There have been weekly reports of the alleged omnipotence of U.S. intelligence agencies, giving the impression they are on the leading edge of offensive IT security.
Apparently, however, at least one of those agencies doesn’t know how to play defence. According to a presentation this week at the RSA European security conference, the agency fell for one of the oldest tricks in the book: a person pretending online to be an employee.
The attack, a social engineering exercise, was an authorized test of the unnamed agency’s ability to protect itself. It failed utterly. Once inside the firewall, the hackers were able to launch sophisticated attacks.
How’d they do it? The hackers used phony Facebook and LinkedIn profiles to build an online identity for a woman named “Emily” who said she was a new hire at the agency. Then other employees began connecting to her pages.
(Here’s a neat touch: for a photo they used a picture of a waitress at a restaurant frequented by many of the agency’s staff. No one recognized her.)
Soon helpful staff sent her a work laptop and network access. Normally that alone would have been a freeway into the agency. However, the hackers had a better idea: they created a Web site with a Christmas card and posted a link to it on Emily’s social media pages. Any agency staffer who clicked the link ran a signed Java applet (a signed applet, once the user accepts the certificate prompt, runs outside the Java sandbox with the user’s full privileges) that opened a reverse shell back to the hackers, and eventually they gained administrative rights.
The ultimate prize was the PC of the head of information security, who must have felt invulnerable to this kind of attack because he had no social media accounts. So the hackers sent him an email with a link to a birthday card that appeared to come from a staffer he knew. He took the bait.
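As an added example (not part of the presentation or of this article), here is the kind of endpoint detection that would have caught the applet’s reverse shell regardless of how the link was delivered: a Java process spawning an interactive shell, or a Java process making an outbound connection to an address outside the organization’s own ranges. The log format, host names, paths, addresses and "allowed" networks below are all constructed for the example.

```python
"""Flag endpoint events that look like a Java applet opening a reverse shell.

Constructed log format (one event per line, whitespace-separated key=value pairs):
    <timestamp> <host> PROC image=<path> parent=<path>
    <timestamp> <host> NET  image=<path> dest=<ip> port=<n>
"""
import ipaddress
from os.path import basename

# Images that host the JVM or applets (assumed list for this example).
JAVA_IMAGES = {"java", "javaw", "jp2launcher"}
# Interactive shells a reverse-shell payload typically spawns.
SHELL_IMAGES = {"cmd", "powershell", "sh", "bash", "dash", "zsh"}
# Corporate ranges a Java process may legitimately talk to (assumed for the example).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]


def _name(path):
    """Normalize a Windows or POSIX image path to a lowercase basename without .exe."""
    n = basename(path.replace("\\", "/")).lower()
    return n[:-4] if n.endswith(".exe") else n


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    rec = {"ts": parts[0], "host": parts[1], "type": parts[2]}
    for kv in parts[3:]:
        if "=" in kv:
            k, v = kv.split("=", 1)
            rec[k] = v
    return rec


def _external(dest):
    """True if dest is outside ALLOWED_NETS (unparseable hostnames count as external)."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return True
    return not any(ip in net for net in ALLOWED_NETS)


def detect(lines):
    """Return (rule, host, detail) findings for reverse-shell-like Java behaviour."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["type"] == "PROC":
            parent = _name(rec.get("parent", ""))
            image = _name(rec.get("image", ""))
            if parent in JAVA_IMAGES and image in SHELL_IMAGES:
                findings.append(("java_spawned_shell", rec["host"], f"{parent} -> {image}"))
        elif rec["type"] == "NET":
            image = _name(rec.get("image", ""))
            dest = rec.get("dest", "")
            if image in JAVA_IMAGES and _external(dest):
                findings.append(("java_outbound_external", rec["host"],
                                 f"{dest}:{rec.get('port', '?')}"))
    return findings


# Constructed sample: ws-114 runs the applet and gets a shell; ws-115 is benign.
SAMPLE_LOG = [
    "2013-10-30T09:41:02 ws-114 PROC image=C:\\Java\\jre7\\bin\\javaw.exe parent=C:\\Mozilla\\firefox.exe",
    "2013-10-30T09:41:05 ws-114 NET image=C:\\Java\\jre7\\bin\\javaw.exe dest=203.0.113.7 port=443",
    "2013-10-30T09:41:05 ws-114 PROC image=C:\\Windows\\System32\\cmd.exe parent=C:\\Java\\jre7\\bin\\javaw.exe",
    "2013-10-30T09:42:10 ws-115 NET image=C:\\Java\\jre7\\bin\\javaw.exe dest=10.20.30.40 port=8080",
    "2013-10-30T09:42:11 ws-115 PROC image=C:\\Windows\\System32\\cmd.exe parent=C:\\Windows\\explorer.exe",
]


def detect_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, host, detail in detect_sample():
        print(f"{host}: {rule} ({detail})")
```

Both rules fire only on ws-114: the outbound connection to 203.0.113.7 on port 443 (a reverse shell blends in best on a port the proxy already allows) and the shell spawned directly under javaw. The same parent/child and process/connection correlations are what Sysmon process-creation and network-connection events, or an EDR, give you in practice; the point is that the signed applet’s prompt is the last line of defence the user sees, so the detection has to live on the endpoint, not in the user.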
Aside from demonstrating what real penetration testing teams do, the story also shows how social engineering gets people suckered into risky behavior. A person online says they’re an employee of a large organization – who’d doubt that? Especially if those following her online are real colleagues. You do have a birthday this week – why wouldn’t you click on a link to a birthday card from someone who you apparently know?
The lesson: remind staff regularly what proper security behavior looks like, including not clicking links sent by "colleagues" they have never met in person or verified through a channel they trust. Even IT pros can be fooled.