Slashdot Mirror


Pen Testers Break Into Gov't Agency With Fake Social Media ID

itwbennett writes "Security experts used fake Facebook and LinkedIn profiles to penetrate the defenses of an (unnamed) U.S. government agency with a high level of cybersecurity awareness. The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam. The testers built a credible online identity for a fictional woman named Emily Williams and used that identity to pose as a new hire at the targeted organization. The attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence. Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies."

6 of 109 comments

  1. Pen testers? by Anonymous Coward · Score: 5, Funny

    What does the average slashdotter know about penetration?

  2. Security? by Anonymous Coward · Score: 5, Insightful

    Forget security, the real headline should be "How to get 3 job offers in 24 hours". She must have had some serious (fake) qualifications and/or a smoking hot profile pic.

  3. What else do we expect to do? by Anonymous Coward · Score: 5, Funny

    And yet when I accuse people I just met at the company of being Chinese spies, I am the one who is sent to HR. There is some kind of double standard here.

  4. Because they used an attractive woman. by EMG+at+MU · Score: 5, Interesting

    The ITworld article explains that the fake account was an attractive woman. The victims who exposed their organizations to attack were men who were trying to "help" this attractive woman in her new position.

    New security measure: male employees are castrated upon hire. They tried the same attack with a male profile and received no hits.

    Aside from that interesting bit, we have heard this story over and over again: large organizations contain at least a few stupid people. Those stupid people, who are mostly well-intentioned, work around security measures and run Java applets to see the company Christmas card, a card that is actually an attack.

    1. Re:Because they used an attractive woman. by jsepeta · Score: 5, Insightful

      So really the title should be "attractive women more likely to get job offers." Move along, no story here.

      --
      Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.

  5. Re:Since when ... by quietwalker · Score: 5, Informative

    (and then I read the article)

    Okay, the point where they then use the connections to send out Xmas cards linked to an attack site, which people went to, and how they somehow scammed someone into sending her a work laptop and network access credentials.

    It might be better to lead with the actual attacks in the summary, and not just some sort of information-gathering setup.