Despite the warnings security professionals preach about the dangers of social networking, it appears many aren't taking their own advice. That's one of the messages behind a talk at Black Hat later this month called "Getting in bed with Robin Sage."
The Robin Sage experiment was conducted by Thomas Ryan, co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. The project entailed creating a blatantly false identity, a woman claiming to work in military intelligence, and then enrolling that persona on various social networking sites.
"By joining networks, registering on mailing lists, and listing false credentials, the conditions were then met to research people's decisions to trust and share information with the false identity," according to the description of the session. Ryan deliberately chose a picture of an attractive young woman to test how much sex and appearance play into trust and into people's eagerness to connect with a stranger.
By the end of the 28-day experiment, Robin had accumulated hundreds of connections across several social networking sites. Contacts included executives at government entities such as the NSA and DOD and at military intelligence groups. Other connections came from Global 500 corporations. Over the course of the experiment Robin was offered gifts, government and corporate jobs, and invitations to speak at a variety of security conferences, said Ryan.
What's even more startling: much of the information revealed to Robin Sage violated operations security (OPSEC) procedures, the very rules her supposed employers would have required her contacts to follow. Ryan spoke to CSO about his goals for the experiment and what he hopes to teach people when he reveals the results at Black Hat.
Did you conduct this experiment on your own time or through your work with Provide Security?
It was something I did on my own and as a concept for the company, because my company does cyber security and executive protection. The concept was: "What happens when a threat comes to an executive via email or something like that? How easy is it to track a person down?"
What were you trying to prove?
The first thing was the issue of trust and how easily it is given. The second thing was to show how much different information gets leaked out through various networks.
How did you first get connections for Robin?
I started by friending people in the security industry. Once that started, it began to propagate. The methodology at first was to go after the most media-driven people in the security community, Dan Kaminsky and Jeremiah Grossman for example, because they are media driven and will always click yes to a request. So if someone sees that you are friends with them, then it begins to build a trust level.
How many connections did she get?
It went on for 28 days and she had close to 300 across several social networks. It began to drop some once people caught on. But ever since the profile went up, because it keeps suggesting friends, she still gets requests every day.
LinkedIn seems to get the least criticism for security issues, yet you say this experiment yielded the most sensitive information from that network.
The most vital information was leaked out through LinkedIn. You got home phone numbers; you could see if the person used their personal email address. LinkedIn does show more information, but they have a lot more security controls in place.
When you present this to attendees of Black Hat, what are they supposed to learn from it?
What they are supposed to learn is that you don't just click yes. If you don't know the person, maybe you should do some investigation on your own, especially if something seems not so straightforward. If you looked at the Robin Sage profile, it blatantly said it was phony. There were no females in the U.S. named Robin Sage. Second, it was named after a military exercise. Third, you just look at her pictures and you can tell from the way she is dressed that she is not the type of person who would be working in a government office. But people still clicked yes. And there were several offers for jobs, several offers for dinner to go out and discuss working for a company, different things like that.
The takeaway is: Be careful who you choose as your friends. There are patterns people can use to follow you. For instance, on LinkedIn, what makes it insecure are some of the apps, like TripAdvisor. It will say when you are going away or not at home. That poses a potential threat, especially if you have a key role in a government organization. If someone knows you aren't home, they can potentially do something to your home; they can tap a phone, for instance. And it doesn't take much to figure out a home address. Once you have a rough idea where they live, if you have a personal email or cell number, you can find out where they live and put their address into, say, Microsoft Bing and do a virtual reconnaissance of their home.