I read this article today, thought it was quite funny. Basically, a picture of a cute waitress got enough permissions to own a huge IT department in the federal government.
What’s YOUR weakest link?
According to the pen-test team’s fake social media profiles, Emily Williams, 28 years old, had 10 years of experience. They used a picture of a real woman, with her approval.
In fact, the real woman works as a waitress at a restaurant frequented by many of the targeted agency’s employees, Constantin reports.
Nonetheless, nobody recognized her.
Not only did the government employees not recognize their waitress, they flocked to the fake persona bearing her likeness.
Here’s how popular Emily Williams proved within just 24 hours of her birth:
- She had 60 Facebook connections.
- She garnered 55 LinkedIn connections with employees from the targeted organization and its contractors.
- She had three job offers from other companies.
As time went on, Emily Williams received LinkedIn endorsements for her skills, and male staffers at the agency offered to help her with shortcuts around the normal onboarding channels for new hires, shortcuts that would have netted her a work laptop and network access (which the penetration testing team obtained but did not use).
Around Christmas, the pen-test team rigged Emily Williams’s profiles with a link to a site with a Christmas card.
Visitors were prompted to run a signed Java applet, which in turn launched an attack; from that foothold the team used privilege escalation exploits to gain administrative rights.
They also managed to sniff passwords, install other applications and steal sensitive documents, including information about state-sponsored attacks and country leaders.
But what about those 10 years of experience at the tender age of 28? Didn’t that sound any alarms?
The bit about Emily Williams having 10 years of experience well might have been a tip of the hat to the inspiration for the ruse: namely, a fictional cyber threat analyst by the name of Robin Sage, crafted by Thomas Ryan, a US security specialist and white-hat hacker from New York, in 2009.
Like Emily Williams, Robin Sage was also set up to have 10 years of experience, though she was only 25 years old.
Ryan cooked up Robin Sage profiles on Facebook, LinkedIn, Twitter, etc., using them to contact nearly 300 people, most of whom were security specialists, military personnel, staff at intelligence agencies and defense contractors.
Despite the completely fake profile, which was populated with photos taken from an amateur pornography site, and despite the character’s name being taken from a US Army exercise, Sage was offered work at many companies, including Google and Lockheed Martin.
She was also asked out to dinner by her male friends, was invited to speak at a private-sector security conference in Miami, and was asked to review an important technical paper by a NASA researcher, the Washington Times reported.
For “her” part, Emily Williams managed to reach the very top of the government agency’s information security team.
But the attack started out low, targeting employees in sales and accounting, before hitting that high mark.
As the character’s social network grew, the attack team managed to target technical staff including security people and even executives.
Lakhani pointed out a few lessons from the experiment:
- Attractive women can open locked doors in the male-dominated IT industry. A parallel test with a fake male social media profile resulted in no useful connections. A majority of those who offered to help Emily Williams were men. The gender disparity in social engineering has shown up in other situations, including, for example, the 2012 Capture the Flag social engineering contest at Defcon. Anecdotal evidence from the Defcon contest suggested that females might have more compunction than males about duping others, but they may be better at sniffing out a con.
- People are trusting and want to help others. Unfortunately, low-level employees don’t always think that they could be targets for social engineering because they’re not important enough in the organization. They’re often unaware of how a simple action like friending somebody on Facebook, for example, could help attackers establish credibility.
How do you solve a problem like overly friendly, helpful employees?