A security researcher has infiltrated the highest levels of America's intelligence agencies using nothing more than Facebook, LinkedIn, Twitter and a picture of a pretty woman.
'Robin Sage' appeared on social networking sites in December, claiming to be a 20-something Cyber Threat Analyst at the US Naval Network Warfare Command in Norfolk, Virginia. Within weeks, she had hundreds of friends and followers in the Department of Defense, the National Security Agency (NSA), defence contractors and the British military.
Article continues below
Sassy updates on hacking earned Sage access to sensitive information about intelligence officials, invitations to speak at conferences, and job offers at a bank, a gaming company and even Google.
However, Sage will not be showing up for work at Mountain View – she was invented by US cyber-security expert Thomas Ryan to test the gullibility of the intelligence and military communities.
"I wanted to see how susceptible certain groups were to social engineering," Ryan told PC Plus. "The aim was to research people's decisions to trust and share information based on gender, occupation, education and friends."
Ryan created what he calls a "blatantly false" identity, choosing a woman who fits the stereotype of a Central Asian spy, adding false credentials at MIT and even naming her after a famous US Special Forces training exercise.
Despite this, Sage was able to connect with staff at the offices of the chairman of Joint Chiefs of Staff, the US Marine corps, Lockheed Martin, Northrop Grumman and British military personnel serving alongside Americans.
"Guys at the lower end of the military would talk about stuff on Facebook that they shouldn't," says Ryan. "At the upper end, they would use certain applications that allowed me to track where they were. The NSA was easy. They're out there actively trying to get technology people.
"When I started linking all that information together, I was able to get names, addresses and phone numbers, plus passwords to security questions, bank accounts and email."
Some organisations did prove too tough for Ryan to crack, though. "I didn't manage to make any friends in the CIA, the FBI or Secret Service," he admits. "The mentality there is different: they just don't trust you from the beginning. And it was harder to get friends from colleges than it was from security and intelligence. The universities I picked… were prestigious and kind of cliquey. If they don't remember you, they're not going to talk to you."
One cyber-security professional who did befriend Sage was Chris Nickerson, a 'Red Team' hacker who tests organisations' security using everything from digital attacks to physically breaking into facilities.
"I don't take friend requests lightly," he says. "When I saw Robin Sage was connected to a bunch of people in the security world, I accepted her on Facebook, copied all the intel from the profile and then unfriended her."
Nickerson was immediately suspicious. As he looked into Sage's background, he found that no one called Robin Sage had ever attended MIT, her work address was a shell company, and her home appeared to be controversial security company Blackwater. Nickerson outed Sage on his podcast and the news spread online.
Then strange things happened. "People kept friend requesting Sage," says Nickerson. "We watched her spiral into all these different communities. When it's a hot girl, people have blinders on."
"It kept propagating, even after the end of the [28-day] experiment," says Ryan. "The timing was right around Christmas so everybody was a lot more relaxed, and I guess they just wanted it to be true."
"People can't resist using social networks," says James Lewis of the Centre for Strategic and International Studies in Washington, DC. "Workers in the intelligence community know the security risks but they also know that they can be more productive if they take advantage of these technologies. When you have 100,000 people and 99.9 per cent of them do everything right, that still means you have 100 targets."
Except that, according to The Washington Post newspaper, over 850,000 people in America today have Top Secret clearance.
"One of the beauties of using the internet for espionage is that the odds are in your favour," says Lewis. "At a very low cost, you can troll hundreds of thousands of people."
The problem is hardly limited to America's military intelligence. Last year, the head of MI6 could be seen paddling in his swimming trunks on his wife's Facebook page, while the Chinese recently banned online dating, chatrooms and social networks for anyone in the People's Liberation Army.
Judy Baker, organiser of the UK's first Cyber Security Competition for students, says, "The Robin Sage experiment proves that the most effective security professionals have some vulnerability to a well-spun con. It underlines the importance of the security services to be more aware of tricks that could lead us to bypass security measures."
"It's ridiculous that social networking was ever allowed for anyone in intelligence," says Nickerson. "It's like handing out guns to everybody and saying 'do whatever you want'. With social networks, they have to realise that information is power and packets can kill people just as easily as bullets."