from Hacker News

Fake femme fatale dupes IT guys at US government agency

by timw6n on 11/3/13, 7:23 PM with 92 comments

  • by Amadou on 11/3/13, 9:10 PM

    There was a comment in the story that I think is misleading: "Attractive women can open locked doors in the male-dominated IT industry." Attractive women can do that in any industry; it doesn't need to be male-dominated. Men are stupid that way (if we weren't stupid that way, birth rates would probably be 1/100th of what they are now); you only need a handful of men to have a good probability of finding at least one who is thinking with more than one brain.
  • by Theodores on 11/3/13, 9:18 PM

    In the outlined scenario there is some basement-dwelling geek tricked into giving away the keys to the castle by some allegedly mega-fit babe who is outside the company. This is not the only scenario where this can go horribly wrong.

    A few years ago I worked at some company where the computers were well and truly locked down. No Facebook, no YouTube, no nothing. If it could not be accessed in Internet Explorer 6 for the strict purposes of getting the job done, then you were not having it.

    However, a charming young lady in some admin department was able to work her charms on the IT department. Somehow it became imperative that, uniquely in the company, she was able to access all the tedious sites of the internets. It only took a week or two before her computer was well and truly soiled with viruses, E. coli, everything. She did her own 'social engineering' to wreck her computer; however, someone on the outside, had they known that her computer was the weak one, could have social-engineered her into installing whatever.

    Times have moved on since IE6. Nowadays everyone has a smartphone in their pocket and they can do whatever they need to do on that. We also now know that computers are vulnerable. People understand this; they did not back then (IE6 days).

    So maybe it is time for offices where confidential stuff gets done to tighten up the firewalls, block the websites and make the office internet access a bit more locked down, with no need to pander to people who 'need' Facebook access at work. Reasons can be provided as to why this has to be and people can be encouraged to use their gadgets for anything social-network-y.

  • by AndrewKemendo on 11/4/13, 5:09 AM

    As someone who has worked in the security field, the desire to want to help people is still overwhelming. I love pentests and have had successful ones run on me even when I was vigilant and in the testers' faces.

    The key reason why I think most confidence penetrations work is because in most cases the "system" doesn't work smoothly enough to not have usability issues. So when you know of credible people who are vetted but are still not "in the system" that becomes an instance of the "system" not working.

    Then, inevitably, in the few boundary cases where it doesn't work, you get to the point that you know how it will break and will wave over anyone in that specific situation. If someone knows of these specific "breaks" then by definition they will exploit those, knowing that it is a common issue.

    If however you stick to the "I don't care what you say, you aren't in the system" then you are now "the inflexible security nazi." Security really is an ethos and it takes only a few pinpricks to make it crumble.

  • by dguido on 11/3/13, 8:46 PM

    If clicking one link leads to your company losing all of its intellectual property, then you have a technology problem. Lazy security "professionals" who can't design good solutions are far too quick to blame users.
  • by justinmk on 11/3/13, 11:31 PM

    > How do you solve a problem like overly friendly, helpful employees?

    > ... training employees to: Question suspicious behavior and report it to the human relations department.

    > Refrain from sharing work-related details on social networks.

    > Not use work devices for personal activities.

    This reminds me of something Cory Doctorow[1] said regarding the NSA. Paraphrasing: the more locked-down an organization becomes, the more ineffective it becomes. When you can't trust your employees to the point that it becomes actual institutional policy to discourage information-sharing (communication), you are guaranteed to be dysfunctional.

    There is a parallel, of course, regarding the red tape surrounding procurement for large government projects in order to mitigate corruption.

    Addressing symptoms, not causes, is the theme.

    ---

    [1] correction, Julian Assange: "the more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie". Which isn't precisely applicable to my comments above, so I guess that's my own conjecture.

  • by verteu on 11/3/13, 11:45 PM

    It's interesting that the fake female profile received multiple job offers, while the male one did not. Doesn't this contradict the popular opinion that tech giants discriminate against women when hiring?
  • by mattdeboard on 11/3/13, 11:57 PM

    Missed a shot at a golden headline: "Fake femme fatale fools feds"
  • by smsm42 on 11/3/13, 8:33 PM

    So the head of IT sec uses unpatched browser, un-updated Java and allows applets from sites he sees first time in his life? Well, good enough for government work, I guess.
  • by judk on 11/3/13, 8:18 PM

    The real security fail here is letting company devices run java applets.
  • by 001sky on 11/3/13, 11:00 PM

    Here's how popular Emily Williams proved within just 24 hours of her birth:

        She had 60 Facebook connections.
        She garnered 55 LinkedIn connections with employees from the targeted organization and its contractors.
        She had three job offers from other companies.

    The 3x job offers seems a bit rich...wtf

  • by gaius on 11/3/13, 8:49 PM

    I like it, proper old-skool James Bond-esque spy antics, none of this modern NSA nonsense.
  • by dcJoker on 11/3/13, 9:56 PM

    For what it's worth, if she duped them, she wasn't a fake femme fatale. She was a real one.
  • by rbanffy on 11/3/13, 11:40 PM

    I offer this discussion two movie/TV quotes:

    "Silly little planet. Anyone could take over the place with the right set of mammary glands."

    "I always thought the opposable thumb was... overrated"

    I don't think much more needs to be said.

  • by jloughry on 11/3/13, 9:27 PM

    There was a similar story a few years ago (2010). The "Robin Sage" profile was constructed as a honeypot across a number of social networks. Ultimately, the problem was the originators couldn't spoof the MIT alumni network:

    http://www.computerworld.com/s/article/9179507/Fake_i_femme_...

    http://en.wikipedia.org/wiki/Robin_Sage

  • by PhasmaFelis on 11/4/13, 5:54 AM

    > People are trusting and want to help others. How do you solve a problem like overly friendly, helpful employees?

    Ah, I'm so glad I don't work in security. In the library field, you seldom hear people say "Our employees are decent human beings. How can we fix this?" with a straight face.

  • by xerophtye on 11/4/13, 6:11 AM

    So my take is, the industry is heavily male-dominated, and thus that becomes a vulnerability. So we need to counter this. How do we do this? Get more hot chicks recruited!! If there's enough of them to be commonplace, this wouldn't be a problem, right?
  • by Paul12345534 on 11/4/13, 1:47 AM

    Isolate activities in virtual machines. Ideally use something like Qubes OS. At the very least, fire up VirtualBox. My password safe runs in my VirtualBox host OS. Nothing else unnecessary runs there. I do my browsing and daily work in various virtual machines.
  • by TwoBit on 11/4/13, 6:36 AM

    Well that Java exploit wouldn't work on me because I have Java uninstalled and disabled on all my computers.

    That's not to say I am confident I wouldn't screw up in some other way, but Java should not be on the computers of anybody who cares about security.

  • by monksy on 11/4/13, 11:39 AM

    That sounds like a duplicate of what Jordan Harbinger did: http://www.securitytube.net/video/5825
  • by jokoon on 11/4/13, 1:00 AM

    Yeah, compare a Java vulnerability with a sexy chick, that's totally it.

    If the trick worked, it was because Java had vulnerabilities and because they were male, so how should it be fixed?

    DUH

  • by sp332 on 11/4/13, 3:40 AM

    10 years' experience at age 28 is maybe unusual but not unheard of. I'm 27 and I have 13 years of professional programming experience.
  • by Bulkington on 11/4/13, 4:42 AM

    Seriously, I get a kick out of weekend HN. Not that there's anything wrong with that.