
Fake femme fatale dupes IT guys at US government agency - timw6n
http://nakedsecurity.sophos.com/2013/11/03/fake-femme-fatale-dupes-it-guys-at-us-government-agency/
======
Amadou
There was a comment in the story that I think is misleading - _Attractive
women can open locked doors in the male-dominated IT industry._ Attractive
women can do that in _any_ industry, it doesn't need to be male dominated. Men
are stupid that way (if we weren't stupid that way birth rates would probably
be 1/100th of what they are now), you only need a handful of men to have a
good probability of finding at least one who is thinking with more than one
brain.

~~~
beachstartup
> (if we weren't stupid that way birth rates would probably be 1/100th of what
> they are now)

uh, no. very attractive women don't have kids with the legions of dorks that
give them unearned help throughout their life. in any industry.

women aren't stupid. they're actually very smart.

~~~
Amadou
Your assumption does not follow from what I wrote, in fact it is practically
the reverse since my point was that _any_ industry is vulnerable.

It isn't just "dorks" who give even marginally attractive women special
treatment - there are very few categories of men who don't (primarily gay
men). Try this experiment out in real life - any time you see a man helping a
female stranger with _anything_ consider if he would do the same for a male
stranger. The number of times a straight guy will go out of his way for
another man who isn't a friend is practically zero.

_women aren't stupid. they're actually very smart._

The idea that women deliberately take advantage of "dorks" sounds vaguely
bitter and misogynistic.

~~~
beachstartup
> there are very few categories of men who don't.

yeah, exactly. those are the guys who are getting with the attractive women.

specifically, high value men who don't give handouts.

also, dorks isn't exclusive to IT. every industry has dorks.

~~~
gaius
Oh, you're a "PUA". Good luck with that.

~~~
beachstartup
i'm not really sure what you're referring to, but i'm talking about pretty
basic human psychology.

------
Theodores
In the outlined scenario there is some basement-dwelling-geek tricked into
giving away the keys to the castle by some allegedly mega-fit-babe who is
outside the company. This is not the only scenario where this can go horribly
wrong.

A few years ago I worked at some company where the computers were well and
truly locked down. No Facebook, no YouTube, no nothing. If it could not be
accessed on Internet Explorer 6 for the strict purposes of getting the job
done then you was not having it.

However, a charming young lady in some admin department was able to work her
charms on the IT department. Somehow it became imperative that, unique in the
company, she was able to access all the tedious sites of the internets. It
only took a week or two before her computer was well and truly soiled with
viruses, e-coli, everything. She did her own 'social engineering' to wreck her
computer, however, someone on the outside, had they known that her computer
was the weak one, could have social engineered her to install whatever.

Times have moved on since IE6. Nowadays everyone has a smartphone in their
pocket and they can do whatever they need to do on that. We also now know that
computers are vulnerable. People understand this, they did not back then (IE6
days).

So maybe it is time for offices where confidential stuff gets done to tighten
up the firewalls, block the websites and make the office internet access a bit
more locked down, with no need to pander to people who 'need' Facebook access
at work. Reasons can be provided as to why this has to be and people can be
encouraged to use their gadgets for anything social-network-y.

~~~
daemin
I read the article as saying that she worked at the secure (target) agency,
hence the fake profile was for someone that already worked at the agency. It
was just using a photo of the waitress.

So there's some assumption on the part of the employees that she is already
employed by the company, and hence she's been vetted somehow. That would also
explain the job offers since other companies would want to poach employees.

Though my take away from this is that there are a lot of men that think that
niceness at work is a way into a hot girl's pants.

~~~
xerophtye
> a lot of men that think that niceness at work is a way into a hot girl's
> pants.

I am tempted to ask, if niceness isn't, what is?

~~~
kazagistar
Being an awesome enough human being that it happens the other way around.

~~~
xerophtye
I don't get it. Isn't being nice part of the whole "be awesome" thing? I mean,
why are males being discouraged from being nice and helpful? O.o I mean I
understand it's extremely wrong to be nice for the sole purpose of getting
into someone's pants (and equally wrong for people to take advantage of people
for being nice to them), but why discourage being nice as a whole? I thought
we all went through HS and college and learned to recognize people who take
advantage of our niceness. Just avoid them, and be nice to everyone else.

~~~
daemin
Do you think in the article that the men in the target agency were just being
nice? If that were the case then the fake male profile the security company
created would have received as much help, job offers, and other attention as
the female, but clearly that was not the case.

Women, especially attractive women, can easily distinguish genuine niceness
and this get-in-your-pants niceness, and while they will take advantage of it
all (it would be foolish and stupid not to), they will not sleep with such
people.

------
AndrewKemendo
As someone who has worked in the security field the desire to want to help
people is still overwhelming. I love PenTests and have had successful ones run
on me even when I was vigilant and in the testers' faces.

The key reason why I think most confidence penetrations work is because in
most cases the "system" doesn't work smoothly enough to not have usability
issues. So when you know of credible people who are vetted but are still not
"in the system" that becomes an instance of the "system" not working.

Then, inevitably in the few boundary cases where it doesn't work, you get to
the point that you know how it will break and will wave over anyone in that
specific situation. If someone knows of these specific "breaks" then by
definition they will exploit those knowing that it is a common issue.

If however you stick to the "I don't care what you say, you aren't in the
system" then you are now "the inflexible security nazi." Security really is an
ethos and it takes only a few pinpricks to make it crumble.

------
dguido
If clicking one link leads to your company losing all of its intellectual
property, then you have a technology problem. Lazy security "professionals"
who can't design good solutions are far too quick to blame users.

~~~
yeukhon
What kind of security mitigation do you propose?

~~~
zhemao
Well, disabling Java applets in everyone's web browsers would probably be a
good start.

~~~
magic_haze
This was a zero day in the jvm. It could very well have been a zero day in the
browser or the OS, if someone was determined enough. I'm not sure the problem
can be solved purely with technology.

~~~
meowface
No, it was not.

> Visitors were prompted to execute a signed Java applet that in turn launched
> an attack that enabled the team to use privilege escalation exploits and
> thereby gain administrative rights.

This was purely a social engineering attack. Even if their JVMs were all fully
up to date, they would have fallen victim to it. Assuming this test was done
recently, they would have to get through this prompt:
[http://www.mendoweb.be/blog/wp-content/uploads/2013/04/self-signed-updated.jpg](http://www.mendoweb.be/blog/wp-content/uploads/2013/04/self-signed-updated.jpg)

If this test was done a while ago, they would still have to go through a
similar prompt, though it didn't have the scary red letters back then.

This is pure user ignorance in this case, especially considering this was
supposedly an organization that deals with computer security.

That being said, however, any good organization should be monitoring things
like Java applets accessed by employees, and they should receive alerts upon
events like "EXE or binary type file downloaded by a Java applet" (though this
kind of signature can possibly be bypassed if the pentesters were smart).

I work for a medium-sized company, and we would've caught something like this
fairly quickly, even if the user did get infected. We check a list of all Java
applets loaded by users every 12 hours. And we have various rules in place to
look for malicious applet behavior, in addition to our regular screening.

Disabling Java applets is the safest solution, but unfortunately many
enterprise applications still run as Java applets or JNLPs.
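
The monitoring described in the comment above, as an added example that is not code from the thread or from the pentest it discusses: a small detector run over a constructed proxy log that builds the per-user applet inventory and alerts when the Java plugin itself fetches a native binary, with an assumed allowlist of hosts serving sanctioned enterprise applets and JNLP apps.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: time, client IP, user-agent, URL, response content-type.
SAMPLE_LOG = """\
2013-11-01T09:00:01 10.0.0.5 "Mozilla/5.0" http://greetings.example/card.html text/html
2013-11-01T09:00:02 10.0.0.5 "Java/1.7.0_45" http://greetings.example/card.jar application/java-archive
2013-11-01T09:00:05 10.0.0.5 "Java/1.7.0_45" http://greetings.example/update.exe application/x-msdownload
2013-11-01T09:01:10 10.0.0.7 "Java/1.7.0_45" http://intranet.example/app/client.jar application/java-archive
2013-11-01T09:01:11 10.0.0.7 "Java/1.7.0_45" http://intranet.example/app/data.bin application/octet-stream
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# Content-types and extensions that indicate a native executable payload.
BINARY_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
BINARY_EXTS = (".exe", ".dll", ".scr")
APPLET_EXTS = (".jar", ".class", ".jnlp")

# Hosts serving sanctioned enterprise applets/JNLP apps (assumed placeholder value).
ALLOWLIST = {"intranet.example"}

def parse_log(text):
    """Parse the simplified proxy format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, ua, url, ctype = m.groups()
            events.append({"ts": ts, "client": client, "ua": ua, "url": url,
                           "ctype": ctype.lower(), "host": urlparse(url).hostname})
    return events

def is_java_client(ua):
    # The Java plugin fetches applet resources with its own user-agent, not the browser's.
    return ua.startswith("Java/")

def applet_inventory(events):
    """The periodic 'which applets did each user load' list from the comment."""
    inv = defaultdict(set)
    for e in events:
        if is_java_client(e["ua"]) and e["url"].lower().endswith(APPLET_EXTS):
            inv[e["client"]].add(e["url"])
    return dict(inv)

def find_binary_downloads(events, allowlist=ALLOWLIST):
    """Alert when a Java client fetches a binary from a host outside the allowlist.
    Content-type and extension are attacker-controlled, so this is the cheap
    signature the comment calls bypassable; inspecting the body's magic bytes
    at the proxy is the stronger check."""
    alerts = []
    for e in events:
        if not is_java_client(e["ua"]) or e["host"] in allowlist:
            continue
        if e["ctype"] in BINARY_TYPES or e["url"].lower().endswith(BINARY_EXTS):
            alerts.append((e["ts"], e["client"], e["url"]))
    return alerts
```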

~~~
mindcrime
_but unfortunately many enterprise applications still run as Java applets or
JNLPs._

It's not unfortunate that applets or JNLP are used, it's unfortunate that
Oracle have a pretty spotty track-record with JVM security lately. But applets
and JNLP are actually pretty cool and useful technology, in and of themselves.
I just wish Oracle would get their act together...

------
justinmk
> How do you solve a problem like overly friendly, helpful employees?

> ... training employees to: Question suspicious behavior and report it to the
> human relations department.

> Refrain from sharing work-related details on social networks.

> Not use work devices for personal activities.

This reminds me of something Cory Doctorow[1] said regarding the NSA.
Paraphrasing: the more locked-down an organization becomes, the more
ineffective it becomes. When you can't trust your employees to the point that
it becomes actual institutional _policy_ to _discourage_ information-sharing
(communication), you are guaranteed to be dysfunctional.

There is a parallel, of course, regarding the red tape surrounding procurement
for large government projects in order to mitigate corruption.

Addressing symptoms, not causes, is the theme.

---

[1] correction, Julian Assange: "the more secretive or unjust an organization
is, the more leaks induce fear and paranoia in its leadership and planning
coterie". Which isn't precisely applicable to my comments above, so I guess
that's my own conjecture.

~~~
elsurudo
AFAIK, that was Julian Assange.

~~~
justinmk
I was hoping someone would correct; thank you.

------
verteu
It's interesting that the fake female profile received multiple job offers,
while the male one did not. Doesn't this contradict the popular opinion that
tech giants discriminate against women when hiring?

~~~
mherkender
I doubt it's actual job offers. More like recruiter spam. But even if it was
true, I doubt the enthusiasm towards offering a job to a woman they've never
met and know little to nothing about could be considered positive. Hitting on job
candidates isn't good for women's perception of the tech industry.

But if it was recruiters? I work in tech and get spammed by recruiters all the
time. I don't really think it counts for a lot, since I didn't get any until I
was already in tech.

~~~
verteu
If the male candidate got several job offers and the female got none, would
you consider this evidence of gender discrimination? Bayes' Law says you
cannot rationally hold both beliefs simultaneously.

~~~
mherkender
I am suggesting that it is either evidence of discrimination (men hitting on
women) or evidence of nothing (recruiter spam). I'm not sure what you think
I'm saying.

And it's hard to think in terms of Bayes' Law when this is anecdotal anyway.

------
mattdeboard
Missed a shot at a golden headline: "Fake femme fatale fools feds"

------
smsm42
So the head of IT sec uses unpatched browser, un-updated Java and allows
applets from sites he sees first time in his life? Well, good enough for
government work, I guess.

~~~
magic_haze
I thought that article said they used a zero day jvm bug, but your point
stands: why would you execute something unknown, especially from a greeting
card site? (Then again, it's a honey pot... I'm not sure I would be thinking
straight in that situation either.)

~~~
smsm42
They used zero-days previously, but not this time, according to the article:

> The agency's name was not revealed, but Lakhani said it was a very secure one
> that specializes in offensive cybersecurity and protecting secrets and for
> which they had to use zero-day attacks in previous tests in order to bypass
> its strong defenses.

It implies this time they didn't have to because a Christmas card from a cute
Facebook profile was enough.

Thinking straight should not be required, that's why policies are around. If
the policy is "no Java on work browsers, ever, for any reason" and "updates
are installed same week they are released by vendor", the chance for somebody
opening a Christmas card from a cute girl and getting national security
compromised would be much lower.

------
judk
The real security fail here is letting company devices run java applets.

------
001sky
_Here's how popular Emily Williams proved within just 24 hours of her birth:_

        She had 60 Facebook connections.
        She garnered 55 LinkedIn connections with employees from
        the targeted organization and its contractors.
        She had three job offers from other companies.

The 3x job offers seems a bit rich...wtf

~~~
sb23
A related anecdote: I've got both my long-term jobs because of my feminine
sounding, unusual name. They've decided a female on staff would be a change of
pace, then I guess my interviews were good enough to change their minds.

------
gaius
I like it, proper old-skool James Bond-esque spy antics, none of this modern
NSA nonsense.

~~~
stfu
I have to agree. Sounds actually quite a lot of fun to sit around and think
about outsmarting human behavior. Almost like a professional troll-baiting
service.

~~~
qznc
And then you get to use the $5 wrench. ;)

[http://xkcd.com/538/](http://xkcd.com/538/)

------
dcJoker
For what it's worth, if she duped them, she wasn't a fake femme fatale. She
was a real one.

~~~
jpatokal
Did you read the story? The pen test team created a completely fake female
profile and used it to hack their target.

~~~
nakkiel
I think he was being ironic about the meaning of the French word "fatale":
fatal. Doesn't really matter anyway :)

~~~
gknoy
I suppose it's because the wording is ambiguous, and we must interpret which
precedence on the adjectives is correct:

      (fake (femme fatale))
      vs
      ((fake femme) fatale)  ;; preferred

------
rbanffy
I offer this discussion two movie/TV quotes:

"Silly little planet. Anyone could take over the place with the right set of
mammary glands."

"I always thought the opposable thumb was... overrated"

I don't think much more needs to be said.

~~~
xerophtye
Spot on with the first one! Though i don't get the second's relevance...

------
jloughry
There was a similar story a few years ago (2010). The "Robin Sage" profile was
constructed as a honeypot across a number of social networks. Ultimately, the
problem was the originators couldn't spoof the MIT alumni network:

[http://www.computerworld.com/s/article/9179507/Fake_i_femme_...](http://www.computerworld.com/s/article/9179507/Fake_i_femme_fatale_i_shows_social_network_risks)

[http://en.wikipedia.org/wiki/Robin_Sage](http://en.wikipedia.org/wiki/Robin_Sage)

~~~
RexRollman
That was mentioned in the article.

------
PhasmaFelis
> _People are trusting and want to help others. How do you solve a problem
> like overly friendly, helpful employees?_

Ah, I'm so glad I don't work in security. In the library field, you seldom
hear people say "Our employees are decent human beings. How can we fix this?"
with a straight face.

------
xerophtye
So my take is, the industry is heavily male dominated, and thus that becomes a
vulnerability. So we need to counter this. How do we do this? Get more Hot
chicks recruited!! If there's enough of them to be commonplace, this wouldn't
be a problem right?

------
Paul12345534
Isolate activities in virtual machines. Ideally use something like Qubes OS.
At the very least, fire up Virtualbox. My password safe runs in my Virtualbox
host OS. Nothing else unnecessary runs there. I do my browsing and daily work
in various virtual machines.

~~~
Paul12345534
(Not ideal/feasible for every employee, but if you do have important
access/credentials... at least they aren't getting those by owning your
browser in a throwaway VM)

------
TwoBit
Well that Java exploit wouldn't work on me because I have Java uninstalled and
disabled on all my computers.

That's not to say I am confident I wouldn't screw up in some other way, but
Java should not be on the computers of anybody who cares about security.

------
monksy
That sounds like a duplicate of what Jordan Harbenger did:
[http://www.securitytube.net/video/5825](http://www.securitytube.net/video/5825)

------
jokoon
Yeah, compare a java vulnerability with a sexy chick, that's totally it.

If the trick worked, it was because java had vulnerabilities and because they
were male, so how should it be fixed ?

DUH

------
sp332
10 years' experience at age 28 is maybe unusual but not unheard-of. I'm 27 and I
have 13 years professional programming experience.

~~~
gotrecruit
how do you define "professional programming experience"?

~~~
tzury
I guess, getting paid for a programming job, and doing so vast majority (or
all) of the time can be considered as _professional programming_

~~~
gaius
It would depend on what degree she claimed to have. You could be working
full-time and cruise Psychology or Geography, good luck doing that and Mech Eng.

------
Bulkington
Seriously, I get a kick out of weekend HN. Not that there's anything wrong
with that.

