Fictitious Femme Fatale Fooled Cybersecurity

Washington Times
July 19, 2010
Pg. 1
Intel, defense specialists fell for ruse in test
By Shaun Waterman, The Washington Times
Call her the Mata Hari of cyberspace.
Robin Sage, according to her profiles on Facebook and other social-networking websites, was an
attractive, flirtatious 25-year-old woman working as a "cyber threat analyst" at the U.S. Navy's
Network Warfare Command. In less than a month, she amassed nearly 300 social-network
connections among security specialists, military personnel and staff at intelligence agencies and
defense contractors.
A handful of pictures on her Facebook page included one of her at a party posing in thigh-high
knee socks and a skull-and-crossbones bikini captioned, "doing what I do best."
"Sorry to say, I'm not a Green Beret! Just a cute girl stopping by to say hey!" she proclaimed
in rhyme on her Twitter page, concluding, "My life is about info sec [information security] all
the way!"
And so it apparently was. She was an avid user of LinkedIn - a social-networking site for
professionals sometimes described as "Facebook for grown-ups." Her connections on it included
men working for the nation's most senior military officer, the chairman of the Joint Chiefs of
Staff, and for one of the most secret government agencies of all, the National Reconnaissance
Office (NRO), which builds, launches and runs U.S. spy satellites. Others included a senior
intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. congressman, and
several senior executives at defense contractors, including Lockheed Martin Corp. and Northrop
Grumman Corp. Almost all were seasoned security professionals.
But Robin Sage did not exist.
Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose
weaknesses in the nation's defense and intelligence communities - what Mr. Ryan calls "an
independent 'red team' exercise."
It is not the first time "white-hat" hackers have carried out such a social-engineering experiment,
but military and intelligence security specialists told The Washington Times that the exercise
reveals important vulnerabilities in the use of social networking by people in the national
security field.
Ms. Sage's connections invited her to speak at a private-sector security conference in Miami, and
to review an important technical paper by a NASA researcher. Several invited her to dinner. And
there were many invitations to apply for jobs.
"If I can ever be of assistance with job opportunities here at Lockheed Martin, don't hesitate to
contact me, as I'm at your service," one executive at the company told her.
One soldier uploaded a picture of himself taken on patrol in Afghanistan containing embedded
data revealing his exact location. A contractor with the NRO who connected with her had
misconfigured his profile so that it revealed the answers to the security questions on his personal
e-mail account.
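The first of those two leaks is the classic geotag case: cameras and phones write latitude and longitude into the EXIF APP1 segment of a JPEG, and unless the upload path strips it, the position ships with the picture. As an added example that is not part of the article or of Mr. Ryan's exercise, the script below parses that segment, reports the coordinates in decimal degrees and produces a copy with the segment removed. The sample JPEG, its hypothetical position and all function and constant names are the example's own.

```python
# Added example (not from the article or Mr. Ryan's exercise): find and strip the GPS
# position a camera or phone writes into a JPEG's EXIF APP1 segment. SAMPLE_JPEG is a
# constructed minimal file with a hypothetical position, so this runs offline.
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP1, SOS = 0xFFE1, 0xFFDA
EXIF_HDR = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                                     # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4  # GPS IFD tags


def build_exif_jpeg(lat_ref, lat_dms, lon_ref, lon_dms):
    """Construct a JPEG (SOI, APP1 Exif, dummy SOS, EOI) whose GPS IFD carries lat/lon.

    Big-endian ("MM") TIFF: IFD0 at offset 8 holds one entry pointing at the GPS IFD,
    the GPS IFD holds four entries, and the RATIONAL (deg, min, sec) triples follow.
    """
    gps_ifd_off = 8 + 2 + 12 + 4            # IFD0: count, one 12-byte entry, next-IFD link
    lat_off = gps_ifd_off + 2 + 4 * 12 + 4  # data area after the four GPS entries
    lon_off = lat_off + 24                  # three RATIONALs = 3 * 8 bytes
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, gps_ifd_off) + b"\0" * 4
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI4s", TAG_LAT_REF, 2, 2, lat_ref.encode())  # type 2 ASCII, value inline
    gps += struct.pack(">HHII", TAG_LAT, 5, 3, lat_off)               # type 5 RATIONAL x3, by offset
    gps += struct.pack(">HHI4s", TAG_LON_REF, 2, 2, lon_ref.encode())
    gps += struct.pack(">HHII", TAG_LON, 5, 3, lon_off) + b"\0" * 4
    data = b"".join(struct.pack(">II", v, 1) for v in lat_dms + lon_dms)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + data
    payload = EXIF_HDR + tiff
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    return SOI + app1 + struct.pack(">HH", SOS, 2) + b"\0" * 8 + EOI


SAMPLE_JPEG = build_exif_jpeg("N", (34, 31, 12), "E", (69, 10, 48))  # constructed, hypothetical position


def iter_segments(jpeg):
    """Yield (marker, raw bytes) per marker segment; scan data from SOS onward comes as one chunk."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS:
            yield marker, jpeg[pos:]
            return
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def read_ifd(tiff, off, bo):
    """Return {tag: (type, count, 4 value-or-offset bytes)} for the IFD at off."""
    (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries


def dms_to_degrees(tiff, raw, bo):
    """Decode the three RATIONALs (deg, min, sec) found at the offset stored in raw."""
    (off,) = struct.unpack(bo + "I", raw)
    v = struct.unpack(bo + "6I", tiff[off:off + 24])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees if GPS EXIF is present, else None."""
    for marker, seg in iter_segments(jpeg):
        if marker != APP1 or seg[4:10] != EXIF_HDR:
            continue
        tiff = seg[10:]
        bo = "<" if tiff[:2] == b"II" else ">"  # Intel or Motorola byte order
        (ifd0_off,) = struct.unpack(bo + "I", tiff[4:8])
        ifd0 = read_ifd(tiff, ifd0_off, bo)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_off,) = struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])
        gps = read_ifd(tiff, gps_off, bo)
        if TAG_LAT not in gps or TAG_LON not in gps:
            return None
        south = gps.get(TAG_LAT_REF, (0, 0, b""))[2][:1] == b"S"
        west = gps.get(TAG_LON_REF, (0, 0, b""))[2][:1] == b"W"
        lat = dms_to_degrees(tiff, gps[TAG_LAT][2], bo) * (-1 if south else 1)
        lon = dms_to_degrees(tiff, gps[TAG_LON][2], bo) * (-1 if west else 1)
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(jpeg):
    """Return the JPEG with every APP1 Exif segment removed; the image data is untouched."""
    out = bytearray(SOI)
    for marker, seg in iter_segments(jpeg):
        if not (marker == APP1 and seg[4:10] == EXIF_HDR):
            out += seg
    return bytes(out)


if __name__ == "__main__":
    print("before:", extract_gps(SAMPLE_JPEG))              # (34.52, 69.18)
    print("after: ", extract_gps(strip_exif(SAMPLE_JPEG)))  # None
```

Two caveats a practitioner would want: dropping the whole APP1 Exif segment also discards orientation and camera data, which is usually acceptable for a pre-upload scrub but not for archiving; and a real photo can carry location in other containers too (XMP in a second APP1 segment, IPTC in APP13), which this parser ignores. For real files the maintained tool is exiftool (`exiftool -gps:all= photo.jpg` removes the GPS tags in place); the point of the block is to show what the geotag looks like on the wire and how little it takes to read it.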
"This person had a critical role in the intelligence community," Mr. Ryan said. "He was
connected to key people in other agencies." He said that he reached out to the individual, and the
misconfiguration was repaired.
But many other connections also inadvertently exposed personal data, including their home
addresses and photos of their families.
"These are all important violations of [operations security] and [personal security]," Mr. Ryan
said.
He added that he was surprised about the success of the effort, especially given that Ms. Sage's
profile was bristling with what should have been red flags.
"Everything in her profile screamed fake," he told The Times. She claimed to have 10 years of
experience in the cybersecurity field - which would mean that she entered it at age 15 - and there
is no such job as "cyber threat analyst" at the Naval Network Warfare Command. Even her name
is taken from the code name of an annual U.S. special-forces military exercise, as a two-second
Google search establishes.
Mr. Ryan chose the photos, which he found on an amateur pornography site, "because she
looked foreign" - which he said was another potential counterintelligence red flag - as well as for
her attractiveness.
Several people with whom she attempted to connect spotted the fakery, Mr. Ryan said. "I was
pretty much busted on Day Two." He said some people with whom Ms. Sage tried to connect
took simple precautions such as trying to call the phone number she provided or asking her to
e-mail them from her military account. Others checked public records on her purported National
Security Agency information security qualification or reviewed the college alumni network for
the Massachusetts Institute of Technology, where she claimed to have been educated.
Some even noticed that her profile on every site had been established less than a month earlier.
But Mr. Ryan added that no central place was established for people to warn others about the
scam, and tweets or other commentary questioning her authenticity didn't stop others from
connecting with her.
"The only agencies where I didn't get any connections were the FBI and the CIA," he said.
David Wennergren, the deputy chief information officer for the Department of Defense, said in
an e-mail that the answer was to continue the Pentagon's effort to "ensure our folks are well
trained on responsible use of the Internet - at work and home."
After the department discovered that it was the victim of "long-distance phone abuse ... we didn't
abandon the use of telephones," he said.
"We should address the behavior, not abandon the tool."
"All access to the Internet - not just social-networking sites - involves risk; even accessing
websites and the use of e-mail involves risk," Mr. Wennergren added.
But Paul Strassmann, a professor at George Mason University who was the Pentagon's director
of defense information in the early 1990s, said the unrestricted use of social networking by
Defense Department personnel poses unacceptable risks.
"You are opening the floodgates to a torrent of data, which your adversary can ... sift and turn
into intelligence," he said.
Mr. Strassmann, who said he was recently engaged by a U.S. agency he declined to name to help
develop a policy on social networking, added that it didn't matter that the security breaches in the
case were unintentional. "In intelligence, many of the most important leaks are inadvertent."
Another person involved at a senior level in the U.S. military's cybersecurity efforts, who asked
for anonymity because he was not authorized to speak about the case, called it "an object lesson
in the dangers of social networking."
"People feel they are safe" on the Internet, he said, but in reality, "it is a perfect environment for
preying on people's weaknesses."
Mr. Strassmann was dismissive of a Pentagon policy document on the use of social networking
and other Web 2.0 capabilities by defense personnel. The document, issued in February after
many delays and a lengthy process of internal consultation and review, notes that pre-existing
policy "permits limited personal use of federal government resources," such as phones and
Internet connections.
"When accessing Internet-based capabilities using federal government resources in an authorized
personal or unofficial capacity, individuals shall employ sound operations security (OPSEC)
measures ... and shall not represent the policies or official position of the Department of
Defense," the policy states.
"They just haven't thought about it," said Mr. Strassmann. "They are saying, 'Be careful.' My
grandmother used to say that. ... It's not really useful."
Mr. Strassmann said that after conversations with personnel in Iraq and elsewhere, he thinks that
many, many military personnel are avid users of social-networking sites. Troops often had to
contend with huge levels of boredom, and such sites were "highly habit-forming."
He said he was told by "someone in a position to know" that up to 20 percent of all traffic on
Defense Department computer networks involves social networking on public sites, "which are
unprotected, as well as potentially toxic."
In Israel, soldiers who had served at a top-secret military base set up a Facebook page and
allowed a reporter to sign up to it, and members of Sayeret 13, the elite naval commando unit
that carried out the botched assault last month on the Gaza-bound aid flotilla, have been ordered
to close their Facebook accounts, according to the Jerusalem Post.
China's military also has issued regulations limiting cell phone and Internet use to prevent
disclosures of military data.
Absent a straightforward ban, Mr. Strassmann said, the only solution would be to try to monitor
social Internet traffic on defense computer systems, using forensic software tools and highly
trained intelligence officers.
"You can trust people, yes; but you must verify also," he said.
Network control centers - essentially hubs where computer traffic can be tracked and analyzed -
already existed on Defense Department networks, he said, "but do not have the mission" to mine
data from social-networking traffic looking for security breaches.