THE ART OF DECEPTION
Controlling the Human Element of Security
KEVIN D. MITNICK
& William L. Simon
Foreword by Steve Wozniak
For Reba Vartanian, Shelly Jaffe, Chickie Leventhal, and Mitchell
Mitnick, and for the late Alan Mitnick, Adam Mitnick,
and Jack Biello
For Arynne, Victoria, and David, Sheldon,Vincent, and Elena.
Social Engineering
Social Engineering uses influence and persuasion to deceive people
by convincing them that the social engineer is someone he is not,
or by manipulation. As a result, the social engineer is able to take
advantage of people to obtain information with or without the use of
technology.
Contents
Foreword
Preface
Introduction
Part 1 Behind the Scenes
Chapter 1 Security's Weakest Link
Part 2 The Art of the Attacker
Chapter 2 When Innocuous Information Isn't
Chapter 3 The Direct Attack: Just Asking for it
Chapter 4 Building Trust
Chapter 5 "Let Me Help You"
Chapter 6 "Can You Help Me?"
Chapter 7 Phony Sites and Dangerous Attachments
Chapter 8 Using Sympathy, Guilt and Intimidation
Chapter 9 The Reverse Sting
Part 3 Intruder Alert
Chapter 10 Entering the Premises
Chapter 11 Combining Technology and Social Engineering
Chapter 12 Attacks on the Entry-Level Employee
Chapter 13 Clever Cons
Chapter 14 Industrial Espionage
Part 4 Raising the Bar
Chapter 15 Information Security Awareness and Training
Chapter 16 Recommended Corporate Information Security Policies
Security at a Glance
Sources
Acknowledgments
Foreword
We humans are born with an inner drive to explore the nature
of our surroundings. As young men, both Kevin Mitnick and
I were intensely curious about the world and eager to prove
ourselves. We were rewarded often in our attempts to learn new things,
solve puzzles, and win at games. But at the same time, the world around
us taught us rules of behavior that constrained our inner urge toward free
exploration. For our boldest scientists and technological entrepreneurs, as
well as for people like Kevin Mitnick, following this inner urge offers the
greatest thrills, letting us accomplish things that others believe cannot be
done.
Kevin Mitnick is one of the finest people I know. Ask him, and he will
say forthrightly that what he used to do - social engineering - involves
conning people. But Kevin is no longer a social engineer. And even when
he was, his motive never was to enrich himself or damage others. That's
not to say that there aren't dangerous and destructive criminals out there
who use social engineering to cause real harm. In fact, that's exactly why
Kevin wrote this book - to warn you about them.
The Art of Deception shows how vulnerable we all are - government,
business, and each of us personally - to the intrusions of the social
engineer. In this security-conscious era, we spend huge sums on technology
to protect our computer networks and data. This book points out how easy
it is to trick insiders and circumvent all this technological protection.
Whether you work in business or government, this book provides a
powerful road map to help you understand how social engineers work and
what you can do to foil them. Using fictionalized stories that are both
entertaining and eye-opening, Kevin and co-author Bill Simon bring to life
the techniques of the social engineering underworld. After each story,
they offer practical guidelines to help you guard against the breaches and
threats they've described.
Technological security leaves major gaps that people like Kevin can help
us close. Read this book and you may finally realize that we all need to
turn to the Mitnicks among us for guidance.
-Steve Wozniak
PREFACE
Some hackers destroy people's files or entire hard drives; they're called
crackers or vandals. Some novice hackers don't bother learning the
technology, but simply download hacker tools to break into computer
systems; they're called script kiddies. More experienced hackers with
programming skills develop hacker programs and post them to the Web
and to bulletin board systems. And then there are individuals who have no
interest in the technology, but use the computer merely as a tool to aid
them in stealing money, goods, or services.
Despite the media-created myth of Kevin Mitnick, I am not a malicious
hacker.
But I'm getting ahead of myself.
STARTING OUT
My path was probably set early in life. I was a happy-go-lucky kid, but
bored. After my father split when I was three, my mother worked as a
waitress to support us. To see me then - an only child being raised by a
mother who put in long, harried days on a sometimes-erratic schedule -
would have been to see a youngster on his own almost all his waking
hours. I was my own babysitter.
Growing up in a San Fernando Valley community gave me the whole of
Los Angeles to explore, and by the age of twelve I had discovered a way
to travel free throughout the whole greater L.A. area. I realized one day
while riding the bus that the security of the bus transfer I had purchased
relied on the unusual pattern of the paper punch that the drivers used to
mark day, time, and route on the transfer slips. A friendly driver,
answering my carefully planted question, told me where to buy that
special type of punch.
The transfers are meant to let you change buses and continue a journey to
your destination, but I worked out how to use them to travel anywhere I
wanted to go for free. Obtaining blank transfers was a walk in the park.
The trash bins at the bus terminals were always filled with only-partly
used books of transfers that the drivers tossed away at the end of the
shifts. With a pad of blanks and the punch, I could mark my own transfers
and travel anywhere that L.A. buses went. Before long, I had all but
memorized the bus schedules of the entire system. (This was an early
example of my surprising memory for certain types of information; I can
still, today, remember phone numbers, passwords, and other seemingly
trivial details as far back as my childhood.)
Another personal interest that surfaced at an early age was my fascination
with performing magic. Once I learned how a new trick worked, I would
practice, practice, and practice some more until I mastered it. To an
extent, it was through magic that I discovered the enjoyment in gaining
secret knowledge.
