Dating guru resurrects Robin Sage by social engineering TS/SCI holders on LinkedIn
LinkedIn is still the "safest," most-trusted social media site to connect with people, right? One DEF CON presentation proves it could be the riskiest network of all
By Steve Ragan, Staff Writer
August 05, 2013 — CSO —
LAS VEGAS (DEF CON) — Jordan Harbinger, co-founder of The Art of Charm, a dating and social dynamics instruction school, isn't a hacker. But he used his basic knowledge of the social scene to social engineer people with Top Secret / Sensitive Compartmented Information (TS/SCI) clearances on LinkedIn.
Social media is a major asset to people and organizations. At the same time, it can also pose a serious risk, because once something is online, it remains there forever. When it comes to people, social media can be a social engineer's dream come true: instant access to data and human interaction can create a cocktail of disaster for those who are quick to befriend a friendly face.
Years ago, the Robin Sage Experiment demonstrated how easily a person can be connected, either directly or indirectly (the friend of a friend scenario), with someone who may not be what they claim to be.
When the Robin Sage experiment concluded, hundreds of seasoned security professionals, officials and staffers from the Department of Defense, as well as others from various three-letter agencies, were linked to a false persona, and many of them violated OPSEC (Operational Security) and divulged somewhat sensitive, if not personal, information. They told a complete stranger the type of things that a malicious actor could later use against them.
At DEF CON on Friday, in the social engineering village, Jordan Harbinger resurrected Robin Sage in a way, as he explained how he used LinkedIn, a cleverly created recruiter profile, and his assistant's image on Facebook to get military and intelligence workers (all with some type of clearance) to discuss themselves and the types of projects they were working on. He then discussed how all of that information, when collected bit by bit, can be used to gain access to such a person. Interestingly enough, the idea for his experiment came from a discussion he had with students.
During his talk, Harbinger explained that some of his clients, Top Secret cleared missile scientists, were discussing their projects in front of him. Nothing overly secret, but given the nature of their work, everything they do falls under the cloak of secrecy for the most part. Initially confused by the disclosures, he wondered why it had happened in the first place.
"Then I realized, that the same trust triggers that we use with women, with people, and friendships, are the same triggers you can use to get sensitive information from people," Harbinger explained to CSO in an interview.