'Robin Sage' Social Hoax Duped Military, Security Pros
ancientribe writes "A social networking experiment of a phony female military security professional known as 'Robin Sage' (named after a US Army Special Forces training exercise) worked way too well, fooling even the most security-savvy professionals on LinkedIn, Facebook, and Twitter. It also led to the leakage of sensitive military information after an Army Ranger accepted 'Robin's' friend request on Facebook and his photos from Afghanistan exposed geolocation information accessible to 'Robin.' The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation."
Is the fake facebook profile: http://www.facebook.com/robin.sage.641a
Posts not to be taken literally. Almost everything is sarcasm.
I thought that Facebook resized all uploaded photos... I don't have a Facebook account to test... Is Facebook purposefully copying over the geolocation information from camera-phones into the resized images, or was location determined by surrounding land features?
fooling even the most security-savvy professionals
Obligatory: I don't think that word means what you think it means.
Cool!
...but anyone who has ever thought about going for the long tab would catch that name. Robin Sage, really? Come on!
THL phish sticks
that anyone in Iraq and Afghanistan could tell you where the soldiers are. It's not like they're hiding or something. The "geolocation" stuff is just silly.
Don't take life so seriously. No one makes it out alive.
If there is sensitive military information on Twitter, Facebook, or LinkedIn, it's already compromised, and badly. I mean come on, this is a non-story.
What he can't kill, he has sex on. Trent.
It's obvious to me that what we think of as a "modern army" is more obsolete than Windows ME. They are extremely expensive to maintain, prone to misadventure, and they often become nothing more than tools to enrich corporations at the expense of native peoples and the soldiers themselves.
We need a distributed, open-source approach to self defense. Look at the successes of Hezbollah against the Israeli army in the 2006 assault on Lebanon. For the first time, a native militia completely broke the advance of a modern Western army. And we will see this pattern occur again, and again, and again, until we learn that the most effective form of military action is motivated people defending their own land against a foreign invader.
Political power comes out of the barrel of a gun, which is why the government has no interest in allowing you to own RPGs or Stingers. It's funny how you never hear of some disgruntled Shi'a in Lebanon taking a rocket launcher to a school and slaughtering a bunch of kids. But of course, that would make it more difficult for the Federal Empire to incarcerate all the Jews or Japanese or Muslims or whoever the flavor of the week evil is.
Government is the answer to a question nobody should have asked. The answer to, "What will protect me?" or "What will lead to my prosperity?" is ALWAYS AND ONLY YOURSELF.
When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him.
sage goes in all fields.
Just another indicator that "social networking" sites are complete bollocks and that (stupid) users (are everywhere and) will click on just about everything. "Friend? Sure .. Whatever ... CLICK" ... and if it is a porn model emo goth chick there will be even more clicks.
That was used to dupe all these people again?
If someone is putting up classified information in a publicly accessible location (even if it's restricted by the user giving explicit permission), isn't that the source of the information leak? Hasn't it already escaped the secure environment? Jeremiah Grossman even points this out. (I do like how they indicate he was duped, when he indicates that it's an automatic facebook bot that runs on his behalf that accepts all requests automatically - that isn't 'his' account.)
Of course, this assumes that the information was considered secure in the first place. I'm not sure you'd call it a security leak if the policy is to allow that information to be accessible to the public.
That aside, isn't this just an online-only update of the standard telephony scam that the military actually sponsored and publicized back in the late 60's/early 70's? To show how social engineering worked, they sat a woman down in a room with a phonebook and a phone, and asked her to get some general's schedule or something, and it took about 40 minutes?
We are already aware of the fact that organizations have social structures which allow for manipulation. Was there anything constructive about this, like a 'policies to avoid this' list? Or was this just another fluff piece, reiterating what was already well established?
Life imitating art:
http://en.wikipedia.org/wiki/Tuttle_(M*A*S*H)
The world's burning. Moped Jesus spotted on I50. Details at 11.
I thought Facebook sanitized uploaded photos of their metadata in the process of resizing them for display on the internet?
I just checked an uploaded JPG against an original, and yes indeed Facebook does sanitize the metadata. I wonder where the geolocation info came from?
I think the point may be that they thought the photos were safe to publish, but forgot to strip the geotagging data out of them.
Most people are aware that high explosives generate powerful and destructive shockwaves, and can fling shrapnel for startling distances at frightening velocities. However, they'll still watch Mythbusters, because actually seeing high explosives demonstrated is cool.
Anyone who doesn't find a real-world demonstration of social engineering fascinating and instructive is either waaaay too jaded, or is trying waaaay too hard to pose as being jaded because of a mistaken association between cynicism and cool.
Besides, a reminder of the ongoing effectiveness of social engineering is always good, especially in light of all the interesting vectors now available.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Like everyone else I'm not surprised; I find this to be pretty funny. Units in the army are "required" to have Facebook pages and put up pictures of everything that they do. It's not all that hard to know everything you want to know about a commander and his family, where he lives and what he drives, without leaving your home.
So right now it's not a big concern but just wait until we have another war and I mean a country-on-country someone who can stand up to the USA war and this stuff will become a HUGE problem.
Linkedin profile is gone
It is unwise to ascribe motive
Social engineering works - who knew?
Not Fucking Up 101 incorporates not believing some random person on the Internet (or in real life) who says they have a particular position. It would also encompass not posting pictures of your location to the Internet.
So the question we really need to ask is not, "How could the military/government be so dumb?" but, "What connections do these researchers have with the government, and what are they actually trying to achieve with this theatre?"
It would be so enticing for the "hacker community" to believe the story because it inflates their already unwarrantedly large egos: we're just so much smarter than the average person at solving puzzles, right? The government surely only employs easily duped idiots - even in significant security positions - whereas we are geniuses operating from our basements.
Bullshit.
All we've learnt from this is that Robin isn't what Robin's page initially claimed she is. As for what's actually going on, independent evidence is appropriately lacking.
Use the hormone appeal weapon of mass population. Works really well with isolated soldiers.
This isn't really surprising, nor do I think it's worthy of time at Black Hat, IMHO. The U.S. Military set themselves up for failure already a couple months back by allowing soldiers to openly use Twit-Face-book and any other blogging/social-network internet-enabled apparatus on their NIPRNET network and not enforcing any, for lack of a better term, real punishment for being stupid and giving away whatever the military defines as OPSEC-level information.
I was surprised myself, being an Iraqi war veteran, when I got back home, that all the time I was told to be very elusive when talking about where you are located overseas was a joke. Giving up that information, like geo-location, really isn't something to piss your pants over considering all the local Middle Easterners already know where the hell all our camps/FOBs/bases are at and the fact that it's online already. Just another case of a lonely horn-dog Army bush-wacker, flexing his muscles and telling his war stories online, looking to get some 'tang.
Keep your troll comments to yourself, I did my time in the military (and was deployed to Iraq), I know, as well as anyone with any amount of common sense, that this is plausible truth.
Security Nerds 0 Fake Pussy 1
EGOTIST, n. A person of low taste, more interested in himself than in me.
The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation.
when you have to specify that the woman is real ...
I've long wondered if this profile is a sham... m.facebook.com/profile.php?id=1769812164&rf03ff7fd&refid=7
I don't even live in the States; when I got out of the service as an EOD, this profile sent me a friend request. At first I thought one of my buddies was pranking me, but it's been well over three years. She could very well be a model, decidedly from her profile pics, and seems to only befriend military men... You be the judge.
ON KINKEDIN, FAILBOOK AND TWATTER ????
I don't think there really are any, my dear.
Man she's hot, I was going to ask her to marry me after seeing FB picture. What testosterone driven male wouldn't accept her friend request. Heck even the chick that looks like a dude on her friends list probably wants to bang her.
Geolocation info posted on Facebook is probably already old or completely useless to enemies. They aren't posting where they are RIGHT AT THIS VERY MINUTE (unless it's an airbase in which case the Taliban probably already knows the location). Non-story that gets you kudos at Black Hat. That's the real story in this mishmash of data.
Now that you clicked the link and have a new, hot friend, that might be her in the black suburbans dropping by to say "hi"
This is a non-story. Women and sex have been used for centuries to gather information from, or trick, the enemy. I just think these guys want to see who they can fish out, using an experiment as an excuse to get personal information, like that moron on Craigslist did a few years back. You know, the old "sex sells" argument.
Jack of all trades,master of none
Back when I used to work for the central network operations group on campus, we had a couple of guys on our newly formed security team (this was like 2000; network security was still something we were coming to terms with) who loved to go to all the conferences like Blackhat. Well, any time they came back it was with stories of doom and gloom. They'd talk about the presentations by these people who could do these truly amazing hacks. When this was investigated further, said people turned out to be full of shit.
The one I remember best was a "security company" who talked about their amazing exploit tool for Windows. They could break in to any Windows domain just with a click. It was all they used anymore when clients needed access to something and had forgotten the password. They couldn't release it because MS would sue them, etc, etc. I questioned them more about this and got some sketchy details relating to NT4 and so on. I then went and asked the guy who headed up operations (one of the smartest people I've ever known) if he'd heard about this. He said "Oh ya, it is this old NT4 exploit that only works in certain situations. I've got the tool right here." The security guys were just floored because, indeed, it was what had been talked about and it wasn't nearly so cool (more or less you had to have an NT4 domain and not have fixed a problem with it; it wouldn't work in our 2k domain).
As a more publicly known example, take Joanna Rutkowska, who claimed to have invented amazing undetectable malware using virtualization. Slashdot and so on were all a tizzy about it, and people who are actually VM professionals like VMware said "No, this won't work like you think it will and could be detected even if you could make it work." Here we are years later and what do you know, there are not all sorts of undetectable VM-based malwares running around. She vastly oversold the whole thing.
Shit like this happened all the time, near as I could tell from the stories (I didn't go to the conferences). The haxs0r types going up and crowing about how l33t they are to others and drastically overselling what they were capable of doing. So I am very skeptical. I need to see proof, and not some half-assed presentation where details are kept secret, I mean real proof.
Generally it is not forthcoming.
Being able to "social engineer" someone by lying and convincing them you are someone you aren't doesn't really matter much. So they got to see pictures on Facebook... K. If those pictures WERE classified, then that is the real story (morons posting classified dox on Facebook) if not then it is a non-story. It is a big, wide, gap between convincing someone you are a person you are not, and using that to get them to give you access to sensitive data.
For example: I don't imagine you'd have much trouble using social engineering techniques to convince me you were an employee of the university I work at. Do some background research and so on and you could put up a convincing front, convince me you work here and that you know me through a mutual friend. I'd probably trust you, having no reason not to. You could probably use that to get me to reveal some information that I don't normally post online.
However, all that information would be stuff that is not sensitive. It would be information you could find out yourself anyhow with more investigation.
If you then tried to social engineer your way in to getting access to our switches or root on our servers, you'd find I would become a lot more suspicious, and the police would likely get involved in a hurry. I have a good understanding of what is and is not sensitive here. If someone tries to schmooze their way in to sensitive information, and I haven't been told they are explicitly approved for it, alarm bells go off.
So, basic social engineering doesn't impress me, and shouldn't impress anyone. It isn't hard to lie about the basics. Many people trust fairly easily and they don't see the harm in it. However when you start going after sensitive stuff, that is when it gets hard. If you can succeed there, that is impressive. If not, well then don't go writing a press release about it.
I wish someone would blow up social engineering.
Two of my friends have been over in Iraq for all this recent shit. In many cases, they had Internet access. Usually it was at a net cafe or the like. Where they were was no big secret, and probably could have been traced by IP. In general it wasn't a secret where they were, you could find out where their unit was deployed overall.
Now, when they were out doing something? Well then not so much probably. Could well be classified. However, they weren't posting online about it as, well, they were out doing something.
While the specifics of military operations may be classified, the overall operation is usually not. I mean the military will allow reporters to tag along with them for fuck sake. That our troops have bases in Iraq, and where those bases are is no secret. Not that it really could be, the whole "Tanks and soldiers coming and going," thing kinda gives it away.
If you read TFA it basically says that a bunch of people were tricked into "Friending" this person. So what? How is that, by itself, any more of a security threat than simply being on Facebook etc. at all? Then there's this:
The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.
What does that even mean? GeoIP usually seems to translate to "an IP address", but not too many cameras even have an IP address, much less embed it in a photo. Some cameras do have a GPS and can embed the actual latitude and longitude in the photo, but that wouldn't be GeoIP anything. Later in TFA they change to this:
Ryan says Robin's Facebook profile was able to view coordinates information on where the troops were located.
So what did Robin actually have? The IP address of the computer used to upload the photo? Actual coordinates of some picture taken months or years ago? Coordinates of some picture grabbed off the Internet? Now unless Robin really is some sort of super hacker, simply having someone's IP is NOT the same as having their latitude and longitude. Even here in the US the last time I tried looking up the location of my IP it showed me several hundred miles away, and I'm somehow not expecting the situation to be much better in Afghanistan.
"She" sent me a friend request on 2009/12/31, which I accepted, [hey, there's lots of cute hacker women] but we knew in a few days that something was fishy. See my post to "her" facebook wall on 2010/01/07.
http://www.facebook.com/profile.php?id=100000595856619&v=wall&story_fbid=238154768802&ref=mf
After some background discussion with people in security you might recognize, some of us kept her on our friend list, to see what "she" was up to.
Anyway, thanks to all the corporate and government guys who thought that someone who was a friend of mine must be trustworthy enough to hire. :!
The latest Slashdot meme.
from the article quoting Jeremiah Grossman, CTO and co-founder at WhiteHat Security
Grossman says he coincidentally was writing a Facebook bot when Robin's friend request showed up on his placeholder Facebook profile, which he doesn't actually use. The bot program then accepted Robin as a friend. "I look at Facebook and LinkedIn as public record," Grossman says. "What difference does it make if you vet them or not -- you shouldn't be disclosing" private information on these profiles, he says.
LOL... Bullshit. Nice attempt to cover your ass though.
Posting secret military pictures to your Facebook page is a breach of security, even if all your "friends" on Facebook have security clearance. Facebook itself doesn't have clearance. There's no guarantee Facebook staff can't look at the pictures. There's no guarantee someone can't crack Facebook security and look at the pictures without authorization. And now obviously that "friend" you let look at the pictures could be someone unauthorized.
There's got to be a military rule prohibiting posting such secret pictures to Facebook, or rather a rule allowing disclosure to only proper sites which don't include Facebook. If there is, the Army ranger was the security hole. If there isn't, the ranger was still the security hole, though there's a bigger one in the loose rules that didn't prevent their failure.
--
make install -not war
pleeeeease let this be Meg Ryan's comeback with a splash...
Judging from that pic, I wish she was my friend too.
I do like how they indicate he was duped, when he indicates that it's an automatic facebook bot that runs on his behalf that accepts all requests automatically - that isn't 'his' account.
Yeah, I thought the facebook bot that accepts all friend requests explanation was brilliant. By the way, this post was written by my bot, in case it turns out that I typed something really dumb.
.. when I got her friend request.. she was wearing a lot more clothing!
I keep hearing about this thing from my pre-teen children and their friends.
Is it like that "myspace" thing my kids used to talk about (but which I've heard nothing of for a while)?
And then there's something called "twitter", which I assumed was something to do with a girl guide Nature badge, but possibly I'm wrong about that.
Ah well, enough with my questions about the obsessions of children, I have work to do.
...yes, Mohammed?
"I am sitting here in my mud hut and checking facebook, and son of a pig! Did you know we have infidels sneaking around our territory"?
"No way"!
"Way! Praise be Allah we have facebook to tell us these things, else, we would not know"!
one look at her abs on facebook and i thought, DAYUM girl!
didn't look like a military intelligence professional to me. too damned young.
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
Except overwhelming force.
And the Spanish Inquisition.
NOBODY expects overwhelming force!
...I'll come in again.
Overwhelming force and a liar on Facebook.
NOBODY expects overwhelming force and a liar on Facebook
and a guy pretending to be a girl on the internet.
I think I said something insightful like "Wow, a decade of network security awareness and we're still surprised that humans are the weak link. Go figure."
Humans are dumb. Humans who are faced with somebody they're sexually attracted to are especially dumb. This is not a revelation.
And for pity's sake get these guys a tool to remove EXIF data from photos.
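Several comments above turn on the same technical question: whether a camera's GPS coordinates ride along inside the JPEG (EXIF, not "GeoIP"), how one would check an original against an uploaded copy, and what a tool to strip that data would actually do. The following is an added example written for this thread, not code from the article, the Black Hat talk, or Facebook; it uses only the Python standard library. It walks a JPEG's marker segments, reads the GPS sub-IFD out of the APP1 Exif block (tags 0x8825 for the GPS IFD pointer, 0x0001-0x0004 for latitude/longitude and their N/S/E/W references, per the Exif/TIFF layout), converts the degree/minute/second rationals to decimal degrees, and strips the Exif segment without touching the scan data. The sample JPEG is constructed inline and is a marker skeleton only, not a decodable picture; the coordinates in it are made up.

```python
"""Read and strip EXIF GPS coordinates from a JPEG (stdlib only).

Added example for this discussion, not code from the article or the talk.
SAMPLE_JPEG below is constructed: an Exif APP1 segment carrying a GPS IFD,
plus stub DQT/SOS segments, so it is not a viewable image.
"""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed segment up to and including SOS.

    Walking stops at SOS (0xDA): entropy-coded scan data follows it, not more segments.
    """
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                # EOI reached without any scan data
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        end = pos + 2 + length            # length counts itself but not the marker
        if end > len(jpeg):
            raise ValueError("truncated segment at offset %d" % pos)
        yield marker, pos, end
        if marker == 0xDA:
            return
        pos = end


def _exif_tiff(jpeg):
    """Return the TIFF-structured body of the APP1 Exif segment, or None if absent."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            return jpeg[start + 10:end]
    return None


def _entries(tiff, e, offset):
    """Yield (tag, type, count, 4-byte value field) for each entry of the IFD at offset."""
    (count,) = struct.unpack_from(e + "H", tiff, offset)
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, base)
        yield tag, typ, n, tiff[base + 8:base + 12]


def _ascii(tiff, e, count, raw):
    data = raw[:count] if count <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:count]
    return data.rstrip(b"\x00").decode("ascii", "replace")


def _rationals(tiff, e, count, raw):
    (off,) = struct.unpack(e + "I", raw)  # 8-byte rationals never fit in the value field
    vals = []
    for i in range(count):
        num, den = struct.unpack_from(e + "II", tiff, off + 8 * i)
        vals.append(num / den if den else 0.0)
    return vals


def _dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60.0 + seconds / 3600.0
    return -value if ref.upper() in ("S", "W") else value


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS tags are present."""
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return None
    if tiff[:2] not in (b"II", b"MM"):
        raise ValueError("bad TIFF byte-order mark")
    e = "<" if tiff[:2] == b"II" else ">"
    try:
        magic, ifd0 = struct.unpack_from(e + "HI", tiff, 2)
        if magic != 42:
            raise ValueError("bad TIFF magic")
        gps_off = None
        for tag, typ, n, raw in _entries(tiff, e, ifd0):
            if tag == TAG_GPS_IFD and typ == TYPE_LONG:
                (gps_off,) = struct.unpack(e + "I", raw)
        if gps_off is None:
            return None
        fields = {}
        for tag, typ, n, raw in _entries(tiff, e, gps_off):
            if tag in (TAG_LAT_REF, TAG_LON_REF) and typ == TYPE_ASCII:
                fields[tag] = _ascii(tiff, e, n, raw)
            elif tag in (TAG_LAT, TAG_LON) and typ == TYPE_RATIONAL and n == 3:
                fields[tag] = _rationals(tiff, e, n, raw)
    except struct.error:
        raise ValueError("malformed Exif/TIFF structure")
    if not all(t in fields for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    return (_dms_to_decimal(fields[TAG_LAT], fields[TAG_LAT_REF]),
            _dms_to_decimal(fields[TAG_LON], fields[TAG_LON_REF]))


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment dropped; scan data is untouched."""
    out, last_end = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER):
            out += jpeg[start:end]
        last_end = end
    out += jpeg[last_end:]                # scan data and EOI, copied verbatim
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: SOI, Exif APP1 with a GPS IFD, stub DQT, stub SOS, EOI."""
    e = "<"                               # little-endian TIFF, as most cameras write

    def entry(tag, typ, count, value4):
        return struct.pack(e + "HHI", tag, typ, count) + value4

    ifd0_off = 8                          # directly after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4       # IFD0: count, one entry, next-IFD pointer
    data_off = gps_off + 2 + 4 * 12 + 4   # GPS IFD: count, four entries, next-IFD pointer
    lat_data = b"".join(struct.pack(e + "II", n, d) for n, d in lat_dms)
    lon_data = b"".join(struct.pack(e + "II", n, d) for n, d in lon_dms)
    ifd0 = (struct.pack(e + "H", 1)
            + entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(e + "I", gps_off))
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + entry(TAG_LAT_REF, TYPE_ASCII, 2, lat_ref + b"\x00\x00\x00")
           + entry(TAG_LAT, TYPE_RATIONAL, 3, struct.pack(e + "I", data_off))
           + entry(TAG_LON_REF, TYPE_ASCII, 2, lon_ref + b"\x00\x00\x00")
           + entry(TAG_LON, TYPE_RATIONAL, 3, struct.pack(e + "I", data_off + len(lat_data)))
           + struct.pack(e + "I", 0))
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off) + ifd0 + gps + lat_data + lon_data
    payload = EXIF_HEADER + tiff
    app1 = b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload
    dqt = b"\xFF\xDB" + struct.pack(">H", 6) + b"\x00\x10\x0b\x0c"    # stub, not a real table
    sos = b"\xFF\xDA" + struct.pack(">H", 3) + b"\x01"                  # stub scan header
    return b"\xFF\xD8" + app1 + dqt + sos + b"\x12\x34" + b"\xFF\xD9"


# Made-up coordinates for the constructed sample (degrees, minutes, seconds as rationals).
SAMPLE_JPEG = build_sample_jpeg(((34, 1), (31, 1), (123, 10)), b"N",
                                ((69, 1), (10, 1), (0, 1)), b"E")

if __name__ == "__main__":
    print("before:", extract_gps(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("after:", extract_gps(cleaned), "| bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Running `extract_gps` on a photo straight off the camera and again on the copy downloaded back from the site is exactly the check one commenter above describes; if the second call returns None, the site stripped the segment, which says nothing about who saw the original upload. Two caveats a practitioner would want: `strip_exif` removes only the Exif APP1 segment, and XMP metadata (a different APP1 payload) can carry the same coordinates, so a real tool should drop both; and nothing in the metadata changes what is visible in the picture itself, the "surrounding land features" another commenter raises.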
Finally had enough. Come see us over at https://soylentnews.org/