From Phone Phreak to Hacker
My first encounter with what I would eventually learn to call social
engineering came about during my high school years when I met another
student who was caught up in a hobby called phone phreaking. Phone
phreaking is a type of hacking that allows you to explore the telephone
network by exploiting the phone systems and phone company employees.
He showed me neat tricks he could do with a telephone, like obtaining any
information the phone company had on any customer, and using a secret
test number to make long-distance calls for free. (Actually it was free only
to us. I found out much later that it wasn't a secret test number at all. The
calls were, in fact, being billed to some poor company's MCI account.)
That was my introduction to social engineering - my kindergarten, so to
speak. My friend and another phone phreaker I met shortly thereafter let
me listen in as they each made pretext calls to the phone company. I heard
the things they said that made them sound believable; I learned about
different phone company offices, lingo, and procedures. But that
"training" didn't last long; it didn't have to. Soon I was doing it all on my
own, learning as I went, doing it even better than my first teachers.
The course my life would follow for the next fifteen years had been set. In
high school, one of my all-time favorite pranks was gaining unauthorized
access to the telephone switch and changing the class of service of a
fellow phone phreak. When he'd attempt to make a call from home, he'd
get a message telling him to deposit a dime because the telephone
company switch had received input that indicated he was calling from a
pay phone.
I became absorbed in everything about telephones, not only the
electronics, switches, and computers, but also the corporate organization,
the procedures, and the terminology. After a while, I probably knew more
about the phone system than any single employee. And I had developed
my social engineering skills to the point that, at seventeen years old, I was
able to talk most telco employees into almost anything, whether I was
speaking with them in person or by telephone.
My much-publicized hacking career actually started when I was in high
school. While I cannot describe the detail here, suffice it to say that one of
the driving forces in my early hacks was to be accepted by the guys in the
hacker group.
Back then we used the term hacker to mean a person who spent a great
deal of time tinkering with hardware and software, either to develop more
efficient programs or to bypass unnecessary steps and get the job done
more quickly. The term has now become a pejorative, carrying the
meaning of "malicious criminal." In these pages I use the term the way I
have always used it - in its earlier, more benign sense.
After high school I studied computers at the Computer Learning Center in
Los Angeles. Within a few months, the school's computer manager
realized I had found a vulnerability in the operating system and gained full
administrative privileges on their IBM minicomputer. The best computer
experts on their teaching staff couldn't figure out how I had done this. In
what may have been one of the earliest examples of "hire the hacker," I
was given an offer I couldn't refuse: Do an honors project to enhance the
school's computer security, or face suspension for hacking the system. Of
course, I chose to do the honors project, and ended up graduating cum
laude with honors.
Becoming a Social Engineer
Some people get out of bed each morning dreading their daily work
routine at the proverbial salt mines. I've been lucky enough to enjoy my
work. In particular, you can't imagine the challenge, reward, and pleasure I
had during the time I spent as a private investigator. I was honing my talents in
the performance art called social engineering (getting people to do things
they wouldn't ordinarily do for a stranger) and being paid for it.
For me it wasn't difficult becoming proficient in social engineering. My
father's side of the family had been in the sales field for generations, so
the art of influence and persuasion might have been an inherited trait.
When you combine that trait with an inclination for deceiving people, you
have the profile of a typical social engineer.
You might say there are two specialties within the job classification of
con artist. Somebody who swindles and cheats people out of their money
belongs to one sub-specialty, the grifter. Somebody who uses deception,
influence, and persuasion against businesses, usually targeting their
information, belongs to the other sub-specialty, the social engineer. From
the time of my bus-transfer trick, when I was too young to know there
was anything wrong with what I was doing, I had begun to recognize a
talent for finding out the secrets I wasn't supposed to have. I built on that
talent by using deception, knowing the lingo, and developing a well-honed
skill of manipulation.
One way I worked on developing the skills of my craft, if I may call it a
craft, was to pick out some piece of information I didn't really care about
and see if I could talk somebody on the other end of the phone into
providing it, just to improve my skills. In the same way I used to practice
my magic tricks, I practiced pretexting. Through these rehearsals, I soon
found that I could acquire virtually any information I targeted.
As I described in Congressional testimony before Senators Lieberman and
Thompson years later:
I have gained unauthorized access to computer systems at some of the
largest corporations on the planet, and have successfully penetrated some
of the most resilient computer systems ever developed. I have used both
technical and non-technical means to obtain the source code to various
operating systems and telecommunications devices to study their
vulnerabilities and their inner workings.
All of this activity was really to satisfy my own curiosity; to see what I
could do; and find out secret information about operating systems, cell
phones, and anything else that stirred my curiosity.
FINAL THOUGHTS
I've acknowledged since my arrest that the actions I took were illegal, and
that I committed invasions of privacy.
My misdeeds were motivated by curiosity. I wanted to know as much as I
could about how phone networks worked and the ins-and-outs of
computer security. I went from being a kid who loved to perform magic
tricks to becoming the world's most notorious hacker, feared by
corporations and the government. As I reflect back on my life for the last
30 years, I admit I made some extremely poor decisions, driven by my
curiosity, the desire to learn about technology, and the need for a good
intellectual challenge.
I'm a changed person now. I'm turning my talents and the extensive
knowledge I've gathered about information security and social
engineering tactics to helping government, businesses, and individuals
prevent, detect, and respond to information-security threats.
This book is one more way that I can use my experience to help others
avoid the efforts of the malicious information thieves of the world. I think
you will find the stories enjoyable, eye-opening, and educational.
