptance makes it legit, is well, ridiculous. I have no say in the matter.

        • by BobMcD (601576)

          'US intelligence' aren't the ones 'standing on the wall'. They have 18 year olds who couldn't find any other form of employment for that, seeing as it involves actual dying and whatnot.

          Likely, those in 'intelligence' are out meddling in the affairs of other sovereignties, and are presently laying the foundation for our next wall of names dedicated to a pointless 'war'.

          It is one thing to 'support the troops' - as in the guys who couldn't get a better job and whose lives are the first ones laid down when it

    • by Sycraft-fu (314770) on Wednesday July 07, 2010 @01:47PM (#32828752)

      Back when I used to work for the central network operations group on campus, we had a couple of guys on our newly formed security team (this was like 2000, network security was still something we were coming to terms with) who loved to go to all the conferences like Black Hat. Well, any time they came back it was with stories of doom and gloom. They'd talk about the presentations by these people who could do these truly amazing hacks. When this was investigated further, said people turned out to be full of shit.

      The one I remember best was a "security company" who talked about their amazing exploit tool for Windows. They could break in to any Windows domain just with a click. It was all they used anymore when clients needed access to something and had forgotten the password. They couldn't release it because MS would sue them, etc, etc. I questioned them more about this and got some sketchy details relating to NT4 and so on. I then went and asked the guy who headed up operations (one of the smartest people I've ever known) if he'd heard about this. He said "Oh ya, it is this old NT4 exploit that only works in certain situations. I've got the tool right here." The security guys were just floored because, indeed, it was what had been talked about and it wasn't nearly so cool (more or less you had to have an NT4 domain and not have fixed a problem with it; wouldn't work in our 2k domain).

      As a more publicly known example, take Joanna Rutkowska who claimed to have invented amazing undetectable malware using virtualization. Slashdot and so on were all in a tizzy about it, and people who are actually VM professionals like VMWare said "No, this won't work like you think it will and could be detected even if you could make it work." Here we are years later and what do you know, there are not all sorts of undetectable VM based malwares running around. She vastly oversold the whole thing.

      Shit like this happened all the time, near as I could tell from the stories (I didn't go to the conferences). The haxs0r types going up and crowing about how l33t they are to others and drastically overselling what they were capable of doing. So I am very skeptical. I need to see proof, and not some half-assed presentation where details are kept secret, I mean real proof.

      Generally it is not forthcoming.

      • by Spad (470073)

        > Here we are years later and what do you know, there are not all sorts of undetectable VM based malwares running around

        Ah, but if they're undetectable then how do you know that?

        • Three reasons:

          1) It won't work. As I said, see VMWare's comments. They are people who have actually built working VMs and know what they are talking about.

          2) Even if it was, you'd notice the effects. Computer gets rooted, rooted computer is used to do bad shit. That would either trip our IDS's or we'd get an e-mail from people who were getting attacked by said computers (this happens plenty with normal malware).

          3) It cannot be immune to offline diagnostics. Load the disk up in another computer, look at the

      • Yep, this is how it is. Stupidity and ego does not suddenly cease at some magical level of competence. However, your premise that what you have seen is where the ceiling of cracking skills and techniques lie is false. It's just that most people don't bother going above a certain level, since that level of skill gets them what they want - as with your story about the NT4 tool. It's also true that many very advanced techniques are over a decade old, and are hailed as new, as with other things in computing. La
  • by 3seas (184403) on Wednesday July 07, 2010 @12:52PM (#32828140) Journal

    Use the hormone appeal weapon of mass population. Works really well with isolated soldiers.

  • by adosch (1397357) on Wednesday July 07, 2010 @12:52PM (#32828144)

    This isn't really surprising, nor do I think it's worthy of time at Black Hat, IMHO. The U.S. Military set themselves up for failure already a couple months back by allowing soldiers to openly use Twit-Face-book and any other blogging/social-network internet-enabled apparatus on their NIPRNET network [slashdot.org] and not enforcing any, for lack of a better term, real punishment for being stupid and giving away whatever the military defines as OPSEC-level information.

    I was surprised myself, being an Iraqi war veteran, when I got back home that all the time I was told to be very elusive when talking about where you are located overseas was a joke. Giving up that information, like geo-location, really isn't something to piss your pants over considering all the local Middle Easterners already know where the hell all our camps/FOBs/bases are at and the fact that it's online [globalsecurity.org] already. Just another case of a lonely horn-dog Army bush-wacker, flexing his muscles and telling his war stories online, looking to get some 'tang.

    Keep your troll comments to yourself, I did my time in the military (and was deployed to Iraq), I know, as well as anyone with any amount of common sense, that this is plausible truth.

  • Security Nerds 0 Fake Pussy 1
  • > The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation.

    when you have to specify that the woman is real ...

  • Now that you clicked the link and have a new, hot friend, that might be her in the black suburbans dropping by to say "hi"

  • If you read TFA it basically says that a bunch of people were tricked into "Friending" this person. So what? How is that, by itself, any more of a security threat than simply being on Facebook etc. at all? Then there's this:

    > The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.

    What does that even mean? GeoIP usually seems to translate to "an ip address" but not too many cameras even have an IP address much less embed it in a photo. Some cameras do have a gps and can embed the actual latitude and longitude in the photo but that wouldn't be GeoIP anything
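  The two threads above (pgn674's "does Facebook strip the metadata?" and the "GeoIP from the camera" quibble) are really about one thing: GPS-equipped cameras write latitude and longitude into the EXIF GPS IFD inside the JPEG's APP1 segment, and an upload pipeline that re-encodes the image without copying that segment removes them. The following is an added example, not code from the article, the researcher, or any commenter: it constructs a minimal JPEG with invented coordinates (34.5 N, 69.25 E is an arbitrary sample, not any real location), reads the GPS tags back in signed decimal degrees, and strips the APP1/Exif segment the way a sanitizing host would. Everything uses only the Python standard library; the tag numbers (0x8825 GPSInfo, 0x0001-0x0004 for the lat/lon reference and value tags) are the standard EXIF ones.

```python
import struct
from fractions import Fraction

GPSINFO_TAG = 0x8825                       # IFD0 entry that points at the GPS sub-IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL

def _segments(jpeg):
    """Yield (marker, payload, raw_segment) per marker segment after SOI; stop at SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                       # EOI, or SOS: scan data follows
            yield marker, b"", jpeg[pos:]
            return
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end

def _is_exif(marker, payload):
    return marker == 0xE1 and payload.startswith(b"Exif\x00\x00")

def gps_coordinates(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None when there is no GPS IFD."""
    tiff = next((p[6:] for m, p, _ in _segments(jpeg) if _is_exif(m, p)), None)
    if tiff is None:
        return None
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])          # byte order from the TIFF header
    if bo is None or struct.unpack(bo + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header in Exif segment")
    def read_ifd(off):                                   # {tag: (type, count, 4 raw bytes)}
        n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
        entries = {}
        for e in range(off + 2, off + 2 + 12 * n, 12):
            tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
            entries[tag] = (typ, count, tiff[e + 8:e + 12])
        return entries
    def read_value(typ, count, raw):                     # ASCII and RATIONAL only
        size = TYPE_SIZES[typ] * count
        if size <= 4:                                    # value fits in the entry itself
            data = raw[:size]
        else:                                            # otherwise raw is an offset
            off = struct.unpack(bo + "I", raw)[0]
            data = tiff[off:off + size]
        if typ == 2:
            return data.split(b"\x00", 1)[0].decode("ascii")
        if typ == 5:
            n = struct.unpack(bo + "%dI" % (2 * count), data)
            return [Fraction(n[i], n[i + 1]) if n[i + 1] else Fraction(0)
                    for i in range(0, len(n), 2)]
        raise ValueError("unsupported TIFF type %d" % typ)
    ifd0 = read_ifd(struct.unpack(bo + "I", tiff[4:8])[0])
    if GPSINFO_TAG not in ifd0:
        return None
    gps = read_ifd(struct.unpack(bo + "I", ifd0[GPSINFO_TAG][2])[0])
    def coord(ref_tag, val_tag):                         # GPSLatitudeRef/GPSLatitude etc.
        if ref_tag not in gps or val_tag not in gps:
            return None
        ref = read_value(*gps[ref_tag])
        d, m, s = read_value(*gps[val_tag])              # degrees, minutes, seconds
        dec = float(d + m / 60 + s / 3600)
        return -dec if ref in ("S", "W") else dec
    lat, lon = coord(0x0001, 0x0002), coord(0x0003, 0x0004)
    return None if lat is None or lon is None else (lat, lon)

def strip_exif(jpeg):
    """Drop the whole APP1/Exif segment; every other segment is copied through unchanged."""
    out = bytearray(b"\xff\xd8")
    for marker, payload, raw in _segments(jpeg):
        if not _is_exif(marker, payload):
            out += raw
    return bytes(out)

def _dms(deg):                     # decimal degrees -> (deg, min, hundredths-of-sec) RATIONALs
    deg = abs(deg)
    d, m = int(deg), int((deg - int(deg)) * 60)
    s = round(((deg - d) * 60 - m) * 6000)
    return [(d, 1), (m, 1), (s, 100)]

def build_sample_jpeg(lat, lon, comment=b"constructed sample"):
    """Construct a minimal JPEG (SOI, APP1/Exif with IFD0 -> GPS IFD, COM, EOI). Not a real photo."""
    gps_off = 8 + 18                  # TIFF header (8) + IFD0 with one entry (2 + 12 + 4)
    data_off = gps_off + 54           # GPS IFD with four entries (2 + 4*12 + 4), then data
    ifd0 = struct.pack("<HHHIII", 1, GPSINFO_TAG, 4, 1, gps_off, 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", 0x0001, 2, 2, (b"N" if lat >= 0 else b"S") + b"\x00" * 3)
    gps += struct.pack("<HHII", 0x0002, 5, 3, data_off)
    gps += struct.pack("<HHI4s", 0x0003, 2, 2, (b"E" if lon >= 0 else b"W") + b"\x00" * 3)
    gps += struct.pack("<HHII", 0x0004, 5, 3, data_off + 24) + struct.pack("<I", 0)
    rationals = b"".join(struct.pack("<II", n, d) for n, d in _dms(lat) + _dms(lon))
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + rationals
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment + b"\xff\xd9")

if __name__ == "__main__":
    img = build_sample_jpeg(34.5, 69.25)                 # invented coordinates
    print(gps_coordinates(img), gps_coordinates(strip_exif(img)))   # (34.5, 69.25) None
```

  Two caveats a practitioner should keep in mind. First, `strip_exif` removes the entire Exif block, which also discards orientation and camera make; a surgical sanitizer would rewrite the TIFF with the GPS IFD removed. Second, as pgn674's test of a real upload shows, the host stripping metadata only protects you after the upload; the location still leaves your device in the original file, in any copy sent by e-mail or chat, and in anything visible in the frame itself.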

  • > It also led to the leakage of sensitive military information after an Army Ranger accepted 'Robin's' friend request on Facebook and his photos from Afghanistan exposed geolocation information accessible to 'Robin.'

    Posting secret military pictures to your Facebook page is a breach of security, even if all your "friends" on Facebook have security clearance. Facebook itself doesn't have clearance. There's no guarantee Facebook staff can't look at the pictures. There's no guarantee someone can't crack Facebook
