Govt. Computers Hacked Thanks to Pretty Face

This is how easy it is to hack into government computers. ZDNet reports:

Government agency compromised by fake Facebook hottie

Using social media profiles and a photo of a real (and consenting) woman, two hackers fooled a government employer into believing she was an employee, conning them out of a company laptop, network credentials, and more.

They used “her” Facebook and LinkedIn connections to send out holiday cards linked to an attack site, which the government employees visited, and scammed one employee into sending her a work laptop – as well as network access credentials and more, such as SalesForce logins.

The researchers used the imaginary pretty girl’s poisoned holiday e-cards to gain administrative rights, obtain passwords, install applications and stole documents with sensitive information – some of which, according to the hackers, included information about state-sponsored attacks and country leaders.

Miss Emily Williams – run by puppetmasters security researchers Aamir Lakhani and Joseph Muniz – even convinced a security team executive to click a javascript exploit masquerading as a birthday card, thus compromising his laptop.

Lakhani told an audience at RSA Europe 2013 on Wednesday, October 30, ”This guy had access to everything. He had the crown jewels in the system.” 

Mr. Lakhani presented the team’s research findings at RSA Europe in a talk titled Social Media Deception, the results of his team’s sanctioned 90-day “Emily Williams” penetration test experiment on a US government agency, conducted at the end of 2012.

Lakhani declined to state which U.S. government agency was infiltrated and compromised by the fictitious Miss Williams. He told the RSA audience that his team’s pre-Snowden attack was performed on a very secure agency that specializes in offensive cybersecurity and protecting secrets, one where previously only zero-day attacks had been successful in pentests leveraged against the unnamed agency.

And what did it take to crack this “very secure agency that specializes in offensive cybersecurtiy?” This woman:

 Feel safer yet about The rest here.