Introduction
This book contains a wealth of information about information security and
social engineering. To help you find your way, here's a quick look at how
this book is organized:
In Part 1 I'll reveal security's weakest link and show you why you and
your company are at risk from social engineering attacks.
In Part 2 you'll see how social engineers toy with your trust, your desire to
be helpful, your sympathy, and your human gullibility to get what they
want. Fictional stories of typical attacks will demonstrate that social
engineers can wear many hats and many faces. If you think you've never
encountered one, you're probably wrong. Will you recognize a scenario
you've experienced in these stories and wonder if you had a brush with
social engineering? You very well might. But once you've read Chapters 2
through 9, you'll know how to get the upper hand when the next social
engineer comes calling.
Part 3 is the part of the book where you see how the social engineer ups
the ante, in made-up stories that show how he can step onto your
corporate premises, steal the kind of secret that can make or break your
company, and thwart your hi-tech security measures. The scenarios in this
section will make you aware of threats that range from simple employee
revenge to cyber terrorism. If you value the information that keeps your
business running and the privacy of your data, you'll want to read
Chapters 10 through 14 from beginning to end.
It's important to note that unless otherwise stated, the anecdotes in this
book are purely fictional.
In Part 4 I talk the corporate talk about how to prevent successful social
engineering attacks on your organization. Chapter 15 provides a blueprint
for a successful security-training program. And Chapter 16 might just
save your neck - it's a complete security policy you can customize for
your organization and implement right away to keep your company and
information safe.
Finally, I've provided a Security at a Glance section, which includes
checklists, tables, and charts that summarize key information you can use
to help your employees foil a social engineering attack on the job. These
tools also provide valuable information you can use in devising your own
security-training program.
Throughout the book you'll also find several useful elements: Lingo boxes
provide definitions of social engineering and computer hacker
terminology; Mitnick Messages offer brief words of wisdom to help
strengthen your security strategy; and notes and sidebars give interesting
background or additional information.
Part 1
Behind The Scenes
Chapter 1
Security's Weakest Link
A company may have purchased the best security technologies that money
can buy, trained their people so well that they lock up all their secrets
before going home at night, and hired building guards from the best
security firm in the business.
That company is still totally vulnerable.
Individuals may follow every best-security practice recommended by the
experts, slavishly install every recommended security product, and be
thoroughly vigilant about proper system configuration and applying
security patches.
Those individuals are still completely vulnerable.
THE HUMAN FACTOR
Testifying before Congress not long ago, I explained that I could often get
passwords and other pieces of sensitive information from companies by
pretending to be someone else and just asking for it.
It's natural to yearn for a feeling of absolute safety, leading many people
to settle for a false sense of security. Consider the responsible and loving
homeowner who has a Medico, a tumbler lock known as being pickproof,
installed in his front door to protect his wife, his children, and his home.
He's now comfortable that he has made his family much safer against
intruders. But what about the intruder who breaks a window, or cracks the
code to the garage door opener? How about installing a robust security
system? Better, but still no guarantee. Expensive locks or no, the
homeowner remains vulnerable.
Why? Because the human factor is truly security's weakest link.
Security is too often merely an illusion, an illusion sometimes made even
worse when gullibility, naivete, or ignorance come into play. The world's
most respected scientist of the twentieth century, Albert Einstein, is
quoted as saying, "Only two things are infinite, the universe and human
stupidity, and I'm not sure about the former." In the end, social
engineering attacks can succeed when people are stupid or, more
commonly, simply ignorant about good security practices. With the same
attitude as our security-conscious homeowner, many information
technology (IT) professionals hold to the misconception that they've made
their companies largely immune to attack because they've deployed
standard security products - firewalls, intrusion detection systems, or
stronger authentication devices such as time-based tokens or biometric
smart cards. Anyone who thinks that security products alone offer true
security is settling for the illusion of security. It's a case of living in a
world of fantasy: They will inevitably, later if not sooner, suffer a security
incident.
As noted security consultant Bruce Schneier puts it, "Security is not a
product, it's a process." Moreover, security is not a technology problem -
it's a people and management problem.
As developers invent continually better security technologies, making it
increasingly difficult to exploit technical vulnerabilities, attackers will
turn more and more to exploiting the human element. Cracking the human
firewall is often easy, requires no investment beyond the cost of a phone
call, and involves minimal risk.
A CLASSIC CASE OF DECEPTION
What's the greatest threat to the security of your business assets? That's
easy: the social engineer--an unscrupulous magician who has you
watching his left hand while with his right he steals your secrets. This
character is often so friendly, glib, and obliging that you're grateful for
having encountered him.
Take a look at an example of social engineering. Not many people today
still remember the young man named Stanley Mark Rifkin and his little
adventure with the now defunct Security Pacific National Bank in Los
Angeles. Accounts of his escapade vary, and Rifkin (like me) has never
told his own story, so the following is based on published reports.
Code Breaking
One day in 1978, Rifkin moseyed over to Security Pacific's
authorized-personnel-only wire-transfer room, where the staff sent and received
transfers totaling several billion dollars every day.
He was working for a company under contract to develop a backup
system for the wire room's data in case their main computer ever went
down. That role gave him access to the transfer procedures, including how
bank officials arranged for a transfer to be sent. He had learned that bank
officers who were authorized to order wire transfers would be given a
closely guarded daily code each morning to use when calling the wire
room.
In the wire room the clerks saved themselves the trouble of trying to
memorize each day's code: They wrote down the code on a slip of paper
and posted it where they could see it easily. This particular November day
Rifkin had a specific reason for his visit. He wanted to get a glance at that
paper.
