Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pen Testers Break Into Gov't Agency With Fake Social Media ID

Posted by timothy on from the open-government dept.

itwbennett writes "Security experts used fake Facebook and LinkedIn profiles to penetrate the defenses of an (unnamed) U.S. government agency with a high level of cybersecurity awareness. The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam. The testers built a credible online identity for a fictional woman named Emily Williams and used that identity to pose as a new hire at the targeted organization. The attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence. Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies."

31 of 109 comments (clear)

  1. Pen testers? by Anonymous Coward · · Score: 5, Funny

    What does the average slashdotter know about penetration?

  2. Security? by Anonymous Coward · · Score: 5, Insightful

    Forget security, the real headline should be "How to get 3 job offers in 24 hours". She must have had some serious (fake) qualifications and/or a smoking hot profile pic.

    1. Re:Security? by Joining+Yet+Again · · Score: 4, Insightful

      Yeah, I imagine by "job offer" they mean "recruiter spam".

      And by "high level of cybersecurity awareness" they mean that some cunt installed Norton on the desktops.

    2. Re:Security? by Joining+Yet+Again · · Score: 2, Funny

      So you're to blame for everything that's wrong with me!

  3. What else do we expect to do? by Anonymous Coward · · Score: 5, Funny

    And yet when I accuse people I just met at the company of being Chinese spies, I am the one who is sent to HR. There is some kind of double standard here.

    1. Re:What else do we expect to do? by CreatureComfort · · Score: 2

      So...they are indistinguishable from Minnesoatans?

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar
    2. Re:What else do we expect to do? by Anonymous Coward · · Score: 2, Funny

      We don't like bad beer. We just drink American beer when we're spying on you in an attempt to fit in...

    3. Re:What else do we expect to do? by Minwee · · Score: 4, Insightful

      They look just like us but like bad beer and hockey.

      And the ones who like good beer stay in Canada.

  4. Re:Job offers? by Anonymous Coward · · Score: 3, Insightful

    Probably just headhunters. I get those all the time through Linkedin.

  5. Because they used an attractive woman. by EMG+at+MU · · Score: 5, Interesting

    The IT world article explains that the fake account was an attractive woman. The victims who exposed their organizations to attack were men who were trying to "help" this attractive woman in her new position.

    New security measure: male employees are castrated upon hire. They tried the same attack with a male profile and received no hits.

    Aside from that interesting bit, we have heard this story over and over again: Large organizations contain at least a few stupid people. Those stupid people, who are mostly well intentioned, work around security measures and run Java applets to see the company Christmas card, a card that is actually an attack.

    1. Re:Because they used an attractive woman. by jsepeta · · Score: 5, Insightful

      so really the title should be "attractive women more likely to get job offers." move along, no story here.

      --
      Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
    2. Re:Because they used an attractive woman. by Zontar_Thing_From_Ve · · Score: 4, Informative

      The IT world article explains that the fake account was an attractive woman. The victims who exposed their organizations to attack were men who were trying to "help" this attractive woman in her new position.

      Executive summary:
      Fake Facebook and Linkedin accounts created for a non-existent attractive 28 year old female who was supposedly a new employee. Apparently the account sent out a lot of friend invitations which were accepted by (seemingly mostly) men who never questioned the invitation or why they had never met this person in real life. The men fell all over themselves to "help" this new employee with some even offering to bypass official channels to get her working sooner. So basically lonely nerds take a shot that friending and helping a hot new chick at work might get them something down the road. The fact that she got job offers means nothing as everybody I know who uses Linkedin (for the record I do not use it) gets job offers all the time. One more thing - they made some fake postings from her so that an internet search would seem to indicate she was a real person. And her Facebook account had a link to an external site with a Java security attack that got some suckers to click on it.

    3. Re:Because they used an attractive woman. by minstrelmike · · Score: 2

      Booth babes attract attention. Sex sells. Watch commercials during a football game or prime time.
      They even sell drugs such as Viagra and alcohol to help you have sex (with partners).

    4. Re:Because they used an attractive woman. by minstrelmike · · Score: 2

      That's probably why 'real' programmers are fairly safe. They don't have any friends ;-)

    5. Re:Because they used an attractive woman. by jader3rd · · Score: 2

      They tried the same attack with a male profile and received no hits.

