www.wearethemighty.com
A ‘white-hat’ hacker catfished defense information security experts with a photo and personal networking
In what is perhaps the greatest example of “fake it ’til you make it,” a third-generation Navy veteran decided to put America’s cybersecurity infrastructure to the test. The results were hilarious. Unless you care about maintaining the United States’ information security. Using just a porn photo and charisma, his test got real people to violate OPSEC and PERSEC procedures for someone who didn’t exist, in less than a month.

Thomas Ryan was working as a “white-hat hacker” and cybersecurity analyst in 2009, when he decided to test “information leakage” in the U.S. cybersecurity infrastructure. To do this, he created an entirely online social media background and history for Robin Sage, a “young, attractive, and edgy” 25-year-old girl who claimed to be a cyber threat analyst at the Naval Network Warfare Command in Norfolk, Virginia.
Her Twitter bio read: “Sorry to say, I’m not a Green Beret! Just a cute girl stopping by to say hey! My life is about infosec all the way!”

“Robin” had great credentials for a 25-year-old woman. She was a graduate of MIT with a decade of experience in cybersecurity, and she knew how to network very effectively, gaining contacts that included executives at prominent government entities like NASA, the NSA, DOD, and other defense intelligence agencies.
In his final report, Ryan said he purposely chose an attractive woman because he wanted to prove how sex and appearance play a role in trust and someone’s willingness to connect. So he pulled a photo from an amateur porn site, looking for someone who didn’t look American.
Some other possibilities considered by Ryan.
“Robin” then added 300 friends from places like military intelligence, defense contractors, and other security specialists. She also connected on LinkedIn with people working for a former Chairman of the Joint Chiefs of Staff and at the National Reconnaissance Office, the U.S. spy satellite agency. The most vital information, it turned out, would be leaked through LinkedIn.

Ryan, as Robin, duped men and women alike (but mostly men), without showing any real biographical information. Over the course of the 28-day experiment, he/she acquired access to e-mail accounts (one NRO contractor posted information on social media, which revealed answers to security questions on his personal e-mail), as well as home addresses, family information, and bank accounts. Sage learned the locations of secret military installations and was also able to successfully determine their missions. She received documents to review, was invited to speak at conferences, and was even offered consulting work at Google and Lockheed. Not bad for never existing.

Of course, there were many red flags. And they were intentional. First and foremost was Sage’s claim to work in INFOSEC with a decade of experience, which would have made her 15 years old when her security career began. Moreover, her job title didn’t exist. Her online identity could only be traced back 30 days. Her name is even based on a famed U.S. Army Special Forces training exercise, which should have raised more red flags than a parade through Tiananmen Square.

Ryan says some people in the INFOSEC community were skeptical and tried to verify her identity. Some even confirmed she was fake, but no real alerts were made about just how deceptive the Robin Sage profile really was. So Ryan went on as Robin and continued to win friends and influence people. When all was said and done, however, the exercise was not popular with everyone in the INFOSEC community.
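The red flags listed above (experience that outruns the claimed age, a job title nobody can confirm, an online footprint only weeks old, a name lifted from a well-known exercise) are the kind of checks a vetting step can run before anyone accepts a connection request from a stranger. As an added example, not from the article or from Ryan’s paper, here is a small Python checker that turns those four observations into explicit consistency tests over a claimed profile. The title roster, the exercise-name list, the thresholds and the sample profiles are all constructed placeholders for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed reference data for this example. A real vetting process would
# pull an organization's actual title roster from HR or a directory service.
KNOWN_TITLES: Dict[str, Set[str]] = {
    "naval network warfare command": {"information assurance analyst",
                                      "network operations officer"},
    "example contractor": {"security engineer", "penetration tester"},
}
# Constructed list of exercise names / codenames that should not appear as a person's name.
KNOWN_EXERCISE_NAMES: Set[str] = {"robin sage", "example exercise"}

MIN_CAREER_START_AGE = 18   # assumed: a career start younger than this is implausible
MIN_FOOTPRINT_DAYS = 365    # assumed: an identity younger than this deserves a second look

# Constructed "now" so the example is deterministic (the article's experiment ran in 2009).
EXAMPLE_TODAY = date(2010, 1, 28)


@dataclass
class Profile:
    name: str
    age: int
    claimed_years_experience: int
    organization: str
    title: str
    first_seen_online: date   # earliest date any account for this identity is known to exist


def red_flags(profile: Profile, today: date = EXAMPLE_TODAY) -> List[str]:
    """Return a human-readable list of consistency problems with a claimed profile."""
    flags: List[str] = []

    # 1. Claimed experience versus age: 25 years old with a decade of experience
    #    implies a career start at 15.
    start_age = profile.age - profile.claimed_years_experience
    if start_age < MIN_CAREER_START_AGE:
        flags.append(f"claimed experience implies a career start at age {start_age}")

    # 2. How far back the online identity can be traced.
    footprint_days = (today - profile.first_seen_online).days
    if footprint_days < MIN_FOOTPRINT_DAYS:
        flags.append(f"online identity traceable back only {footprint_days} days")

    # 3. Does the claimed title exist at the claimed organization?
    roster = KNOWN_TITLES.get(profile.organization.lower(), set())
    if profile.title.lower() not in roster:
        flags.append(f"title '{profile.title}' not found in roster for {profile.organization}")

    # 4. Name collides with a known exercise or codename.
    if profile.name.lower() in KNOWN_EXERCISE_NAMES:
        flags.append(f"name '{profile.name}' matches a known exercise or codename")

    return flags


def sage_like_profile() -> Profile:
    """Constructed profile mirroring the article's description of Robin Sage."""
    return Profile(name="Robin Sage", age=25, claimed_years_experience=10,
                   organization="Naval Network Warfare Command",
                   title="Cyber Threat Analyst",
                   first_seen_online=date(2009, 12, 29))  # 30 days before EXAMPLE_TODAY


def plausible_profile() -> Profile:
    """Constructed profile that passes every check."""
    return Profile(name="Jane Example", age=34, claimed_years_experience=12,
                   organization="Example Contractor", title="Security Engineer",
                   first_seen_online=date(2004, 5, 1))


if __name__ == "__main__":
    for p in (sage_like_profile(), plausible_profile()):
        print(p.name, "->", red_flags(p) or ["no red flags"])
```

Each check is deliberately cheap and explainable: the output is a list of reasons a person can read, not a score, which matters when the decision is “do I accept this connection and answer this person’s questions” rather than an automated block.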
That is some extreme butthurt.
Ryan wrote a paper, called “Getting in Bed With Robin Sage,” that described the extent to which the seemingly harmless details in social media posts were as damaging as the information given to her freely by those who sought her opinion. “In conjunction with her look, Robin Sage’s credentials listed on her profile resulted in selection perception; people’s tendency to draw unwarranted conclusions in their attempt to make a quick decision,” Ryan wrote in his abstract. “By acquiring a large number of connections, Robin had the ability to identify the individual who was positioned to provide the most intelligence based on their involvement in multiple government agencies. The false identity, combined with carefully chosen false credentials, led to a false trust that could have resulted in the breach of multiple security protocols.”

Robin Sage, despite being fake and having the look of an amateur porn starlet, was more successful at networking and getting job offers than most recent college graduates.
You truly can be anything.
The only agencies with people who never took the bait were the FBI and the CIA. Ryan told the Guardian, “The big takeaway is not to befriend anybody unless you really know who they are.”
By Blake Stilwell