Earlier this summer, Thomas Ryan, Co-Founder & Managing Partner of Provide Security, LLC, began an experiment he dubbed Robin Sage with the intent of exploiting the trust that seems to be inherent in social media: the trust that what a person's profile says is true, and the trust that, if my friends are friends with someone, that person must be legit. In his 28-day experiment, Thomas built an identity simply by joining mailing lists, Twitter, LinkedIn, and Facebook and by choosing credentials that evoked a notion of status within the INFOSEC community.
In Thomas' words, "Given the vast number of security breaches via the internet, the Robin Sage Experiment seeks to exploit the fundamental levels of information leakage -- the outflow of information as a result of people's haphazard and unquestioned trust. The experiment was conducted by creating a blatantly false identity and enrolling on various social networking websites. By joining networks, registering on mailing lists, and listing false credentials, the conditions were then set to research people's decisions to trust and share information with the false identity. The main factors observed were: the ability to exploit other individuals' level of trust based on gender, occupation, education/credentials, and friends (connections)."
For some reason the normal amount of security we take into real life interactions falls away online. In real life, we very rarely talk to strangers about our jobs, especially if those jobs are of importance to national security. Yet in the online world, the Robin Sage identity received job offers from government and corporate sectors and options to speak at a variety of security conferences, with no verification that this person was, in fact, real or even a true expert. However, there were individuals who called Robin out as a fraudster. Omachonu Ogali, security researcher and (full disclosure) good friend, was one of those individuals. I wanted to pick his brain as to how he identified Robin Sage as a fraudster and what happened soon after. Below is an interview I conducted with Omachonu over e-mail after discussing the topic in person:
PrivacyWonk: How long have you been an IT security professional/researcher?
Omachonu: I started out in 1999 at a local ISP in New Jersey. They were just making the foray from dial-up into hosting, Linux was just getting more and more popular by the day, and quite a few folks tried to do it all on their own. So, I naturally got to deal with client servers that were compromised -- picking apart the point of entry, finding rootkits and other goodies left behind, mitigating DoS attacks. Ya know, the basics of infrastructure operations.
PrivacyWonk: Did you have prior knowledge of the experiment before being contacted by Robin Sage?
Omachonu: I didn't have knowledge that it was an experiment, but after reading the profile, it struck me as an information gathering exercise. The only question was who: who's behind this? I know Thomas Ryan of Provide Security, but I don't think I was specifically picked for the exercise. He did target particular individuals in his initial phase, but eventually he cast a large net across the security community -- both past and present actors.
PrivacyWonk: It seems the experiment was to exploit trust relationships. Infosec is a decently tight-knit community; when an individual sees a bunch of colleagues and respected professionals as Robin's friends, they tend to place trust in those connections and add her on a whim, even though they have never met her. What made you call her out as a fraud? What tipped you off? [screen cap of Omachonu's post: http://www.privacywonk.net/images/robinsage.png]
Omachonu: The community isn't necessarily tight-knit in my opinion -- there are some personal and working relationships that intersect at points, but you need a healthy dose of skepticism [not too much, not too little] to filter the excess out. Better yet, you need common sense.
I received a friend request on Facebook from Robin Sage, and immediately I knew it was a fake name -- that part was obvious to most people. But the real question was, is this the pseudonym of a hacker, or someone's imagination? And does this person really know me? I called a few people I trusted, and asked them if they knew who this person was. The responses I got back were along the lines of "No, but she's attractive" or "I think so, I may have met her a while ago, but can't remember". None of those answers instilled confidence in me, so I kept digging.
Robin Sage's profile had elements that, if a normal person quickly glanced over them, wouldn't set off any alarms, but with information technology professionals, it's the opposite -- it piques their interest in a positive way, and they want to know more. It was very, very clever the way Tom crafted it -- not too perfect, not too sloppy. Publicly announcing your information security role (and love of it) in the enlisted ranks of the US Navy captured the InfoSec community's interest; that combined with stating a hometown of Moyock, NC captured the interest of enlisted soldiers; listing MIT, a top-ranked university, St. Paul's, one of the nation's best private high schools, and a rather recent graduation year captured the interest of young geeks (and people who like young geeks); and finally, the racy pictures. Hook, line, and sinker.
