You can never have too many friends – or CAN you? (Hint: you can). A recent social engineering experiment conducted by Thomas Martin of Provide Security showed the dangers of blindly accepting connection requests from people on social networks. Martin set up multiple social network profiles for a fictitious person named Robin Sage who supposedly worked in US military intelligence circles. “Robin” then sent connection requests to a variety of people in the security and intel communities (people who should know better, in other words). The result? In an interview with CSO Magazine, he stated that:
By the end of the 28-day experiment, Robin finished the month having accumulated hundreds of connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences, said Ryan.
More alarmingly, according to an article from DarkReading,
Robin actually duped an Army Ranger into friending her. The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.
Can you spell “bad operational security?”
Martin will be revealing all of his findings from the Robin Sage experiment in a talk at Black Hat later this month – should be quite entertaining for most and deeply embarrassing for a few.
There are some lessons learned to be learned from this incident for those of us who are not part of the military:
If you get a friend/connection request from someone you don’t know, don’t blindly accept it. When you bring someone into your online network, you are also granting them access to information about you (contact information, status updates, photos, etc.) as well as your organization (in the case of professional networking sites like LinkedIn)
Just because a “new friend” is already connected to some of your current friends does not mean that you should connect to them. All it takes is one careless connection to start an “avalanche of (misplaced) trust” and give an evildoer lots of information about yourself and your organization. Trust me – I have seen this happen. You know who you are.
Review the privacy settings for your social networking accounts and be sure that you are aware of and comfortable with the information that is shared with the public at large and with your “friends.” The privacy settings in Facebook and Linked In are rather complex. I recommend using a privacy scanner tool to keep an eye on who can see what on your profiles… I really like one called Privacy Defender for Facebook, which allows you to easily see and modify who can and cannot see your info. For LinkedIn, it seems like the only way to manage your privacy is manually via the Settings menu; it is sort of a pain, but the explanations provided by the site are pretty good.
And Robin Sage ain’t your friend.
PS – “Robin Sage” is the code name for the last training exercise that Army Rangers must complete before they are truly “Green Berets” – and none of the military folks (including at least one Ranger) caught on. Sigh…