Sure, execs know there’s some corporate information that needs to be kept away from strangers. But what about their online “friends”?
That’s an area where they may not know the boundaries — especially when the friend is young and attractive.
That’s the lesson from a recent experiment conducted by researcher Thomas Ryan, co-founder of Provide Security. In a presentation at this year’s Black Hat security conference in Las Vegas, Ryan explained how he used a fake online profile to gain the trust of some people who should have known better, including government intelligence officers and other security pros.
Ryan created the fictional Robin Sage and set up profiles for her on all the major social networks. He used photos of an attractive young woman and gave her an impressive background, including education at MIT and a prestigious prep school, and work experience at the Naval Network Warfare Command.
From there, Ryan started friending some prominent members of the military and security communities. While some folks did enough research to realize the profile was phony, Ryan was amazed at how many he fooled — despite some obvious red flags, such as the fact that Sage was 25 but had supposedly been working for 10 years.
One reason Ryan cited for the experiment’s success (or failure, depending on your point of view): People trusted Sage because she was already connected to people they trusted. (And her sex appeal didn’t hurt either, of course.)
After making contact, Ryan said he was able to extract some sensitive information from the subjects and even got notice of job opportunities from companies like Google and Lockheed Martin.
Experts warn this type of cyber-sleuthing could become more common now that nearly everyone is using social media sites.
Creating a fake profile is easy — and hijacking a real person’s profile isn’t all that difficult either. Tell users (especially execs) to approach social networking with caution, and realize that when they share something online, they can never be completely sure who they’re talking to.