      A male wouldn't have helped the organizations diversity quota.

    6. Re:Because they used an attractive woman. by sootman · · Score: 2

      A friend of mine has an attractive wife. Her mom had a document needed to be faxed. Neither had a fax machine so the mom told the daughter to take it to Office Depot and fax. I don't know if the mom mis-spoke or if the girl had a blonde moment (or both) but in any case, she went to Home Depot instead and asked the guy at the customer service counter to fax it. The guy was like "Um, we don't usually do this, but OK."

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  6. Since when ... by quietwalker · · Score: 2

    ...was being added to an employee's facebook or linkedin page a 'Security Attack' or really any sort of real risk? How is making a friend request a "Sophisticated Attack"? Sure, you can start linking information together, but this is an attack in the same way that a honey bee at the pool counts as a deadly swarm of African hornets.

    As for the "job offer," why do I suspect that the 'job offers' were not real job offers, but rather requests to apply for a job? You know, like everyone who's on linkedin who has any qualifications or prior experience gets about 3-4x a day, more if you've got a resume with certain keywords in it? Anyway, why is any of that relevant to a security probe?

    I read a book a while back about some of the phone phreakers, and at one point they brought a woman in to the pentagon to demonstrate social manipulation. She was given only a normal phone and phonebook, and asked to get the daily schedule of a specific general, and something like 40 minutes later, she had it. They also had examples of people having extra keys made for doors, purchases and deliveries being made, phone systems being rerouted, and so on. Those sorts of things are attacks.

    This was just fluff.

    1. Re:Since when ... by quietwalker · · Score: 5, Informative

      (and then I read the article)

      Okay, the point where they then use the connections to send out xmas cards linked to an attack site which people went to, and how they somehow scammed someone into sending her a work laptop and network access credentials.

      That might be better to lead with the actual attacks in the summary, and not just some sort of information gathering setup.

    2. Re:Since when ... by minstrelmike · · Score: 2

      I dunno. I think it's still fluff.
      When you manipulate people face-to-face to bypass security, it is called social engineering.
      When you do _exactly_ the same thing not face-to-face but using a computer, it is suddenly "the system's" fault.

  7. Curious... by the_skywise · · Score: 3, Insightful

    "The attack used built-in Java functionality to get the shell instead of exploiting a vulnerability and required user interaction, but despite these technical limitations, it was very successful, according to Lakhani."

    I'm curious what the "required user interaction" was...

    I'm pretty tech secure savvy - run noscript, only use the computer with condoms on, etc; But I wonder if I would've fallen for this as well...

    If I got a "Christmas Card" from somebody on my company's email I would've allowed the java applet to run. There's an automatic assumption of trust *inside the system* and I would've also assumed that the sandbox mode would be reasonably secure. Was the "user interaction" just allowing the applet to run or did it also ask for something like internet access, which would've thrown up a red flag?

    1. Re:Curious... by ShanghaiBill · · Score: 2

      If I got a "Christmas Card" from somebody on my company's email I would've allowed the java applet to run.

      So would I. But I work for an open source company, and you can download everything we have from our website. So security isn't a big concern because their is nothing to steal. In the past, I worked for a defense contractor that did classified work. If an employee emailed a co-worker a java applet, or any other executable content, they would receive a written warning. On the second offense, they would likely lose their clearance and their job.

    2. Re:Curious... by PPH · · Score: 3, Interesting

      If I got a "Christmas Card" from somebody on my company's email I would've allowed the java applet to run.

      When I worked for Boeing, one of the supervisors on my project was a fan of Asian male porn (use your imagination). More than a few e-mails supposedly from him contained malware. Given the firewalls we had, I have to think that the infection was hosted on his system. Probably a laptop he carried back and forth to work.

      Fortunatly, I ran a Linux desktop, so no Asian male porn popups for me.

      --
      Have gnu, will travel.
  8. Social Media by Bigbutt · · Score: 4, Interesting

    Well, I don't accept connections on Facebook from anyone at work. Too many folks who have distasteful lives (and I don't want them knowing my stuff either). I have received the occasional Facebook chick spam. I figure it's porn and I certainly don't need Facebook to find porn :)

    I deleted my Linkedin profile a week or two ago so no connections there either. Way too many headhunter spams ("we have a sysadmin job in New Jersey for 6 months for $20 an hour" or better "we are a temp agency, do you need any accounting people?"), marketing spams ("we have this awesome windows management tool" You do know I'm a Unix admin, right?), folks who have no idea of what I do who think I'm a great C programmer, and quite a few folks I have no idea who they are who want to link. So not seeing any benefit, I bailed.

