'Robin Sage' Social Hoax Duped Military, Security Pros
ancientribe writes "A social networking experiment of a phony female military security professional known as 'Robin Sage' (named after a US Army Special Forces training exercise) worked way too well, fooling even the most security-savvy professionals on LinkedIn, Facebook, and Twitter. It also led to the leakage of sensitive military information after an Army Ranger accepted 'Robin's' friend request on Facebook and his photos from Afghanistan exposed geolocation information accessible to 'Robin.' The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation."
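The summary's point about the Ranger's photos is that the geolocation was carried inside the image files themselves, in the Exif GPS block that most camera phones write. The check a defender wants before anything gets uploaded is "does this file carry GPS tags, and can I remove them?". The following is an added example, not part of the Slashdot story or the researcher's material: a dependency-free Python reader that walks a JPEG's marker segments, follows the Exif IFD0 pointer into the GPS IFD, decodes the latitude/longitude rationals, and a stripper that drops the Exif segment entirely. The sample JPEG is a constructed fixture built in `build_sample_jpeg` (a bare Exif segment plus a comment segment, no real image data), and the coordinates in it are made up.

```python
import struct

# JPEG marker values and the Exif tag ids used below (from the JPEG/Exif specs).
SOI, EOI, SOS, APP1, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1, 0xFFFE
GPS_IFD_POINTER = 0x8825
GPS_LATITUDE_REF, GPS_LATITUDE, GPS_LONGITUDE_REF, GPS_LONGITUDE = 0x1, 0x2, 0x3, 0x4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment before the scan data."""
    assert data[:2] == b"\xff\xd8", "not a JPEG (missing SOI)"
    pos = 2
    while pos + 4 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in (SOS, EOI):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw_value_bytes)} for the IFD at the given TIFF offset."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        raw = tiff[e + 8:e + 12]
        size = TYPE_SIZES.get(typ, 1) * n
        if size > 4:  # values wider than 4 bytes live elsewhere; the field is an offset
            off = struct.unpack(endian + "I", raw)[0]
            raw = tiff[off:off + size]
        else:
            raw = raw[:size]
        entries[tag] = (typ, n, raw)
    return entries


def _rational(raw, endian):
    num, den = struct.unpack(endian + "II", raw[:8])
    return num / den if den else 0.0


def _dms_to_decimal(raw, ref, endian):
    """Three RATIONALs (degrees, minutes, seconds) plus an N/S/E/W reference."""
    d, m, s = (_rational(raw[i * 8:(i + 1) * 8], endian) for i in range(3))
    value = d + m / 60 + s / 3600
    return -value if ref in (b"S", b"W") else value


def exif_gps(data):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])[0], endian)
        if GPS_LATITUDE not in gps or GPS_LONGITUDE not in gps:
            return None
        lat = _dms_to_decimal(gps[GPS_LATITUDE][2], gps[GPS_LATITUDE_REF][2][:1], endian)
        lon = _dms_to_decimal(gps[GPS_LONGITUDE][2], gps[GPS_LONGITUDE_REF][2][:1], endian)
        return (round(lat, 6), round(lon, 6))
    return None


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed (image data untouched)."""
    out = bytearray(data[:2])
    pos = 2
    for marker, start, end in iter_segments(data):
        if not (marker == APP1 and data[start + 4:start + 10] == b"Exif\x00\x00"):
            out += data[start:end]
        pos = end
    out += data[pos:]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: a little-endian Exif block with a GPS IFD, a COM segment, EOI."""
    endian = "<"
    gps_ifd_off = 8 + 2 + 12 + 4            # header, then IFD0 with one entry -> 26
    data_off = gps_ifd_off + 2 + 4 * 12 + 4  # GPS IFD with four entries -> 80

    def entry(tag, typ, n, value4):
        return struct.pack(endian + "HHI", tag, typ, n) + value4

    def rationals(dms):
        return b"".join(struct.pack(endian + "II", v, 1) for v in dms)

    tiff = b"II" + struct.pack(endian + "HI", 42, 8)
    tiff += struct.pack(endian + "H", 1)
    tiff += entry(GPS_IFD_POINTER, 4, 1, struct.pack(endian + "I", gps_ifd_off))
    tiff += struct.pack(endian + "I", 0)
    tiff += struct.pack(endian + "H", 4)
    tiff += entry(GPS_LATITUDE_REF, 2, 2, lat_ref + b"\x00\x00\x00")
    tiff += entry(GPS_LATITUDE, 5, 3, struct.pack(endian + "I", data_off))
    tiff += entry(GPS_LONGITUDE_REF, 2, 2, lon_ref + b"\x00\x00\x00")
    tiff += entry(GPS_LONGITUDE, 5, 3, struct.pack(endian + "I", data_off + 24))
    tiff += struct.pack(endian + "I", 0)
    tiff += rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    exif_seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    com_seg = b"\xff\xfe" + struct.pack(">H", 13) + b"constructed"  # stands in for image data
    return b"\xff\xd8" + exif_seg + com_seg + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg((10, 30, 0), b"N", (20, 15, 0), b"W")  # made-up coordinates
    print("before upload:", exif_gps(sample))
    print("after strip:  ", exif_gps(strip_exif(sample)))
```

Run as a pre-upload check, `exif_gps` is the detection side (a non-`None` result means the file would publish a location) and `strip_exif` is the mitigation; on real photos the same walk applies, since the GPS IFD is reached through the `0x8825` pointer in IFD0 regardless of which camera wrote the file.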
I'm pretty sure (Score:5, Insightful)
This is silly (Score:5, Insightful)
Re:I'm pretty sure (Score:3, Insightful)
They probably could, but it is still sheer stupidity to post things like that on Facebook or any other site for that matter: Loose lips sink ships!
Re:the army is obsolete (Score:5, Insightful)
"And we will see this pattern occur again, and again, and again, until we learn that the most effective form of military action is motivated people defending their own land against a foreign invader."
Your military illiteracy is showing. That stuff only works against "foreign invaders" who follow the post-Nuremberg laws that outlaw effective war methods against unconventional opponents. It may help, in concert with other means, tire out an opponent in a non-existential police action, but an opponent who is powerful and free of restraint can make a desolation and call it peace.
Leaked? You mean 'exposed' ? (Score:4, Insightful)
If someone is putting up classified information in a publicly accessible location (even if it's restricted by the user giving explicit permission), isn't that the source of the information leak? Hasn't it already escaped the secure environment? Jeremiah Grossman even points this out. (I do like how they indicate he was duped, when he indicates that it's an automatic facebook bot that runs on his behalf that accepts all requests automatically - that isn't 'his' account.)
Of course, this assumes that the information was considered secure in the first place. I'm not sure you'd call it a security leak if the policy is to allow that information to be accessible to the public.
That aside, isn't this just an online-only update of the standard telephony scam that the military actually sponsored and publicized back in the late 60's/early 70's? To show how social engineering worked, they sat a woman down in a room with a phonebook and a phone, and asked her to get some general's schedule or something, and it took about 40 minutes?
We are already aware of the fact that organizations have social structures which allow for manipulation. Was there anything constructive about this, like a 'policies to avoid this' list? Or was this just another fluff piece, reiterating what was already well established?
Re:Which emo chick is it (Score:3, Insightful)
An apparent [facebook.com] gorgeous, six-pack stomached, bikini wearing, beauty queen interested in bi-sexual encounters.
Fuck, I knew what this was and I almost clicked "Add as Friend" too.
Re:Only link that matters (Score:5, Insightful)
Sadly, for a lot of the targets, that picture was probably all the social engineering that was needed.
Re:This is silly (Score:2, Insightful)
Think of how easy it would be to get the intel to kidnap the good friend/significant other of important military personnel, and think of what the ramifications are.
Re:Leaked? You mean 'exposed' ? (Score:5, Insightful)
Most people are aware that high explosives generate powerful and destructive shockwaves, and can fling shrapnel for startling distances at frightening velocities. However, they'll still watch Mythbusters, because actually seeing high explosives demonstrated [discovery.com] is cool.
Anyone who doesn't find a real-world demonstration of social engineering fascinating and instructive is either waaaay too jaded, or is trying waaaay too hard to pose as being jaded because of a mistaken association between cynicism and cool.
Besides, a reminder of the ongoing effectiveness of social engineering is always good, especially in light of all the interesting vectors now available.
Re:Savvy? (Score:5, Insightful)
I have to take issue with this. Just because you play loose with your "personal" life does not mean you play loose with your security or your privacy. Perhaps you only happen to value privacy in a more limited sphere.
Re:Only link that matters (Score:5, Insightful)
I actually find it rather odd that they chose that picture. I know pretty much instantly that if I get a friend request from a girl in a bikini, unless I know her, it's just spam, and I ignore it. The harder ones are the ones showing people in regular everyday clothing (and a pic that doesn't look like a professional modeling pic). For those, you have to start thinking about whether or not you met this person casually at a party or something once, or if you know them from a class or something.
Just IMHO, I think it would make a lot more sense if they had simply used an attractive girl wearing a t-shirt/jeans or a sweater or something in a regular candid shot - maybe even doing the typical "myspace I'm taking a picture of myself" pose.
Re:Only link that matters (Score:3, Insightful)
> For that, you have to start thinking whether or not you met this persona casually at a party or something once, or if you know them from a class or something.
No, you don't. They're called Facebook friends. The only people in my list are people who are really my friends (or close relatives). Even if I know exactly who they are, I don't accept friend requests from anyone I don't have a strong personal relationship with.
And I know who all of those people are. No hard thinking required.
Re:Only link that matters (Score:5, Insightful)
Re:the army is obsolete (Score:5, Insightful)
Yes, and for that I'm eternally grateful, in much the same way my mother once got free dental work in France because her father had fought in the war (though mainly in Belgium and the Netherlands, then into Germany) and the dentist thought it was the least he could do to repay the debt he felt he owed to America. I know it's fashionable to make fun of France and whatnot, but they're not bad people, and they are America's oldest friend.
Re:Only link that matters (Score:4, Insightful)
Just IMHO, I think it would make a lot more sense if they had simply used an attractive girl wearing a t-shirt/jeans or a sweater or something in a regular candid shot - maybe even doing the typical "myspace I'm taking a picture of myself" pose.
Based on who friended 'her' and the kind of information 'she' was able to obtain, I'd say the choice of photo worked pretty damn well.
Re:Only link that matters (Score:2, Insightful)
That makes the people who accepted her friend invites a little less shameful in my opinion.
I was able to discover this tidbit of information by clicking on the racy profile picture in an attempt to see more. Given that I already knew at that point that she was a security researcher posing as a Russian spy posing as a Defense Dept. employee, I am inclined to judge myself much more harshly than the folks named in the parent article.
Re:I'm pretty sure (Score:3, Insightful)
When they are in the shit, they are not likely to be hitting on chicks on facebook.
Anyone who has internet connectivity is probably at a base that can be found on the Jane's website or Wikipedia, and Google Mapped to get recent satellite pictures.
Which is pretty pointless, since the "insurgents" already know where the bases are, and what they look like, and way more about their vulnerabilities than a satellite picture is going to reveal.
There's nothing more costly to security than security based on false fears.
Re:I'm pretty sure (Score:2, Insightful)
What the hell else would you compile them from??