Jordan Harbinger, a professional social engineer, gave a talk at Def Con about how to get defense contractors to give up sensitive information.
About 1.4 million people in the US have a "top secret" security clearance. But what happens when an attractive man or woman friends them on Facebook, asking for career advice and wondering what they’re working on?
Jordan Harbinger, a dating coach based in Los Angeles, wanted to give a talk at the hacker convention Def Con. He was in his living room chatting with two clients who happen to work for a massive defense corporation that contracts with the US military when the pair started blabbing about their top secret projects. That gave Harbinger an idea for an experiment in social engineering, the dark art of influencing people to act against their own interest: what would it take for a defense contractor to reveal classified information to a total stranger?
Would a defense contractor reveal classified information to a stranger?
The answer is: not much. Harbinger succeeded in getting contractors with top secret security clearances to reveal details of what they were working on, as well as enough personal information to access their bank accounts, credit card statements, and cell phone records. He spent fewer than 10 hours total on the project spread over a few weeks.
"I wanted to do it without breaking any laws, and ideally just with stretching the truth," he said. Marcia Hoffman, a lawyer with the Electronic Frontier Foundation at the time who is now in private practice, advised him in order to ensure he didn’t do anything illegal, such as impersonate a government employee.
He started by crafting a LinkedIn profile for a defense industry recruiter with the help of a headhunter friend. He then found a LinkedIn group for people with top secret security clearances that now has more than 9,500 members. A top secret security clearance requires an extensive background check, reference check, and sometimes a polygraph, but the moderator of the group approved Harbinger’s request to join without question.
From there, Harbinger connected with around 50 members of the group. LinkedIn typically asks for an email address in order to connect with someone, but you’re allowed to make a limited number of requests without an email if the person is a "friend." Being part of the top secret group was enough; everyone accepted Harbinger’s request, enabling him to message them about bogus job opportunities.
"I'm actually going to be in Afghanistan. We should meet face-to-face."
Private contractors, government employees, and active duty military told Harbinger what they were working on and, if they were deployed, where they were stationed. "I’m actually going to be in Afghanistan," he’d write. "We should meet face-to-face." Without thinking, the target would volunteer his or her location — a breach of basic operations security.
Next, Harbinger made a phony Facebook profile for a female engineer named Alara using pictures of his gorgeous assistant, who was in on the scheme. Her profile included a link to a resume and a set of vacation photos, which allowed Harbinger to scrape the target’s location when they visited the page. Harbinger sent friend requests to the male contractors and defense workers he had talked to on LinkedIn, this time as the fake Alara. Her story was that she was applying for a job with their company and needed career advice.
Harbinger carefully crafted each Facebook message, appealing to engineer friends or Wikipedia in order to keep up with all the jargon. Innocent questions such as, "What kind of things should I talk about in my interview?" yielded the location of testing facilities, what projects were being worked on at what facilities, how many people were working on these projects, and even the project budgets. Bizarre statements like, "I really don’t like working with Chinese people," revealed which projects were staffed with mostly Americans and which departments employed foreigners.
Harbinger stopped short of pushing for classified information, he said, but he got close enough to prove how easy it would be to extract very sensitive intel if he’d kept probing. Still, he was able to reset one target’s passwords and access a PayPal account, bank account, credit card statement, and cell phone bill. He learned that one target was in debt, which is grounds for losing a security clearance and therefore a job. (The logic is that debt makes an employee vulnerable to bribes.)
He was able to access a PayPal account, bank account, credit card statement, and cell phone bill
Harbinger was doing all this with just his laptop and some free legal advice. He was careful not to break the law, and he chose to give a talk at Def Con, where social engineering is recognized as a major security threat, rather than use the data to cause harm. Although much of what the bloated defense industry considers "top secret" is not actually that sensitive anymore, a malicious actor with a bigger budget and no scruples could potentially do some high-level espionage.
The attacker could invite the target and his family to a recruiting resort and then tap his phone while he wasn’t home, for example, or pay a fake Alara to show up in person and ask directly for information. "I never got close to the point where somebody was like, ‘hey if you sleep with me, I’ll tell you the secrets to the missile thing I'm working on,'" Harbinger said. "But my theory was, if I flew Alara out to Wisconsin or Virginia, she could get him there in five dates."
Harbinger has used his skill in social engineering to overcome his awkwardness around girls, score a job as a Wall Street lawyer, and build a business around teaching men how to talk to women. (He does not advocate lying to women and does not consider himself a pick-up artist, he says; "those guys are weirdos.") He says protecting against social hacking is extremely difficult.
"Even if you think this can’t happen to you, it can," he told The Verge. "The level of paranoia that you would have to have to protect yourself would make it so that you can’t function as a regular human."