Experiment proves users do not follow basic cyber security rules

By Staff Writer Dena O'Dell | 1ID | February 08, 2013

Editor's note: The Antiterrorism theme for the first quarter – January to March – is cyber threat awareness. This is the second article in a series of articles educating readers about the different methods of cyber threats and how to prevent them.

Robin Sage was a fictional American cyber threat analyst created in December 2009 by Thomas Ryan, a security specialist and "White Hat" hacker from New York, as part of an effort to expose weaknesses in the nation's defense and intelligence communities, said Pat Burch, installation antiterrorism officer, Fort Riley.

Sage, according to her Facebook profile, was a flirtatious 25-year-old woman working as a "cyber threat analyst" at the U.S. Navy's Network Warfare Command. Within less than a month, she amassed about 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors.

The contacts "Robin Sage" established ignored many of the basic rules of cyber security, which include confirming the identity of someone who contacts you, Burch said.

Sage's connections on LinkedIn included men working for the Joint Chiefs of Staff, National Reconnaissance Office, a senior intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. Congressman and several senior executives at defense contractors.

Through these connections, Ryan – posing as the fictional Sage – gained access to email addresses and bank accounts; learned the locations of secret military units based on Soldiers' Facebook photos; and was able to get connections between different people and organizations, receive private documents for review and was offered the opportunity to speak at several conferences.

Not only did Robin Sage's contacts not follow basic rules for cyber security, Burch said, they ignored several red flags, such as:

• At the age of 25, Sage claimed to have already had 10 years of professional experience in the cyber security field, which would have put her at 15 years of age when she started her career.

• No "cyber threat analyst" job existed at the Naval Network Warfare Command.

• Sage was not dressed like a government professional in any of her profile photographs.

• Robin Sage is the code name of a U.S. Special Forces military exercise.

Several of those she tried to befriend did attempt to verify her identity using her profile phone number, checking email addresses outside of the social networking sites or using the Massachusetts Institute of Technology alumni network to confirm her identity. All information in her profile was false.

The purpose of the Robin Sage experiment was to:

• Reveal important vulnerabilities in the use of social networking by people in the national security field.

• Point out that about 20 percent of all traffic on Department of Defense computer networks involves social networking on public sites, which are unprotected and potentially harmful.

• Although many security breaches in the Robin Sage experiment were unintentional, in the intelligence field, many of the most important leaks are inadvertent.

• Many people entrusted with vital sensitive information will share this information readily with third parties when asked.

• Remind military personnel and DoD employees to be careful who they allow onto their social networking sites. If they do not know the person who attempts to connect with them, they should investigate who they are and why they want to join them on their social network.

• Remind those on social networking sites not to offer personal or professional information, including email addresses, which could open them up for phishing or spear phishing attacks.

• Remind people not to open email attachments, hyperlinks or URLs from anyone whom they don't know personally.

• Train themselves, Soldiers, employees and Family members on responsible use of the Internet at work and at home.

Anyone who receives a suspicious email should not open it. They should notify their security manager immediately. If a security manager is not available, they can contact the installation's Antiterrorism Office 785-239-6303; 902ND MI, 785-239-2268; or submit an iWATCH report at usarmy.riley.imcomcentral.list.iwatch@mail.mil.