Thursday, July 22, 2010

The Dangers of Friending Strangers: the Robin Sage Experiment

By Petty Officer 2nd Class Elliott Fabrizio

Adding tons of Facebook friends doesn't necessarily make you popular; it may actually put you, and the Department of Defense's (DoD) information security, at risk, especially when you have friends you don't even know.

Provide Security, a cyber security company, illustrated this danger with the Robin Sage Experiment. The experiment created fake Facebook, Twitter and LinkedIn profiles under the alias "Robin Sage." A photo of a cute girl (borrowed from an adult website) and the job title "Cyber Threat Analyst" completed the fake profiles.

From there, Thomas Ryan, co-founder and managing partner at Provide Security, posing as Robin, sent requests and established social network connections with more than 300 professionals at the National Security Agency, in the DoD, and at Global 500 corporations.

Robin's new friends revealed information to Ryan that violated military operational security (OPSEC) and personal security restrictions.

“The worst compromises of operational security I had were troops discussing their locations and what time helicopters were taking off,” Ryan said during a phone conversation.

People also sought Robin’s professional advice, invited her to dinners, and offered her job opportunities. Not bad in this economy, especially for a person who doesn’t even exist.

"From one person I was profiling, I was able to get all the security questions for their email and bank account," Ryan said. "These are questions like 'What was your first car?'"

I don't even want people I know to have access to my e-mail or bank account, much less anybody on the Internet with the audacity to send out a friend request from a fake profile.

From time to time, I have received a random friend request from a person I don’t know, usually accompanied by a profile picture of a pretty girl, but I have this rule of thumb: if I haven’t met you, we aren’t friends yet. Megan Fox is the only exception to this rule.

My suspicion is that the unknown friend request could lead to anything from a phishing scam to something as harmless as an attempt to get me to fill out annoying surveys; either way, the answer is to ignore it.

Out of curiosity, I still like to confirm that they are fake requests. You know, on the off chance it actually is a cute girl who found me out of the blue and is totally into me. A low friend count is my first clue, as is having only one profile picture.

According to Ryan's report, a closer look at Robin Sage's profile would have revealed that her claimed ten years of cyber security experience would have put her in the field at age 15.

During the experiment, one person checked the alumni records of the Massachusetts Institute of Technology (MIT), her claimed alma mater, and found that MIT had no record of a Robin Sage.
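The red flags above (few connections, a single profile photo, a career timeline that does not add up, a degree nobody verified) are easy to turn into a repeatable check before accepting a request. The following is an added example, not code from the original post or from Provide Security's report; the Profile fields, the thresholds and the sample records are assumptions chosen for illustration. It also shows a caveat the post itself supports: Robin had more than 300 connections, so the friend-count clue alone would not have caught her, while the age arithmetic and the alumni check would.

```python
"""Heuristic screening of an unsolicited friend request.

Added example. The field names, thresholds and sample profiles below are
assumptions for illustration; real platforms expose different data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed thresholds (illustrative, not taken from the post).
MIN_FRIENDS = 50           # fewer connections than this is suspicious
MIN_PHOTOS = 2             # a single photo is a classic throwaway-profile tell
MIN_CAREER_START_AGE = 18  # a claimed career start younger than this is implausible


@dataclass
class Profile:
    name: str
    birth_year: int
    claimed_experience_years: int
    friend_count: int
    photo_count: int
    claimed_school: Optional[str] = None
    school_confirmed: Optional[bool] = None  # None means nobody checked


def screen_profile(p: Profile, current_year: int) -> List[str]:
    """Return the red flags raised by a profile; an empty list means none fired."""
    flags: List[str] = []
    if p.friend_count < MIN_FRIENDS:
        flags.append(f"only {p.friend_count} connections")
    if p.photo_count < MIN_PHOTOS:
        flags.append(f"only {p.photo_count} profile photo(s)")
    # Does the claimed career length fit the claimed age?
    age = current_year - p.birth_year
    start_age = age - p.claimed_experience_years
    if start_age < MIN_CAREER_START_AGE:
        flags.append(
            f"claimed {p.claimed_experience_years} years of experience "
            f"would mean starting at age {start_age}"
        )
    # Was the claimed education ever verified, and did it check out?
    if p.claimed_school:
        if p.school_confirmed is None:
            flags.append(f"claimed {p.claimed_school} background never verified")
        elif not p.school_confirmed:
            flags.append(f"{p.claimed_school} has no record of this person")
    return flags


def accept_request(p: Profile, current_year: int, met_in_person: bool) -> bool:
    """The post's rule of thumb: if you have not met the person, you are not
    friends yet. Even if you have met them, a profile that fails screening is
    still declined."""
    return met_in_person and not screen_profile(p, current_year)


# Constructed sample data, not real records. ROBIN uses the figures the post
# gives (ten years claimed, which would mean starting at 15, so age 25 in 2010;
# 300+ connections; MIT checked and not confirmed). COLLEAGUE is a plausible
# legitimate contact.
ROBIN = Profile("Robin Sage", birth_year=1985, claimed_experience_years=10,
                friend_count=300, photo_count=1,
                claimed_school="MIT", school_confirmed=False)
COLLEAGUE = Profile("J. Doe", birth_year=1978, claimed_experience_years=8,
                    friend_count=240, photo_count=15,
                    claimed_school="State University", school_confirmed=True)

if __name__ == "__main__":
    for prof in (ROBIN, COLLEAGUE):
        print(prof.name, "->", screen_profile(prof, 2010) or ["no red flags"])
```

Run as a script, the Robin-like record trips the photo, timeline and alumni checks but not the friend-count check, which is the point: a well-connected fake profile defeats the cheapest heuristic, so the checks that cost a little effort (doing the arithmetic, asking the school) are the ones worth doing.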

The danger isn’t social networking itself. The danger is doing it carelessly.

According to DoD's directive-type memorandum concerning social media and Internet capabilities, it is the responsibility of military leaders at all levels to protect DoD and personal information.

All service members are instructed to practice operational security when using communications such as telephone lines and e-mail; service members need to remember that information posted through social media should be held to the same standard, despite the casual feel of many of these sites.

Having a friend you don't know means virtually anyone could be monitoring your activities and the information in your posts, and if you post as much as some of my friends do, that means they'd know almost everything about your schedule, right down to that "epic cheeseburger" you ate.

Social media is a great tool for networking and communication, if the user is careful about the information he or she is sharing and about who has permission to view it.

So, for anyone hoping to be my friend in the social media realm, you’ll have to at least buy me dinner first.
