Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Robin Sage' Social Hoax Duped Military, Security Pros

Posted by timothy on from the keep-mum-about-this-job dept.

ancientribe writes "A social networking experiment of a phony female military security professional known as 'Robin Sage' (named after a US Army Special Forces training exercise) worked way too well, fooling even the most security-savvy professionals on LinkedIn, Facebook, and Twitter. It also led to the leakage of sensitive military information after an Army Ranger accepted 'Robin's' friend request on Facebook and his photos from Afghanistan exposed geolocation information accessible to 'Robin.' The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation."

26 of 191 comments (clear)

  1. Only link that matters by Spazztastic · · Score: 4, Informative

    Is the fake facebook profile: http://www.facebook.com/robin.sage.641a

    --
    Posts not to be taken literally. Almost everything is sarcasm.
    1. Re:Only link that matters by RollingThunder · · Score: 4, Insightful

      Sadly, for a lot of the targets, that picture was probably all the social engineering that was needed.

    2. Re:Only link that matters by MBGMorden · · Score: 4, Insightful

      I actually find it rather odd that they choose that picture. I know pretty much instantly that if I get a friend request of a girl in a bikini - unless I know her instantly I know it's just spam and ignore it. The harder ones are the ones showing people in regular everyday clothing (and a pic that doesn't look like it's a professional modeling pic). For that, you have to start thinking whether or not you met this persona casually at a party or something once, or if you know them from a class or something.

      Just IMHO, I think it would make a lot more sense if they had simply used an attractive girl wearing a t-shirt/jeans or a sweater or something in a regular candid shot - maybe even doing the typical "myspace I'm taking a picture of myself" pose.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    3. Re:Only link that matters by xant · · Score: 3, Insightful

      > For that, you have to start thinking whether or not you met this persona casually at a party or something once, or if you know them from a class or something.

      No, you don't. They're called Facebook friends. The only people in my list are people who are really my friends (or close relatives). Even if I know exactly who they are, I don't accept friend requests from anyone I don't have a strong personal relationship with.

      And I know who all of those people are. No hard thinking required.

      --
      It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
    4. Re:Only link that matters by trentblase · · Score: 4, Insightful

      They may be called Facebook "friends", but that is just Facebook's nomenclature for "a person with whom you want to share at least a subset of your Facebook information". News flash: Windows' "folders" aren't real folders, Twitter's "tweets" do not come from little birds, and you are not in physical contact with your Linkedin "connections."

    5. Re:Only link that matters by Tsunayoshi · · Score: 3, Insightful

      Just IMHO, I think it would make a lot more sense if they had simply used an attractive girl wearing a t-shirt/jeans or a sweater or something in a regular candid shot - maybe even doing the typical "myspace I'm taking a picture of myself" pose.

      Based on who friended 'her' and the kind of information 'she' was able to obtain, I'd say the choice of photo worked pretty damn well.

      --
      "Get a bicycle. You will not regret it, if you live." - Mark Twain, "Taming the Bicycle"
    6. Re:Only link that matters by gstoddart · · Score: 3, Funny

      I actually find it rather odd that they choose that picture. I know pretty much instantly that if I get a friend request of a girl in a bikini - unless I know her instantly I know it's just spam and ignore it.

      Dude, TFS says he's a friggin' Army Ranger.

      With that much testosterone, those guys aren't going to immediately assume it's spam. They're just going to assume they don't remember her. These guys walk with swagger because they know they're carrying an Army issued Big Pair (TM), which likely clouds their judgement sometimes.

      I'd say more about TFA, but Firefox is telling me that the URL is redirecting in a way that can never resolve, so I have no idea of what it actually says. :-P

      --
      Lost at C:>. Found at C.
    7. Re:Only link that matters by hannson · · Score: 3, Funny

      News flash: Windows' "folders" aren't real folders, Twitter's "tweets" do not come from little birds, and you are not in physical contact with your Linkedin "connections."

      But cybersex still counts, right?

  2. Did he get to talk to a real girl? by Anonymous Coward · · Score: 3, Funny

    Cool!

  3. duped some military.... by gandhi_2 · · Score: 4, Informative

    ...but anyone who has ever thought about going for the long tab would catch that name. Robin Sage, really? Come on!

    --
    THL phish sticks
  4. I'm pretty sure by jim_v2000 · · Score: 4, Insightful

    that anyone in Iraq and Afghanistan could tell you where the soldiers are. It's not like they're hiding or something. The "geolocation" stuff is just silly.

