'Robin Sage' Social Hoax Duped Military, Security Pros
ancientribe writes "A social networking experiment of a phony female military security professional known as 'Robin Sage' (named after a US Army Special Forces training exercise) worked way too well, fooling even the most security-savvy professionals on LinkedIn, Facebook, and Twitter. It also led to the leakage of sensitive military information after an Army Ranger accepted 'Robin's' friend request on Facebook and his photos from Afghanistan exposed geolocation information accessible to 'Robin.' The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation."
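The leak described in the summary comes from the EXIF metadata that cameras and phones embed in photos: a GPS IFD with latitude and longitude that travels with the file unless it is stripped before upload. The following is an added example, not code from the story, the researcher, or Slashdot; it parses the APP1 Exif segment of a JPEG with only the standard library, reports any GPS coordinates it finds, and removes the segment. The sample JPEG it builds is constructed (a bare SOI, one Exif segment, EOI, no image data) and the coordinates 12°30'N 45°15'W are arbitrary values chosen for the test, not a real location.

```python
"""Detect and strip GPS coordinates from the EXIF block of a JPEG.

Added example (not from the original page). Standard library only; the
sample file at the bottom is constructed and is not a real photograph.
"""
import struct

SOS, EOI, APP1 = 0xFFDA, 0xFFD9, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825            # IFD0 tag that points at the GPS sub-IFD
# GPS IFD tags: 1/3 are the N/S and E/W reference strings, 2/4 are DMS rationals
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def split_jpeg(jpeg):
    """Return ([(marker, payload), ...], tail); tail is everything from SOS (or EOI) on."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 2 <= len(jpeg):
        marker = struct.unpack(">H", jpeg[pos:pos + 2])[0]
        if marker in (SOS, EOI):        # entropy-coded data follows SOS; stop scanning
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        segments.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]


def join_jpeg(segments, tail):
    """Rebuild a JPEG from marker segments plus the untouched tail."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out + tail)


def _read_ifd(tiff, endian, offset):
    """Parse one TIFF IFD into {tag: (type, count, 4 raw value-or-offset bytes)}."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, endian, raw, count):
    """RATIONAL values never fit in 4 bytes, so raw holds an offset to count (num, den) pairs."""
    off = struct.unpack(endian + "I", raw)[0]
    vals = struct.unpack(endian + "II" * count, tiff[off:off + 8 * count])
    return [n / d for n, d in zip(vals[0::2], vals[1::2])]


def _dms_to_decimal(dms, ref):
    d, m, s = dms
    val = d + m / 60 + s / 3600
    return -val if ref in ("S", "W") else val


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the Exif GPS IFD carries them, else None."""
    segments, _ = split_jpeg(jpeg)
    for marker, payload in segments:
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, endian, struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])[0])
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _dms_to_decimal(_rationals(tiff, endian, gps[GPS_LAT][2], 3),
                              gps[GPS_LAT_REF][2][:1].decode("ascii"))
        lon = _dms_to_decimal(_rationals(tiff, endian, gps[GPS_LON][2], 3),
                              gps[GPS_LON_REF][2][:1].decode("ascii"))
        return lat, lon
    return None


def strip_exif(jpeg):
    """Drop every APP1 Exif segment (the carrier of the GPS IFD) and rebuild the file."""
    segments, tail = split_jpeg(jpeg)
    kept = [(m, p) for m, p in segments if not (m == APP1 and p.startswith(EXIF_HEADER))]
    return join_jpeg(kept, tail)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG: SOI, one little-endian Exif APP1 with only a GPS IFD, EOI."""
    e, ifd0_off, gps_off, lat_off, lon_off = "<", 8, 26, 80, 104
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, gps_off)
    tiff += struct.pack(e + "I", 0)                               # no next IFD
    tiff += struct.pack(e + "H", 4)                               # four GPS entries
    tiff += struct.pack(e + "HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(e + "HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack(e + "HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(e + "HHII", GPS_LON, 5, 3, lon_off)
    tiff += struct.pack(e + "I", 0)
    for v in lat_dms + lon_dms:                                    # six RATIONALs, den = 1
        tiff += struct.pack(e + "II", v, 1)
    payload = EXIF_HEADER + tiff
    return b"\xff\xd8" + struct.pack(">HH", APP1, len(payload) + 2) + payload + b"\xff\xd9"


# Constructed sample: arbitrary coordinates, not a real place.
SAMPLE_JPEG = build_sample_jpeg((12, 30, 0), "N", (45, 15, 0), "W")

if __name__ == "__main__":
    print("before upload:", extract_gps(SAMPLE_JPEG))       # (12.5, -45.25)
    print("after strip:  ", extract_gps(strip_exif(SAMPLE_JPEG)))   # None
```

Running `extract_gps` over a photo before it is posted is the check the summary implies; `strip_exif` is the blunt mitigation (it discards the whole Exif block, including camera model and timestamps, which is usually what you want for anything shared publicly). Real files also carry a SOS segment with image data; the splitter stops there and copies the rest verbatim, so stripping leaves the picture itself untouched.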
Is the fake facebook profile: http://www.facebook.com/robin.sage.641a
Posts not to be taken literally. Almost everything is sarcasm.
...but anyone who has ever thought about going for the long tab would catch that name. Robin Sage, really? Come on!
THL phish sticks
that anyone in Iraq and Afghanistan could tell you where the soldiers are. It's not like they're hiding or something. The "geolocation" stuff is just silly.
Don't take life so seriously. No one makes it out alive.
If there is sensitive military information on Twitter, Facebook, or LinkedIn, it's already compromised, and badly. I mean come on, this is a non-story.
What he can't kill, he has sex on. Trent.
"And we will see this pattern occur again, and again, and again, until we learn that the most effective form of military action is motivated people defending their own land against a foreign invader."
Your military illiteracy is showing. That stuff only works against "foreign invaders" who follow the post-Nuremberg laws that outlaw effective war methods against unconventional opponents. It may help, in concert with other means, tire out an opponent in a non-existential police action, but an opponent who is powerful and free of restraint can make a desolation and call it peace.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I have no idea how this is relevant, and you're probably trolling, but seriously... the 2006 Lebanon war was NOT the first time a guerrilla army turned back regular forces. Look at the Anglo-Irish war from 1918-1921 for an example, or friggin' Vietnam. Or Afghanistan... every time anyone has ever tried to invade Afghanistan (the British twice, the Soviets, Alexander the Great, even). As to the rest of your post, your UID is low enough that you should be old enough to know better. Quit being 16, it's not becoming.
Most people are aware that high explosives generate powerful and destructive shockwaves, and can fling shrapnel for startling distances at frightening velocities. However, they'll still watch Mythbusters, because actually seeing high explosives demonstrated is cool.
Anyone who doesn't find a real-world demonstration of social engineering fascinating and instructive is either waaaay too jaded, or is trying waaaay too hard to pose as being jaded because of a mistaken association between cynicism and cool.
Besides, a reminder of the ongoing effectiveness of social engineering is always good, especially in light of all the interesting vectors now available.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Yeah, if it weren't for the French, Americans would be speaking English today.
I have to take issue with this. Just because you play loose with your "personal" life does not mean you play loose with your security or your privacy. Perhaps you only happen to value privacy in a more limited sphere.
DRM: Terminator crops for your mind!
Not Fucking Up 101 incorporates not believing some random person on the Internet (or in real life) who says they have a particular position. It would also encompass not posting pictures of your location to the Internet.
So the question we really need to ask is not, "How could the military/government be so dumb?" but, "What connections do these researchers have with the government, and what are they actually trying to achieve with this theatre?"
It would be so enticing for the "hacker community" to believe the story because it inflates their already unwarrantedly large egos: we're just so much smarter than the average person at solving puzzles, right? The government surely only employs easily duped idiots - even in significant security positions - whereas we are geniuses operating from our basements.
Bullshit.
All we've learnt from this is that Robin isn't what Robin's page initially claimed she is. As for what's actually going on, independent evidence is appropriately lacking.
Yes, and for that I'm eternally grateful, in much the same way my mother once got free dental work in France because her father had fought in the war (though mainly in Belgium and the Netherlands, then into Germany) and the dentist thought it was the least he could do to repay the debt he felt he owed to America. I know it's fashionable to make fun of France and whatnot, but they're not bad people, and they are America's oldest friend.
Back when I used to work for the central network operations group on campus, we had a couple of guys on our newly formed security team (this was around 2000, when network security was still something we were coming to terms with) who loved to go to all the conferences like Blackhat. Any time they came back, it was with stories of doom and gloom. They talked about the presentations by these people who could do these truly amazing hacks. When this was investigated further, said people turned out to be full of shit.
The one I remember best was a "security company" who talked about their amazing exploit tool for Windows. They could break into any Windows domain with just a click. It was all they used anymore when clients needed access to something and had forgotten the password. They couldn't release it because MS would sue them, etc., etc. I questioned them more about this and got some sketchy details relating to NT4 and so on. I then went and asked the guy who headed up operations (one of the smartest people I've ever known) if he'd heard about this. He said, "Oh ya, it is this old NT4 exploit that only works in certain situations. I've got the tool right here." The security guys were just floored because, indeed, it was what had been talked about, and it wasn't nearly so cool (more or less you had to have an NT4 domain and not have fixed a problem with it; it wouldn't work in our 2k domain).
As a more publicly known example, take Joanna Rutkowska, who claimed to have invented amazing undetectable malware using virtualization. Slashdot and so on were all in a tizzy about it, and people who are actually VM professionals, like VMware, said, "No, this won't work like you think it will and could be detected even if you could make it work." Here we are years later and, what do you know, there are not all sorts of undetectable VM-based malware running around. She vastly oversold the whole thing.
Shit like this happened all the time, as near as I could tell from the stories (I didn't go to the conferences). The haxs0r types going up and crowing about how l33t they are to others and drastically overselling what they were capable of doing. So I am very skeptical. I need to see proof, and not some half-assed presentation where details are kept secret; I mean real proof.
Generally it is not forthcoming.