Cyber espionage lure catches some big fish

An undercover cybersecurity expert demonstrates the national security risks posed by social media in government

Oh, the humanity!

One might hope that the men and women employed by the military, the intelligence community and government contractors would be wiser than most when it comes to online scams.

You'd think this would especially be the case with a so-called social engineering scam — one in which an individual assumes a fake identity on Facebook and other social media sites in hopes of finding well-placed “friends” who might inadvertently reveal valuable intelligence data.

That’s the kind of stuff they warn against in Social Media 101.

And yet cybersecurity expert Thomas Ryan — posing as Robin Sage, an attractive “cyber threat analyst” working at the Navy’s Network Warfare Command — managed to find more than 600 friends or followers across Facebook, Twitter and LinkedIn. Ryan’s trap snared employees at some secretive places, including the National Reconnaissance Office, the Navy, Lockheed Martin and Northrop Grumman, according to various media accounts.

“I wanted to see how much intel you could gather from a person just by lurking on a social networking site,” Ryan told Jaikumar Vijayan at Computerworld.

People accepted his/her online overtures despite some obvious red flags, such as the fact that Robin claimed to have 10 years of experience in cybersecurity despite being only 25 years old. And they began sharing information that, if Ryan had not been one of the good guys trying to make a point, could have compromised national security, such as troop locations and movement.

“People also sought Robin’s professional advice, invited her to dinners, and offered her job opportunities,” writes Petty Officer 2nd Class Elliott Fabrizio at the Defense Department’s "Armed with Science" blog. “Not bad in this economy, especially for a person who doesn’t even exist.”

Which just goes to show: Human nature trumps training more often than we would like to think.

“It is not the first time ‘white-hat’ hackers have carried out such a social engineering experiment,” writes Shaun Waterman at the Washington Times. “But military and intelligence security specialists [said] the exercise reveals important vulnerabilities in the use of social networking by people in the national security field.”

Reader comments

Wed, Sep 8, 2010

If these 600 people actually divulged sensitive information to "Robin", doesn't that mean the same info was also available to others (Bad Guys) accessing these sites?

Fri, Aug 6, 2010 JBrentwood

As a security consultant, I do not advocate social media access; the supposed benefits of access for government employees simply don't hold water when compared to the risks. That being said, I'm assuming that these individuals accessed Facebook from private computers. I would have put text such as "Any communication by an individual through which the individual identifies themselves as a [Agency Name] employee, approved consultant, service provider or contractor, shall be deemed an official [Agency Name] communication". This type of disclaimer in the paperwork each employee signs as a condition of employment will give the agency legal standing to take disciplinary action even if the communication took place outside of work and while not using agency computing or network resources.

Tue, Jul 27, 2010 Earth

And women don't lie about their age? Hardly the red flag that would cancel interest. And since when is it smart to put one's real age on any web site? Or any other PII for that matter. The real question is how many of these 600 friends are other agents running similar scams. Spy vs. Spy, Spy vs. FBI, etc., etc. The first rule of communication theory: the more unusual the signal, the more information it carries, but the information it carries isn't necessarily the signal's standard decoding. Age 25 doesn't signal actual age; mixed with 15 years' security experience it signals PII smart. Which means, given the need for security excellence, job prospect. If you assume your opponent is dumber than yourself, you are dumber than sufficient.

Mon, Jul 26, 2010

Again, someone explain to me why you need Facebook access?

Mon, Jul 26, 2010 Dave K

Missing (as always) is the follow-up about the disciplinary action taken against those who fell for these scams. Until the dog has teeth, people will ignore the bark.
