
The Robin Sage experiment: Fake profile fools security pros

An experiment that called for creating a fake social networking personality managed to snare even seasoned security veterans

By Joan Goodchild, CSO
July 08, 2010 03:22 PM ET

CSO - Despite the warnings security professionals preach about the dangers of social networking, it appears many aren't taking their own advice. That's one of the messages behind a talk at Black Hat later this month called "Getting in bed with Robin Sage."

The Robin Sage experiment was conducted by Thomas Ryan, the co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. The project entailed creating a blatantly false identity of a woman claiming to work in military intelligence and then enrolling her on various social networking websites.


"By joining networks, registering on mailing lists, and listing false credentials, the conditions were then met to research people's decisions to trust and share information with the false identity," according to the description of the session. Ryan deliberately chose an attractive young female's picture to show the role that sex and appearance play in trust and in people's eagerness to connect with someone.

By the end of the 28-day experiment, Robin had accumulated hundreds of connections across various social networking sites. Contacts included executives at government entities such as the NSA, the DOD and military intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and invitations to speak at a variety of security conferences, said Ryan.

What's even more startling: much of the information revealed to Robin Sage violated operations security (OPSEC) procedures, the rules meant to keep sensitive details such as roles, locations and projects from being disclosed to unverified contacts. Ryan spoke to CSO about his mission for the experiment, and what he hopes to teach people when he reveals the results at Black Hat.

Did you conduct this experiment on your own time or through your work with Provide Security?

It was something I did on my own and as a concept for the company, because my company does cyber security and executive protection. The concept was "What happens when a threat comes to an executive via email or something like that? How easy is it to track a person down?"

What were you trying to prove?

The first thing was the issue of trust and how easily it is given. The second thing was to show how much different information gets leaked out through various networks.

How did you first get connections for Robin?

I started by friending people in the security industry. Once that started it began to propagate. The methodology at first was to go after the most media-driven people in the security community. Dan Kaminsky and Jeremiah Grossman for example, because they are media driven and will always click yes to a request. So if someone sees that you are friends with them, then it begins to build a trust level.

How many connections did she get?

It went on for 28 days and she had close to 300 across several social networks. It began to drop some once people caught on. But ever since the profile went up, because it keeps suggesting friends, she still gets requests every day.