Arriving in the wire room, he took some notes on operating procedures,
supposedly to make sure the backup system would mesh properly with the
regular systems. Meanwhile, he surreptitiously read the security code
from the posted slip of paper, and memorized it. A few minutes later he
walked out. As he said afterward, he felt as if he had just won the lottery.
There's This Swiss Bank Account...
Leaving the room at about 3 o'clock in the afternoon, he headed straight
for the pay phone in the building's marble lobby, where he deposited a
coin and dialed into the wire-transfer room. He then changed hats,
transforming himself from Stanley Rifkin, bank consultant, into Mike
Hansen, a member of the bank's International Department.
According to one source, the conversation went something like this:
"Hi, this is Mike Hansen in International," he said to the young woman
who answered the phone.
She asked for the office number. That was standard procedure, and he was
prepared: "286," he said.
The girl then asked, "Okay, what's the code?"
Rifkin has said that his adrenaline-powered heartbeat "picked up its pace"
at this point. He responded smoothly, "4789." Then he went on to give
instructions for wiring "Ten million, two-hundred thousand dollars
exactly" to the Irving Trust Company in New York, for credit of the
Wozchod Handels Bank of Zurich, Switzerland, where he had already
established an account.
The girl then said, "Okay, I got that. And now I need the interoffice
settlement number."
Rifkin broke out in a sweat; this was a question he hadn't anticipated,
something that had slipped through the cracks in his research. But he
managed to stay in character, acted as if everything was fine, and on the
spot answered without missing a beat, "Let me check; I'll call you right
back." He changed hats once again to call another department at the bank,
this time claiming to be an employee in the wire-transfer room. He
obtained the settlement number and called the girl back.
She took the number and said, "Thanks." (Under the circumstances, her
thanking him has to be considered highly ironic.)
Achieving Closure
A few days later Rifkin flew to Switzerland, picked up his cash, and
handed over $8 million to a Russian agency for a pile of diamonds. He
flew back, passing through U.S. Customs with the stones hidden in a
money belt. He had pulled off the biggest bank heist in history--and done
it without using a gun, even without a computer. Oddly, his caper
eventually made it into the pages of the Guinness Book of World Records
in the category of "biggest computer fraud."
Stanley Rifkin had used the art of deception--the skills and techniques that
are today called social engineering. Thorough planning and a good gift of
gab is all it really took.
And that's what this book is about--the techniques of social engineering
(at which yours truly is proficient) and how to defend against their being
used at your company.
THE NATURE OF THE THREAT
The Rifkin story makes perfectly clear how misleading our sense of
security can be. Incidents like this - okay, maybe not $10 million heists,
but harmful incidents nonetheless - are happening every day. You may be
losing money right now, or somebody may be stealing new product plans,
and you don't even know it. If it hasn't already happened to your
company, it's not a question of if it will happen, but when.
A Growing Concern
The Computer Security Institute, in its 2001 survey of computer crime,
reported that 85 percent of responding organizations had detected
computer security breaches in the preceding twelve months. That's an
astounding number: Only fifteen out of every hundred organizations
responding were able to say that they had not had a security breach during
the year. Equally astounding was the number of organizations that
reported that they had experienced financial losses due to computer
breaches: 64 percent. Well over half the organizations had suffered
financially. In a single year.
My own experiences lead me to believe that the numbers in reports like
this are somewhat inflated. I'm suspicious of the agenda of the people
conducting the survey. But that's not to say that the damage isn't
extensive; it is. Those who fail to plan for a security incident are planning
for failure.
Commercial security products deployed in most companies are mainly
aimed at providing protection against the amateur computer intruder, like
the youngsters known as script kiddies. In fact, these wannabe hackers
with downloaded software are mostly just a nuisance. The greater losses,
the real threats, come from sophisticated attackers with well-defined
targets who are motivated by financial gain. These people focus on one
target at a time rather than, like the amateurs, trying to infiltrate as many
systems as possible. While amateur computer intruders simply go for
quantity, the professionals target information of quality and value.
Technologies like authentication devices (for proving identity), access
control (for managing access to files and system resources), and intrusion
detection systems (the electronic equivalent of burglar alarms) are
necessary to a corporate security program. Yet it's typical today for a
company to spend more money on coffee than on deploying
countermeasures to protect the organization against security attacks.
Just as the criminal mind cannot resist temptation, the hacker mind is
driven to find ways around powerful security technology safeguards. And
in many cases, they do that by targeting the people who use the
technology.
Deceptive Practices
There's a popular saying that a secure computer is one that's turned off.
Clever, but false: The pretexter simply talks someone into going into the
office and turning that computer on. An adversary who wants your
information can obtain it, usually in any one of several different ways. It's
just a matter of time, patience, personality, and persistence. That's where
the art of deception comes in.
To defeat security measures, an attacker, intruder, or social engineer must
find a way to deceive a trusted user into revealing information, or trick an
unsuspecting mark into providing him with access. When trusted
employees are deceived, influenced, or manipulated into revealing
sensitive information, or performing actions that create a security hole for
the attacker to slip through, no technology in the world can protect a
business. Just as cryptanalysts are sometimes able to reveal the plain text
of a coded message by finding a weakness that lets them bypass the encryption
technology, social engineers use deception practiced on your employees
to bypass security technology.
ABUSE OF TRUST
In most cases, successful social engineers have strong people skills.
They're charming, polite, and easy to like--social traits needed for
establishing rapid rapport and trust. An experienced social engineer is
able to gain access to virtually any targeted information by using the
strategies and tactics of his craft.
