Pen Testers Break Into Gov't Agency With Fake Social Media ID

itwbennett writes "Security experts used fake Facebook and LinkedIn profiles to penetrate the defenses of an (unnamed) U.S. government agency with a high level of cybersecurity awareness. The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam. The testers built a credible online identity for a fictional woman named Emily Williams and used that identity to pose as a new hire at the targeted organization. The attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence. Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies."

Because they used an attractive woman.

[EMG at MU]

The IT world article explains that the fake account was an attractive woman. The victims who exposed their organizations to attack were men who were trying to "help" this attractive woman in her new position.

New security measure: male employees are castrated upon hire. They tried the same attack with a male profile and received no hits.

Aside from that interesting bit, we have heard this story over and over again: Large organizations contain at least a few stupid people. Those stupid people, who are mostly well intentioned, work around security measures and run Java applets to see the company Christmas card, a card that is actually an attack.

Social Media

[Bigbutt]

Well, I don't accept connections on Facebook from anyone at work. Too many folks who have distasteful lives (and I don't want them knowing my stuff either). I have received the occasional Facebook chick spam. I figure it's porn and I certainly don't need Facebook to find porn :)

I deleted my Linkedin profile a week or two ago so no connections there either. Way too many headhunter spams ("we have a sysadmin job in New Jersey for 6 months for $20 an hour" or better "we are a temp agency, do you need any accounting people?"), marketing spams ("we have this awesome windows management tool" You do know I'm a Unix admin, right?), folks who have no idea of what I do who think I'm a great C programmer, and quite a few folks I have no idea who they are who want to link. So not seeing any benefit, I bailed.

I also don't click on such attachments or Facebook posts. I have relatives sending me links to such Christmas or Birthday card sites and I choose not to click the link. Just a tad paranoid I guess.

In reading the article:

The experiment also shows that attractive women get special treatment in the male-dominated IT industry. The majority of individuals who went out of their way to help Emily Williams were men. The team actually tried a similar test in parallel with a fake male social media profile and got no useful connections.

I wonder if they though to try it with a plainer woman. Since women are so underrepresented in IT, any woman might have received the "special treatment".

In general though, I think it's true. Social Networking, either by Social Media or in person will certainly eventually gain you access. Folks are helpful. At work the Customer Service folks get the most awards for being helpful. Upper management even had a Customer Service demonstration for our last company wide meeting. I think it'll take a big change to get that sort of behavior changed.

[John]

Re:Job offers?

[tompaulco]

I have over 200 contacts and have never had a job offer from linkedin. Maybe it is because I don't accept connections from people I don't know.
I do regularly get contacted by Indian firms via e-mail or even by phone, but as soon as they find out I am a citizen and not an H1b, then they lose interest.

Elaborate social engineering hack != "pen testing"

[atom1c]

An elaborate multi-factored social engineering hack (commonly referred as a "heist") is quite different than a penetrate test. Anybody can commit fraud, be it a computer illiterate juvenile or a network security contractor (*cough*Snowden*cough*) by virtue of misleading or reconfiguring enough influential factors (people, systems) to pass whatever security measures are in place.

The same outcome could have occurred by stealing an employee's security badge -- especially if there's an uncanny visual resemblance.

In other words... no news here.

Re:Curious...

[PPH]

If I got a "Christmas Card" from somebody on my company's email I would've allowed the java applet to run.

When I worked for Boeing, one of the supervisors on my project was a fan of Asian male porn (use your imagination). More than a few e-mails supposedly from him contained malware. Given the firewalls we had, I have to think that the infection was hosted on his system. Probably a laptop he carried back and forth to work.

Fortunatly, I ran a Linux desktop, so no Asian male porn popups for me.