Security Experts Fall Head-Over-Heels for Security Threat

July 23, 2010

Robin Sage, an attractive and flirtatious 25-year-old "cyber threat analyst" at the U.S. Navy's Network Warfare Command, regularly updated her posts across several social-networking sites with sayings like, "My life is about info sec [information security] all the way!" — coupled with pictures of her posing at a party in revealing clothing. She quickly developed more than 300 social networking connections with security specialists at U.S. intelligence agencies, military personnel and defense contractors.

There was just one problem: She did not exist. Her social network profile was part of a social-engineering experiment to expose the weaknesses in the country’s defense and intelligence communities.

An article in The Washington Times revealed that her list of connections included security specialists working for some of the country's top military officers or agencies, such as the chairman of the Joint Chiefs of Staff and the National Reconnaissance Office, the secretive agency that runs U.S. spy satellites. She also developed connections with the chief of staff for a U.S. Congressman and a handful of senior executives at defense contractors, including Lockheed Martin and Northrop Grumman.

The incident revealed numerous weaknesses in the security community, including the following:

  • "Sage" received a request from a NASA researcher to review an important technical paper.
  • She was encouraged to apply for jobs. "If I can ever be of assistance with job opportunities here at Lockheed Martin, don't hesitate to contact me, as I'm at your service," one executive at the company told her, according to the article.
  • A U.S. soldier on patrol in Afghanistan uploaded a picture of himself which, unbeknownst to him, also carried his exact location.
  • One contractor at the National Reconnaissance Office connected to her with a profile so misconfigured that it revealed the answers to the security questions on his e-mail accounts. This person plays an important role in the security community and exchanges e-mail with other key people in other agencies.
  • Many others accidentally exposed personal data, such as their home addresses.
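The geotagged photo in the list above is the one item a reader can check for on their own files. The following is an added example, not code from the article or from the experiment; it assumes the soldier's picture leaked its position the usual way, through the GPS sub-IFD that camera phones write into the JPEG's APP1/Exif segment. It builds a minimal geotagged JPEG in memory (the coordinates are constructed, not taken from the incident), recovers the decimal latitude and longitude from it, and strips the Exif segment the way a pre-upload scrubber would, using only the standard library so it runs offline.

```python
"""Find and remove EXIF GPS coordinates in a JPEG (added example, standard library only)."""
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825          # IFD0 entry pointing at the GPS sub-IFD
ASCII, LONG, RATIONAL = 2, 4, 5


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a JPEG whose APP1/Exif segment carries only a GPS IFD.

    lat_dms / lon_dms are three (numerator, denominator) pairs for degrees,
    minutes and seconds, stored exactly as a camera stores them.
    Offsets below are relative to the TIFF header: IFD0 at 8, GPS IFD at 26,
    latitude rationals at 80, longitude rationals at 104 (128 bytes total).
    """
    def rationals(dms):
        return b"".join(struct.pack(">II", n, d) for n, d in dms)

    tiff = b"MM" + struct.pack(">HI", 0x2A, 8)                  # big-endian TIFF header
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, LONG, 1, 26)
    tiff += struct.pack(">I", 0)                                 # no IFD1
    tiff += struct.pack(">H", 4)                                 # four GPS entries
    tiff += struct.pack(">HHI", 1, ASCII, 2) + lat_ref.encode().ljust(4, b"\x00")
    tiff += struct.pack(">HHII", 2, RATIONAL, 3, 80)
    tiff += struct.pack(">HHI", 3, ASCII, 2) + lon_ref.encode().ljust(4, b"\x00")
    tiff += struct.pack(">HHII", 4, RATIONAL, 3, 104)
    tiff += struct.pack(">I", 0)                                 # no further IFD
    tiff += rationals(lat_dms) + rationals(lon_dms)
    app1 = EXIF_HEADER + tiff
    segment = struct.pack(">HH", APP1, len(app1) + 2) + app1
    # A real file continues with DQT/SOF/SOS and scan data; EOI is enough here.
    return struct.pack(">H", SOI) + segment + struct.pack(">H", EOI)


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment up to the scan data."""
    pos = 0
    while pos + 2 <= len(data):
        marker, = struct.unpack_from(">H", data, pos)
        if marker in (SOI, EOI):                # standalone markers carry no length
            yield marker, pos, pos + 2
            pos += 2
            if marker == EOI:
                return
            continue
        length, = struct.unpack_from(">H", data, pos + 2)
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:                       # entropy-coded data follows
            return
        pos = end


def _entries(tiff, bo, offset):
    count, = struct.unpack_from(bo + "H", tiff, offset)
    for i in range(count):
        at = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(bo + "HHI", tiff, at)
        yield tag, typ, n, tiff[at + 8:at + 12]   # 4-byte value-or-offset field


def _dms_to_decimal(dms, negative):
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if negative else value


def _gps_from_tiff(tiff):
    if tiff[:2] not in (b"MM", b"II"):
        raise ValueError("bad TIFF byte-order mark")
    bo = ">" if tiff[:2] == b"MM" else "<"
    ifd0, = struct.unpack_from(bo + "I", tiff, 4)
    gps_ifd = None
    for tag, typ, n, raw in _entries(tiff, bo, ifd0):
        if tag == GPS_IFD_TAG:
            gps_ifd, = struct.unpack_from(bo + "I", raw)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, n, raw in _entries(tiff, bo, gps_ifd):
        if typ == ASCII:                        # inline if it fits in 4 bytes
            if n <= 4:
                text = raw[:n]
            else:
                off, = struct.unpack_from(bo + "I", raw)
                text = tiff[off:off + n]
            fields[tag] = text.rstrip(b"\x00").decode("ascii")
        elif typ == RATIONAL:                   # value field is an offset to n pairs
            off, = struct.unpack_from(bo + "I", raw)
            nums = struct.unpack_from(bo + "II" * n, tiff, off)
            fields[tag] = [nums[i] / nums[i + 1] for i in range(0, 2 * n, 2)]
    if not {1, 2, 3, 4} <= fields.keys():
        return None
    return (_dms_to_decimal(fields[2], fields[1] == "S"),
            _dms_to_decimal(fields[4], fields[3] == "W"))


def extract_gps(data):
    """Return (latitude, longitude) in decimal degrees, or None if untagged."""
    for marker, start, end in iter_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            return _gps_from_tiff(data[start + 10:end])
    return None


def strip_exif(data):
    """Return a copy of the JPEG with every APP1/Exif segment removed."""
    out, tail = bytearray(), 0
    for marker, start, end in iter_segments(data):
        tail = end
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            continue
        out += data[start:end]
    return bytes(out + data[tail:])             # scan data and EOI pass through


if __name__ == "__main__":
    photo = build_geotagged_jpeg(((34, 1), (31, 1), (3000, 100)), "N",
                                 ((69, 1), (10, 1), (1200, 100)), "E")
    print("uploaded photo reveals:", extract_gps(photo))
    print("after stripping:", extract_gps(strip_exif(photo)))
```

The stripper drops the whole Exif segment rather than editing the GPS IFD in place, because the same segment also carries a thumbnail and maker notes that can hold a second copy of the coordinates. Running this against a real file means reading it in binary, and remembering that most social-networking sites re-encode uploads, so what the server keeps and what it republishes may differ.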

Surprisingly, most people did not realize the persona was fake, even though her profile was filled with red flags. One glaring warning: the Naval Network Warfare Command has no job called "cyber threat analyst." Some people did immediately realize she was fake but did nothing to expose her, such as setting up a central web site to warn others about the scam, according to the article.

David Wennergren, the deputy chief information officer for the Defense Department, told The Washington Times the Pentagon would continue its effort to "ensure our folks are well trained on the responsible use of the Internet — at work and home."