    --
    Don't take life so seriously. No one makes it out alive.
    1. Re:I'm pretty sure by twidarkling · · Score: 4, Funny

      Portage. It's not just for birchbark canoes.

      --
      Canada: The US's more awesome sibling.
    2. Re:I'm pretty sure by oiron · · Score: 4, Funny

      They're compiling ships from source now?

      Fascinating!

  5. This is silly by Darkman,+Walkin+Dude · · Score: 4, Insightful

    If there is sensitive military information on twitter, facebook, or linkedin, its already compromised, and badly. I mean come on, this is a non story.

    --
    What he can't kill, he has sex on. Trent.
  6. Re:the army is obselete by couchslug · · Score: 4, Insightful

    "And we will see this pattern occur again, and again, and again, until we learn that the most effective form of military action is motivated people defending their own land against a foreign invader."

    Your military illiteracy is showing. That stuff only works against "foreign invaders" who follow the post-Nuremburg laws that outlaw effective war methods against unconventional opponents. It may help, in concert with other means, tire out an opponent in a non-existential police action, but an opponent who is powerful and free of restraint can make a desolation and call it peace.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  7. Re:the army is obselete by bsDaemon · · Score: 5, Informative

    I have no idea how this is relevant, and you're probably trolling, but seriously... the 2006 Lebanon war was NOT the first time a guerrilla army turned back regular forces. Look at the Anglo-Irish war from 1918-1921 for an example, or friggin' Vietnam. Or Afghanistan... every time anyone has ever tried to invade Afghanistan (the British twice, the Soviets, Alexander the Great, even). As to the rest of your post, your UID is low enough that you should be old enough to know better. Quit being 16, it's not becoming.

  8. Leaked? You mean 'exposed' ? by quietwalker · · Score: 3, Insightful

    If someone is putting up classified information in a publicly accessible location (even if it's restricted by the user giving explicit permission), isn't that the source of the information leak? Hasn't it already escaped the secure environment? Jeremiah Grossman even points this out. (I do like how they indicate he was duped, when he indicates that it's an automatic facebook bot that runs on his behalf that accepts all requests automatically - that isn't 'his' account.)

    Of course, this assumes that the information was considered secure in the first place. I'm not sure you'd call it a security leak if the policy is to allow that information to be accessible to the public.

    That aside, isn't this just an online-only update of the standard telephony scam that the military actually sponsored and publicized back in the late 60's/early 70's? To show how social engineering worked, they sat a woman down in a room with a phonebook and a phone, and asked her to get some general's schedule or something, and it took about 40 minutes?

    We are already aware of the fact that organizations have social structures which allow for manipulation. Was there anything constructive about this, like a 'policies to avoid this' list? Or was this just another fluff piece, reiterating what was already well established?

  9. Re:the army is obselete by bsDaemon · · Score: 3, Informative

    We were actually not doing too very well before regular military discipline was brought in by Von Stueben and some other European career officers who came over to help their Freemason brothers further the Enlightenment. The French naval blockade of the Chesapeake Bay and some bad weather up the York River didn't hurt either.

  10. Re:Leaked? You mean 'exposed' ? by idontgno · · Score: 4, Insightful

    Most people are aware that high explosives generate powerful and destructive shockwaves, and can fling shrapnel for startling distances at frightening velocities. However, they'll still watch Mythbusters, because actually seeing high explosives demonstrated is cool.

    Anyone who doesn't find a real-world demonstration of social engineering fascinating and instructive is either waaaay too jaded, or is trying waaaay too hard to pose as being jaded because of a mistaken association between cynicism and cool.

    Besides, a reminder of the ongoing effectiveness of social engineering is always good, especially in light of all the interesting vectors now available.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  11. Re:the army is obselete by jfoobaz · · Score: 5, Funny

    The French naval blockade of the Chesapeake Bay and some bad weather up the York River didn't hurt either.

    Yeah, if it weren't for the French, Americans would be speaking English today.

  12. Re:Savvy? by spazdor · · Score: 4, Insightful

    I have to take issue with this. Just because you play loose with your "personal" life does not mean you play loose with your security or your privacy. Perhaps you only happen to value privacy in a more limited sphere.

    --
    DRM: Terminator crops for your mind!
  13. I simply do not believe any of this by FuckingNickName · · Score: 4, Interesting

    Not Fucking Up 101 incorporates not believing some random person on the Internet (or in real life) who says they have a particular position. It would also encompass not posting pictures of your location to the Internet.

