Pen Testers Break Into Gov't Agency With Fake Social Media ID
itwbennett writes "Security experts used fake Facebook and LinkedIn profiles to penetrate the defenses of an (unnamed) U.S. government agency with a high level of cybersecurity awareness. The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam. The testers built a credible online identity for a fictional woman named Emily Williams and used that identity to pose as a new hire at the targeted organization. The attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence. Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies."
Security? (Score:5, Insightful)
Forget security, the real headline should be "How to get 3 job offers in 24 hours". She must have had some serious (fake) qualifications and/or a smoking hot profile pic.
Re:Security? (Score:4, Insightful)
Yeah, I imagine by "job offer" they mean "recruiter spam".
And by "high level of cybersecurity awareness" they mean that some cunt installed Norton on the desktops.
Re:Job offers? (Score:3, Insightful)
Probably just headhunters. I get those all the time through Linkedin.
Re:Because they used an attractive woman. (Score:5, Insightful)
so really the title should be "attractive women more likely to get job offers." move along, no story here.
Curious... (Score:4, Insightful)
"The attack used built-in Java functionality to get the shell instead of exploiting a vulnerability and required user interaction, but despite these technical limitations, it was very successful, according to Lakhani."
I'm curious what the "required user interaction" was...
I'm pretty tech secure savvy - run noscript, only use the computer with condoms on, etc.; but I wonder if I would've fallen for this as well...
If I got a "Christmas Card" from somebody on my company's email I would've allowed the java applet to run. There's an automatic assumption of trust *inside the system* and I would've also assumed that the sandbox mode would be reasonably secure. Was the "user interaction" just allowing the applet to run or did it also ask for something like internet access, which would've thrown up a red flag?
Re:Because they used an attractive woman. (Score:1, Insightful)
so really the title should be "attractive women more likely to get job offers." move along, no story here.
More hires and more everything. I was once surprised by how cute the Dell representative for HPC in my region was. Then I saw the one from IBM. And then the one from HP. By then I had gotten the pattern: they all get cute girls to try to get the geeks to buy their stuff.
Re:Job offers? (Score:5, Insightful)
How good can a company be if they offer you a job solely on your so-called resume?
No interview, no verification.
I suspect they are grossly misusing the term "job offer." Could be an indication of just what sort of people they have working in their own organization.
Re:What else do we expect to do? (Score:5, Insightful)
They look just like us but like bad beer and hockey.
And the ones who like good beer stay in Canada.
Re:Elaborate social engineering hack != "pen testi (Score:5, Insightful)
How is it *not* a penetration test? They were testing whether they could get in. They got in. How does it matter whether they got in because they tricked a computer into letting them in, or a person? Both avenues are equally important if you want your office to be secure.