
'Robin Sage' Social Hoax Duped Military, Security Pros

timothy posted more than 4 years ago | from the keep-mum-about-this-job dept.

Security 191

ancientribe writes "A social networking experiment of a phony female military security professional known as 'Robin Sage' (named after a US Army Special Forces training exercise) worked way too well, fooling even the most security-savvy professionals on LinkedIn, Facebook, and Twitter. It also led to the leakage of sensitive military information after an Army Ranger accepted 'Robin's' friend request on Facebook and his photos from Afghanistan exposed geolocation information accessible to 'Robin.' The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation."


191 comments


Only link that matters (4, Informative)

Spazztastic (814296) | more than 4 years ago | (#32827542)

Is the fake facebook profile: http://www.facebook.com/robin.sage.641a [facebook.com]

Re:Only link that matters (0)

Anonymous Coward | more than 4 years ago | (#32827904)

yes, because much more important than the details of the actual social engineering is a picture of some random chick.

Re:Only link that matters (4, Insightful)

RollingThunder (88952) | more than 4 years ago | (#32827950)

Sadly, for a lot of the targets, that picture was probably all the social engineering that was needed.

Re:Only link that matters (1, Informative)

Anonymous Coward | more than 4 years ago | (#32828038)

Very Hot!

http://www.facebook.com/robin.sage.641a#!/photo.php?pid=35767&id=100000595856619&fbid=101367666559761 [facebook.com]

Re:Only link that matters (4, Insightful)

MBGMorden (803437) | more than 4 years ago | (#32828164)

I actually find it rather odd that they chose that picture. I know pretty much instantly that if I get a friend request from a girl in a bikini - unless I know her instantly I know it's just spam and ignore it. The harder ones are the ones showing people in regular everyday clothing (and a pic that doesn't look like it's a professional modeling pic). For that, you have to start thinking whether or not you met this persona casually at a party or something once, or if you know them from a class or something.

Just IMHO, I think it would make a lot more sense if they had simply used an attractive girl wearing a t-shirt/jeans or a sweater or something in a regular candid shot - maybe even doing the typical "myspace I'm taking a picture of myself" pose.

Re:Only link that matters (3, Insightful)

xant (99438) | more than 4 years ago | (#32828274)

> For that, you have to start thinking whether or not you met this persona casually at a party or something once, or if you know them from a class or something.

No, you don't. They're called Facebook friends. The only people in my list are people who are really my friends (or close relatives). Even if I know exactly who they are, I don't accept friend requests from anyone I don't have a strong personal relationship with.

And I know who all of those people are. No hard thinking required.

Re:Only link that matters (1)

Jawnn (445279) | more than 4 years ago | (#32828412)

...No hard thinking required.

Easy for you to say. Some of us are like, ya' know, most Facebook users, you insensitive clod.

Re:Only link that matters (4, Insightful)

trentblase (717954) | more than 4 years ago | (#32828456)

They may be called Facebook "friends", but that is just Facebook's nomenclature for "a person with whom you want to share at least a subset of your Facebook information". News flash: Windows' "folders" aren't real folders, Twitter's "tweets" do not come from little birds, and you are not in physical contact with your Linkedin "connections."

Re:Only link that matters (1)

ElectricTurtle (1171201) | more than 4 years ago | (#32828542)

You and the other 17 people who do that should start a group, except that you don't know each other. I have probably a hundred people who are friends of friends on my profile, and my wife has twice as many. Every profile I've ever seen is the same way.

Re:Only link that matters (3, Insightful)

Tsunayoshi (789351) | more than 4 years ago | (#32828780)

Just IMHO, I think it would make a lot more sense if they had simply used an attractive girl wearing a t-shirt/jeans or a sweater or something in a regular candid shot - maybe even doing the typical "myspace I'm taking a picture of myself" pose.

Based on who friended 'her' and the kind of information 'she' was able to obtain, I'd say the choice of photo worked pretty damn well.

Re:Only link that matters (2, Informative)

Halo- (175936) | more than 4 years ago | (#32828834)

I actually find it rather odd that they chose that picture. I know pretty much instantly that if I get a friend request from a girl in a bikini - unless I know her instantly I know it's just spam and ignore it.

If you read the article, you'll see the picture was intentionally chosen to throw up some red flags. FTFA:

He purposely left several clues that Robin was a fake, including choosing a woman who appeared to be Eastern European and a potential spy, he says.

Re:Only link that matters (3, Funny)

gstoddart (321705) | more than 4 years ago | (#32828962)

I actually find it rather odd that they chose that picture. I know pretty much instantly that if I get a friend request from a girl in a bikini - unless I know her instantly I know it's just spam and ignore it.

Dude, TFS says he's a friggin' Army Ranger.

With that much testosterone, those guys aren't going to immediately assume it's spam. They're just going to assume they don't remember her. These guys walk with swagger because they know they're carrying an Army issued Big Pair (TM), which likely clouds their judgement sometimes.

I'd say more about TFA, but Firefox is telling me that the URL is redirecting in a way that can never resolve, so I have no idea of what it actually says. :-P

Re:Only link that matters (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32828414)

It will always be this way. Until we are no longer men. Obama is working on it.

Re:Only link that matters (0)

Anonymous Coward | more than 4 years ago | (#32828146)

The social engineering attack only works on idiots. So yes.

Re:Only link that matters (1)

Culture20 (968837) | more than 4 years ago | (#32828268)

I don't know about that. The link to view all of "Robin"'s dupe^Wfriends would be interesting. I kind of want to see if she and I have any friends in common.

Re:Only link that matters (2, Insightful)

gregrah (1605707) | more than 4 years ago | (#32828836)

It appears that her profile pic up until June 27th was much less provocative [facebook.com] .

That makes the people who accepted her friend invites a little less shameful in my opinion.

I was able to discover this tidbit of information by clicking on the racy profile picture in attempt to see more. Given that I already knew at that point that she was a security researcher posing as a Russian spy posing as a Defense Dept. employee - I am inclined to judge myself much more harshly than the folks named in the parent article.

what kind of geolocation information? (2, Interesting)

Michael Kristopeit (1751814) | more than 4 years ago | (#32827564)

I thought that Facebook resized all uploaded photos... I don't have a Facebook account to test... is Facebook purposefully copying over the geolocation information from camera-phones into the resized images, or was location determined by surrounding land features?

Re:what kind of geolocation information? (1, Informative)

Anonymous Coward | more than 4 years ago | (#32827646)

resizing doesn't get rid of exif, dude.

Re:what kind of geolocation information? (1, Redundant)

Michael Kristopeit (1751814) | more than 4 years ago | (#32827880)

Well... maybe not in your desktop image editing program that is always working with the same file, but every web application I've ever made or used creates a completely new file with empty headers and copies over just the resized image information.

If the EXIF information is still intact, Facebook is choosing to copy it over and keep it intact on purpose.

Re:what kind of geolocation information? (2, Interesting)

sadness203 (1539377) | more than 4 years ago | (#32828084)

Well obviously, they are keeping it. It's a lot of good information to target you with specific ads, or sell it to other people. They can extrapolate a lot of information from EXIF metadata; geolocation is one of them, but there's a lot more to it.

Savvy? (-1)

Anonymous Coward | more than 4 years ago | (#32827590)

fooling even the most security-savvy professionals

Obligatory: I don't think that word means what you think it means.

Re:Savvy? (0)

peragrin (659227) | more than 4 years ago | (#32827796)

I would have to agree with this AC. If you're on Facebook you have already lost the idea of computer security.

Re:Savvy? (4, Insightful)

spazdor (902907) | more than 4 years ago | (#32828122)

I have to take issue with this. Just because you play loose with your "personal" life does not mean you play loose with your security or your privacy. Perhaps you only happen to value privacy in a more limited sphere.

Re:Savvy? (0)

Anonymous Coward | more than 4 years ago | (#32829000)

That's how social engineering works. Sure, maybe you're good enough to never directly compromise working security on your personal Facebook account. But if you're a part of special forces command, and stop updating your accounts.. guess what that implies to foreign intelligence agencies?

Even if you manage to avoid that by going long periods without updating randomly, you're still letting information about you out for anybody. Information that can be exploited in an intelligence op to get close to you and the information you guard.

Did he get to talk to a real girl? (3, Funny)

Anonymous Coward | more than 4 years ago | (#32827594)

Cool!

duped some military.... (4, Informative)

gandhi_2 (1108023) | more than 4 years ago | (#32827632)

...but anyone who has ever thought about going for the long tab would catch that name. Robin Sage, really? Come on! [wikipedia.org]

Re:duped some military.... (1)

ElectricTurtle (1171201) | more than 4 years ago | (#32828480)

What's even worse is that when you do a Google image search for "Robin Sage" (with the quotes) the whole page is nothing but pictures of Special Forces in training. If a Google search for the straight term doesn't clue you in you're freaking hopeless.

I think the sad thing is that 'security professionals' at least at the Federal level rely too much on internal systems and don't go looking for anything themselves. 'Oh well they're not in our Super Awesome Database (SAD) so I guess there's no problem and we're done here.' It's lazy and ineffective.

Re:duped some military.... (1)

gknoy (899301) | more than 4 years ago | (#32828896)

Perhaps google image searches are banned. :)

I wonder, does filtering one's access to things like that increase the risk of social engineering?

Re:duped some military.... (1)

Arancaytar (966377) | more than 4 years ago | (#32828918)

Only if they were thinking with their brain at the time.

I'm pretty sure (4, Insightful)

jim_v2000 (818799) | more than 4 years ago | (#32827676)

that anyone in Iraq and Afghanistan could tell you where the soldiers are. It's not like they're hiding or something. The "geolocation" stuff is just silly.

Re:I'm pretty sure (1)

Mekkah (1651935) | more than 4 years ago | (#32827734)

Normally that'd be true, but Rangers are a little different, for the most part. A lot of the time, they are in the shit.

That said, having time / connectivity to upload pics to FB or Twitter... you're prolly 15,000% right. This sounds like someone who wants a gold star.

//Former USAF-Intel

Re:I'm pretty sure (2, Insightful)

blair1q (305137) | more than 4 years ago | (#32828900)

When they are in the shit, they are not likely to be hitting on chicks on facebook.

Anyone who has internet connectivity is probably at a base that can be found on the Jane's website or Wikipedia, and Google Mapped to get recent satellite pictures.

Which is pretty pointless, since the "insurgents" already know where the bases are, and what they look like, and way more about their vulnerabilities than a satellite picture is going to reveal.

There's nothing more costly to security than security based on false fears.

Re:I'm pretty sure (2, Insightful)

Mushdot (943219) | more than 4 years ago | (#32827744)

They probably could, but it is still sheer stupidity to post things like that on Facebook or any other site for that matter: Loose lips sink ships!

Re:I'm pretty sure (0)

Anonymous Coward | more than 4 years ago | (#32827922)

Loose lips sink ships!

The navy is in there too? How do they move those ships over the roads?

Re:I'm pretty sure (4, Funny)

twidarkling (1537077) | more than 4 years ago | (#32828010)

Portage. It's not just for birchbark canoes.

Re:I'm pretty sure (4, Funny)

oiron (697563) | more than 4 years ago | (#32828222)

They're compiling ships from source now?

Fascinating!

Re:I'm pretty sure (2, Insightful)

Gabrosin (1688194) | more than 4 years ago | (#32829024)

What the hell else would you compile them from??

Re:I'm pretty sure (1)

AhabTheArab (798575) | more than 4 years ago | (#32828728)

This is just old principles being applied using the Internet/social networking. Loose lips sink ships is not new. Men being easily persuaded by women is not new.

Something doesn't add up here though. Most of the locations of FOBs in Iraq are well known to the locals. I'm sure the same is true in Afghanistan. The article said the pictures with GeoIP data were from the field. They won't bivouac in the same place twice, anyone in the military will tell you that's poor terrorism awareness. Don't use the same routes, don't use the same locations.

Now did they use "GeoIP" as stated in the article or geotagged EXIF data? As most of us here know, there's a difference and neither makes much sense. GeoIP wouldn't be accurate at all, and would probably lead to a location in either Virginia or Germany. At least that was the case when I was in Iraq. "Meet local single women in (some town), Germany!" EXIF data doesn't make sense either - doesn't facebook strip that?? So... where did these supposed coordinates come from?
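The EXIF exchange under "what kind of geolocation information?" and the GeoIP-versus-EXIF question in this comment both turn on one mechanical fact: GPS coordinates in a JPEG live in an Exif APP1 segment, and a server-side resize only removes them if the re-encoder drops that segment rather than copying it across. The Python below is an added example for this edition, not code from the thread, from the Robin Sage researcher or from any social network, and it makes no claim about what Facebook's pipeline actually did in 2010. It builds a small JPEG with a constructed GPS IFD (the coordinates are made up), reads the location back out the way anyone holding the file could, and then strips the metadata segments. The function names are the example's own.

```python
"""Added example, not code from the Slashdot thread or the Robin Sage research.
Builds a JPEG with a constructed Exif GPS IFD, reads it back, then strips it."""
import struct

_TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}      # TIFF field-type widths

def _dms_rationals(deg: float) -> bytes:
    # |deg| as three RATIONALs: degrees, minutes, thousandths of a second
    d, rest = divmod(abs(deg), 1)
    m, rest = divmod(rest * 60, 1)
    return struct.pack(">IIIIII", int(d), 1, int(m), 1, round(rest * 60 * 1000), 1000)

def build_exif_tiff(lat: float, lon: float) -> bytes:
    """Big-endian TIFF: IFD0 holds the GPSInfo pointer (0x8825), GPS IFD tags 1..4."""
    gps_off = 8 + 2 + 12 * 1 + 4                       # IFD0: one entry
    lat_off = gps_off + 2 + 12 * 4 + 4                 # GPS IFD: four entries
    lat_ref = (b"S" if lat < 0 else b"N") + b"\0\0\0"
    lon_ref = (b"W" if lon < 0 else b"E") + b"\0\0\0"
    ifd0 = struct.pack(">HHHIII", 1, 0x8825, 4, 1, gps_off, 0)
    gps = (struct.pack(">H", 4)
           + struct.pack(">HHI4s", 1, 2, 2, lat_ref) + struct.pack(">HHII", 2, 5, 3, lat_off)
           + struct.pack(">HHI4s", 3, 2, 2, lon_ref) + struct.pack(">HHII", 4, 5, 3, lat_off + 24)
           + struct.pack(">I", 0))
    return b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + _dms_rationals(lat) + _dms_rationals(lon)

def build_jpeg(tiff: bytes) -> bytes:
    """SOI + APP1/Exif + a stand-in scan: walkable by a segment parser, not a decodable picture."""
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    scan = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\x56\xff\xd9"   # constructed
    return b"\xff\xd8" + app1 + scan

def iter_segments(jpeg: bytes):
    """Yield (marker, raw_bytes) per header segment; the scan and everything after it ends the walk."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 3 < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            yield marker, jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length

def _read_ifd(tiff: bytes, off: int, e: str) -> dict:
    """Decode one IFD into {tag: value} for ASCII, LONG and RATIONAL fields."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    out = {}
    for i in range(n):
        ent = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        size = _TYPE_SIZE.get(typ, 1) * count
        if size <= 4:                                   # value stored inline
            data = tiff[ent + 8:ent + 8 + size]
        else:                                           # value stored at an offset
            (ptr,) = struct.unpack(e + "I", tiff[ent + 8:ent + 12])
            data = tiff[ptr:ptr + size]
        if typ == 2:
            out[tag] = data.split(b"\0", 1)[0].decode("ascii", "replace")
        elif typ == 4:
            out[tag] = struct.unpack(e + "I" * count, data)[0]
        elif typ == 5:
            nums = struct.unpack(e + "I" * (2 * count), data)
            out[tag] = list(zip(nums[0::2], nums[1::2]))
        else:
            out[tag] = data
    return out

def read_gps(jpeg: bytes):
    """(lat, lon) in signed decimal degrees, or None when there is no GPS IFD."""
    for marker, seg in iter_segments(jpeg):
        if marker != 0xE1 or seg[4:10] != b"Exif\x00\x00":
            continue
        tiff = seg[10:]
        e = {b"MM": ">", b"II": "<"}[tiff[:2]]         # byte order of the TIFF block
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        gps_ptr = _read_ifd(tiff, ifd0, e).get(0x8825)
        gps = _read_ifd(tiff, gps_ptr, e) if gps_ptr else {}
        if not all(t in gps for t in (1, 2, 3, 4)):
            return None
        def deg(r):                                     # (d, m, s) rationals -> degrees
            return sum(n / d / f if d else 0.0 for (n, d), f in zip(r, (1, 60, 3600)))
        lat = deg(gps[2]) * (-1 if gps[1] == "S" else 1)
        lon = deg(gps[4]) * (-1 if gps[3] == "W" else 1)
        return lat, lon
    return None

def strip_location_metadata(jpeg: bytes) -> bytes:
    """Drop APP1 (Exif and XMP) and APP13 (IPTC); keep JFIF, ICC and the scan byte-for-byte."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(jpeg):
        if marker not in (0xE1, 0xED):
            out += seg
    return bytes(out)
```

Pointed at a real upload (`read_gps(open(path, "rb").read())`), the same walk answers the question in this thread directly: either the copy the site serves still has an APP1 Exif segment with a GPS IFD or it does not. The stripper never re-encodes the scan, so it removes location without touching image quality; a pipeline that resizes with a library that copies metadata through has to do this step explicitly.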

I'd say you are right (1)

Sycraft-fu (314770) | more than 4 years ago | (#32829008)

Two of my friends have been over in Iraq for all this recent shit. In many cases, they had Internet access. Usually it was at a net cafe or the like. Where they were was no big secret, and probably could have been traced by IP. In general it wasn't a secret where they were, you could find out where their unit was deployed overall.

Now, when they were out doing something? Well then not so much probably. Could well be classified. However, they weren't posting online about it as, well, they were out doing something.

While the specifics of military operations may be classified, the overall operation is usually not. I mean the military will allow reporters to tag along with them for fuck sake. That our troops have bases in Iraq, and where those bases are is no secret. Not that it really could be, the whole "Tanks and soldiers coming and going," thing kinda gives it away.

This is silly (4, Insightful)

Darkman, Walkin Dude (707389) | more than 4 years ago | (#32827678)

If there is sensitive military information on twitter, facebook, or linkedin, its already compromised, and badly. I mean come on, this is a non story.

Re:This is silly (2, Insightful)

Haffner (1349071) | more than 4 years ago | (#32827962)

I don't understand why Facebook, Twitter, and social media in general aren't explicitly banned by the army. Given access to the average person's Facebook page (even as a non-friend, and especially with the "suggested" privacy settings) any slightly skilled user can quickly discern who their good friends are, what they do, where they work, where they live, and most importantly, what they look like.

Think of how easy it would be to get the intel to kidnap the good friend/significant other of important military personnel- and think of what the ramifications are.

Re:This is silly (1)

warGod3 (198094) | more than 4 years ago | (#32828130)

It's a little difficult to implement something like an all out ban on websites by military personnel. If the DOD were to do something like that, you might see all kinds of 'Robin Sage' or 'Leeeeroy Jenkins' names appear.

Military personnel don't always surf the web at work...

Re:This is silly (0)

Anonymous Coward | more than 4 years ago | (#32828256)

Yes, and someone who wants that information can EASILY get it without Facebook.

Re:This is silly (1)

tibman (623933) | more than 4 years ago | (#32828526)

They shouldn't have to ban anything though. People can keep their work and social lives separate.. there's no need to ban anyone's online social life.

I would say celebrities are more at risk from online stalkers/weirdos than military guys.

Re:This is silly (1)

jdgeorge (18767) | more than 4 years ago | (#32828018)

What!?! Now where am I going to keep my password list?

the army is obsolete (-1, Troll)

czarangelus (805501) | more than 4 years ago | (#32827700)

It's obvious to me that what we think of as a "modern army" is more obsolete than Windows ME. They are extremely expensive to maintain, prone to misadventure, and they often become nothing more than tools to enrich corporations at the expense of native peoples and the soldiers themselves.

We need a distributed, open-source approach to self defense. Look at the successes of Hezbollah against the Israeli army in the 2006 assault on Lebanon. For the first time, a native militia completely broke the advance of a modern Western army. And we will see this pattern occur again, and again, and again, until we learn that the most effective form of military action is motivated people defending their own land against a foreign invader.

Political power comes out of the barrel of a gun, which is why the government has no interest in allowing you to own RPGs or Stingers. It's funny how you never hear of some disgruntled Shi'a in Lebanon taking a rocket launcher to a school and slaughtering a bunch of kids. But of course, that would make it more difficult for the Federal Empire to incarcerate all the Jews or Japanese or Muslims or whoever the flavor of the week evil is.

Government is the answer to a question nobody should have asked. The answer to, "What will protect me?" or "What will lead to my prosperity?" is ALWAYS AND ONLY YOURSELF.

Re:the army is obsolete (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32827782)

Unfortunately, the solution you have identified does not solve the problem that the army as it now exists(for better or for worse) is attempting to solve:

Insurgencies are, particularly if they have the advantage of good suppliers, hostile terrain, culturally clueless enemies, etc. pretty good at holding ground, or at least exacting a nontrivial price for every month the occupying force wishes to "control" the area.

For projecting force into new areas, though, they are nearly useless. Some might argue that this is an advantage; because it keeps foreign military adventurism to a minimum; but it represents a massive change from the capability set of a professional standing army with technology and supply lines and whatnot.

Re:the army is obsolete (4, Insightful)

couchslug (175151) | more than 4 years ago | (#32827802)

"And we will see this pattern occur again, and again, and again, until we learn that the most effective form of military action is motivated people defending their own land against a foreign invader."

Your military illiteracy is showing. That stuff only works against "foreign invaders" who follow the post-Nuremberg laws that outlaw effective war methods against unconventional opponents. It may help, in concert with other means, tire out an opponent in a non-existential police action, but an opponent who is powerful and free of restraint can make a desolation and call it peace.

Re:the army is obsolete (5, Informative)

bsDaemon (87307) | more than 4 years ago | (#32827844)

I have no idea how this is relevant, and you're probably trolling, but seriously... the 2006 Lebanon war was NOT the first time a guerrilla army turned back regular forces. Look at the Anglo-Irish war from 1918-1921 for an example, or friggin' Vietnam. Or Afghanistan... every time anyone has ever tried to invade Afghanistan (the British twice, the Soviets, Alexander the Great, even). As to the rest of your post, your UID is low enough that you should be old enough to know better. Quit being 16, it's not becoming.

Re:the army is obsolete (1)

Nadaka (224565) | more than 4 years ago | (#32827918)

Or the American Revolution, etc.

Re:the army is obsolete (3, Informative)

bsDaemon (87307) | more than 4 years ago | (#32827988)

We were actually not doing too very well before regular military discipline was brought in by von Steuben and some other European career officers who came over to help their Freemason brothers further the Enlightenment. The French naval blockade of the Chesapeake Bay and some bad weather up the York River didn't hurt either.

Re:the army is obsolete (5, Funny)

jfoobaz (1844794) | more than 4 years ago | (#32828118)

The French naval blockade of the Chesapeake Bay and some bad weather up the York River didn't hurt either.

Yeah, if it weren't for the French, Americans would be speaking English today.

Re:the army is obsolete (0)

Anonymous Coward | more than 4 years ago | (#32828208)

That's hysterical.

Re:the army is obsolete (5, Insightful)

bsDaemon (87307) | more than 4 years ago | (#32828516)

Yes, and for that I'm eternally grateful, in much the same way my mother once got free dental work in France because her father had fought in the war (though mainly in Belgium and the Netherlands, then into Germany) and the dentist thought it was the least he could do to repay the debt he felt he owed to America. I know it's fashionable to make fun of France and whatnot, but they're not bad people, and they are America's oldest friend.

Re:the army is obsolete (1)

czarangelus (805501) | more than 4 years ago | (#32827966)

The IDF never controlled anything of Lebanon except the ground directly under their feet in '06, as opposed to those other examples. To know better than... what? To say a large, bureaucratic organization is not only useless but in fact directly inimical to the interests of its constituents and indeed all of the people of the world? Thus is life - you're allowed to disagree about the conclusion but you're never allowed to question the premises.

Re:the army is obsolete (2, Informative)

bsDaemon (87307) | more than 4 years ago | (#32828046)

There could definitely be a reorganization of forces that the country could benefit from, but as attractive as the proposition of some sort of Libertarian Socialist (aka Anarchist) society devoid of central authority is, the chances of that being able to function for any length of time before faltering itself is pretty low. Catalonia when held by FAI/CNT in the Spanish Revolution (concurrent with the Spanish Civil War) is a prime example.

Re:the army is obsolete (0)

easterberry (1826250) | more than 4 years ago | (#32828308)

isn't "Libertarian Socialist" a contradiction? Libertarians (as I understand them) want small government and free markets so that individuals can grow on their own strengths and merits. Us socialists want government services and regulations to help the greater good of the nation. Anarchists want no government at all and a communal sense of camaraderie. Correct me if I'm wrong but this is off topic so please don't use this as a springboard for a political debate.

Re:the army is obsolete (3, Informative)

bsDaemon (87307) | more than 4 years ago | (#32828598)

No, Libertarian Socialism is the technical term for Anarchism. One of the founding intellectuals of the movement, Mikhail Bakunin, was an outspoken opponent of Marx in the First International, saying that Marxist Communism would lead to a "Red Bureaucracy" and was a betrayal of Socialist principles.

Basically, the idea in Libertarian Socialism is for free individuals to group themselves on direct democratic principles along lines of free association, rather than submitting to a State that is purely an exercise of force. The Libertarian party in the US was infested by Randism and combines the anti-authoritarian aspect of libertarianism with unfettered capitalistic greed. Libertarian Socialism/Anarchism requires that people act in the group interest for the common good, but getting people to do that isn't exactly easy, which is why it wouldn't work on large scale.

Modern Left-Center type of "Social Democrats" were always viewed by both Anarchists and Communists as "counter-revolutionary," but that's the model that won out in most of Europe and which the US Democratic Party tends to lean as well. It's relatively benign, but seems to scare people on the economic right and let down people on the economic and social left quite often for not going "too far enough"

Re:the army is obsolete (1)

Curunir_wolf (588405) | more than 4 years ago | (#32828846)

Libertarian Socialist (aka Anarchist) society

Wat? Did you mean to say Republican Democratic (aka Communist)?

Re:the army is obsolete (1)

jfoobaz (1844794) | more than 4 years ago | (#32828024)

It's funny how you never hear of some disgruntled Shi'a in Lebanon taking a rocket launcher to a school and slaughtering a bunch of kids.

You should really read about the history of the Lebanese civil war before you say things like that. And while we're on the subject, look at the situation in Iraq where various sectarian militias are slaughtering one another, as well as innocent civilians.

And we will see this pattern occur again, and again, and again, until we learn that the most effective form of military action is motivated people defending their own land against a foreign invader.

Presumably, we'll also see a corollary pattern - former militants deciding to band together to topple the government and force their ideology on the population, a la the Taliban.

Re:the army is obsolete (-1, Offtopic)

rickb928 (945187) | more than 4 years ago | (#32828054)

"most effective form of military action is motivated people defending their own land against a foreign invader"

Um, actually, I want my military to not merely engage in an 'effective form of military action'.. I want them to accomplish their mission.

For the U.S., this is not accomplished by defending our land against a foreign invader. It is accomplished by preventing the mounting of an invasion at all. We are blessed with two borders of oceans, and a friendly nation to our north, leaving only a relatively small southern border to face any likely invasion from at all. Our most obvious military opponents would have to use missiles and bombers to attack us directly. Our less obvious but no less real attackers use insurgent tactics, and have sporadic but significant results. We took the fight to them largely, though the TSA is our last line of defense, and the most prominent to most citizens.

Of course, we are in fact being attacked at our southern border. When we realize the magnitude of that assault, we'll need to do a much better job of repelling the assault. This will take some time, and will be unpopular at first.

Re:the army is obsolete (1)

czarangelus (805501) | more than 4 years ago | (#32828160)

I can't imagine why you would find humans from one longitude to be preferable to humans from another longitude.

Re:the army is obsolete (2, Funny)

jfoobaz (1844794) | more than 4 years ago | (#32828496)

I can't imagine why you would find humans from one longitude to be preferable to humans from another longitude.

I think you have to allow him some latitude to form his own opinions.

sage (0)

Anonymous Coward | more than 4 years ago | (#32827772)

sage goes in all fields.

Proves what? (1)

lorg (578246) | more than 4 years ago | (#32827816)

Just another indicator that "social networking" sites are complete bollocks and that (stupid) users (are everywhere and) will click on just about everything. "Friend? Sure .. Whatever ... CLICK" ... and if it is a porn model emo goth chick there will be even more clicks.

Re:Proves what? (1)

lorg (578246) | more than 4 years ago | (#32827878)

She scored connections with people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the U.S. Marines, a chief of staff for the U.S. House of Representatives, and several Pentagon and DoD employees. The profiles also attracted defense contractors, such as Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton.

What the F*** are these people even doing on Linkedin, Facebook and Twitter anyway? Is the CIO of the NSA looking for a new spy job or what?

Which emo chick is it (1)

chanrobi (944359) | more than 4 years ago | (#32827836)

That was used to dupe all these people again?

Re:Which emo chick is it (2, Insightful)

garcia (6573) | more than 4 years ago | (#32827936)

An apparent [facebook.com] gorgeous, six-pack stomached, bikini wearing, beauty queen interested in bi-sexual encounters.

Fuck, I knew what this was and I almost clicked "Add as Friend" too.

Leaked? You mean 'exposed' ? (3, Insightful)

quietwalker (969769) | more than 4 years ago | (#32827864)

If someone is putting up classified information in a publicly accessible location (even if it's restricted by the user giving explicit permission), isn't that the source of the information leak? Hasn't it already escaped the secure environment? Jeremiah Grossman even points this out. (I do like how they indicate he was duped, when he indicates that it's an automatic facebook bot that runs on his behalf that accepts all requests automatically - that isn't 'his' account.)

Of course, this assumes that the information was considered secure in the first place. I'm not sure you'd call it a security leak if the policy is to allow that information to be accessible to the public.

That aside, isn't this just an online-only update of the standard telephony scam that the military actually sponsored and publicized back in the late 60's/early 70's? To show how social engineering worked, they sat a woman down in a room with a phonebook and a phone, and asked her to get some general's schedule or something, and it took about 40 minutes?

We are already aware of the fact that organizations have social structures which allow for manipulation. Was there anything constructive about this, like a 'policies to avoid this' list? Or was this just another fluff piece, reiterating what was already well established?

Re:Leaked? You mean 'exposed' ? (0)

Anonymous Coward | more than 4 years ago | (#32827984)

I think the point may be that they thought the photos were safe to publish, but forgot to strip the geotagging data out of them.

Re:Leaked? You mean 'exposed' ? (4, Insightful)

idontgno (624372) | more than 4 years ago | (#32828030)

Most people are aware that high explosives generate powerful and destructive shockwaves, and can fling shrapnel for startling distances at frightening velocities. However, they'll still watch Mythbusters, because actually seeing high explosives demonstrated [discovery.com] is cool.

Anyone who doesn't find a real-world demonstration of social engineering fascinating and instructive is either waaaay too jaded, or is trying waaaay too hard to pose as being jaded because of a mistaken association between cynicism and cool.

Besides, a reminder of the ongoing effectiveness of social engineering is always good, especially in light of all the interesting vectors now available.

But is it really impressive (1)

Sycraft-fu (314770) | more than 4 years ago | (#32828864)

Being able to "social engineer" someone by lying and convincing them you are someone you aren't doesn't really matter much. So they got to see pictures on Facebook... K. If those pictures WERE classified, then that is the real story (morons posting classified dox on Facebook); if not, then it is a non-story. It is a big, wide gap between convincing someone you are a person you are not, and using that to get them to give you access to sensitive data.

For example: I don't imagine you'd have much trouble using social engineering techniques to convince me you were an employee of the university I work at. Do some background research and so on and you could put up a convincing front, convince me you work here and that you know me through a mutual friend. I'd probably trust you, having no reason not to. You could probably use that to get me to reveal some information that I don't normally post online.

However, all that information would be stuff that is not sensitive. It would be information you could find out yourself anyhow with more investigation.

If you then tried to social engineer your way into getting access to our switches or root on our servers, you'd find I would become a lot more suspicious, and the police would likely get involved in a hurry. I have a good understanding of what is and is not sensitive here. If someone tries to schmooze their way into sensitive information, and I haven't been told they are explicitly approved for it, alarm bells go off.

So, basic social engineering doesn't impress me, and shouldn't impress anyone. It isn't hard to lie about the basics. Many people trust fairly easily and they don't see the harm in it. However when you start going after sensitive stuff, that is when it gets hard. If you can succeed there, that is impressive. If not, well then don't go writing a press release about it.

Re:Leaked? You mean 'exposed' ? (1)

blair1q (305137) | more than 4 years ago | (#32828932)

I wish someone would blow up social engineering.

Geolocation? (2, Interesting)

pgn674 (995941) | more than 4 years ago | (#32827946)

I thought Facebook sanitized uploaded photos of their metadata in the process of resizing them for display on the internet?

I just checked an uploaded JPG against an original, and yes indeed Facebook does sanitize the metadata. I wonder where the geolocation info came from?

Re:Geolocation? (1)

natehoy (1608657) | more than 4 years ago | (#32828074)

Facebook themselves probably do clean geolocation data, but there are plenty of services that can feed to FB that do not.

A friend of mine used to use a service which I believe was called BrightKite or something like that. She posted pictures from her cell phone, and it in turn posted links to the pictures to her Facebook wall. This service stored higher-quality pictures than Facebook would handle, and also retained all geolocation data for the pictures. And all of her Facebook friends could see both the picture and the geolocation on a map.

I think she stopped using it when Facebook came out with the "email pictures to a unique email address, have them dumped to your wall automagically" feature.
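The two posts above (pgn674 checking whether Facebook scrubs metadata, and the BrightKite-style pass-through) come down to one question a defender can answer mechanically: does the file carry an Exif GPS IFD, and has it been removed before the picture leaves your hands? The following is an added example, not code from the thread or from any service mentioned in it. It walks the JPEG marker segments with only the Python standard library, decodes the GPS tags from the Exif APP1 block (the way a third-party photo service that keeps metadata would expose them), and strips that block. The JPEG bytes and the coordinates in `build_sample_jpeg` are constructed for the demonstration; they are not from any real photo.

```python
"""Detect and strip Exif GPS tags from a JPEG (stdlib only).

Added example; the sample JPEG and coordinates are constructed, not real.
"""
import struct

EOI, APP1, COM, SOS = 0xFFD9, 0xFFE1, 0xFFFE, 0xFFDA
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS IFD
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF type


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment up to SOS or EOI."""
    assert data[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == EOI:
            yield marker, pos, pos + 2
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length            # the length field counts itself
        yield marker, pos, end
        if marker == SOS:                 # entropy-coded image data follows
            return
        pos = end


def _read_ifd(tiff, offset, bo):
    """Return (tag, type, count, raw 4-byte value field) for each IFD entry."""
    (n,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    entries = []
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries.append((tag, typ, count, tiff[e + 8:e + 12]))
    return entries


def _value(tiff, typ, count, raw, bo):
    """Decode an entry; values wider than 4 bytes live at an offset into the TIFF."""
    size = TYPE_SIZES.get(typ, 1) * count
    if size <= 4:
        blob = raw[:size]
    else:
        (off,) = struct.unpack(bo + "I", raw)
        blob = tiff[off:off + size]
    if typ == 2:                                  # ASCII, NUL-terminated
        return blob.rstrip(b"\x00").decode("ascii", "replace")
    if typ == 5:                                  # RATIONAL: uint32 numerator/denominator
        nums = struct.unpack(bo + "I" * (2 * count), blob)
        return [nums[i] / nums[i + 1] for i in range(0, len(nums), 2)]
    if typ in (3, 4):                             # SHORT / LONG
        vals = struct.unpack(bo + ("H" if typ == 3 else "I") * count, blob)
        return vals[0] if count == 1 else list(vals)
    return blob


def find_gps_tags(jpeg):
    """Return {tag_name: value} from the GPS IFD of the Exif APP1 segment, or {}."""
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        bo = ">" if tiff[:2] == b"MM" else "<"  # TIFF byte-order mark
        (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
        for tag, typ, count, raw in _read_ifd(tiff, ifd0, bo):
            if tag == TAG_GPS_IFD:
                (gps,) = struct.unpack(bo + "I", raw)
                return {GPS_TAGS.get(t, hex(t)): _value(tiff, ty, c, r, bo)
                        for t, ty, c, r in _read_ifd(tiff, gps, bo)}
    return {}


def to_decimal(dms, ref):
    """[deg, min, sec] plus hemisphere letter -> signed decimal degrees."""
    d, m, s = dms
    val = d + m / 60 + s / 3600
    return -val if ref in ("S", "W") else val


def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment dropped; image data untouched."""
    out = bytearray(jpeg[:2])
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1 and jpeg[start + 4:end].startswith(EXIF_HEADER):
            continue
        if marker in (SOS, EOI):
            out += jpeg[start:]               # copy scan data / trailer verbatim
            break
        out += jpeg[start:end]
    return bytes(out)


def _rational(*pairs):
    return b"".join(struct.pack(">II", n, d) for n, d in pairs)


def build_sample_jpeg():
    """Constructed JPEG: big-endian Exif geotagged 37 46'30"N 122 25'12"W (made up)."""
    # Offsets: header 8 bytes, IFD0 18 bytes -> GPS IFD at 26, 54 bytes -> data at 80.
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, 26)
    tiff += struct.pack(">I", 0)                                 # no IFD1
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"
    tiff += struct.pack(">HHII", 0x0002, 5, 3, 80)
    tiff += struct.pack(">HHI", 0x0003, 2, 2) + b"W\x00\x00\x00"
    tiff += struct.pack(">HHII", 0x0004, 5, 3, 104)
    tiff += struct.pack(">I", 0)
    tiff += _rational((37, 1), (46, 1), (30, 1)) + _rational((122, 1), (25, 1), (12, 1))
    app1 = EXIF_HEADER + tiff
    comment = b"constructed sample"
    return (b"\xff\xd8" + struct.pack(">HH", APP1, len(app1) + 2) + app1
            + struct.pack(">HH", COM, len(comment) + 2) + comment + b"\xff\xd9")
```

Run `find_gps_tags` on a file before it goes anywhere near a third-party uploader; if it returns anything, `strip_exif` gives you the bytes to upload instead. The stripper removes the whole Exif APP1 block rather than editing the GPS IFD in place, because offsets inside a TIFF structure are absolute and a partial edit is easy to get wrong; dropping the segment is the conservative fix when nothing else in the metadata is needed.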

Re:Geolocation? (1)

Fast Thick Pants (1081517) | more than 4 years ago | (#32828174)

Maybe there was a photo of a soldier with a map/GPS/sextant? Maybe triangulation with some recognizable mountain peaks or other landmarks? Maybe just the night sky?

Re:Geolocation? (1)

ColdWetDog (752185) | more than 4 years ago | (#32828978)

Sextant?

Just checking....

Gentleman, to evil (0)

Anonymous Coward | more than 4 years ago | (#32828050)

Like everyone else I'm not surprised; I find this to be pretty funny. Units in the army are "required" to have Facebook pages and put up pictures of everything that they do. It's not all that hard to know everything you want to know about a commander and his family, where he lives and what he drives, without leaving your home.

So right now it's not a big concern, but just wait until we have another war (and I mean a country-on-country war, against someone who can stand up to the USA) and this stuff will become a HUGE problem.

FYI (1)

beschra (1424727) | more than 4 years ago | (#32828062)

Linkedin profile is gone

Who knew? (1)

DerekLyons (302214) | more than 4 years ago | (#32828078)

Social engineering works - who knew?

I simply do not believe any of this (4, Interesting)

FuckingNickName (1362625) | more than 4 years ago | (#32828136)

Not Fucking Up 101 incorporates not believing some random person on the Internet (or in real life) who says they have a particular position. It would also encompass not posting pictures of your location to the Internet.

So the question we really need to ask is not, "How could the military/government be so dumb?" but, "What connections do these researchers have with the government, and what are they actually trying to achieve with this theatre?"

It would be so enticing for the "hacker community" to believe the story because it inflates their already unwarrantedly large egos: we're just so much smarter than the average person at solving puzzles, right? The government surely only employs easily duped idiots - even in significant security positions - whereas we are geniuses operating from our basements.

Bullshit.

All we've learnt from this is that Robin isn't what Robin's page initially claimed she is. As for what's actually going on, independent evidence is appropriately lacking.

Re:I simply do not believe any of this (0)

Anonymous Coward | more than 4 years ago | (#32828500)

The problem is you have uncommon sense; I say uncommon sense because not everyone has it. We had a problem with computer viruses on our work computers, and I was told this problem had been going on for over a year; it started shortly after we got to Iraq. The solution to the problem was simple: update the anti-virus software. Once I did that the virus problem went away. For over a year no one thought of doing that, and this included officers who have college degrees and even went to West Point.

Hacking is more social engineering and manipulating people than computer skills, and despite what we want to believe our military is made up of people. But a bigger problem is their ego: some of the high ranking people in our military believe they are God's gift to the army and anything they do is right. Soon they get stuck in circular logic as well as groupthink, and they don't listen to the people below them who are telling them what they are doing is wrong.

As I have said to many people, just because you can perform surgery doesn't mean I should assume you know how to drive a car.

Re:I simply do not believe any of this (1)

FuckingNickName (1362625) | more than 4 years ago | (#32828772)

You pose a fair argument, but if it were true at all levels then wouldn't America be a heap of rubble right now? Trivial social engineering would allow even North Korea to dismantle US security.

The whole "government are humans just like you and I" seems vacuous. Yes they are, but people in significant security positions are humans with heightened acuity and a lot of training to protect them from trivial and non-trivial vulnerabilities (including social engineering hacks). The evidence is the very continued existence of the nation.

Re:I simply do not believe any of this (1)

noidentity (188756) | more than 4 years ago | (#32828608)

Or over the phone. If you get a call supposedly from your bank, say "thanks, I'll contact my bank and find out more." Or if you get mail supposedly from your bank, giving you a website to visit, go to your bank's website, not the URL listed, and see if they mention anything.

Re:I simply do not believe any of this (2, Interesting)

John Hasler (414242) | more than 4 years ago | (#32828640)

> "How could the military/government be so dumb?"

By consisting of normal human beings.

> It would be so enticing for the "hacker community" to believe the story
> because it inflates their already unwarrantedly large egos: we're just so
> much smarter than the average person at solving puzzles, right?

The "hacker community" also consists of normal human beings. People outsmart each other all the time. It's what they do.

> The government surely only employs easily duped idiots - even in
> significant security positions...

No, the government employs people. People are often gullible. Especially when they have led each other to believe that they are not.

> ...whereas we are geniuses operating from our basements.

No, you are also people. The fact that you tolerate and even support the government (any government) in its "security" operations is proof that you are also gullible.

Re:I simply do not believe any of this (1)

FuckingNickName (1362625) | more than 4 years ago | (#32828938)

People are often gullible. Especially when they have led each other to believe that they are not.

For example, the guy described in the article has led /. to believe that he has managed independently to fool a heap of significant people in some way.

And, no, resting on your laurels is precisely the worst thing to do in such an environment. You are arguing that senior surgeons get lazy and start killing patients.

The fact that you tolerate and even support the government (any government) in its "security" operations is proof that you are also gullible.

Wait, what? I implied that the government employs a lot of damn smart people in security. I didn't say I tolerated or supported anything.

I take anything from the haxs0r types with salt (4, Interesting)

Sycraft-fu (314770) | more than 4 years ago | (#32828752)

Back when I used to work for the central network operations group on campus, we had a couple of guys on our newly formed security team (this was like 2000; network security was still something we were coming to terms with) who loved to go to all the conferences like Blackhat. Well, any time they came back it was with stories of doom and gloom. They'd talk about the presentations by these people who could do these truly amazing hacks. When this was investigated further, said people turned out to be full of shit.

The one I remember best was a "security company" who talked about their amazing exploit tool for Windows. They could break into any Windows domain just with a click. It was all they used anymore when clients needed access to something and had forgotten the password. They couldn't release it because MS would sue them, etc, etc. I questioned them more about this and got some sketchy details relating to NT4 and so on. I then went and asked the guy who headed up operations (one of the smartest people I've ever known) if he'd heard about this. He said "Oh ya, it is this old NT4 exploit that only works in certain situations. I've got the tool right here." The security guys were just floored because, indeed, it was what had been talked about and it wasn't nearly so cool (more or less you had to have an NT4 domain and not have fixed a problem with it; it wouldn't work in our 2k domain).

As a more publicly known example, take Joanna Rutkowska, who claimed to have invented amazing undetectable malware using virtualization. Slashdot and so on were all a tizzy about it, and people who are actually VM professionals like VMware said "No, this won't work like you think it will and could be detected even if you could make it work." Here we are years later and what do you know, there are not all sorts of undetectable VM based malwares running around. She vastly oversold the whole thing.

Shit like this happened all the time, near as I could tell from the stories (I didn't go to the conferences). The haxs0r types going up and crowing about how l33t they are to others and drastically overselling what they were capable of doing. So I am very skeptical. I need to see proof, and not some half-assed presentation where details are kept secret, I mean real proof.

Generally it is not forthcoming.

How to win the war.... (2, Funny)

3seas (184403) | more than 4 years ago | (#32828140)

Use the hormone appeal weapon of mass population. Works really well with isolated soldiers.

Overhyped Social Engineering (2, Interesting)

adosch (1397357) | more than 4 years ago | (#32828144)

This isn't really surprising, nor do I think it's worthy of time at Black Hat, IMHO. The U.S. Military set themselves up for failure already a couple months back by allowing soldiers to openly use Twit-Face-book and any other blogging/social-network internet-enabled apparatus on their NIPRNET network [slashdot.org] and not enforcing any, for lack of a better term, real punishment for being stupid and giving away whatever the military defines as OPSEC-level information.

I was surprised myself, being an Iraqi war veteran, when I got back home that all the time I was told to be very elusive when talking about where you are located overseas was a joke. Giving up that information, like geo-location, really isn't something to piss your pants over considering all the local middle easterners already know where the hell all our camps/FOBs/bases are at and the fact that it's online [globalsecurity.org] already. Just another case of a lonely horn-dog Army bush-wacker, flexing his muscles and telling his war stories online, looking to get some 'tang.

Keep your troll comments to yourself, I did my time in the military (and was deployed to Iraq), I know, as well as anyone with any amount of common sense, that this is plausible truth.

Final score in today's game (2, Informative)

Blue6 (975702) | more than 4 years ago | (#32828276)

Security Nerds 0 Fake Pussy 1

Re:Final score in today's game (0)

Anonymous Coward | more than 4 years ago | (#32828592)

Apparently she is going to introduce him so ... I don't think it's fake :)

News for Nerds, Indeed (1)

Col. Panic (90528) | more than 4 years ago | (#32828350)

The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation.

when you have to specify that the woman is real ...

Tia ramsey? (0)

Anonymous Coward | more than 4 years ago | (#32828374)

I've long wondered if this profile is a sham... m.facebook.com/profile.php?id=1769812164&rf03ff7fd&refid=7

I don't even live in the States; when I got out of the service as an EOD this profile sent me a friend request. At first I thought one of my buddies was pranking me, but it's been well over three years. She could very well be a model, judging from her profile pics, and seems to only befriend military men... You be the judge.

The most security-savvy professionals (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32828434)

ON KINKEDIN, FAILBOOK AND TWATTER ????

I don't think there really are any, my dear.

They divulged secrets (0)

Anonymous Coward | more than 4 years ago | (#32828450)

Man, she's hot. I was going to ask her to marry me after seeing her FB picture. What testosterone-driven male wouldn't accept her friend request? Heck, even the chick that looks like a dude on her friends list probably wants to bang her.

Info is old (1)

minstrelmike (1602771) | more than 4 years ago | (#32828462)

Geolocation info posted on Facebook is probably already old or completely useless to enemies. They aren't posting where they are RIGHT AT THIS VERY MINUTE (unless it's an airbase in which case the Taliban probably already knows the location). Non-story that gets you kudos at Black Hat. That's the real story in this mishmash of data.

Look outside (1)

Pointy_Hair (133077) | more than 4 years ago | (#32828528)

Now that you clicked the link and have a new, hot friend, that might be her in the black Suburbans dropping by to say "hi".

This is a non story (0)

Stan92057 (737634) | more than 4 years ago | (#32828650)

This is a non-story. Women and sex have been used for centuries to gather information from, or trick, the enemy. I just think these guys want to see who they can fish out, using an experiment as an excuse to get personal information, like that moron on Craigslist did a few years back. You know the old "sex sells" argument.