Slashdot Mirror
Pen Testers Break Into Gov't Agency With Fake Social Media ID
itwbennett writes "Security experts used fake Facebook and LinkedIn profiles to penetrate the defenses of an (unnamed) U.S. government agency with a high level of cybersecurity awareness. The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam. The testers built a credible online identity for a fictional woman named Emily Williams and used that identity to pose as a new hire at the targeted organization. The attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence. Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies."
What does the average slashdotter know about penetration?
Forget security, the real headline should be "How to get 3 job offers in 24 hours". She must have had some serious (fake) qualifications and/or a smoking hot profile pic.
And yet when I accuse people I just met at the company of being Chinese spies, I am the one who is sent to HR. There is some kind of double standard here.
How good can a company be if they offer you a job solely on your so-called resume?
No interview, no verification..
---- Booth was a patriot ----
The IT world article explains that the fake account was an attractive woman. The victims who exposed their organizations to attack were men who were trying to "help" this attractive woman in her new position.
New security measure: male employees are castrated upon hire. They tried the same attack with a male profile and received no hits.
Aside from that interesting bit, we have heard this story over and over again: Large organizations contain at least a few stupid people. Those stupid people, who are mostly well intentioned, work around security measures and run Java applets to see the company Christmas card, a card that is actually an attack.
...was being added to an employee's facebook or linkedin page a 'Security Attack' or really any sort of real risk? How is making a friend request a "Sophisticated Attack"? Sure, you can start linking information together, but this is an attack in the same way that a honey bee at the pool counts as a deadly swarm of African hornets.
As for the "job offer," why do I suspect that the 'job offers' were not real job offers, but rather requests to apply for a job? You know, like everyone who's on linkedin who has any qualifications or prior experience gets about 3-4x a day, more if you've got a resume with certain keywords in it? Anyway, why is any of that relevant to a security probe?
I read a book a while back about some of the phone phreakers, and at one point they brought a woman in to the pentagon to demonstrate social manipulation. She was given only a normal phone and phonebook, and asked to get the daily schedule of a specific general, and something like 40 minutes later, she had it. They also had examples of people having extra keys made for doors, purchases and deliveries being made, phone systems being rerouted, and so on. Those sorts of things are attacks.
This was just fluff.
Is for no one to have any secrets..
Have you fscked your local propeller head today?
"The attack used built-in Java functionality to get the shell instead of exploiting a vulnerability and required user interaction, but despite these technical limitations, it was very successful, according to Lakhani."
I'm curious what the "required user interaction" was...
I'm pretty tech secure savvy - run noscript, only use the computer with condoms on, etc; But I wonder if I would've fallen for this as well...
If I got a "Christmas Card" from somebody on my company's email I would've allowed the java applet to run. There's an automatic assumption of trust *inside the system* and I would've also assumed that the sandbox mode would be reasonably secure. Was the "user interaction" just allowing the applet to run or did it also ask for something like internet access, which would've thrown up a red flag?
To "Break Into" you have to get hired, get past security clearance process and then get hired into position that has access to something valuable, then succeed at taking it. When you are willing to manufacture lies "job offer" is an easy part.
We are actually quite good at it, as we do in everything, we apply a deep level of analysis to how we are doing it.. 5 quick 5 slow ;) make sure you use a prime number!
Have you fscked your local propeller head today?
Well, I don't accept connections on Facebook from anyone at work. Too many folks who have distasteful lives (and I don't want them knowing my stuff either). I have received the occasional Facebook chick spam. I figure it's porn and I certainly don't need Facebook to find porn :)
I deleted my Linkedin profile a week or two ago so no connections there either. Way too many headhunter spams ("we have a sysadmin job in New Jersey for 6 months for $20 an hour" or better "we are a temp agency, do you need any accounting people?"), marketing spams ("we have this awesome windows management tool" You do know I'm a Unix admin, right?), folks who have no idea of what I do who think I'm a great C programmer, and quite a few folks I have no idea who they are who want to link. So not seeing any benefit, I bailed.
I also don't click on such attachments or Facebook posts. I have relatives sending me links to such Christmas or Birthday card sites and I choose not to click the link. Just a tad paranoid I guess.