Savvy technologists have painstakingly developed information-security
solutions to minimize the risks connected with the use of computers, yet
left unaddressed the most significant vulnerability, the human factor.
Despite our intellect, we humans - you, me, and everyone else - remain
the most severe threat to each other's security.
Our National Character
We're not mindful of the threat, especially in the Western world. In the
United States most of all, we're not trained to be suspicious of each other.
We are taught to "love thy neighbor" and have trust and faith in each
other. Consider how difficult it is for neighborhood watch organizations
to get people to lock their homes and cars. This sort of vulnerability is
obvious, and yet it seems to be ignored by many who prefer to live in a
dream world - until they get burned.
We know that all people are not kind and honest, but too often we live as
if they were. This lovely innocence has been the fabric of the lives of
Americans and it's painful to give it up. As a nation we have built into our
concept of freedom that the best places to live are those where locks and
keys are the least necessary.
Most people go on the assumption that they will not be deceived by
others, based upon a belief that the probability of being deceived is very
low; the attacker, understanding this common belief, makes his request
sound so reasonable that it raises no suspicion, all the while exploiting the
victim's trust.
Organizational Innocence
That innocence that is part of our national character was evident back
when computers were first being connected remotely. Recall that the
ARPANet (the Defense Department's Advanced Research Projects Agency
Network), the predecessor of the Internet, was designed as a way of
sharing research information between government, research, and
educational institutions. The goal was information freedom, as well as
technological advancement. Many educational institutions therefore set up
early computer systems with little or no security. One noted software
libertarian, Richard Stallman, even refused to protect his account with a
password.
But with the Internet being used for electronic commerce, the dangers of
weak security in our wired world have changed dramatically. Deploying
more technology is not going to solve the human security problem.
Just look at our airports today. Security has become paramount, yet we're
alarmed by media reports of travelers who have been able to circumvent
security and carry potential weapons past checkpoints. How is this
possible during a time when our airports are on such a state of alert? Are
the metal detectors failing? No. The problem isn't the machines. The
problem is the human factor: The people manning the machines. Airport
officials can marshal the National Guard and install metal detectors and
facial recognition systems, but educating the frontline security staff on
how to properly screen passengers is much more likely to help.
The same problem exists within government, business, and educational
institutions throughout the world. Despite the efforts of security
professionals, information everywhere remains vulnerable and will
continue to be seen as a ripe target by attackers with social engineering
skills, until the weakest link in the security chain, the human link, has
been strengthened.
Now more than ever we must learn to stop wishful thinking and become
more aware of the techniques that are being used by those who attempt to
attack the confidentiality, integrity, and availability of our computer
systems and networks. We've come to accept the need for defensive
driving; it's time to accept and learn the practice of defensive computing.
The threat of a break-in that violates your privacy, your mind, or your
company's information systems may not seem real until it happens. To
avoid such a costly dose of reality, we all need to become aware,
educated, vigilant, and aggressively protective of our information assets,
our own personal information, and our nation's critical infrastructures.
And we must implement those precautions today.
TERRORISTS AND DECEPTION
Of course, deception isn't an exclusive tool of the social engineer.
Physical terrorism makes the biggest news, and we have come to realize
as never before that the world is a dangerous place. Civilization is, after
all, just a thin veneer.
The attacks on New York and Washington, D.C., in September 2001
infused sadness and fear into the hearts of every one of us - not just
Americans, but well-meaning people of all nations. We're now alerted to
the fact that there are obsessive terrorists located around the globe,
well-trained and waiting to launch further attacks against us.
The recently intensified effort by our government has increased the levels
of our security consciousness. We need to stay alert, on guard against all
forms of terrorism. We need to understand how terrorists treacherously
create false identities, assume roles as students and neighbors, and melt
into the crowd. They mask their true beliefs while they plot against us -
practicing tricks of deception similar to those you will read about in these
pages.
And while, to the best of my knowledge, terrorists have not yet used
social engineering ruses to infiltrate corporations, water-treatment plants,
electrical generation facilities, or other vital components of our national
infrastructure, the potential is there. It's just too easy. The security
awareness and security policies that I hope will be put into place and
enforced by corporate senior management because of this book will come
none too soon.
ABOUT THIS BOOK
Corporate security is a question of balance. Too little security leaves your
company vulnerable, but an overemphasis on security gets in the way of
attending to business, inhibiting the company's growth and prosperity.
The challenge is to achieve a balance between security and productivity.
Other books on corporate security focus on hardware and software
technology, and do not adequately cover the most serious threat of all:
human deception. The purpose of this book, in contrast, is to help you
understand how you, your co-workers, and others in your company are
being manipulated, and the barriers you can erect to stop being victims.
The book focuses mainly on the non-technical methods that hostile
intruders use to steal information, compromise the integrity of information
that is believed to be safe but isn't, or destroy company work product.
My task is made more difficult by a simple truth: Every reader will have
been manipulated by the grand experts of all time in social engineering -
their parents. They found ways to get you - "for your own good" - to do
what they thought best. Parents become great storytellers in the same way
that social engineers skillfully develop very plausible stories, reasons, and
justifications for achieving their goals. Yes, we were all molded by our
parents: benevolent (and sometimes not so benevolent) social engineers.
Conditioned by that training, we have become vulnerable to manipulation.
We would live a difficult life if we had to be always on our guard,
mistrustful of others, concerned that we might become the dupe of
someone trying to take advantage of us. In a perfect world we would
implicitly trust others, confident that the people we encounter are going to
be honest and trustworthy. But we do not live in a perfect world, and so
we have to exercise a standard of vigilance to repel the deceptive efforts
of our adversaries.
