I recently posted about that RSO who wanted to know about all your Facebook contacts. I also mentioned in that post a piece about a fake femme fatale made up by Thomas Ryan to show the risks of social networking. Well, I did not make it to Las Vegas but was able to find Ryan’s paper from the July BlackHat USA 2010 conference. Excerpts below:
- Some of Robin’s male connections took a more assertive approach by offering her tickets to security conferences, complimenting her pictures, and presenting available job opportunities. Whether these same reactions would have been elicited towards another male is questionable.
- With no experience at all, Robin was asked to review papers written by professionals with over 10 years’ experience. For example, a fellow lecturer at the NASA Ames Research Center sought out Sage’s knowledge and opinions pertaining to some of his papers and presentations.
- The success of a network is directly tied to the people and connections that one forms. Effectively targeting a person can be done in various indirect ways. For example, one connection messaged Robin, “I’ve never met you, but I saw you had Marty on your Facebook list, so that was good enough for me.” This message encompasses the dangers of social networking when people fail to do their own research and instead rely on others’ judgment.
- Sage’s multiple security credentials combined with her occupation would lead one to believe that she had TS/SCI (Top Secret/Sensitive Compartment Information) Clearance with Polygraph. People’s trust in this identity could have very easily led to the sharing of information under the false premise that Robin Sage had expertise in the field.
Bottom line according to Ryan (and we’re most glad this was not the real thing like the one most recently returned to Russia):
Much of the information revealed to Robin Sage violated OPSEC and PERSEC procedures. The deliberate choice of an attractive young female appears to have exposed the role that sex and appearance plays in trust and people’s eagerness to connect with someone. In conjunction with her look, Robin Sage’s credentials listed on her profile resulted in selection perception; people’s tendency to draw unwarranted conclusions in their attempt to make a quick decision. By acquiring a large number of connections, Robin had the ability to identify the individual who was positioned to provide the most intelligence based on their involvement in multiple government agencies. The false identity combined with carefully chosen false credentials led to a false trust that could have resulted in the breach of multiple security protocols.
Read the whole paper here.