There was a comment in the story that I think is misleading - Attractive women can open locked doors in the male-dominated IT industry. Attractive women can do that in any industry, it doesn't need to be male dominated. Men are stupid that way (if we weren't stupid that way birth rates would probably be 1/100th of what they are now), you only need a handful of men to have a good probability of finding at least one who is thinking with more than one brain.
I doubt a pretty girl would have so many employees bending over backward to help her if they were all women. You're kidding yourself if you think a female-dominated industry wouldn't have handled her more appropriately.
I can't comment on how commonplace it is, but having worked in an office with many women there seemed to be a lot of animosity towards the more attractive women from the less attractive women. Could have just been that office.
Another friend who ran a support department told me she refused to hire a quite attractive candidate because she felt that the attractive woman would 'distract the men'. My personal feelings were that she liked being the only woman in the department. To be fair she also refused to hire candidates based on their age. We stopped talking shortly after that conversation.
>>I can't comment on how commonplace it is, but having worked in an office with many women there seemed to be a lot of animosity towards the more attractive women from the less attractive women. Could have just been that office.
Nah, this is incredibly common. It goes even further: if an attractive woman is successful, her entire success will be attributed to her attractiveness, rather than her intelligence or skill. It's a major factor that contributes to the glass ceiling they inevitably hit.
Her? Sure. What if instead of her you put Alain Delon or the next beautiful, skilled, attractive in multiple ways male on the frame. See how women start acting stupidly just to get into his pants... It's human nature.
Instead of bringing the conversation down to a question of pretty-woman-duped-the-gullible-man, which isn't productive for anyone, I'm sure this could have been achieved many other ways, e.g. 'Leaked new Tesla car' or "Cupcakes downstairs now!". The issue at hand is the security failure, not how the person in question was duped.
If you find this topic beneath you, why did you read it? The article is precisely about a specific type of social engineering, which is a worthy topic of interest even if you find it insufficiently cerebral.
I think the point was that _because_ men dominate the computer industry, you will have an easier time targeting IT systems for exploitation with this method.
Forget about attractive women. The focus should be on the fact that in any system or process that needs to be secure, humans are by far the weakest link. The legendary/infamous hacker Kevin Mitnick wrote about his social engineering practices in his book Art of Deception. Everyone here should give it a read.
For an entertaining dramatization of socially engineered IT infiltration (that does include tradecraft by femmes fatales), there is 2003's Battlestar Galactica.
Your assumption does not follow from what I wrote, in fact it is practically the reverse since my point was that any industry is vulnerable.
It isn't just "dorks" who give even marginally attractive women special treatment - there are very few categories of men who don't (primarily gay men). Try this experiment out in real life - any time you see a man helping a female stranger with anything consider if he would do the same for a male stranger. The number of times a straight guy will go out of his way for another man who isn't a friend is practically zero.
Women aren't stupid. They're actually very smart.
The idea that women deliberately take advantage of "dorks" sounds vaguely bitter and misogynistic.
I would hardly call not falling over yourself to help a pretty member of the opposite sex purely because of their attractiveness the same as the targeted psychological games pick up artists use. One is manipulation, the other is having some self respect.
Women are people. Some are very smart, some are stupid, in the same proportions as men. For every male IT worker who's been duped by an attractive woman, there's a female secretary who thinks her boss is really going to leave his wife for her.
I believe this was in reference to the girls duped by guys into giving up sex. Where girls think that now that they have had sex, they are bound together. Like that comment about the secretary hoping for the boss to leave his wife
What does the number of women in science or business have to do with smartness?
Most businesses are pretty stupid, if you think about it - buy cheap sell high, or produce something people need.
As for science, it's mostly tedious research by poor PhD students with professors taking most of the credit. Occasionally there's a breakthrough, a cause for celebration (and hopefully real world application).
In the outlined scenario there is some basement-dwelling-geek tricked into giving away the keys to the castle by some allegedly mega-fit-babe who is outside the company. This is not the only scenario where this can go horribly wrong.
A few years ago I worked at some company where the computers were well and truly locked down. No Facebook, no YouTube, no nothing. If it could not be accessed on Internet Explorer 6 for the strict purposes of getting the job done then you was not having it.
However, a charming young lady in some admin department was able to work her charms on the IT department. Somehow it became imperative that, unique in the company, she was able to access all the tedious sites of the internets. It only took a week or two before her computer was well and truly soiled with viruses, e-coli, everything. She did her own 'social engineering' to wreck her computer, however, someone on the outside, had they known that her computer was the weak one, could have social engineered her to install whatever.
Times have moved on since IE6. Nowadays everyone has a smartphone in their pocket and they can do whatever they need to do on that. We also now know that computers are vulnerable. People understand this, they did not back then (IE6 days).
So maybe it is time for offices where confidential stuff gets done to tighten up the firewalls, block the websites and make the office internet access a bit more locked down, with no need to pander to people who 'need' Facebook access at work. Reasons can be provided as to why this has to be and people can be encouraged to use their gadgets for anything social-network-y.
Agree 100%. In an era where every office worker probably has a smartphone or a tablet, work machines can be locked down for work and work only and no-one's lifestyle needs suffer.
I'd be interested if there are any stories of attractive men working their charms on the HR department, I bet it happens more than anyone suspects.
I read the article as saying that she worked at the secure (target) agency, hence the fake profile was for someone that already worked at the agency. It was just using a photo of the waitress.
So there's some assumption on the part of the employees that she is already employed by the company, and hence she's been vetted somehow. That would also explain the job offers since other companies would want to poach employees.
Though my take away from this is that there are a lot of men that think that niceness at work is a way into a hot girl's pants.
I don't get it. Isn't being nice part of the whole "be awesome" thing? I mean, why are males being discouraged from being nice and helpful? O.o I mean I understand it's extremely wrong to be nice for the sole purpose of getting into someone's pants (and equally wrong for people to take advantage of people for being nice to them), but why discourage being nice as a whole? I thought we all went through HS and college and learned to recognize people who take advantage of our niceness. Just avoid them, and be nice to everyone else.
Do you think in the article that the men in the target agency were just being nice? If that were the case then the fake male profile the security company created would have received as much help, job offers, and other attention as the female, but clearly that was not the case.
Women, especially attractive women, can easily distinguish genuine niceness and this get-in-your-pants niceness, and while they will take advantage of it all (it would be foolish and stupid not to), they will not sleep with such people.
As someone who has worked in the security field the desire to want to help people is still overwhelming. I love PenTests and have had successful ones run on me even when I was vigilant and in the testers faces.
The key reason why I think most confidence penetrations work is because in most cases the "system" doesn't work smoothly enough to not have usability issues. So when you know of credible people who are vetted but are still not "in the system" that becomes an instance of the "system" not working.
Then, inevitably in the few boundary cases where it doesn't work, you get to the point that you know how it will break and will wave over anyone in that specific situation. If someone knows of these specific "breaks" then by definition they will exploit those knowing that it is a common issue.
If however you stick to the "I don't care what you say, you aren't in the system" then you are now "the inflexible security nazi." Security really is an ethos and it takes only a few pinpricks to make it crumble.
If clicking one link leads to your company losing all of its intellectual property, then you have a technology problem. Lazy security "professionals" who can't design good solutions are far too quick to blame users.
Yeah, I don't get this one-click phishing either. Does everybody out there have a 0-day JavaScript exploit, which will happen to run on a Windows XP SP1 machine running Internet Exploder?
I mean, WTF all these security experts running out-of-date machines or the 0days are more than we can count.
This was a zero day in the JVM. It could very well have been a zero day in the browser or the OS, if someone was determined enough. I'm not sure the problem can be solved purely with technology.
>Visitors were prompted to execute a signed Java applet that in turn launched an attack that enabled the team to use privilege escalation exploits and thereby gain administrative rights.
This was purely a social engineering attack. Even if their JVMs were all fully up to date, they would have fallen victim to it. Assuming this test was done recently, they would have to get through this prompt: http://www.mendoweb.be/blog/wp-content/uploads/2013/04/self-...
If this test was done a while ago, they would still have to go through a similar prompt, though it didn't have the scary red letters back then.
This is pure user ignorance in this case, especially considering this was supposedly an organization that deals with computer security.
That being said, however, any good organization should be monitoring things like Java applets accessed by employees, and they should receive alerts upon events like "EXE or binary type file downloaded by a Java applet" (though this kind of signature can possibly be bypassed if the pentesters were smart).
I work for a medium-sized company, and we would've caught something like this fairly quickly, even if the user did get infected. We check a list of all Java applets loaded by users every 12 hours. And we have various rules in place to look for malicious applet behavior, in addition to our regular screening.
Disabling Java applets is the safest solution, but unfortunately many enterprise applications still run as Java applets or JNLPs.
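The kind of monitoring this comment describes (an inventory of Java applets loaded by users, plus an alert when a Java client pulls down an EXE or other binary) can be expressed as a small rule set run over proxy logs. The following is an added example, not code from the original thread or from any product; it assumes a hypothetical space-separated proxy log format and uses constructed sample lines. It also flags the evasion the comment hints at (a binary served under a harmless-looking extension), which a pure extension match would miss.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed sample proxy log lines (assumed format, not from the original page):
#   timestamp client_ip method url status content_type bytes "user_agent"
SAMPLE_LOG = """\
2013-12-01T09:12:03Z 10.0.0.21 GET http://cards.example.test/holiday/card.jnlp 200 application/x-java-jnlp-file 2112 "Mozilla/5.0 (Windows NT 5.1)"
2013-12-01T09:12:05Z 10.0.0.21 GET http://cards.example.test/holiday/Card.jar 200 application/java-archive 48211 "Java/1.7.0_25"
2013-12-01T09:12:09Z 10.0.0.21 GET http://cards.example.test/holiday/update.exe 200 application/x-msdownload 301056 "Java/1.7.0_25"
2013-12-01T09:13:44Z 10.0.0.35 GET http://intranet.example.test/timesheet/app.jar 200 application/java-archive 90112 "Java/1.7.0_45"
2013-12-01T09:14:10Z 10.0.0.21 GET http://cards.example.test/holiday/theme.png 200 application/octet-stream 210944 "Java/1.7.0_25"
2013-12-01T09:15:00Z 10.0.0.40 GET http://vendor.example.test/setup.exe 200 application/x-msdownload 900000 "Mozilla/5.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) (?P<size>\d+) "(?P<ua>[^"]*)"$'
)

# Content types a proxy typically records for native executables / raw binaries.
BINARY_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/octet-stream",
    "application/vnd.microsoft.portable-executable",
}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".msi"}
APPLET_EXTENSIONS = {".jar", ".jnlp"}
APPLET_CONTENT_TYPES = {"application/java-archive", "application/x-java-jnlp-file"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def url_extension(url: str) -> str:
    """Lower-cased extension of the URL path ('' if none)."""
    path = urlparse(url).path
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def is_java_client(user_agent: str) -> bool:
    # The JRE's own HTTP client identifies itself as "Java/<version>".
    return user_agent.startswith("Java/")


def applet_inventory(log_text: str) -> Dict[str, Set[str]]:
    """Per-client set of applet artefacts (.jar / .jnlp) loaded: the periodic review list."""
    seen: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if url_extension(rec["url"]) in APPLET_EXTENSIONS or rec["ctype"].lower() in APPLET_CONTENT_TYPES:
            seen.setdefault(rec["client"], set()).add(rec["url"])
    return seen


def detect_applet_binary_downloads(log_text: str) -> List[dict]:
    """Alert when a Java client (i.e. an applet, not the browser) fetches an executable or raw binary."""
    alerts: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_java_client(rec["ua"]):
            continue
        ext = url_extension(rec["url"])
        by_type = rec["ctype"].lower() in BINARY_CONTENT_TYPES
        by_ext = ext in EXECUTABLE_EXTENSIONS
        if not (by_type or by_ext):
            continue
        reasons = []
        if by_type:
            reasons.append(f"content-type {rec['ctype']}")
        if by_ext:
            reasons.append(f"extension {ext}")
        if by_type and not by_ext:
            # Binary body behind a benign-looking name: the simplest way round an extension-only rule.
            reasons.append("extension/content-type mismatch (possible renamed binary)")
        alerts.append({"ts": rec["ts"], "client": rec["client"], "url": rec["url"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for client, urls in applet_inventory(SAMPLE_LOG).items():
        print(f"{client} loaded applets: {sorted(urls)}")
    for a in detect_applet_binary_downloads(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['client']} {a['url']}: " + "; ".join(a["reasons"]))
```

On the constructed sample the browser's own download of setup.exe is deliberately not alerted: the rule is scoped to the Java client so that it complements, rather than duplicates, ordinary download monitoring. The mismatch reason is the caveat from the comment made concrete: a proxy that only matches on `.exe` would miss the second alert.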
but unfortunately many enterprise applications still run as Java applets or JNLPs.
It's not unfortunate that applets or JNLP are used, it's unfortunate that Oracle have a pretty spotty track-record with JVM security lately. But applets and JNLP are actually pretty cool and useful technology, in and of themselves. I just wish Oracle would get their act together...
> How do you solve a problem like overly friendly, helpful employees?
> ... training employees to: Question suspicious behavior and report it to the human relations department.
> Refrain from sharing work-related details on social networks.
> Not use work devices for personal activities.
This reminds me of something Cory Doctorow[1] said regarding the NSA. Paraphrasing: the more locked-down an organization becomes, the more ineffective it becomes. When you can't trust your employees to the point that it becomes actual institutional policy to discourage information-sharing (communication), you are guaranteed to be dysfunctional.
There is a parallel, of course, regarding the red tape surrounding procurement for large government projects in order to mitigate corruption.
Addressing symptoms, not causes, is the theme.
---
[1] correction, Julian Assange: "the more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie". Which isn't precisely applicable to my comments above, so I guess that's my own conjecture.
It's interesting that the fake female profile received multiple job offers, while the male one did not. Doesn't this contradict the popular opinion that tech giants discriminate against women when hiring?
It does. Popular opinion is wrong. Only feminists believe that stuff, and their propaganda is everywhere, so a lot of normal people end up believing it too because the other side completely lacks political clout.
Women are vastly more attractive applicants than men, due to sex based discrimination policies, higher college graduation rates, gender roles for men that demand they treat women better than men, and also just general curiosity garnered by an atypical applicant. Women stand out from the crowd in IT because there are so few of them. As a result, it's far easier to be noticed.
I doubt it's actual job offers. More like recruiter spam. But even if it was true, I doubt the enthusiasm towards offering a job to a woman they've never met and know little to nothing about could be considered positive. Hitting on job candidates isn't good for women's perception of the tech industry.
But if it was recruiters? I work in tech and get spammed by recruiters all the time. I don't really think it counts for a lot, since I didn't get any until I was already in tech.
If the male candidate got several job offers and the female got none, would you consider this evidence of gender discrimination? Bayes' Law says you cannot rationally hold both beliefs simultaneously.
I am suggesting that it is either evidence of discrimination (men hitting on women) or evidence of nothing (recruiter spam). I'm not sure what you think I'm saying.
And it's hard to think in terms of Bayes' Law when this is anecdotal anyway.
I think there are quite a lot of studies showing that discrimination is indeed occurring. But if I allow myself to speculate, maybe that is for the average man vs the average woman. This was presumably a highly attractive woman.
So the head of IT sec uses unpatched browser, un-updated Java and allows applets from sites he sees first time in his life? Well, good enough for government work, I guess.
I thought that article said they used a zero day jvm bug, but your point stands: why would you execute something unknown, especially from a greeting card site? (Then again, it's a honey pot... I'm not sure I would be thinking straight in that situation either.)
They used zero-days previously, but not this time, according to the article:
The agency's name was not revealed, but Lakhani said it was a very secure one that specializes in offensive cybersecurity and protecting secrets and for which they had to use zero-day attacks in previous tests in order to bypass its strong defenses.
It implies this time they didn't have to because a Christmas card from a cute Facebook profile was enough.
Thinking straight should not be required, that's why policies are around. If the policy is "no Java on work browsers, ever, for any reason" and "updates are installed same week they are released by vendor", the chance for somebody opening Christmas card from cute girl and getting national security compromised would be much lower.
Here's how popular Emily Williams proved within just 24 hours of her birth:
She had 60 Facebook connections.
She garnered 55 LinkedIn connections with employees from the targeted organization and its contractors.
She had three job offers from other companies.
A related anecdote: I've got both my long-term jobs because of my feminine sounding, unusual name. They've decided a female on staff would be a change of pace, then I guess my interviews were good enough to change their minds.
I just hope they keep an eye on the Games Workshop stores in Cheltenham and the ones near the NSA in Maryland, just in case Natasha with the large "Sisters of Battle army" is not who she seems :-)
I have to agree. Sounds actually quite a lot of fun to sit around and think about outsmarting human behavior. Almost like a professional troll-baiting service.
There was a similar story a few years ago (2010). The "Robin Sage" profile was constructed as a honeypot across a number of social networks. Ultimately, the problem was the originators couldn't spoof the MIT alumni network:
> People are trusting and want to help others. How do you solve a problem like overly friendly, helpful employees?
Ah, I'm so glad I don't work in security. In the library field, you seldom hear people say "Our employees are decent human beings. How can we fix this?" with a straight face.
So my take is, the industry is heavily male dominated, and thus that becomes a vulnerability. So we need to counter this. How do we do this? Get more Hot chicks recruited!! If there's enough of them to be commonplace, this wouldn't be a problem right?
Isolate activities in virtual machines. Ideally use something like Qubes OS. At the very least, fire up Virtualbox. My password safe runs in my Virtualbox host OS. Nothing else unnecessary runs there. I do my browsing and daily work in various virtual machines.
(Not ideal/feasible for every employee, but if you do have important access/credentials... at least they aren't getting those by owning your browser in a throwaway VM)
Getting paid :) Especially for a full-time position with the job title "Software Engineer". I am fudging a bit on the time though, since in high school I was mostly doing troubleshooting IT crap and only got large software projects in the summers.
It would depend on what degree she claimed to have. You could be working full-time and cruise Psychology or Geography, good luck doing that and Mech Eng.