The main portions of this book, Parts 2 and 3, are made up of stories that
show you social engineers in action. In these sections you'll read about:
• What phone phreaks discovered years ago: A slick method for getting
an unlisted phone number from the telephone company.
• Several different methods used by attackers to convince even alert,
suspicious employees to reveal their computer usernames and
passwords.
• How an Operations Center manager cooperated in allowing an attacker
to steal his company's most secret product information.
• The methods of an attacker who deceived a lady into downloading
software that spies on every keystroke she makes and emails the
details to him.
• How private investigators get information about your company, and
about you personally, that I can practically guarantee will send a chill
up your spine.
You might think as you read some of the stories in Parts 2 and 3 that
they're not possible, that no one could really succeed in getting away with
the lies, dirty tricks, and schemes described in these pages. The reality is
that in every case, these stories depict events that can and do happen;
many of them are happening every day somewhere on the planet, maybe
even to your business as you read this book.
The material in this book will be a real eye-opener when it comes to
protecting your business, but also personally deflecting the advances of a
social engineer to protect the integrity of information in your private life.
In Part 4 of this book I switch gears. My goal here is to help you create
the necessary business policies and awareness training to minimize the
chances of your employees ever being duped by a social engineer.
Understanding the strategies, methods, and tactics of the social engineer
will help prepare you to deploy reasonable controls to safeguard your IT
assets, without undermining your company's productivity.
In short, I've written this book to raise your awareness about the serious
threat posed by social engineering, and to help you make sure that your
company and its employees are less likely to be exploited in this way.
Or perhaps I should say, far less likely to be exploited ever again.
Part 2
The Art Of The Attacker
Chapter 2
When Innocuous Information Isn't
What do most people think is the real threat from social engineers? What
should you do to be on your guard?
If the goal is to capture some highly valuable prize--say, a vital
component of the company's intellectual capital - then perhaps what's
needed is, figuratively, just a stronger vault and more heavily armed
guards. Right?
But in reality penetrating a company's security often starts with the bad
guy obtaining some piece of information or some document that seems so
innocent, so everyday and unimportant, that most people in the
organization wouldn't see any reason why the item should be protected
and restricted.
HIDDEN VALUE OF INFORMATION
Much of the seemingly innocuous information in a company's possession
is prized
by a social engineering attacker because it can play a vital role in his
effort to dress himself in a cloak of believability.
Throughout these pages, I'm going to show you how social engineers do
what they do by letting you "witness" the attacks for yourself--sometimes
presenting the action from the viewpoint of the people being victimized,
allowing you to put yourself in their shoes and gauge how you yourself
(or maybe one of your employees or co-workers) might have responded.
In many cases you'll also experience the same events from the perspective
of the social engineer.
The first story looks at a vulnerability in the financial industry.
CREDITCHEX
For a long time, the British put up with a very stuffy banking system. As
an ordinary, upstanding citizen, you couldn't walk in off the street and
open a bank account. No, the bank wouldn't consider accepting you as a
customer unless some person already well established as a customer
provided you with a letter of recommendation.
Quite a difference, of course, in the seemingly egalitarian banking
world of today. And our modern ease of doing business is nowhere more
in evidence than in friendly, democratic America, where almost anyone
can walk into a bank and easily open a checking account, right? Well, not
exactly. The truth is that banks understandably have a natural reluctance
to open an account for somebody who just might have a history of
writing bad checks--that would be about as welcome as a rap sheet of
bank robbery or embezzlement charges. So it's standard practice at many
banks to get a quick thumbs-up or thumbs-down on a prospective new
customer.
One of the major companies that banks contract with for this information
is an outfit we'll call CreditChex. They provide a valuable service to their
clients, but like many companies, can also unknowingly provide a handy
service to knowing social engineers.
The First Call: Kim Andrews
"National Bank, this is Kim. Did you want to open an account today?"
"Hi, Kim. I have a question for you. Do you guys use CreditChex?"
"Yes."
"When you phone in to CreditChex, what do you call the number you give
them--is it a 'Merchant ID'?"
A pause; she was weighing the question, wondering what this was about
and whether she should answer.
The caller quickly continued without missing a beat:
"Because, Kim, I'm working on a book. It deals with private
investigations."
"Yes," she said, answering the question with new confidence, pleased to
be helping a writer.
"So it's called a Merchant ID, right?"
"Uh huh."
"Okay, great. Because I wanted to make sure I had the lingo right. For the
book. Thanks for your help. Good-bye, Kim."
The Second Call: Chris Talbert
"National Bank, New Accounts, this is Chris."
"Hi, Chris. This is Alex," the caller said. "I'm a customer service rep
with CreditChex. We're doing a survey to improve our services. Can you
spare me a couple of minutes?"
She was glad to, and the caller went on:
"Okay - what are the hours your branch is open for business?" She
answered, and continued answering his string of questions.
"How many employees at your branch use our service?"
"How often do you call us with an inquiry?"
"Which of our 800-numbers have we assigned you for calling us?"
"Have our representatives always been courteous?"
"How's our response time?"
"How long have you been with the bank?"
"What Merchant ID are you currently using?"
"Have you ever found any inaccuracies with the information we've
provided you?"
"If you had any suggestions for improving our service, what would they
be?"
And:
"Would you be willing to fill out periodic questionnaires if we send them
to your branch?"
She agreed, they chatted a bit, the caller rang off, and Chris went back to
work.
The Third Call: Henry McKinsey
"CreditChex, this is Henry McKinsey, how can I help you?"