In reading the article:
The experiment also shows that attractive women get special treatment in the male-dominated IT industry. The majority of individuals who went out of their way to help Emily Williams were men. The team actually tried a similar test in parallel with a fake male social media profile and got no useful connections.
I wonder if they though to try it with a plainer woman. Since women are so underrepresented in IT, any woman might have received the "special treatment".
In general though, I think it's true. Social Networking, either by Social Media or in person will certainly eventually gain you access. Folks are helpful. At work the Customer Service folks get the most awards for being helpful. Upper management even had a Customer Service demonstration for our last company wide meeting. I think it'll take a big change to get that sort of behavior changed.
[John]
Shit better not happen!
An elaborate multi-factored social engineering hack (commonly referred as a "heist") is quite different than a penetrate test. Anybody can commit fraud, be it a computer illiterate juvenile or a network security contractor (*cough*Snowden*cough*) by virtue of misleading or reconfiguring enough influential factors (people, systems) to pass whatever security measures are in place.
The same outcome could have occurred by stealing an employee's security badge -- especially if there's an uncanny visual resemblance.
In other words... no news here.
Instead of castration you should have an inhouse department that mainly has women so the lonely tech staff does not have to look at the outside. Think of an art/marketing department integrated in the technical department.
Presumably this attractive 28 year old female would have to eventually show up in person with ID for an interview or at least an employee badge, right? How did they plan to handle that part of the "penetration"?
this signature has been removed due to a DMCA takedown notice
Glad you only care if the technical measures that secure your systems are robust. That is what you are implying by saying this isn't a pen test. It IS a pen test, but it is not a test of technical security.
How is it *not* a penetration test? They were testing whether they could get in. They got in. How does it matter whether they got in because they tricked a computer into letting them in, or a person? Both avenues are equally important if you want your office to be secure.
The answer is 'scope creep'. Penetration testers operate under 'normal use' assumptions and will attack system and interfaces 'head-on'. For example, if you have a password-protected interface then it is assumed that password is not know and cannot be known unless said interface can be manipulated in divulging it. Generally speaking you assume that policy and procedures are followed. While you could always torture sysadmin for passwords "getting in" this way will not tell you much about system security. As such, penetration testing is not about "getting in" but about testing effectiveness of system protection against specific threat level/sophistication.
Social engineering attacks are a bit different. When you test against social engineering attacks it isn't about getting in but about testing effectiveness and rate of compliance with policy.
So what tests mentioned in the OP identified ? Well, they identified that policy and procedures are not being followed in granting access to the network and hardware. Simple "assign asset to employe ID" check would have stopped this, so I suspect that procedures are flawed or outright ignored.
They also identified that spear phishing attack succeeded, this means that a) users have unnecessary privileges and/or b) intrusion detection is inadequate. The OP does not identify how long backdoors they installed remained undetected. They also did not specify if they gained potential access or actually managed to extract useful information. Outright preventing sophisticated spear phishing in a large organization is very very hard, but identifying and mitigating is fairly routine and frequently automated.
With enough effort you could spear phish anyone. For example, if you date, marry me, start a family, and live with me for a decade or two you can get me to divulge my sensitive passwords. If I was head of CIA it might be even worthwhile.
With this type of attacks questions is not how do you prevent attackers from "getting in" with social engineering, but instead mitigating damage and putting roadblocks in place to delaying them.
So she graduated MIT at the tender age of 18 and no-one suspected anything funny? It must be the result of the math deficit caused by no child left behind publiek skooling.
To quote the speaker "Every time we include social engineering in our penetration tests we have a hundred percent success rate,"
That was in big organizations including cybersecurity teams. What this means is that there is a giant freekin SUV wide hole into ALL organizations unless they have smarted up in recent months. Like I am sure they did at healthcare.gov, right?
Most people who work in "security" fields only work in them for the money, not because they have a clue or care. Some dude probably thought he was going to get his dick wet or something when he saw a photo of an attractive woman. Crap like that is exactly how Mossad got Mordechai Vanunu
Can we think a little less with our dicks guys?
They want their "experiment" back...
http://pentest.netragard.com/2009/02/12/facebook-from-the-hackers-perspective/
In my experience, social engineering is part of a thorough pen test, just as physical security is. It's usually the most successful/easiest part, too.
It gripped her hand gently. 'Regret is for humans,' it said.
Thank you, sinij. I was going to respond with something similar (scope creep).