    I also don't click on such attachments or Facebook posts. I have relatives sending me links to such Christmas or Birthday card sites and I choose not to click the link. Just a tad paranoid I guess.

    In reading the article:

    The experiment also shows that attractive women get special treatment in the male-dominated IT industry. The majority of individuals who went out of their way to help Emily Williams were men. The team actually tried a similar test in parallel with a fake male social media profile and got no useful connections.

    I wonder if they though to try it with a plainer woman. Since women are so underrepresented in IT, any woman might have received the "special treatment".

    In general though, I think it's true. Social Networking, either by Social Media or in person will certainly eventually gain you access. Folks are helpful. At work the Customer Service folks get the most awards for being helpful. Upper management even had a Customer Service demonstration for our last company wide meeting. I think it'll take a big change to get that sort of behavior changed.

    [John]

    --
    Shit better not happen!
  9. Re:Job offers? by tompaulco · · Score: 4, Interesting

    I have over 200 contacts and have never had a job offer from linkedin. Maybe it is because I don't accept connections from people I don't know.
    I do regularly get contacted by Indian firms via e-mail or even by phone, but as soon as they find out I am a citizen and not an H1b, then they lose interest.

    --
    If you are not allowed to question your government then the government has answered your question.
  10. Re:Job offers? by Austrian+Anarchy · · Score: 4, Insightful

    How good can a company be if they offer you a job solely on your so-called resume?

    No interview, no verification..

    I suspect they are grossly misusing the term "job offer." Could be an indication of just what sort of people they have working in their own organization.

    --
    Time Bomber the Book coming soon.
  11. Elaborate social engineering hack != "pen testing" by atom1c · · Score: 4, Interesting

    An elaborate multi-factored social engineering hack (commonly referred as a "heist") is quite different than a penetrate test. Anybody can commit fraud, be it a computer illiterate juvenile or a network security contractor (*cough*Snowden*cough*) by virtue of misleading or reconfiguring enough influential factors (people, systems) to pass whatever security measures are in place.

    The same outcome could have occurred by stealing an employee's security badge -- especially if there's an uncanny visual resemblance.

    In other words... no news here.

  12. reward over punishhment. by leuk_he · · Score: 2

    Instead of castration you should have an inhouse department that mainly has women so the lonely tech staff does not have to look at the outside. Think of an art/marketing department integrated in the technical department.

  13. Re:Job offer is not "break into" by Minwee · · Score: 3, Informative

    To "Break Into" you have to get hired, get past security clearance process and then get hired into position that has access to something valuable, then succeed at taking it. When you are willing to manufacture lies "job offer" is an easy part.

    Maybe you didn't read all of the article.

    [...] men working for the targeted agency offered to help her get started faster in her alleged new job within the organization by going around the usual channels to provide her with a work laptop and network access. The level of access she got in this way was higher than what she would have normally received through the proper channels if she had really been a new hire [...]

    If you read very carefully, you will see that "Emily Williams" was given access to the secure but unnamed organization's network without having to do any of those things.

  14. Re:Elaborate social engineering hack != "pen testi by neminem · · Score: 4, Insightful

    How is it *not* a penetration test? They were testing whether they could get in. They got in. How does it matter whether they got in because they tricked a computer into letting them in, or a person? Both avenues are equally important if you want your office to be secure.

  15. Re:Job offer is not "break into" by Minwee · · Score: 2

    I don't think "But she didn't play FAIR!" is an acceptable defense here. Someone from outside of a secure organization was able to gain access to protected assets by doing little more than asking nicely. What little defense there was had been penetrated long before any of the spear phishing took place.

  16. Re:Elaborate social engineering hack != "pen testi by Flere+Imsaho · · Score: 2

    In my experience, social engineering is part of a thorough pen test, just as physical security is. It's usually the most successful/easiest part, too.

    --
    It gripped her hand gently. 'Regret is for humans,' it said.