The caller said he was from National Bank. He gave the proper Merchant
ID and then gave the name and social security number of the person he
was looking for information on. Henry asked for the birth date, and the
caller gave that, too.
After a few moments, Henry read the listing from his computer screen.
"Wells Fargo reported NSF in 1998, one time, amount of $2,066." NSF -
non sufficient funds - is the familiar banking lingo for checks that have
been written when there isn't enough money in the account to cover them.
"Any activities since then?"
"No activities."
"Have there been any other inquiries?"
"Let's see. Okay, two of them, both last month. Third United Credit Union
of Chicago." He stumbled over the next name, Schenectady Mutual
Investments, and had to spell it. "That's in New York State," he added.
Private Investigator at Work
All three of those calls were made by the same person: a private
investigator we'll call Oscar Grace. Grace had a new client, one of his
first. A cop until a few months before, he found that some of this new
work came naturally, but some offered a challenge to his resources and
inventiveness. This one came down firmly in the challenge category.
The hardboiled private eyes of fiction - the Sam Spades and the Philip
Marlowes - spend long night time hours sitting in cars waiting to catch a
cheating spouse. Real-life PIs do the same. They also do a less written
about, but no less important kind of snooping for warring spouses, a
method that leans more heavily on social engineering skills than on
fighting off the boredom of night time vigils.
Grace's new client was a lady who looked as if she had a pretty
comfortable budget for clothes and jewelry. She walked into his office
one day and took a seat in the leather chair, the only one that didn't have
papers piled on it. She settled her large Gucci handbag on his desk with
the logo turned to face him and announced she was planning to tell her
husband that she wanted a divorce, but admitted to "just a very little
problem."
It seemed her hubby was one step ahead. He had already pulled the cash
out of their savings account and an even larger sum from their brokerage
account. She wanted to know where their assets had been squirreled away,
and her divorce lawyer wasn't any help at all. Grace surmised the lawyer
was one of those uptown, high-rise counselors who wouldn't get his hands
dirty on something messy like where did the money go.
Could Grace help?
He assured her it would be a breeze, quoted a fee, expenses billed at cost,
and collected a check for the first payment.
Then he faced his problem. What do you do if you've never handled a
piece of work like this before and don't quite know how to go about
tracking down a money trail? You move forward by baby steps. Here,
according to our source, is Grace's story.
I knew about CreditChex and how banks used the outfit - my ex-wife used
to work at a bank. But I didn't know the lingo and procedures, and trying
to ask my ex would be a waste of time.
Step one: Get the terminology straight and figure out how to make the
request so it sounds like I know what I'm talking about. At the bank I
called, the first young lady, Kim, was suspicious when I asked about how
they identify themselves when they phone CreditChex. She hesitated; she
didn't know whether to tell me. Was I put off by that? Not a bit. In fact,
the hesitation gave me an important clue, a sign that I had to supply a
reason she'd find believable. When I worked the con on her about doing
research for a book, it relieved her suspicions. You say you're an author or
a movie writer, and everybody opens up.
She had other knowledge that would have helped - things like what
information CreditChex requires to identify the person you're calling
about, what information you can ask for, and the big one, what was Kim's
bank Merchant ID number. I was ready to ask those questions, but her
hesitation sent up the red flag. She bought the book research story, but she
already had a few niggling suspicions. If she'd been more willing right
away, I would have asked her to reveal more details about their procedures.
LINGO
MARK: The victim of a con.
BURN THE SOURCE: An attacker is said to have burned the source when he
allows a victim to recognize that an attack has taken place. Once
the victim becomes aware and notifies other employees or management of
the attempt, it becomes extremely difficult to exploit the same source in
future attacks.
You have to go on gut instinct, listen closely to what the mark is saying
and how she's saying it. This lady sounded smart enough for alarm bells
to start going off if I asked too many unusual questions. And even though
she didn't know who I was or what number I was calling from, still in this
business you never want anybody putting out the word to be on the look
out for someone calling to get information about the business. That's
because you don't want to burn the source - you may want to call the same
office back another time.
I'm always on the watch for little signs that give me a read on how
cooperative a person is, on a scale that runs from "You sound like a nice
person and I believe everything you're saying" to "Call the cops, alert the
National Guard, this guy's up to no good."
I read Kim as a little bit on edge, so I just called somebody at a different
branch. On my second call with Chris, the survey trick played like a
charm. The tactic here is to slip the important questions in among
inconsequential ones that are used to create a sense of believability.
Before I dropped the question about the Merchant ID number with
CreditChex, I ran a little last-minute test by asking her a personal question
about how long she'd been with the bank.
A personal question is like a land mine - some people step right over it
and never notice; for other people, it blows up and sends them scurrying
for safety. So if I ask a personal question and she answers the question
and the tone of her voice doesn't change, that means she probably isn't
skeptical about the nature of the request. I can safely ask the sought after
question without arousing her suspicions, and she'll probably give me the
answer I'm looking for.
One more thing a good PI knows: Never end the conversation after getting
the key information. Another two or three questions, a little chat, and then
it's okay to say good-bye. Later, if the victim remembers anything about
what you asked, it will probably be the last couple of questions. The rest
will usually be forgotten.
So Chris gave me their Merchant ID number, and the phone number they
call to make requests. I would have been happier if I had gotten to ask
some questions about how much information you can get from
CreditChex. But it was better not to push my luck.
It was like having a blank check on CreditChex. I could now call and get
information whenever I wanted. I didn't even have to pay for the service.
