How a Hooters photo helped hackers penetrate a government agency
Sometimes all it takes is a pretty face (and a Facebook profile) to beat even the toughest security.
At least that’s the lesson imparted by the team of cybersecurity experts from Texas-based World Wide Technology at the RSA Europe security conference in Amsterdam last week.
With nothing more than a pair of easy-to-set-up profiles on social-networking sites like Facebook and LinkedIn for a fictional 28-year old University of Texas graduate named Emily Williams, World Wide Technology was able to pose as a new IT employee at an unnamed U.S. government agency. The researchers used a tactic called social engineering to extract extremely sensitive information from the agency with relative ease.
Social engineering is when hackers, criminals, or security consultants take advantage of human behavior to get access to things they shouldn’t be able to. As the rise of social networking sites has allowed Internet users to connect with each other in countless new ways, the ability of social engineers to penetrate otherwise impenetrable systems has grown accordingly.
Network World reports that Aamir Lakhani, a counter-intelligence specialist World Wide Technology, declined to specifically identify the agency but called it ‟a very secure one that specializes in offensive cybersecurity and protecting secrets.”
In just one day after first establishing the profile, Williams already had dozens of Facebook and LinkedIn connections to employees of the agency and its affiliated contractors, as well as multiple job offers from other companies looking to poach her.
She was also apparently given a company laptop and network access—though it's not quite clear how such transactions took place.
Next, the team had Williams post a link on her profile to a webpage displaying a Christmas ecard that also secretly contained an application that, once downloaded, gave them access to the agency’s otherwise secure computer systems. They were able to detect passwords of users on the agency’s system and downloaded a trove of secret documents that ‟included information about state-sponsored attacks and country leaders.”
The entire process took less than a week.
World Wide Technology set up the profile using the picture of a waitress at a nearby Hooters frequented by agency staffers. No one, however, made the connection.
Here’s the photo they used (the face has been blurred to protect Williams’s real identity):
Out of the hundreds of people friended by Williams, only a small handful expressed any skepticism about her encroachment into their lives. In one case, someone asked Williams how they knew each other and the team made something up based on information present on the guy’s Facebook profile. The former skeptic then claimed that he did, in fact, actually remember Williams.
Even so, not everyone accepted Williams’s friend requests. She was denied by the head of the agency, who checked her name against a company directory and didn't find anything.
"After we performed this successful attack we got requests from other companies that wanted to try the same thing," Lakhani told Network World. "So we also did the same type of penetration test for very large financial institutions like banks and credit card companies, healthcare organizations and other firms, and the results were almost exactly the same."
He boasted that his team’s social engineering efforts yielded a 100 percent success rate.
In his presentation, Lakhani noted that the photo his team used for Williams was important in engendering a sense of trust among the agency employees whom they were targeting. "Attractive women get special treatment in a male dominated industry [like IT],” he insisted.
‟The research was made public with the goal of educating employees about security around social networks as well as the current potential threats that could target people like you,” wrote Joseph Muniz, one of the researchers who conducted the test, on the Security Blogger. ‟We had executive approval before conducting the experiment.
‟Social media can be used as a means to compromise targets if users are not educated on common attacks and proper use of public facing network resources,” Muniz added. ‟The risk extends beyond data leakage since many people that use social media also use the same systems for internal use while at work.”
Even with education about social engineering, the Emily Williams experiment shows that dedicated scammers will always ultimately find a way into even the most secure computer systems. At the end of the day, the weakest link any system’s defenses is likely the people using it.
Photo by Spencer E Holtaway/Flickr