It was the birthday of the head of information security at a US government agency that isn’t normally stupid about cyber security.
He didn’t have any accounts on social media websites, but two of his employees were talking about his special day on Facebook.
A penetration testing team sent the infosec head an email with a birthday card, spoofing it to look like the card came from one of his employees.
He opened it and clicked the link inside, which was of course malicious, and his computer was compromised.
That gave his attackers the front-door keys, according to Aamir Lakhani, who works for World Wide Technology, the company that performed the penetration test:
This guy had access to everything. He had the crown jewels in the system.
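The birthday-card spoof worked because the mail looked as if it came from a colleague. The check below is an added example, not code from the article or from World Wide Technology's test: it classifies an inbound From: header as suspicious when the display name matches an internal employee while the actual address is external, and it also catches two related lookalike tricks (an internal address used as the display name, and an employee's local part reused at a foreign domain). The internal domain and the employee directory are placeholders assumed for the example.

```python
from email.utils import parseaddr
import re

# Assumed for this example: the organisation's mail domain and a constructed
# employee directory. Neither comes from the test described in the article.
INTERNAL_DOMAINS = {"agency.example"}
EMPLOYEES = {
    "Jane Doe": "jane.doe@agency.example",
    "John Roe": "john.roe@agency.example",
}


def _norm(text):
    """Collapse a name to lowercase letters so 'Jane  Doe' and 'jane.doe' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def _domain(addr):
    """Domain part of an address, lowercased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_from_header(from_header, employees=EMPLOYEES, internal_domains=INTERNAL_DOMAINS):
    """Return ('ok' | 'suspicious', reason) for one From: header."""
    name, addr = parseaddr(from_header)
    shown = addr or "<none>"

    if _domain(addr) in internal_domains:
        # Authenticity of internal mail is SPF/DKIM/DMARC's job, not this check's.
        return "ok", "sender address is internal"

    # Trick 1: the display name is itself an internal address,
    # e.g. "jane.doe@agency.example" <card@ecards.example>
    if "@" in name and _domain(name.strip('"<> ')) in internal_domains:
        return "suspicious", f"display name {name!r} is an internal address but sender is {shown}"

    # Trick 2: the display name is an employee's name on an external address.
    for emp_name, emp_addr in employees.items():
        if _norm(name) and _norm(name) == _norm(emp_name):
            return "suspicious", f"display name matches {emp_addr} but sender is {shown}"

    # Trick 3: the local part copies an employee's local part at a foreign domain.
    local = addr.split("@", 1)[0].lower()
    for emp_addr in employees.values():
        if local and local == emp_addr.split("@", 1)[0].lower():
            return "suspicious", f"local part {local!r} mimics {emp_addr} at {_domain(addr)}"

    return "ok", "external sender with no employee lookalike"


def scan_headers(headers):
    """Run the check over a batch of From: headers; return only the suspicious ones."""
    return [(h, reason) for h in headers
            for verdict, reason in [check_from_header(h)] if verdict == "suspicious"]


if __name__ == "__main__":
    # Constructed sample headers, including a birthday-card lure.
    sample = [
        "Jane Doe <jane.doe@agency.example>",
        '"Jane Doe" <jane.doe1985@gmail.com>',
        '"jane.doe@agency.example" <card@ecards.example>',
        "Cards <jane.doe@mail.example>",
        "Birthday Cards <hello@ecards.example>",
    ]
    for header, reason in scan_headers(sample):
        print(f"SUSPICIOUS {header}: {reason}")
```

The rule deliberately leaves internal senders alone: whether mail that claims to be from agency.example really is from there is a question for SPF, DKIM and DMARC at the gateway, while this check targets the lookalike cases those protocols cannot see.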
ITWorld’s Lucian Constantin wrote up Lakhani’s account of the successful pen test, which was performed in 2012 and sanctioned by a US government agency that Lakhani neglected to name.
Lakhani, a counter-intelligence and cyber defense specialist who works as a solutions architect for World Wide Technology, presented the results on Wednesday at the RSA Europe security conference in Amsterdam.
How did World Wide Tech crack open a US government agency that Lakhani described as being, as Constantin paraphrased it, “a very secure one that specializes in offensive cybersecurity and protecting secrets and for which [World Wide Technology] had to use zero-day attacks in previous tests in order to bypass its strong defenses”?
The linchpin, it turns out, was a spoof new hire at the agency: an attractive, smart, female graduate of MIT named Emily Williams whom World Wide Technology invented for the test.
According to the pen-test team’s fake social media profiles, Emily Williams, 28 years old, had 10 years of experience. They used a picture of a real woman, with her approval.
In fact, the real woman works as a waitress at a restaurant frequented by many of the targeted agency’s employees, Constantin reports.
Nonetheless, nobody recognized her.
Not only did the government employees not recognize their waitress, they flocked to the fake persona bearing her likeness.
Here’s how popular Emily Williams proved within just 24 hours of her birth:
- She had 60 Facebook connections.
- She garnered 55 LinkedIn connections with employees from the targeted organization and its contractors.
- She had three job offers from other companies.
As time went on, Emily Williams received LinkedIn endorsements for skills, while male staffers at the agency offered to help her out with short-cuts around the normal channels set up for new hires that would net her a work laptop and network access (which the penetration testing team obtained but did not use).
Around Christmas, the pen-test team rigged Emily Williams’s profiles with a link to a site with a Christmas card.
Visitors were prompted to run a signed Java applet; once they accepted it, the applet launched an attack that let the team run privilege escalation exploits and thereby gain administrative rights on the visitor's machine.
They also managed to sniff passwords, install other applications and steal sensitive documents, including information about state-sponsored attacks and country leaders.
Good grief.
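The chain described above (a signed Java applet the victim accepts, which then drops a payload and escalates privileges) leaves a process-lineage trail that endpoint telemetry can catch. The detector below is an added example, not the pen-test team's code or anything from the article: it runs over constructed, Sysmon-style process-creation records and flags a shell, or a binary started from a user-writable directory, whose ancestry leads back to the Java browser plugin. The host name, PIDs, image paths and command lines are all assumed for the example.

```python
import ntpath
from collections import namedtuple

# Constructed process-creation records, tab separated:
# time, host, pid, ppid, parent image, child image, command line.
# The first four events model the applet chain; the last two are benign noise
# (a developer's Java IDE running git) that must not fire.
SAMPLE_LOG = """\
2012-12-24T09:14:02Z\tWS-0173\t1000\t800\tC:\\Program Files\\Internet Explorer\\iexplore.exe\tC:\\Program Files\\Java\\jre7\\bin\\jp2launcher.exe\tjp2launcher.exe -secure -plugin
2012-12-24T09:14:07Z\tWS-0173\t1100\t1000\tC:\\Program Files\\Java\\jre7\\bin\\jp2launcher.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c powershell -w hidden -nop -enc SQBFAFgA
2012-12-24T09:14:08Z\tWS-0173\t1200\t1100\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -w hidden -nop -enc SQBFAFgA
2012-12-24T09:14:11Z\tWS-0173\t1300\t1200\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\card.exe\tcard.exe
2012-12-24T09:20:11Z\tWS-0173\t1400\t500\tC:\\Windows\\explorer.exe\tC:\\Program Files\\Java\\jre7\\bin\\javaw.exe\tjavaw.exe -jar C:\\Tools\\ide.jar
2012-12-24T09:20:30Z\tWS-0173\t1500\t1400\tC:\\Program Files\\Java\\jre7\\bin\\javaw.exe\tC:\\Program Files\\Git\\bin\\git.exe\tgit.exe status
"""

# Assumed image names for the JVM and the Java 7 browser-plugin launcher.
JAVA_IMAGES = {"java.exe", "javaw.exe", "jp2launcher.exe"}
# Interpreters and LOLBins a browser applet has no business starting.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Path fragments (lowercase) that mark user-writable locations.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

Event = namedtuple("Event", "time host pid ppid parent image cmdline")


def parse_log(text):
    """Parse the tab-separated records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 7:
            events.append(Event(*fields))
    return events


def _base(path):
    return ntpath.basename(path).lower()


def _java_ancestor(ev, by_pid, max_depth=8):
    """Walk up the parent chain on the same host; return the first Java image, or None."""
    cur = ev
    for _ in range(max_depth):
        if _base(cur.parent) in JAVA_IMAGES:
            return _base(cur.parent)
        cur = by_pid.get((cur.host, cur.ppid))
        if cur is None:
            return None
    return None


def detect(text):
    """Return (time, host, reason, severity) for every event that looks like
    the applet-to-payload chain: a shell, or a user-writable binary, with Java above it."""
    events = parse_log(text)
    by_pid = {(e.host, e.pid): e for e in events}
    hits = []
    for ev in events:
        anc = _java_ancestor(ev, by_pid)
        if anc is None:
            continue
        child = _base(ev.image)
        if child in SHELLS:
            hits.append((ev.time, ev.host, f"{child} under {anc}", "high"))
        elif any(m in ev.image.lower() for m in USER_WRITABLE):
            hits.append((ev.time, ev.host,
                         f"{child} from user-writable path under {anc}", "medium"))
    return hits


if __name__ == "__main__":
    for time, host, reason, severity in detect(SAMPLE_LOG):
        print(f"{time} {host} [{severity}] {reason}")
```

Walking the whole ancestry rather than only the direct parent matters here: the dropped card.exe is three processes removed from the plugin, so a parent-only rule would see powershell.exe start it and nothing more. The benign IDE-spawns-git events show why the rule keys on shells and user-writable paths instead of on "Java started a process".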
But what about those 10 years of experience at the tender age of 28? Didn’t that sound any alarms?
Apparently not.
The bit about Emily Williams having 10 years of experience may well have been a tip of the hat to the inspiration for the ruse: namely, a fictional cyber threat analyst by the name of Robin Sage, crafted by Thomas Ryan, a US security specialist and white-hat hacker from New York, in 2009.
Like Emily Williams, Robin Sage was also set up to have 10 years of experience, though she was only 25 years old.
Ryan cooked up Robin Sage profiles on Facebook, LinkedIn, Twitter, etc., using them to contact nearly 300 people, most of whom were security specialists, military personnel, staff at intelligence agencies and defense contractors.
Despite the completely fake profile, which was populated with photos taken from an amateur pornography site, and despite the character’s name being taken from a US Army exercise, Sage was offered work at many companies, including Google and Lockheed Martin.
She was also asked out to dinner by her male friends, was invited to speak at a private-sector security conference in Miami, and was asked to review an important technical paper by a NASA researcher, the Washington Times reported.
For “her” part, Emily Williams managed to reach the very top of the government agency’s information security team.
But the attack started out low, targeting employees in sales and accounting, before hitting that high mark.
As the character’s social network grew, the attack team managed to target technical staff including security people and even executives.
Lakhani pointed out a few lessons from the experiment:
- Attractive women can open locked doors in the male-dominated IT industry. A parallel test with a fake male social media profile resulted in no useful connections. A majority of those who offered to help Emily Williams were men. The gender disparity in social engineering has shown up in other situations, including, for example, the 2012 Capture the Flag social engineering contest at Defcon. Anecdotal evidence from the Defcon contest suggested that females might have more compunction than males about duping others, but they may be better at sniffing out a con.
- People are trusting and want to help others. Unfortunately, low-level employees don’t always think that they could be targets for social engineering because they’re not important enough in the organization. They’re often unaware of how a simple action like friending somebody on Facebook, for example, could help attackers establish credibility.
How do you solve a problem like overly friendly, helpful employees?
Lakhani said that social engineering awareness training can help, but doing it on an annual basis doesn’t cut it. Rather, it needs to be constant, so employees develop instincts.
Other training tips from Lakhani, via Constantin, include training employees to:
- Question suspicious behavior and report it to the human resources department.
- Refrain from sharing work-related details on social networks.
- Not use work devices for personal activities.
On the systems front, he recommended:
- Protecting access to different types of data with strong and separate passwords.
- Segmenting the network so that if attackers compromise an employee with access to one network segment they can’t access more sensitive ones.
We think that your defence against social engineering should also include someone you can call to report phishing expeditions, whether they arrive by phone or by email.
Attackers using the phone have a habit of working through the organizational phone book. If you can’t report a suspicious call to someone who can send out a warning, each phone call will stand alone. If the attacker fails to trick the first user they call you’ll want the next user to have been alerted in advance that an attack is going on.
This advice also needs to be integrated into a strategy of defence in depth.
Your existing security software and procedures can help to prevent or limit damage from a social engineering attack and of course attackers won’t necessarily limit themselves to just using social engineering, or indeed any one vector.
For more thoughts on planning your security, including defending against social engineering, read our Practical IT guide to planning against threats to your business.
Isolate activities in different VMs. Do untrusted browsing in throwaway VMs. Use less trusted programs in isolated VMs. Don't let them compromise the crown jewels just by owning your browser.
This is good advice, as is: DON'T USE ADMIN LEVEL ACCOUNTS AS YOUR DAILY USER ACCOUNT.
“While male staffers.”
Does not mention pigmentation.
"People are trusting and want to help others. How do you solve a problem like overly friendly, helpful employees?"
Ah, I'm so glad I don't work in security. In the library field, you seldom hear people say "Our employees are decent human beings. How can we fix this?" with a straight face.
O, believe me, I didn't have a straight face—I meant that with all the wry I got! Shoulda put quotation marks around the word "problem!"
Why do idiots keep running email in the same session where they use their admin credentials? For that matter, why does the head of the department need them? He should be delegating and leading. Lots more wrong with this situation; that is just what jumped out at me first.
I can’t tell that he had admin creds — he had access to various files and systems, but I thought the pen testers used a java-based privilege escalation exploit to get admin rights.
Man, I like security – at large ! !
Isn't the main line of defense simple? Don't accept a friend request from someone you have not met in person. I never do.
Where was the paranoia when it was needed?
What a bunch of lemming hound dogs. Unbelievable (and hard up).
So much sexual favoritism. I would be interested in seeing the results of a parallel account of a woman even more qualified than "Emily" but not physically attractive. These guys need to be fired... and laid, in that order.
I would put money on the table betting that an unattractive female security researcher wouldn't receive this type of special treatment.
We are reminded once again that beneath our cultural exterior we are still mammals.
But it goes much deeper than just sex appeal. Much of the advice in this column as well as the security business in general goes deeply against our social nature. We are expected to live our (professional at least) lives in a state of constant distrust, being coldly skeptical of friendliness. Trust no one, view everyone as a potential threat, either now or in the future. Remain aloof, even cold.
In short it's behavior antithetical to the type of person most of us would like to spend time with.
To quote Linkin Park, “Do I trust some and get fooled by phoniness? Or do I trust nobody and live in loneliness?”
I just want to say that for an MIT alumna, “10 years of experience at the tender age of 28” wouldn’t be totally surprising. We have a great undergraduate research program that would allow an 18-year-old to start gaining experience from her first year on campus. For a 25-year-old, like Robin Sage, it would be more of a feat, but still in the realm of possibility. Some students start MIT having already done some amazing work, like filing patents, or starting companies.