15 November 2013

Hacking is easy if you lure security contractors with fake flirting

Two hackers have shown how easy it is to get around sophisticated security systems by going for the weak point - human nature.

By Ian Steadman

There are many ways to approach breaking into a computer network at a government or corporation to grab some sensitive information. One of those is, arguably, easier than the others, and more effective, and requires little in the way of technical skills. It’s pretending to be an attractive woman and flirting with the right people.

Seduction has been used for espionage for years. In the Cold War, so-called ‘honeypots’ were a crude but effective way of trapping foreign agents in compromising situations and using them as a way to blackmail them for information. The human capacity to let our genitals override our heads should never be underestimated.

Aamir Lakhani and Joseph Muniz created a fake female profile on Facebook and LinkedIn, established their credentials – things like fake job histories, making friends, soliciting endorsements, and messaging people in character – and found it was remarkably easy to get people to trust them with confidential information.

Their fake woman, “Emily Williams”, was created in 2011 with the specific aim of hacking into a specific government agency. “She” had graduated from the University of Texas, and had a profile picture voluntarily given by a waitress at a branch of Hooters a few blocks down the street from the target building. ZDNet has the story:

Before zeroing in on the government target’s employees, Lakhani and Muniz built up Miss Williams’ presence on social media, netting her hundreds of connections, with only one man flagging her as suspicious.


Another man asked how Emily might know him, and when the researchers answered with information they obtained in the man’s profile, he said he did indeed remember the imaginary girl.

Once Williams had friends, the hackers updated her Facebook and LinkedIn profiles with just-hired status at the government target, and gave her an engineering title. The attractive, imaginary young woman connected with the target’s employees via social media and connected with Human Resources, IT Support, Engineering and those in executive leadership roles.

The congratulations for “her” new job rolled in.

The so-called “penetration test” was meant to take 90 days, but it only took a week for Emily Williams to be accepted as real by colleagues who had never even met her. Then, the fun began.

“Emily” sent e-cards to colleagues near Christmas, containing a link that downloaded malware onto their computers that let the hackers figure out people’s passwords. Male employees, convinced that they were flirting with a real woman, circumvented normal channels to give “her” access to the internal work network, and one man even sent “her” a company laptop. Lakhani and Muniz, presenting their work at RSA Europe 2013 last month, claim they quite easily managed to access documents that were above the clearance level for an entry-level employee like Emily Williams.

The two hackers were influenced by Robin Sage, an infamous fake profile created by security specialist Thomas Ryan in 2009. After creating social media profiles for Robin – an attractive, young woman with unusually impressive IT security experience – and messaging around 300 technology and military firms, “she” was offered consulting jobs and dates by some who failed to verify her identity.

In these cases it’s clear that the security protocols and encryption methods used by these firms – firms that have some very sophisticated tools to try and fend off cyber-attacks – are absolutely useless once unreliable, emotional humans get involved. Security is only as good as the weakest link, but there’s quite a fundamental problem if that weakest link is human nature.