So here we have a 25-year-old, who works in Navy cyberwar, grew up with Blackwater in her backyard, graduated from a prestigious high school and university, has a very distinctive look in a field predominantly male, but has never been to any computer security conferences in the recent years.
That's where I really started trying to go deeper. I simply did a search for her purported career ("Cyber Intelligence Operator"), and I couldn't find many results, let alone any results that were on military, government, or contractor web sites. That was sketchy. A few days later, the career title on her profile was changed to a different title, and that was strike one confirmed.
The "Moyock, NC" hometown made things more suspicious for me, as that's the headquarters of Xe (formerly Blackwater). It's "cute," but can't be fact.
Almost everyone is on Facebook nowadays, so I searched Facebook for other graduates of St. Paul's from the class of 2003. Then I picked out a handful of people who had a large number of friends and were friends with others from the class of '03, and messaged them asking if they remembered a girl named or nicknamed Robin, with a link to Robin Sage's profile. One by one, they came back and said no.
At the time, no one else had said anything publicly, and I wanted to warn people of an infiltrator, so I think about day 3 or 4, I accepted the friend request, and posted to Robin Sage's wall why I thought it was a fake identity. I didn't have confirmation from the St. Paul's graduates yet, so that part was a bluff to get the person behind Robin to respond.
About five minutes later the wall post was deleted from Facebook, and I got a call from Tom Ryan, telling me it's an experiment and asking me not to let anyone else know about it.
PrivacyWonk: Do you think the Robin Sage experiment will be a wake-up call or just another dust-up?
Omachonu: This is just another dust-up: I'm very cynical when it comes to privacy/trust and how people treat it (rather recklessly). This will continue on because by nature we judge icebergs from the tip poking out of the water, not for the gigantic mass it is. Like JPEGs with EXIF tags containing valid geolocation data. [See: http://www.privacywonk.net/2009/11/geotagging-geolocation-and-your-privacy.php]
PrivacyWonk: What are your thoughts on the results of the experiment? [See: Getting Into Bed With Robin Sage]
Omachonu: I think the experiment was great in opening the eyes of traditional institutions to this sort of behavior. I mean, it's nothing new -- the Cold War is over, but that doesn't mean that Cold War attack methods are no longer relevant, let alone, successful. If the larger institutions and government entities can revise their policies to take these things into account, then the experiment was a success.
While Omachonu wasn't the first to out Robin, he was one of the few who insisted on doing the legwork to verify this person instead of blindly clicking "Accept Friend Request" based on questionable trust metrics: common friends, credentials, sex appeal, etc.
From a privacy and security viewpoint, this experiment raises serious concerns for operational security and personal security. From the OPSEC perspective, Thomas Ryan, through the Robin Sage identity, was able to build a network of individuals involved in cyber-focused programs for the U.S. Government and private industry. These connections most certainly could have been exploited further by more nefarious actors. A large concern among professionals within the DoD, prior to social networking being allowed, was the risk of spear phishing and the ability to easily profile individuals involved in critical programs. This experiment is a confirmation of those fears.
The experiment is also a wake-up call for social networking and its privacy implications. The Robin Sage identity had access, through those friend connections, to lots of personal data. It is very easy to harvest that information for fun or profit. Look at your connections on various platforms -- Twitter, LinkedIn, Facebook, etc. Can you verify that you know, personally, each of those people on your list? Do you trust those individuals with knowing the personal details of your life that you have chosen to share?
As Omachonu said in the interview above, "you need a healthy dose of skepticism" when dealing with life online. Social networking has proven to be a great tool for connecting people, but you must remember that not everyone out there is a good person. A friend should be "a person you know well and regard with affection and trust." Keep that definition in mind the next time you find yourself scratching your head at an odd request from someone you've never met and cannot verify. It may be a person simply looking to harvest information. It may be someone looking specifically to gain greater access to YOUR information.