
Pen Testers Break Into Gov't Agency With Fake Social Media ID

timothy posted about a year ago | from the open-government dept.

Security 109

itwbennett writes "Security experts used fake Facebook and LinkedIn profiles to penetrate the defenses of an (unnamed) U.S. government agency with a high level of cybersecurity awareness. The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam. The testers built a credible online identity for a fictional woman named Emily Williams and used that identity to pose as a new hire at the targeted organization. The attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence. Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies."


109 comments


Pen testers? (5, Funny)

Anonymous Coward | about a year ago | (#45291019)

What does the average slashdotter know about penetration?

Re:Pen testers? (-1)

Anonymous Coward | about a year ago | (#45291135)

Swing and a miss!

Re:Pen testers? (-1)

Anonymous Coward | about a year ago | (#45291181)

I penetrated your dad's asshole last night while your mom gave me a RIM job.

Re:Pen testers? (1, Offtopic)

Stargoat (658863) | about a year ago | (#45291343)

Good. It's nice that they're having a good time. And I'm pleased to meet their friends on Slashdot!

Re: Pen testers? (-1)

Anonymous Coward | about a year ago | (#45291547)

Did you even have the common decency to give his dad a reach-around?

Re: Pen testers? (-1)

Anonymous Coward | about a year ago | (#45291631)

No, little cuck sissies don't get reacharounds.

Prime Numbers (1)

nanospook (521118) | about a year ago | (#45291287)

We are actually quite good at it; as we do with everything, we apply a deep level of analysis to how we are doing it... 5 quick, 5 slow ;) make sure you use a prime number!

Re:Pen testers? (0)

Anonymous Coward | about a year ago | (#45291383)

Besides computer-related stuff, NOTHING ;-)

28, with 10 years experience (0)

Anonymous Coward | about a year ago | (#45292945)

So she graduated MIT at the tender age of 18 and no one suspected anything funny? It must be the result of the math deficit caused by no child left behind publiek skooling.

Re:28, with 10 years experience (1)

Cramer (69040) | about a year ago | (#45293347)

It's not unheard of. But a few google searches or a single phone call could've answered that one. (It's hard to attend MIT and not leave an internet fingerprint.)

Re:28, with 10 years experience (0)

Anonymous Coward | about a year ago | (#45294891)

You mean you don't list the requisite "ten years experience" on the technologies that HR demands to see on your resume, even the ones that were only developed five years ago?

Into the trash it goes!

Re:Pen testers? (1)

Nephandus (2953269) | about a year ago | (#45292979)

Oh, they've encyclopedic knowledge ABOUT it. They just never actually DO it.

Security? (5, Insightful)

Anonymous Coward | about a year ago | (#45291075)

Forget security, the real headline should be "How to get 3 job offers in 24 hours". She must have had some serious (fake) qualifications and/or a smoking hot profile pic.

Re:Security? (4, Insightful)

Joining Yet Again (2992179) | about a year ago | (#45291105)

Yeah, I imagine by "job offer" they mean "recruiter spam".

And by "high level of cybersecurity awareness" they mean that some cunt installed Norton on the desktops.

Re:Security? (-1)

Anonymous Coward | about a year ago | (#45291273)

I installed my babby batter in your mom's tight, wet cunt. Unfortunately 9 months later your dumb ass was born.

Re:Security? (2, Funny)

Joining Yet Again (2992179) | about a year ago | (#45291523)

So you're to blame for everything that's wrong with me!

Re:Security? (0)

Anonymous Coward | about a year ago | (#45291865)

They actually sent her a work laptop and network login and this went on for three months....

I'm a nerdy chick with a degree from MIT {my Facebook pics look suspiciously like Katee Sackhoff or Alessandra Torresani at Comic-Con}, I need a 250k/yr telecommuter job.

Re:Security? (1)

Cramer (69040) | about a year ago | (#45293413)

Yes. And you should hire "her" without a face-to-face interview, or an actual background check. (and given the apparent nature of the job, a security check / validate "her" security clearance.)

Re:Security? (1)

minstrelmike (1602771) | about a year ago | (#45291627)

Forget security, the real headline should be "How to get 3 job offers in 24 hours". She must have had some serious (fake) qualifications and/or a smoking hot profile pic.

I'm on LinkedIn and I get lots of fake job offers.
Oh wait, that's not what you were talking about.

Re:Security? (1)

jythie (914043) | about a year ago | (#45293147)

Given that these people specialized in social engineering, it would not surprise me if they managed to BS their way into multiple legitimate offers quickly. They could probably make a good side business out of teaching those skills to job seekers. If I recall correctly they did fabricate some impressive credentials and used her connections to other known figures to lend authority to them.

Re:Security? (1)

Darinbob (1142669) | about a year ago | (#45294265)

Wait, a job OFFER in 24 hours, without even an interview or a meeting? Sure, I can see getting 3 requests from recruiters in 24 hours, although that number would be somewhat low.

What else do we expect to do? (5, Funny)

Anonymous Coward | about a year ago | (#45291097)

And yet when I accuse people I just met at the company of being Chinese spies, I am the one who is sent to HR. There is some kind of double standard here.

Re:What else do we expect to do? (1, Troll)

crakbone (860662) | about a year ago | (#45291253)

Heh, Chinese spies. It's the Canadian ones that you have to watch out for. They look just like us but like bad beer and hockey.

Re:What else do we expect to do? (2)

CreatureComfort (741652) | about a year ago | (#45291385)

So... they are indistinguishable from Minnesotans?

Re:What else do we expect to do? (0)

Anonymous Coward | about a year ago | (#45291485)

And don't forget the yoopers, eh?

Re:What else do we expect to do? (0)

Anonymous Coward | about a year ago | (#45291515)

oh yah, you betcha.

Re:What else do we expect to do? (2, Funny)

Anonymous Coward | about a year ago | (#45291707)

We don't like bad beer. We just drink American beer when we're spying on you in an attempt to fit in...

Re:What else do we expect to do? (0)

Anonymous Coward | about a year ago | (#45291715)

Heh, Chinese spies. It's the Canadian ones that you have to watch out for. They look just like us but like bad beer and hockey.

And they don't know what bacon is.

Re:What else do we expect to do? (4, Insightful)

Minwee (522556) | about a year ago | (#45291725)

They look just like us but like bad beer and hockey.

And the ones who like good beer stay in Canada.

Re:What else do we expect to do? (0)

Anonymous Coward | about a year ago | (#45292725)

The only people who like Canadian beer are Canadians. GUINNESS FOREVER!!

Re:What else do we expect to do? (0)

Anonymous Coward | about a year ago | (#45294881)

The only people who call Guinness beer are, well, I don't think there's a word to describe those sort of people; it's best just to avoid them.

Re:What else do we expect to do? (1)

pspahn (1175617) | about a year ago | (#45293117)

Canada had what, like six or eight medals (out of about 300) in the 2012 World Beer Cup? I guess they did sweep the gluten-free category, so there's that.

Yeah, I know American brewers greatly outnumber other countries, so of course they will dominate the medal count. Still, Canada had almost 50 entrants in 2012 and were barely a blip on the radar and 2/3 of the judges are from outside the US.

Point? The best beer in the world likely comes from the brewery that is near where you live.

Re:What else do we expect to do? (0)

Anonymous Coward | about a year ago | (#45293411)

Canada had what, like six or eight medals (out of about 300) in the 2012 World Beer Cup? I guess they did sweep the gluten-free category, so there's that.

Yeah, I know American brewers greatly outnumber other countries, so of course they will dominate the medal count. Still, Canada had almost 50 entrants in 2012 and were barely a blip on the radar and 2/3 of the judges are from outside the US.

Maybe you should mention that 75% of the beer categories aren't found outside the US. Fruit beer, coffee beer, chocolate beer, specialty beer, honey beer, ... Not to mention all the American style ... categories.

Point? The best beer in the world likely comes from the brewery that is near where you live.

Seems so. The real beer categories have winners from Europe.

Re:What else do we expect to do? (1)

pspahn (1175617) | about a year ago | (#45293727)

Do you post AC because you like to make up statistics?

75% is a gross exaggeration. There seem to be 20 "American Style" categories (out of 95), and fruit beer, coffee beer, chocolate beer, speciality beer, and honey beer do not add up.

You probably also missed all the non-European beers that won European style categories as well. Marzen, Vienna Lager, Kolsch, German Brown Ale, Hefeweizen, Witbier, Saison, a good handful of Belgian styles, a good handful of English styles (including a win for the local Saturday morning hangover pub in English IPA, Bull & Bush!!!), and the list goes on.

I'm betting that by "real beer categories" you mean something regional to you that may simply not be found outside of that region (save a few craft brewers). So it seems what you're saying in the end is "the beer I like is better than the beer you like". Considering you like to post AC and make false claims, your opinion amounts to roughly nil.

Re:What else do we expect to do? (1)

oreiasecaman (2466136) | about a year ago | (#45294119)

Point? The best beer in the world likely comes from the brewery that is near where you live.

Here in Brazil?! Wow...

Re:What else do we expect to do? (1)

Minwee (522556) | about a year ago | (#45294185)

Yes, and American baseball teams also swept the World Series. Over 90% of the winners of the Miss Universe competition were born on Earth. Is that supposed to impress anyone?

More than half of all beer sold and consumed in the USA is either Budweiser, Bud Light, or Coors Light. Claiming that craft beers, with less than a 5% market share between them, are somehow representative of beer in the USA is at best wilful ignorance and at worst, marketing.

Re:What else do we expect to do? (0)

Anonymous Coward | about a year ago | (#45294911)

I'm not going to defend Miller or anything, but Unibroue makes a damn solid beer.

Of course, that's from the Frenchified parts of Canada, so that's even worse.

Re:What else do we expect to do? (1)

Darinbob (1142669) | about a year ago | (#45294289)

Or they try to get you to join their curling club...

Job offers? (1)

nurb432 (527695) | about a year ago | (#45291101)

How good can a company be if they offer you a job solely on your so-called resume?

No interview, no verification..

Re:Job offers? (3, Insightful)

Anonymous Coward | about a year ago | (#45291141)

Probably just headhunters. I get those all the time through Linkedin.

Re:Job offers? (4, Interesting)

tompaulco (629533) | about a year ago | (#45291359)

I have over 200 contacts and have never had a job offer from linkedin. Maybe it is because I don't accept connections from people I don't know.
I do regularly get contacted by Indian firms via e-mail or even by phone, but as soon as they find out I am a citizen and not an H1b, then they lose interest.

Re:Job offers? (1)

Bigbutt (65939) | about a year ago | (#45293985)

Yeah, I've had quite a few headhunters trying to get me to submit my resume to them, but no actual job offers.

[John]

Re:Job offers? (1)

LordNacho (1909280) | about a year ago | (#45294539)

The worst is when they tell you one of your colleagues is leaving, and they've recommended you to them, so they need your CV.

I turned around and asked my three partners what they were selling their shares for. Recruiter hung up while they were laughing.

Re:Job offers? (4, Insightful)

Austrian Anarchy (3010653) | about a year ago | (#45291405)

How good can a company be if they offer you a job solely on your so-called resume?

No interview, no verification..

I suspect they are grossly misusing the term "job offer." Could be an indication of just what sort of people they have working in their own organization.

Re:Job offers? (1)

CanHasDIY (1672858) | about a year ago | (#45291617)

How good can a company be if they offer you a job solely on your so-called resume?

No interview, no verification..

I suspect they are grossly misusing the term "job offer."

I concur; they're probably referring to those mass-spam-emails that go something like "I was looking at your [systems administration focused] resume, and thought you would be a perfect fit for the insurance salesman/financial advisor at some random company that remains nameless."

I get no less than 3 of those a day myself.

Re:Job offers? (0)

Anonymous Coward | about a year ago | (#45291437)

I received my current job without applying or even looking for that matter... They called me up and said "We just purchased a building owned by your previous employer and they dropped your name."

Because they used an attractive woman. (5, Interesting)

EMG at MU (1194965) | about a year ago | (#45291179)

The IT world article explains that the fake account was an attractive woman. The victims who exposed their organizations to attack were men who were trying to "help" this attractive woman in her new position.

New security measure: male employees are castrated upon hire. They tried the same attack with a male profile and received no hits.

Aside from that interesting bit, we have heard this story over and over again: Large organizations contain at least a few stupid people. Those stupid people, who are mostly well intentioned, work around security measures and run Java applets to see the company Christmas card, a card that is actually an attack.

Re:Because they used an attractive woman. (5, Insightful)

jsepeta (412566) | about a year ago | (#45291243)

so really the title should be "attractive women more likely to get job offers." move along, no story here.

Re:Because they used an attractive woman. (1, Insightful)

Anonymous Coward | about a year ago | (#45291389)

so really the title should be "attractive women more likely to get job offers." move along, no story here.

More hires and more everything. I was once surprised by how cute the Dell representative for HPC in my region was. Then I saw the one from IBM. And then the one from HP. By then I had gotten the pattern: they all get cute girls to try to get the geeks to buy their stuff.

Re:Because they used an attractive woman. (2)

minstrelmike (1602771) | about a year ago | (#45291669)

Booth babes attract attention. Sex sells. Watch commercials during a football game or prime time.
They even sell drugs such as Viagra and alcohol to help you have sex (with partners).

Re:Because they used an attractive woman. (1)

pspahn (1175617) | about a year ago | (#45293161)

The women I always see in Viagra (or other ED meds) commercials are in their mid 50's and up.

Not to say older women cannot be attractive, but I wouldn't really call them "booth babes".

Re:Because they used an attractive woman. (1)

Ol Olsoc (1175323) | about a year ago | (#45296413)

The women I always see in Viagra (or other ED meds) commercials are in their mid 50's and up.

Not to say older women cannot be attractive, but I wouldn't really call them "booth babes".

That's who they are trying to appeal to. Mother's been taking hormones to avoid menopause, and the old man's little soldier isn't saluting like it used to, so she trots him off to the dangler Doc.

If you showed them young women, she'd just get pissed.

Re:Because they used an attractive woman. (1)

TheCarp (96830) | about a year ago | (#45293783)

> By then I had gotten the pattern: they all get cute girls to try to get the geeks to buy their stuff.

And by the by, this isn't the be-all nor end-all of what they do to get the geeks to buy their stuff either. At my previous company, before the bribery scandal, some things were just blatant. In fact, the vendors had us so good, only the new ones (like Red Hat when we first were in talks with them) bothered with an attractive rep in a revealing dress.

The rest just funded our open bar Christmas party, invited us to free "conferences" which were basically sales pitches, gave us desk toy goodies; hell, even my current employer got in on the act with some of the non-IT departments that used their software.

OTOH it wasn't ALL bad having these cozy relationships. I actually ended up out to lunch with a co-worker and the CEO of one of the companies whose software we used; and was able to get him to go back to my management and inform them of a few things that they wouldn't listen to me about. (seriously: "my management expects your software to do X" and he replies "Our software doesn't do that"... couple of weeks later "out of the blue" we have a project to fill that gap... after I had been trying to tell them for a year or more that their plan was flawed)

Fast forward a couple of years and getting taken out to lunch by vendors was forbidden, and we couldn't even accept pens.

Re:Because they used an attractive woman. (1)

Big Hairy Ian (1155547) | about a year ago | (#45291529)

Obviously the organization was Hooters!

Re:Because they used an attractive woman. (2)

sootman (158191) | about a year ago | (#45292807)

A friend of mine has an attractive wife. Her mom had a document that needed to be faxed. Neither had a fax machine, so the mom told the daughter to take it to Office Depot and fax it. I don't know if the mom misspoke or if the girl had a blonde moment (or both), but in any case, she went to Home Depot instead and asked the guy at the customer service counter to fax it. The guy was like "Um, we don't usually do this, but OK."

Re:Because they used an attractive woman. (1)

Anonymous Coward | about a year ago | (#45291257)

bbbbutt I thought Straight White Male was the easiest setting??

Re:Because they used an attractive woman. (-1, Troll)

Anonymous Coward | about a year ago | (#45291557)

You should not buy into this falsehood. Women are the most organized with many many groups that are female specific. Why else are more women graduating from college than guys? Why else can a woman marry, decide she's bored, leave, and still get paid by the guy until she marries again or gets a job? Why else does she get the kids by default which of course means the guy pays. 70% of women initiate divorce proceedings. I have a hard time believing 70% of guys are such assholes that they walk away leaving the woman having to file in order to marry again. And why else is there such a big push on Breast Cancer research when more guys die of Prostate Cancer than women (and men) of Breast Cancer.

It's amusing that women bought into the "I want to work" feminist movement only to find out it's 'work' and really not all that much fun. And now that they want to return to marrying a guy who will support her and the kids, he's hard to find. Because she also bought into the 'my body' philosophy so gives it away because sex is fun. Guys were raised to support a family. He works to make sure the wife and kids are safe and healthy so they can be successful adults. Now guys are looking around and seeing women with jobs "you go girl", owning houses (and making their own repairs), buying cars, and generally able to support themselves without a guy. And the ladies are wondering why they should marry if they can support themselves. And the guys are thinking the same thing. Why get married if I can get free sex, have all the money I earn to spend on myself, and not have to worry that she'll get bored and leave taking half of the stuff with her (and me have to pay her when she leaves) and take their kids making up lies to keep him away from them.

One of the best, and funniest quotes I've read:

"It's bizarre how some guys are in their twenties and have simply zero interest in women. They have literally nothing in common with them and no interest in them. The problem is that games and porn are entertaining, inexpensive, easily accessible, and reliable. Women can be entertaining, but they're expensive, inaccessible for most men, and from the male perspective, shockingly unreliable."

It might _look_ like the easiest setting. But don't be fooled.

Re:Because they used an attractive woman. (1)

neminem (561346) | about a year ago | (#45292519)

I do agree with you in your first paragraph - there are a lot of ways our culture still makes it harder to be a woman, but there are some laws around that screw guys and make it easy if you're a woman, too. Ideally, we'd fix both types of laws.

After that it goes right into troll territory, though - "It's bizarre how some guys are in their twenties and have simply zero interest in women. They have literally nothing in common with them and no interest in them." Not bizarre at all, I would have no desire to get married to the vast majority of women on the planet. It's not always easy, but the goal is to find someone you *do* have things in common with, and that's pretty obvious. (And if you think having a relationship as a male must necessarily be "expensive", clearly you haven't taken the right lessons from the feminist movement at all.)

Re:Because they used an attractive woman. (1)

TheCarp (96830) | about a year ago | (#45293989)

I look around at claims like that, and claims of systemic racism and it brings up a term that I didn't know was missing from my vocabulary until recently: Path Dependence

One observation that sticks out in my mind related to this: Children of middle class people who started their lives poor, are more likely to end up poor than middle class children whose parents started out in the middle class.

So, even if you make some sort of change that is supposed to help fix the inequality of opportunity, it doesn't mean you should expect equality of outcome to arise, because outcome is based on the previous conditions.

What am I getting at? I think things are significantly better for women than are given credit by most statistics people use, because they keep comparing "woman vs man" where a better comparison would actually be to compare the derivatives of their average salary functions over time. That is, is the average pay for the average woman rising faster or slower than the average man's?

Now why I think things are better than we would expect is partially related to some other trends about changing gender roles. Traditionally we hear, and I even see it amongst some of my own peers at 35, that men prefer more docile women, and are threatened by or uninterested in more assertive ones. However, there is some evidence that among young men, in the age group that is just starting to think about girls, the stereotypes no longer apply, and those males are talking about wanting a woman who works, or even makes more money than they do.

It's not something that's going to show in equality of outcome statistics for maybe another generation after them, but it may even be evidence of a flip to the other direction.

Re:Because they used an attractive woman. (0)

Anonymous Coward | about a year ago | (#45291289)

To further accentuate that this actually was a serious security breach, they received a laptop and security credentials from one of the men that was trying to "help". But they didn't even need that to get real access to the secure systems.

Re:Because they used an attractive woman. (2)

minstrelmike (1602771) | about a year ago | (#45291687)

That's probably why 'real' programmers are fairly safe. They don't have any friends ;-)

Re:Because they used an attractive woman. (1)

Anonymous Coward | about a year ago | (#45291487)

New security measure: male employees are castrated upon hire.

Or, hire a bunch of hookers so that male employees stop caring so much.

Large organizations contain at least a few stupid people. Those stupid people, who are mostly well intentioned, work around security measures and run Java applets to see the company Christmas card

Stupid people are the ones who run java :)

Re:Because they used an attractive woman. (4, Informative)

Zontar_Thing_From_Ve (949321) | about a year ago | (#45291555)

The IT world article explains that the fake account was an attractive woman. The victims who exposed their organizations to attack were men who were trying to "help" this attractive woman in her new position.

Executive summary:
Fake Facebook and Linkedin accounts created for a non-existent attractive 28 year old female who was supposedly a new employee. Apparently the account sent out a lot of friend invitations which were accepted by (seemingly mostly) men who never questioned the invitation or why they had never met this person in real life. The men fell all over themselves to "help" this new employee with some even offering to bypass official channels to get her working sooner. So basically lonely nerds take a shot that friending and helping a hot new chick at work might get them something down the road. The fact that she got job offers means nothing as everybody I know who uses Linkedin (for the record I do not use it) gets job offers all the time. One more thing - they made some fake postings from her so that an internet search would seem to indicate she was a real person. And her Facebook account had a link to an external site with a Java security attack that got some suckers to click on it.

So, they didn't really penetrate anything (0)

pscottdv (676889) | about a year ago | (#45291703)

Presumably this attractive 28 year old female would have to eventually show up in person with ID for an interview or at least an employee badge, right? How did they plan to handle that part of the "penetration"?

Re:So, they didn't really penetrate anything (1)

Anonymous Coward | about a year ago | (#45291911)

Why do they need to show up in person when they already broke into the computer systems, which was their entire goal?

Re:So, they didn't really penetrate anything (0)

Anonymous Coward | about a year ago | (#45291929)

Presumably this attractive 28 year old female would have to eventually show up in person with ID for an interview or at least an employee badge, right? How did they plan to handle that part of the "penetration"?

Somehow they got a laptop from this unnamed organization. I'm not sure how you move a laptop over a social network. I guess these guys are really good at stuff.

Re:So, they didn't really penetrate anything (0)

Anonymous Coward | about a year ago | (#45292563)

I'm not sure how you move a laptop over a social network. I guess these guys are really good at stuff.

You have to first send a request to all your friends. Hopefully you haven't already asked for something from them today. It also helps to send them a gift, maybe a toaster or a llama. If you can, send them a laptop and then they should send one back. After a few days of this, depending on how many friends you have, you should have enough laptops to construct your data center.

Re:So, they didn't really penetrate anything (0)

Anonymous Coward | about a year ago | (#45292125)

"men working for the targeted agency offered to help her get started faster in her alleged new job within the organization by going around the usual channels to provide her with a work laptop and network access. The level of access she got in this way was higher than what she would have normally received through the proper channels if she had really been a new hire"

The need to show up was apparently not required.

Re:Because they used an attractive woman. (1)

CODiNE (27417) | about a year ago | (#45292935)

I keep seeing people refer to those LinkedIn recruiter contacts as "job offers".

To me they really more look like inquiries, but you still have to pass an interview and prove your endorsements are legit before you get an ACTUAL offer. Not to nit-pick but it's lame when someone gets a recruiter contact and is all "Google offered me a job". Uhhh... NO.

Re:Because they used an attractive woman. (1)

Darinbob (1142669) | about a year ago | (#45294523)

It's not even about "getting something down the road". Men just turn stupid even when they know there's no chance or they're not interested in it anyway. There's a part of the psyche that wants to help someone who looks cute (puppy or child or attractive woman). There's a part who wants to help out the grandmother. But the fat guy in the tee shirt with lunch stains on it gets told "dude, read the documentation." It's human nature.

I never get job offers from linkedIn. However I do get lots of recruiters wanting to talk to me about jobs or setting up an interview. I don't think anyone ever gets a job offer over linkedIn unless the employer is an idiot; there's just too much paper work involved in creating a job to do that, everyone will want to meet the prospective employee or at least communicate via email or phone first.

Reward over punishment. (2)

leuk_he (194174) | about a year ago | (#45291659)

Instead of castration you should have an inhouse department that mainly has women so the lonely tech staff does not have to look at the outside. Think of an art/marketing department integrated in the technical department.

Re:Because they used an attractive woman. (2)

jader3rd (2222716) | about a year ago | (#45292157)

They tried the same attack with a male profile and received no hits.

A male wouldn't have helped the organization's diversity quota.

Since when ... (2)

quietwalker (969769) | about a year ago | (#45291207)

...was being added to an employee's facebook or linkedin page a 'Security Attack' or really any sort of real risk? How is making a friend request a "Sophisticated Attack"? Sure, you can start linking information together, but this is an attack in the same way that a honey bee at the pool counts as a deadly swarm of African hornets.

As for the "job offer," why do I suspect that the 'job offers' were not real job offers, but rather requests to apply for a job? You know, like everyone who's on linkedin who has any qualifications or prior experience gets about 3-4x a day, more if you've got a resume with certain keywords in it? Anyway, why is any of that relevant to a security probe?

I read a book a while back about some of the phone phreakers, and at one point they brought a woman in to the Pentagon to demonstrate social manipulation. She was given only a normal phone and phonebook, and asked to get the daily schedule of a specific general, and something like 40 minutes later, she had it. They also had examples of people having extra keys made for doors, purchases and deliveries being made, phone systems being rerouted, and so on. Those sorts of things are attacks.

This was just fluff.

Re:Since when ... (5, Informative)

quietwalker (969769) | about a year ago | (#45291251)

(and then I read the article)

Okay, the point where they then use the connections to send out xmas cards linked to an attack site which people went to, and how they somehow scammed someone into sending her a work laptop and network access credentials.

It might be better to lead with the actual attacks in the summary, and not just some sort of information gathering setup.

Re:Since when ... (2)

minstrelmike (1602771) | about a year ago | (#45291729)

I dunno. I think it's still fluff.
When you manipulate people face-to-face to bypass security, it is called social engineering.
When you do _exactly_ the same thing not face-to-face but using a computer, it is suddenly "the system's" fault.

Re:Since when ... (1)

RavenLrD20k (311488) | about a year ago | (#45292335)

Social engineering is still a hack. It doesn't require nearly the technical know-how in most instances, but it still targets one of the most vulnerable points of a system... the user. Information acquired through social engineering is just as damaging as information acquired through technical hacking. Never forget that without the people integrated into it for its self-perpetuation, a system would not have a purpose to exist. Any time a person is trained in the operation or management of a system, that person becomes an agent of the system. An agent that is socially engineered (re-programmed or hacked) into a different way of perceiving the system is the weakest link in breaking the system.

Perhaps the best defense.. (1)

nanospook (521118) | about a year ago | (#45291263)

Is for no one to have any secrets..

Curious... (3, Insightful)

the_skywise (189793) | about a year ago | (#45291265)

"The attack used built-in Java functionality to get the shell instead of exploiting a vulnerability and required user interaction, but despite these technical limitations, it was very successful, according to Lakhani."

I'm curious what the "required user interaction" was...

I'm pretty tech secure savvy - run noscript, only use the computer with condoms on, etc; But I wonder if I would've fallen for this as well...

If I got a "Christmas Card" from somebody on my company's email I would've allowed the java applet to run. There's an automatic assumption of trust *inside the system* and I would've also assumed that the sandbox mode would be reasonably secure. Was the "user interaction" just allowing the applet to run or did it also ask for something like internet access, which would've thrown up a red flag?

Re:Curious... (0)

Anonymous Coward | about a year ago | (#45291427)

only use the computer with condoms on

You're doing it wrong.

Re:Curious... (2)

ShanghaiBill (739463) | about a year ago | (#45291501)

If I got a "Christmas Card" from somebody on my company's email I would've allowed the java applet to run.

So would I. But I work for an open source company, and you can download everything we have from our website. So security isn't a big concern because there is nothing to steal. In the past, I worked for a defense contractor that did classified work. If an employee emailed a co-worker a Java applet, or any other executable content, they would receive a written warning. On the second offense, they would likely lose their clearance and their job.

Re:Curious... (0)

Anonymous Coward | about a year ago | (#45291643)

If I got a "Christmas Card" from somebody on my company's email I would've allowed the java applet to run.

You're doing it wrong.

There's an automatic assumption of trust *inside the system*

You're doing it wrong.

Re:Curious... (0)

Anonymous Coward | about a year ago | (#45292751)

You trust a Java applet from an external source just because the link to it came from someone you work with?? That's not "tech secure savvy".

Re:Curious... (0)

Anonymous Coward | about a year ago | (#45293369)

I'm curious what the "required user interaction" was...

The only built-in functionality to get the shell I can think of is Runtime.exec, and that requires additional permissions to run in the applet sandbox. Most likely the users ignored the warning that shows up when an untrusted applet requests more permissions and clicked "I trust the publisher of the applet and accept the risks" followed by clicking accept. There is a reason why some IT departments restrict allowed applications with a whitelist; users downloading and running malware is a very old problem (and some users never learn, even when told not to do it repeatedly).

Re:Curious... (3, Interesting)

PPH (736903) | about a year ago | (#45293825)

If I got a "Christmas Card" from somebody on my company's email I would've allowed the java applet to run.

When I worked for Boeing, one of the supervisors on my project was a fan of Asian male porn (use your imagination). More than a few e-mails supposedly from him contained malware. Given the firewalls we had, I have to think that the infection was hosted on his system. Probably a laptop he carried back and forth to work.

Fortunately, I ran a Linux desktop, so no Asian male porn popups for me.

Job offer is not "break into" (0)

sinij (911942) | about a year ago | (#45291281)

To "Break Into" you have to get hired, get past security clearance process and then get hired into position that has access to something valuable, then succeed at taking it. When you are willing to manufacture lies "job offer" is an easy part.

Re:Job offer is not "break into" (3, Informative)

Minwee (522556) | about a year ago | (#45291831)

To "Break Into" you have to get hired, get past security clearance process and then get hired into position that has access to something valuable, then succeed at taking it. When you are willing to manufacture lies "job offer" is an easy part.

Maybe you didn't read all of the article.

[...] men working for the targeted agency offered to help her get started faster in her alleged new job within the organization by going around the usual channels to provide her with a work laptop and network access. The level of access she got in this way was higher than what she would have normally received through the proper channels if she had really been a new hire [...]

If you read very carefully, you will see that "Emily Williams" was given access to the secure but unnamed organization's network without having to do any of those things.

Re:Job offer is not "break into" (0)

sinij (911942) | about a year ago | (#45292137)

I have read the full article, and "...with Fake Social Media ID" actually makes no sense. Social Engineering someone to bypass all procedures and give out access to strangers is a) not penetration testing b) has very little to do with social media. New Year card attack was spear phishing combined with inadequate IDS.

Here is what pen testers succeeding would look like: leveraging a zero-day exploit in the popular social media platform, pen testers gained remote access to the Gov't Agency's internal network, which for some reason was configured to use Facebook Login as an acceptable remote authentication protocol.

Re:Job offer is not "break into" (2)

Minwee (522556) | about a year ago | (#45294079)

I don't think "But she didn't play FAIR!" is an acceptable defense here. Someone from outside of a secure organization was able to gain access to protected assets by doing little more than asking nicely. What little defense there was had been penetrated long before any of the spear phishing took place.

Social Media (4, Interesting)

Bigbutt (65939) | about a year ago | (#45291353)

Well, I don't accept connections on Facebook from anyone at work. Too many folks who have distasteful lives (and I don't want them knowing my stuff either). I have received the occasional Facebook chick spam. I figure it's porn and I certainly don't need Facebook to find porn :)

I deleted my LinkedIn profile a week or two ago so no connections there either. Way too many headhunter spams ("we have a sysadmin job in New Jersey for 6 months for $20 an hour" or better "we are a temp agency, do you need any accounting people?"), marketing spams ("we have this awesome Windows management tool" You do know I'm a Unix admin, right?), folks who have no idea of what I do who think I'm a great C programmer, and quite a few folks I have no idea who they are who want to link. So not seeing any benefit, I bailed.

I also don't click on such attachments or Facebook posts. I have relatives sending me links to such Christmas or Birthday card sites and I choose not to click the link. Just a tad paranoid I guess.

In reading the article:

The experiment also shows that attractive women get special treatment in the male-dominated IT industry. The majority of individuals who went out of their way to help Emily Williams were men. The team actually tried a similar test in parallel with a fake male social media profile and got no useful connections.

I wonder if they thought to try it with a plainer woman. Since women are so underrepresented in IT, any woman might have received the "special treatment".

In general though, I think it's true. Social Networking, either by Social Media or in person will certainly eventually gain you access. Folks are helpful. At work the Customer Service folks get the most awards for being helpful. Upper management even had a Customer Service demonstration for our last company wide meeting. I think it'll take a big change to get that sort of behavior changed.

[John]

Re:Social Media (1)

Amtrak (2430376) | about a year ago | (#45291821)

I also don't click on such attachments or Facebook posts. I have relatives sending me links to such Christmas or Birthday card sites and I choose not to click the link. Just a tad paranoid I guess

That doesn't sound paranoid to me. Most of my relatives don't even know how to shut down their laptops and just leave them in sleep till the battery dies and then wonder why the batteries are shot after a year. They are also way too trusting online; they might get a spam email saying "CHECK OUT R NEW CHRSTMS CARD APP!!!" and click on it and then use the malware site to send all their friends/family a "Christmas Card" which infects the computer of whoever opens it.

My general rule is, if it's from my Mom, Sisters, or cousin, don't click on links. My Dad is fine though; he's more security paranoid than I am. My Dad won't even attach his work laptop to his own home network any more because he doesn't trust my Mom or Sisters. LOL

Re:Social Media (0)

Anonymous Coward | about a year ago | (#45294047)

then wonder why the battery's are shot after a year. They are also way to trusting online

God but the educational system sucks. Ever read a book you weren't forced to?

Elaborate social engineering hack != "pen testing" (4, Interesting)

atom1c (2868995) | about a year ago | (#45291511)

An elaborate multi-factored social engineering hack (commonly referred to as a "heist") is quite different from a penetration test. Anybody can commit fraud, be it a computer illiterate juvenile or a network security contractor (*cough*Snowden*cough*), by virtue of misleading or reconfiguring enough influential factors (people, systems) to pass whatever security measures are in place.

The same outcome could have occurred by stealing an employee's security badge -- especially if there's an uncanny visual resemblance.

In other words... no news here.

Re:Elaborate social engineering hack != "pen testi (0)

Anonymous Coward | about a year ago | (#45292369)

Glad you only care if the technical measures that secure your systems are robust. That is what you are implying by saying this isn't a pen test. It IS a pen test, but it is not a test of technical security.

Re:Elaborate social engineering hack != "pen testi (4, Insightful)

neminem (561346) | about a year ago | (#45292405)

How is it *not* a penetration test? They were testing whether they could get in. They got in. How does it matter whether they got in because they tricked a computer into letting them in, or a person? Both avenues are equally important if you want your office to be secure.

Re:Elaborate social engineering hack != "pen testi (1)

sinij (911942) | about a year ago | (#45292887)

The answer is 'scope creep'. Penetration testers operate under 'normal use' assumptions and will attack systems and interfaces 'head-on'. For example, if you have a password-protected interface then it is assumed that the password is not known and cannot be known unless said interface can be manipulated into divulging it. Generally speaking you assume that policy and procedures are followed. While you could always torture a sysadmin for passwords, "getting in" this way will not tell you much about system security. As such, penetration testing is not about "getting in" but about testing the effectiveness of system protection against a specific threat level/sophistication.

Social engineering attacks are a bit different. When you test against social engineering attacks it isn't about getting in but about testing effectiveness and rate of compliance with policy.

So what did the tests mentioned in the OP identify? Well, they identified that policy and procedures are not being followed in granting access to the network and hardware. A simple "assign asset to employee ID" check would have stopped this, so I suspect that procedures are flawed or outright ignored.

They also identified that the spear phishing attack succeeded; this means that a) users have unnecessary privileges and/or b) intrusion detection is inadequate. The OP does not identify how long the backdoors they installed remained undetected. They also did not specify if they gained potential access or actually managed to extract useful information. Outright preventing sophisticated spear phishing in a large organization is very very hard, but identifying and mitigating it is fairly routine and frequently automated.

With enough effort you could spear phish anyone. For example, if you date, marry me, start a family, and live with me for a decade or two you can get me to divulge my sensitive passwords. If I was head of CIA it might be even worthwhile.

With this type of attack the question is not how you prevent attackers from "getting in" with social engineering, but instead how you mitigate damage and put roadblocks in place to delay them.
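The "assign asset to employee ID" check the comment above calls for, as an added example that is not part of the comment or of the original article: a provisioning gate that refuses to issue a laptop or network credentials when the requester has no HR record, when the request bypasses the official channel, or when the requested entitlements exceed the role's least-privilege baseline. The HR roster, role baselines and request shape are all constructed for illustration.

```python
"""Provisioning gate tying asset and credential issuance to an HR-verified
employee ID. Roster, roles and requests are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed least-privilege baselines per role: what a role may be granted
# without a separate, documented exception.
ROLE_BASELINE = {
    "new_hire": {"vpn", "email"},
    "sysadmin": {"vpn", "email", "admin_console", "prod_shell"},
}

# Constructed HR system of record: employee_id -> (name, role, start, active)
HR_ROSTER = {
    "E1001": ("Alice Example", "sysadmin", date(2011, 3, 1), True),
    "E1002": ("Bob Example", "new_hire", date(2012, 12, 3), True),
}


@dataclass
class AssetRequest:
    requester_name: str
    employee_id: Optional[str]       # None when nobody can cite an HR ID
    channel: str                     # "helpdesk_ticket" or "informal"
    entitlements: Set[str] = field(default_factory=set)


def evaluate(req: AssetRequest, today: date = date(2012, 12, 10)) -> Tuple[bool, List[str]]:
    """Return (approved, problems). Every problem blocks issuance; a colleague
    vouching for the requester is never a substitute for an HR record."""
    problems: List[str] = []
    if req.channel != "helpdesk_ticket":
        problems.append("request did not come through the provisioning channel")
    if req.employee_id is None or req.employee_id not in HR_ROSTER:
        problems.append("no HR record for requester; identity unverified")
        return False, problems       # nothing else can be checked without a record
    name, role, start, active = HR_ROSTER[req.employee_id]
    if name.lower() != req.requester_name.lower():
        problems.append("name on request does not match HR record")
    if not active or start > today:
        problems.append("employee is not active in HR as of today")
    excess = req.entitlements - ROLE_BASELINE[role]
    if excess:
        problems.append(f"entitlements exceed {role} baseline: {sorted(excess)}")
    return (not problems), problems


if __name__ == "__main__":
    # A requester with a convincing social profile but no HR record is refused.
    print(evaluate(AssetRequest("Emily Williams", None, "informal", {"vpn", "email"})))
```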

Re:Elaborate social engineering hack != "pen testi (2)

Flere Imsaho (786612) | about a year ago | (#45294521)

In my experience, social engineering is part of a thorough pen test, just as physical security is. It's usually the most successful/easiest part, too.

Real News is 100% Break-in Success! (1)

BoRegardless (721219) | about a year ago | (#45293341)

To quote the speaker "Every time we include social engineering in our penetration tests we have a hundred percent success rate,"

That was in big organizations including cybersecurity teams. What this means is that there is a giant freakin' SUV-wide hole into ALL organizations unless they have smartened up in recent months. Like I am sure they did at healthcare.gov, right?

woo...someone got fooled by a confidence trick (0)

Anonymous Coward | about a year ago | (#45293717)

Most people who work in "security" fields only work in them for the money, not because they have a clue or care. Some dude probably thought he was going to get his dick wet or something when he saw a photo of an attractive woman. Crap like that is exactly how Mossad got Mordechai Vanunu [wikipedia.org]

Can we think a little less with our dicks guys?

Re:woo...someone got fooled by a confidence trick (1)

PPH (736903) | about a year ago | (#45293761)

Can we think a little less with our dicks guys?

Penetration Testing: Rule 34.

2007 called.... (0)

Anonymous Coward | about a year ago | (#45293905)

They want their "experiment" back...

http://pentest.netragard.com/2009/02/12/facebook-from-the-hackers-perspective/