    So the question we really need to ask is not, "How could the military/government be so dumb?" but, "What connections do these researchers have with the government, and what are they actually trying to achieve with this theatre?"

    It would be so enticing for the "hacker community" to believe the story because it inflates their already unwarrantedly large egos: we're just so much smarter than the average person at solving puzzles, right? The government surely only employs easily duped idiots - even in significant security positions - whereas we are geniuses operating from our basements.

    Bullshit.

    All we've learnt from this is that Robin isn't what Robin's page initially claimed she is. As for what's actually going on, independent evidence is appropriately lacking.

  14. Re:the army is obselete by bsDaemon · · Score: 5, Insightful

    Yes, and for that I'm eternally grateful, in much the same way my mother once got free dental work in France because her father had fought in the war (though mainly in Belgium and the Netherlands, then into Germany) and the dentist thought it was the least he could do to repay the debt he felt he owed to America. I know its fashionable to make fun of France and whatnot, but they're not bad people, and they are America's oldest friend.

  15. Re:the army is obselete by bsDaemon · · Score: 3, Informative

    No, Libertarian Socialism is the technical term for Anarchism. One of the founding intellectuals of the movement, Mikhail Bakunin, was an outspoken opponent of Marx in the First International, saying that Marxist Communism would lead to a "Red Bureaucracy" and was a betrayal of Socialist principles.

    Basically, the idea in Libertarian Socialism is for free individuals to group themselves on direct democratic principles along lines of free association, rather than submitting to a State that is purely an exercise of force. The Libertarian party in the US was infested by Randism and combines the anti-authoritarian aspect of libertarianism with unfettered capitalistic greed. Libertarian Socialism/Anarchism requires that people act in the group interest for the common good, but getting people to do that isn't exactly easy, which is why it wouldn't work on large scale.

    Modern Left-Center type of "Social Democrats" were always viewed by both Anarchists and Communists as "counter-revolutionary," but that's the model that won out in most of Europe and which the US Democratic Party tends to lean as well. It's relatively benign, but seems to scare people on the economic right and let down people on the economic and social left quite often for not going "too far enough"

  16. I take anything from the haxs0r types with salt by Sycraft-fu · · Score: 4, Interesting

    Back when I used to work for the central network operations group on campus, we had a couple of guys on our newly formed security team (this was like 2000, network security was still something we were coming to terms with) who loved to go to all the conferences like Blackhat. Well any time they came back it was with stories of doom and gloom. They talk about the presentations by these people who could do these truly amazing hacks. When this was investigated further, said people turned out to be full of shit.

    The one I remember best was a "security company" who talked about their amazing exploit tool for Windows. They could break in to any Windows domain just with a click. It was all they used anymore when clients needed access to something and had forgot the password. They couldn't release it because MS would sue them, etc, etc. I questioned them more about this and got some sketchy details relating to NT4 and so on. I then went and asked the guy who headed up operations (one of the smartest people I've ever known) if he'd heard about this. He said "Oh ya, it is this old NT4 exploit that only works in certain situation. I've got the tool right here." the security guys were just floored because, indeed it was what had been talked about and it wasn't nearly so cool (more or less you had to have an NT4 domain and not have fixed a problem with it, wouldn't work in our 2k domain).

    As a more publicly known example, take Joanna Rutkowska who claimed to have invented amazing undetectable malware using virtualization. Slashdot and so on were all a tizzy about it, and people who are actually VM professionals like VMWare said "No, this won't work like you think it will and could be detected even if you could make it work." Here we are years later and what do you know, there are not all sorts of undetectable VM based malwares running around. She vastly oversold the whole thing.

    Shit like this happened all the time, near as I could tell from the stories (I didn't go to the conferences). The haxs0r types going up and crowing about how l33t they are to others and drastically overselling what they were capable of doing. So I am very skeptical. I need to see proof, and not some half-assed presentation where details are kept secret, I mean real proof.

    Generally it is not forthcoming.

  17. Re:Savvy? by Securityemo · · Score: 3, Interesting

    In what way would mere "drunk photos" be a threat to my job security? And, if something was a direct threat to my job security why on earth would I put it on facebook? The greater risk would be that "friends" uploaded embarrasing photos, but it would take something like me dual-swilling crack and vodka while fucking a pig for it to affect me so much as to be blackmail material. Lastly, do you really think that I would be so inane as to use passwords that could be reasonably predicted from knowing such things? Even more lastly, how do you know that I don't use subtly false information on social networks in order to both defend and keep track of if someone tries to use that information against me in an attack?

    --
    Emotions! In your brain!