In the Robin Sage story, a red team hacker created the fake profile, showing how it could track troop movements and even get job offers:
In the IDF story, soldiers simply created a Facebook group for their unit to share photos, etc.
"Lockheed and other firms made job offers to Robin, some inviting her to dinner to discuss employment prospects. "I was surprised at how people in her same command friended her -- people actually in the same command and the same building," Ryan says."
I did not see the group, but I am certain there were a few messages telling members to "keep their mouths shut" about key issues, maintaining security.
The Robin Sage account social-engineered its way into the updates of "colleagues" -- this group mapped that there is a base and who serves there -- at the very least. Whatever information the soldiers shared is just topping. (I don't think much of anything was shared.)
It is time for government circles to understand that disallowing Facebook and similar sites, or telling people how they are evil, is not going to work. User education is not going to help. Two options remain: Either ban it and enforce that action, or as an alternative start monitoring your employees' Facebook accounts (with their explicit consent).
Follow Gadi Evron on Twitter: http://twitter.com/gadievron.
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.