Everybody loved Emily Williams. She was an intelligent, attractive, sexy, young woman. She was a new employee at a government agency and just needed a little help adjusting to her new role. To get this help, she used Facebook and LinkedIn to build connections. She was very successful. In 15 hours, she had 60 friends on Facebook and 55 on LinkedIn. Within a day, she had 3 job offers from competing companies. Life looked good for Emily. Soon, she received endorsements for her abilities on LinkedIn, even though she had just begun her career. Men at higher levels within the agency volunteered to help her. They got her a new laptop and managed to arrange a higher level of network access. It was nice that she was with an agency that had so many men willing to give her a hand. To show her thanks, Emily posted a link to a special Christmas card she had created for them. It was the least she could do for all that she had received from her friends.
It’s a nice story with just one hitch. Emily Williams never existed. She was created by two hackers participating in a penetration test (pentest) to see how far they could compromise a government agency whose employees had a “high level of cybersecurity awareness”. In the end, Emily got more than just a new laptop. The Christmas card link sent her friends to a site she controlled, and that visit got her access to the agency’s network. Once there, she could steal passwords and sensitive documents and install applications. Those documents could have compromised the security of the US. But it didn’t stop there. Contractors for the agency were also among Emily’s friends, and they too went to collect their Christmas card from her. Some of these were employees of an antivirus company, and one even had access to the agency’s source code. In other words, the contractors’ sites could then have been compromised and used to attack the agency or other companies and agencies. In the end, the hackers behind Emily gained access to the computer of one of the agency’s top executives and, thus, to the most important information of all, what hackers sometimes refer to as “the crown jewels”.
After the success of this attack became well known, the hackers were asked to test banks, credit card companies, healthcare organizations, and other firms. The attacks always had the same result: security collapsed. But what really was the vulnerability?
In my last post, I presented the idea of something I called salmon phishing. These were email attacks that targeted a person’s basic human drives, such as the drive for sex, romance, power, and greed. Such attacks are able to bypass the email reader’s normal logic and, thereby, take control of the reader’s brain. I predicted that a well-formed attack based on this principle would be highly effective. When I reviewed the Emily Williams exploit, it seemed clear to me that the success was triggered by the basic appeal of Emily herself. I doubted very much that an old, unattractive male would get similar attention. I then learned that “the majority of individuals who went out of their way to help Emily Williams were men. The team actually tried a similar test in parallel with a fake male social media profile and got no useful connections.” (PC World article)

I have since contacted one of the hackers, Aamir Lakhani, to confirm whether most of the people who befriended Emily were male. He seemed to think that it was about 50-50 but was unsure of the exact numbers. If this is true, then it is possible that women are hooked by the idea of helping someone in need, a salmon phishing angle I had not previously considered. Aamir Lakhani puts the high success rate down to social engineering. “Every time we include social engineering in our penetration tests we have a hundred percent success rate,” he said. “Every time we do social engineering, we get into the systems.” Yes, I have no doubt that a well-designed attack will be most effective; however, at the base of this test you need the initial hook. It seems quite clear to me that the hook, in this case, had two barbs: an attractive young woman who needed help. Once hooked, the social engineering will land the salmon.
Look at the logic that was bypassed. These were all IT savvy professionals. They should have known better. As I’ve written previously, men are biological robots. Was their ultimate goal really philanthropic or did they have something more biological in mind? If they were only interested in being helpful, why did Emily receive so many dinner invitations? I wonder if grilled salmon was on the menu. But there were other warning signs that had been overlooked. Just two years before, a fake profile of a woman named Robin Sage showed how flimsy government security really was.
“Among Robin’s social networking accomplishments: She scored connections with people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the U.S. Marines, a chief of staff for the U.S. House of Representatives, and several Pentagon and DoD employees. The profiles also attracted defense contractors, such as Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton.” When one security expert became suspicious and asked his friends if they actually knew who she was, “the responses I got back were along the lines of ‘No, but she’s attractive’.”
And, perhaps not surprisingly, some of the defense contractors offered to take her to dinner to discuss “employment opportunities”. Yeah, I bet.
In other posts, I’ve mentioned the danger of spear phishing attacks. They work, but they are labor intensive, requiring a good deal of research to spear the targeted person. Salmon phishing depends only on designing a realistic and attractive lure that can appeal to a large number of potential victims. Once a victim is hooked, it can be played and landed using a variety of techniques.
This all reminded me of when I used to fish for salmon in the rivers of Oregon. All of us fishing there knew that salmon don’t feed when they are going up river to spawn. They only strike a lure or bait by instinct. I think you get the picture.
A note to government agencies: It is abundantly clear from the information above that government agencies are just as susceptible to cyber attacks as any other enterprise. As many others have pointed out, it is not a matter of if you will be attacked, but when. The one difference here is what is at stake. It is not just about identity theft but about the country’s security. A poorly secured agency could endanger lives. For all these agencies, it is time to look towards a paradigm shift in security from software-based to hardware-based protection. You need a system that does not allow employee behavior to compromise your agency’s “crown jewels”. Only the InZero System’s hardware-separated security offers this protection. It’s well worth a look.