Fake femme fatale dupes IT guys at US government agency

Filed Under: Data loss, Facebook, Featured, Malware, Phishing, Security threats, Social networks

It was the birthday of the head of information security at a US government agency that isn't normally stupid about cyber security.

He didn't have any accounts on social media websites, but two of his employees were talking about his special day on Facebook.

A penetration testing team sent the infosec head an email with a birthday card, spoofing it to look like the card came from one of his employees.

The recipient opened it and clicked the link inside, which was, of course, malicious, and his computer was compromised.
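The spoofed sender is the one part of this attack that a mail gateway can actually check. As an added example (not code from the article or from World Wide Technology), the Python below compares the visible From: domain with the domains that SPF or DKIM actually vouched for in the message's Authentication-Results header, which is the alignment test DMARC performs. The agency.example and greetings-cards.example domains, the header values and both sample messages are constructed; the organizational-domain rule is simplified to "last two labels" rather than the Public Suffix List that real DMARC uses.

```python
"""Flag a message whose From: address is not backed by SPF or DKIM.

Added example for this article, not code from it or from World Wide
Technology. The agency.example / greetings-cards.example domains and both
sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr


def org_domain(domain):
    """Collapse a host name to its last two labels.

    Simplified stand-in for DMARC's organizational-domain rule, which uses
    the Public Suffix List (so co.uk-style suffixes are not handled here).
    """
    labels = domain.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def authenticated_domains(auth_results):
    """Return the domains that passed SPF or DKIM in an Authentication-Results
    header (RFC 8601 layout: authserv-id, then ';'-separated method results).
    """
    passed = set()
    for clause in auth_results.split(";")[1:]:
        clause = clause.strip()
        hit = re.match(r"(spf|dkim)=pass\b", clause)
        if not hit:
            continue
        if hit.group(1) == "spf":
            dom = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
        else:
            dom = re.search(r"header\.d=([\w.-]+)", clause)
        if dom:
            passed.add(dom.group(1).lower())
    return passed


def check_from_alignment(raw_message):
    """Return (aligned, from_domain, authenticated_domains).

    aligned is True only if some domain that actually passed SPF or DKIM
    shares its organizational domain with the visible From: address.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    passed = authenticated_domains(str(msg.get("Authentication-Results", "")))
    aligned = bool(from_domain) and any(
        org_domain(d) == org_domain(from_domain) for d in passed
    )
    return aligned, from_domain, passed


# Constructed sample: a genuine internal message; SPF and DKIM both vouch
# for the sender's own domain.
LEGIT = """\
From: Dana Reyes <dana.reyes@agency.example>
To: infosec-head@agency.example
Subject: Happy birthday!
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=dana.reyes@agency.example; dkim=pass header.d=agency.example

Have a great one.
"""

# Constructed sample: the From: line claims a colleague, but SPF only passed
# for an unrelated card site and there is no DKIM signature at all.
SPOOFED = """\
From: Dana Reyes <dana.reyes@agency.example>
To: infosec-head@agency.example
Subject: A birthday card for you
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=bounce@greetings-cards.example; dkim=none

Your card is waiting: http://greetings-cards.example/card
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        aligned, from_domain, passed = check_from_alignment(raw)
        print(f"{label}: From={from_domain} authenticated={sorted(passed)} "
              f"-> {'ok' if aligned else 'FLAG: unaligned sender'}")
```

The check only trusts an Authentication-Results header written by your own gateway (the authserv-id at the front), so strip any such header arriving from outside before relying on it; and it catches the spoofed-colleague case, not a lookalike domain the attacker legitimately controls, which still needs the human side of the defence.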

That gave his attackers the front-door keys, according to Aamir Lakhani, who works for World Wide Technology, the company that performed the penetration test:

This guy had access to everything. He had the crown jewels in the system.

ITWorld's Lucian Constantin wrote up Lakhani's account of the successful pen test, which was performed in 2012 and sanctioned by a US government agency that Lakhani neglected to name.

Lakhani, a counter-intelligence and cyber defense specialist who works as a solutions architect for World Wide Technology, presented the results on Wednesday at the RSA Europe security conference in Amsterdam.

How did World Wide Tech crack open a US government agency that Lakhani described as being, as Constantin paraphrased it, "a very secure one that specializes in offensive cybersecurity and protecting secrets and for which [World Wide Technology] had to use zero-day attacks in previous tests in order to bypass its strong defenses"?

The linchpin, it turns out, was a fictitious new hire at the agency: an attractive, smart, female graduate of MIT named Emily Williams whom World Wide Technology invented for the test.

According to the pen-test team's fake social media profiles, Emily Williams, 28 years old, had 10 years of experience. They used a picture of a real woman, with her approval.

In fact, the real woman works as a waitress at a restaurant frequented by many of the targeted agency's employees, Constantin reports.

Nonetheless, nobody recognized her.

Not only did the government employees not recognize their waitress, they flocked to the fake persona bearing her likeness.

Here's how popular Emily Williams proved within just 24 hours of her birth:

  • She had 60 Facebook connections.
  • She garnered 55 LinkedIn connections with employees from the targeted organization and its contractors.
  • She had three job offers from other companies.

As time went on, Emily Williams received LinkedIn endorsements for skills, while male staffers at the agency offered to help her skip the normal channels set up for new hires and get a work laptop and network access (which the penetration testing team obtained but did not use).

Around Christmas, the pen-test team rigged Emily Williams's profiles with a link to a site with a Christmas card.

Visitors were prompted to run a signed Java applet; signing gets the applet out of the browser sandbox, but only once the visitor clicks through the run prompt, which is the social-engineering step. Once it ran, the team used privilege escalation exploits to gain administrative rights.

They also managed to sniff passwords, install other applications and steal sensitive documents, including information about state-sponsored attacks and country leaders.

Good grief.

But what about those 10 years of experience at the tender age of 28? Didn't that sound any alarms?

Apparently not.

The bit about Emily Williams having 10 years of experience well might have been a tip of the hat to the inspiration for the ruse: namely, a fictional cyber threat analyst by the name of Robin Sage, crafted by Thomas Ryan, a US security specialist and white-hat hacker from New York, in 2009.

Like Emily Williams, Robin Sage was also set up to have 10 years of experience, though she was only 25 years old.

Ryan cooked up Robin Sage profiles on Facebook, LinkedIn, Twitter, etc., using them to contact nearly 300 people, most of whom were security specialists, military personnel, staff at intelligence agencies and defense contractors.

Despite the completely fake profile, which was populated with photos taken from an amateur pornography site, and despite the character's name being taken from a US Army exercise, Sage was offered work at many companies, including Google and Lockheed Martin.

She was also asked out to dinner by her male friends, was invited to speak at a private-sector security conference in Miami, and was asked to review an important technical paper by a NASA researcher, the Washington Times reported.

For "her" part, Emily Williams managed to reach the very top of the government agency's information security team.

But the attack started out low, targeting employees in sales and accounting, before hitting that high mark.

As the character's social network grew, the attack team managed to target technical staff including security people and even executives.

Lakhani pointed out a few lessons from the experiment:

  • Attractive women can open locked doors in the male-dominated IT industry. A parallel test with a fake male social media profile resulted in no useful connections. A majority of those who offered to help Emily Williams were men. The gender disparity in social engineering has shown up in other situations, including, for example, the 2012 Capture the Flag social engineering contest at Defcon. Anecdotal evidence from the Defcon contest suggested that females might have more compunction than males about duping others, but they may be better at sniffing out a con.
  • People are trusting and want to help others. Unfortunately, low-level employees don't always think that they could be targets for social engineering because they're not important enough in the organization. They're often unaware of how a simple action like friending somebody on Facebook, for example, could help attackers establish credibility.

How do you solve a problem like overly friendly, helpful employees?

Lakhani said that social engineering awareness training can help, but doing it on an annual basis doesn't cut it. Rather, it needs to be constant, so employees develop instincts.

Other training tips from Lakhani, via Constantin, include training employees to:

  • Question suspicious behavior and report it to the human resources department.
  • Refrain from sharing work-related details on social networks.
  • Not use work devices for personal activities.

On the systems front, he recommended:

  • Protecting access to different types of data with strong and separate passwords.
  • Segmenting the network so that if attackers compromise an employee with access to one network segment they can't access more sensitive ones.

We think that your defence against social engineering should also include someone that you can call to report phishing expeditions, whether by phone or email.

Attackers using the phone have a habit of working through the organizational phone book. If you can't report a suspicious call to someone who can send out a warning, each phone call will stand alone. If the attacker fails to trick the first user they call you'll want the next user to have been alerted in advance that an attack is going on.

This advice also needs to be integrated into a strategy of defence in depth.

Your existing security software and procedures can help to prevent or limit damage from a social engineering attack and of course attackers won't necessarily limit themselves to just using social engineering, or indeed any one vector.

For more thoughts on planning your security, including defending against social engineering, read our Practical IT guide to planning against threats to your business.


14 Responses to Fake femme fatale dupes IT guys at US government agency

  1. Average Joe · 702 days ago

    Isolate activities in different VMs. Do untrusted browsing in throwaway VMs. Use less trusted programs in isolated VMs. Don't let them compromise the crown jewels just by owning your browser.

  2. Anonymous · 702 days ago

    "While male staffers."

    Does not mention pigmentation.

  3. Phasma Felis · 702 days ago

    "People are trusting and want to help others. How do you solve a problem like overly friendly, helpful employees?"

    Ah, I'm so glad I don't work in security. In the library field, you seldom hear people say "Our employees are decent human beings. How can we fix this?" with a straight face.

    • Lisa Vaas · 702 days ago

      O, believe me, I didn't have a straight face—I meant that with all the wry I got! Shoulda put quotation marks around the word "problem!"

  4. swattz101 · 702 days ago

    Why do idiots keep running email on the same session where they use their admin credentials. For that matter, why does the head of the department need them? He should be delegating and leading. Lots more wrong with this situation, that is just what jumped out at me first.

    • Anonymous · 701 days ago

      I can't tell that he had admin creds -- he had access to various files and systems, but I thought the pen testers used a java-based privilege escalation exploit to get admin rights.

  5. Man, I like security - at large!!

  6. wrhite · 701 days ago

    Isn't the main line of defense simple? don't accept a friend request from someone you have not met in person. I never do.

  7. Andy · 701 days ago

    where was the paranoia when it was needed?

  8. What a bunch of lemming hound dogs. Unbelievable (and hard up).

  9. So much sexual favoritism. I would be interested in seeing the results of a parallel account of a woman even more qualified than "Emily" but not physically attractive. These guys need to be fired..and laid in that order.

    • Lisa Vaas · 700 days ago

      I would put money on the table betting that an unattractive female security researcher wouldn't receive this type of special treatment.

    • jay · 695 days ago

      We are reminded once again that beneath our cultural exterior we are still mammals.

      But it goes much deeper than just sex appeal. Much of the advice in this column as well as the security business in general goes deeply against our social nature. We are expected to live our (professional at least) lives in a state of constant distrust, being coldly skeptical of friendliness. Trust no one, view everyone as a potential threat, either now or in the future. Remain aloof, even cold.

      In short it's behavior antithetical to the type of person most of us would like to spend time with.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.