It was the birthday of the head of information security at a US government agency that isn’t normally stupid about cyber security.
He didn’t have any accounts on social media websites, but two of his employees were talking about his special day on Facebook.
A penetration testing team sent the infosec head an email with a birthday card, spoofing it to look like the card came from one of his employees.
The recipient opened it and clicked on the link inside.
After the head of information security opened what was, of course, a malicious birthday card link, his computer was compromised.
That gave his attackers the front-door keys, according to Aamir Lakhani, who works for World Wide Technology, the company that performed the penetration test:
This guy had access to everything. He had the crown jewels in the system.
ITWorld’s Lucian Constantin wrote up Lakhani’s account of the successful pen test, which was performed in 2012 and sanctioned by a US government agency that Lakhani neglected to name.
Lakhani, a counter-intelligence and cyber defense specialist who works as a solutions architect for World Wide Technology, presented the results on Wednesday at the RSA Europe security conference in Amsterdam.
How did World Wide Tech crack open a US government agency that Lakhani described as being, as Constantin paraphrased it, “a very secure one that specializes in offensive cybersecurity and protecting secrets and for which [World Wide Technology] had to use zero-day attacks in previous tests in order to bypass its strong defenses”?
The linchpin, it turns out, was a spoof new hire at the agency: an attractive, smart, female graduate of MIT named Emily Williams whom World Wide Technology invented for the test.
According to the pen-test team’s fake social media profiles, Emily Williams, 28 years old, had 10 years of experience. They used a picture of a real woman, with her approval.
In fact, the real woman works as a waitress at a restaurant frequented by many of the targeted agency’s employees, Constantin reports.
Nonetheless, nobody recognized her.
Not only did the government employees not recognize their waitress, they flocked to the fake persona bearing her likeness.
Here’s how popular Emily Williams proved within just 24 hours of her birth:
- She had 60 Facebook connections.
- She garnered 55 LinkedIn connections with employees from the targeted organization and its contractors.
- She had three job offers from other companies.
As time went on, Emily Williams received LinkedIn endorsements for skills, while male staffers at the agency offered to help her out with short-cuts around the normal channels set up for new hires that would net her a work laptop and network access (which the penetration testing team obtained but did not use).
Around Christmas, the pen-test team rigged Emily Williams’s profiles with a link to a site with a Christmas card.
Visitors were prompted to execute a signed Java applet that in turn launched an attack that enabled the team to use privilege escalation exploits and thereby gain administrative rights.
They also managed to sniff passwords, install other applications and steal sensitive documents, including information about state-sponsored attacks and country leaders.
But what about those 10 years of experience at the tender age of 28? Didn’t that sound any alarms?
The bit about Emily Williams having 10 years of experience well might have been a tip of the hat to the inspiration for the ruse: namely, a fictional cyber threat analyst by the name of Robin Sage, crafted by Thomas Ryan, a US security specialist and white-hat hacker from New York, in 2009.
Like Emily Williams, Robin Sage was also set up to have 10 years of experience, though she was only 25 years old.
Ryan cooked up Robin Sage profiles on Facebook, LinkedIn, Twitter, etc., using them to contact nearly 300 people, most of whom were security specialists, military personnel, staff at intelligence agencies and defense contractors.
Despite the completely fake profile, which was populated with photos taken from an amateur pornography site, and despite the character’s name being taken from a US Army exercise, Sage was offered work at many companies, including Google and Lockheed Martin.
She was also asked out to dinner by her male friends, was invited to speak at a private-sector security conference in Miami, and was asked to review an important technical paper by a NASA researcher, the Washington Times reported.
For “her” part, Emily Williams managed to reach the very top of the government agency’s information security team.
But the attack started out low, targeting employees in sales and accounting, before hitting that high mark.
As the character’s social network grew, the attack team managed to target technical staff including security people and even executives.
Lakhani pointed out a few lessons from the experiment:
- Attractive women can open locked doors in the male-dominated IT industry. A parallel test with a fake male social media profile resulted in no useful connections. A majority of those who offered to help Emily Williams were men. The gender disparity in social engineering has shown up in other situations, including, for example, the 2012 Capture the Flag social engineering contest at Defcon. Anecdotal evidence from the Defcon contest suggested that females might have more compunction than males about duping others, but they may be better at sniffing out a con.
- People are trusting and want to help others. Unfortunately, low-level employees don’t always think that they could be targets for social engineering because they’re not important enough in the organization. They’re often unaware of how a simple action like friending somebody on Facebook, for example, could help attackers establish credibility.
How do you solve a problem like overly friendly, helpful employees?
Lakhani said that social engineering awareness training can help, but doing it on an annual basis doesn’t cut it. Rather, it needs to be constant, so employees develop instincts.
Other training tips from Lakhani, via Constantin, include training employees to:
- Question suspicious behavior and report it to the human relations department.
- Refrain from sharing work-related details on social networks.
- Not use work devices for personal activities.
On the systems front, he recommended:
- Protecting access to different types of data with strong and separate passwords.
- Segmenting the network so that if attackers compromise an employee with access to one network segment they can’t access more sensitive ones.
We think that your defence against social engineering should also include someone that you can call to report phishing expeditions, whether by phone or email.
Attackers using the phone have a habit of working through the organizational phone book. If you can’t report a suspicious call to someone who can send out a warning, each phone call will stand alone. If the attacker fails to trick the first user they call you’ll want the next user to have been alerted in advance that an attack is going on.
This advice also needs to be integrated into a strategy of defence in depth.
Your existing security software and procedures can help to prevent or limit damage from a social engineering attack and of course attackers won’t necessarily limit themselves to just using social engineering, or indeed any one vector.
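One such control that applies directly to the opening attack, where a birthday-card email was spoofed to look as if it came from a colleague, is a gateway check that mail claiming an internal sender actually authenticated as internal. The checker below is an added example, not code from the original article or from World Wide Technology; the internal domain `agency.example`, the sender names and the two sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical internal domain of the organisation being protected.
INTERNAL_DOMAIN = "agency.example"


def spoof_findings(raw_message: str) -> list[str]:
    """Return reasons a message that claims an internal sender looks spoofed.

    An empty list means the From claim is consistent with the Return-Path and
    with the Authentication-Results the border gateway stamped on the message.
    Messages not claiming an internal sender are out of scope and return [].
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if from_domain != INTERNAL_DOMAIN:
        return []
    findings = []
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain!r} differs from From domain")
    auth = str(msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=pass" not in auth:
            findings.append(f"{mech} did not pass at the gateway")
    return findings


# Constructed sample: the card looks like it is from a colleague, but the
# envelope sender is an outside domain and no authentication check passed.
SPOOFED_CARD = """\
Return-Path: <cards@birthday-greetings.example>
Authentication-Results: mx.agency.example; spf=fail smtp.mailfrom=birthday-greetings.example; dkim=none; dmarc=fail header.from=agency.example
From: "Dana Employee" <dana.employee@agency.example>
To: infosec.head@agency.example
Subject: Happy birthday!

Open your card here.
"""

# Constructed sample: a genuine internal note that passed SPF, DKIM and DMARC.
LEGIT_NOTE = """\
Return-Path: <dana.employee@agency.example>
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=agency.example; dkim=pass header.d=agency.example; dmarc=pass header.from=agency.example
From: "Dana Employee" <dana.employee@agency.example>
To: infosec.head@agency.example
Subject: Happy birthday!

Cake in the break room at three.
"""
```

A message that returns any findings is a candidate for quarantine or for a warning banner, which is exactly the prompt the recipient in this story never got.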
For more thoughts on planning your security, including defending against social engineering, read our Practical IT guide to planning against threats to your business at Sophos.