As it turned out, the CreditChex rep was happy to share exactly the
information I wanted: two places my client's husband had recently applied
to open an account. So where were the assets his soon-to-be ex-wife was
looking for? Where else but at the banking institutions the guy at
CreditChex listed?
Analyzing the Con
This entire ruse was based on one of the fundamental tactics of social
engineering: gaining access to information that a company employee
treats as innocuous, when it isn't.
The first bank clerk confirmed the terminology to describe the identifying
number used when calling CreditChex: the Merchant ID. The second
provided the phone number for calling CreditChex, and the most vital
piece of information, the bank's Merchant ID number. All this information
appeared to the clerk to be innocuous. After all, the bank clerk thought
she was talking to someone from CreditChex - so what could be the harm
in disclosing the number?
All of this laid the groundwork for the third call. Grace had everything he
needed to phone CreditChex, pass himself off as a rep from one of their
customer banks, National, and simply ask for the information he was
after.
With as much skill at stealing information as a good swindler has at
stealing your money, Grace had well-honed talents for reading people. He
knew the common tactic of burying the key questions among innocent
ones. He knew a personal question would test the second clerk's
willingness to cooperate, before innocently asking for the Merchant ID
number.
The first clerk's error in confirming the terminology for the CreditChex ID
number would be almost impossible to protect against. The information is
so widely known within the banking industry that it appears to be
unimportant - the very model of the innocuous. But the second clerk,
Chris, should not have been so willing to answer questions without
positively verifying that the caller was really who he claimed to be. She
should, at the very least, have taken his name and number and called
back; that way, if any questions arose later, she may have kept a record of
what phone number the person had used. In this case, making a call like
that would have made it much more difficult for the attacker to
masquerade as a representative from CreditChex.
MITNICK MESSAGE
A Merchant ID in this situation is analogous to a password. If bank
personnel treated it like an ATM PIN, they might appreciate the sensitive
nature of the information. Is there an internal code or number in your
organization that people aren't treating with enough care?
Better still would have been a call to CreditChex using a number the bank
already had on record - not a number provided by the caller - to verify that the
person really worked there, and that the company was really doing a
customer survey. Given the practicalities of the real world and the time
pressures that most people work under today, though, this kind of
verification phone call is a lot to expect, except when an employee is
suspicious that some kind of attack is being made.
THE ENGINEER TRAP
It is widely known that head-hunter firms use social engineering to recruit
corporate talent. Here's an example of how it can happen.
In the late 1990s, a not very ethical employment agency signed a new
client, a company looking for electrical engineers with experience in the
telephone industry. The honcho on the project was a lady endowed with a
throaty voice and sexy manner that she had learned to use to develop
initial trust and rapport over the phone.
The lady decided to stage a raid on a cellular phone service provider to
see if she could locate some engineers who might be tempted to walk
across the street to a competitor. She couldn't exactly call the switchboard
and say, "Let me talk to anybody with five years of engineering
experience." Instead, for reasons that will become clear in a moment, she
began the talent assault by seeking a piece of information that appeared to
have no sensitivity at all, information that company people give out to
almost anybody who asks.
The First Call: The receptionist
The attacker, using the name Didi Sands, placed a call to the corporate
offices of the cellular phone service. In part, the conversation went like
this:
Receptionist: Good afternoon. This is Marie, how may I help you?
Didi: Can you connect me to the Transportation Department?
R: I'm not sure if we have one, I'll look in my directory. Who's calling?
D: It's Didi.
R: Are you in the building, or... ?
D: No, I'm outside the building.
R: Didi who?
D: Didi Sands. I had the extension for Transportation, but I forgot what
it was.
R: One moment.
To allay suspicions, at this point Didi asked a casual, just making
conversation question designed to establish that she was on the "inside,"
familiar with company locations.
D: What building are you in - Lakeview or Main Place?
R: Main Place. (pause) It's 805 555 6469.
To provide herself with a backup in case the call to Transportation didn't
provide what she was looking for, Didi said she also wanted to talk to
Real Estate. The receptionist gave her that number, as well. When Didi
asked to be connected to the Transportation number, the receptionist tried,
but the line was busy.
At that point Didi asked for a third phone number, for Accounts
Receivable, located at a corporate facility in Austin, Texas. The
receptionist asked her to wait a moment, and went off the line. Reporting
to Security that she had a suspicious phone call and thought there was
something fishy going on? Not at all, and Didi didn't have the least bit of
concern. She was being a bit of a nuisance, but to the receptionist it was
all part of a typical workday. After about a minute, the receptionist came
back on the line, looked up the Accounts Receivable number, tried it, and
put Didi through.
The Second Call: Peggy
The next conversation went like this:
Peggy: Accounts Receivable, Peggy.
Didi: Hi, Peggy. This is Didi, in Thousand Oaks.
P: Hi, Didi.
D: How ya doing?
P: Fine.
Didi then used a familiar term in the corporate world that describes the
charge code for assigning expenses against the budget of a specific
organization or workgroup:
D: Excellent. I have a question for you. How do I find out the cost center
for a particular department?
P: You'd have to get a hold of the budget analyst for the department.
D: Do you know who'd be the budget analyst
for Thousand Oaks - headquarters? I'm trying to
fill out a form and I don't know the proper cost
center.
P: I just know when y'all need a cost center number, you call your
budget analyst.
D: Do you have a cost center for your department there in Texas?
P: We have our own cost center but they don't give us a complete list of
them.
D: How many digits is the cost center? For example, what's your cost
center?
P: Well, like, are you with 9WC or with SAT?
Didi had no idea what departments or groups these referred to, but it
didn't matter. She answered:
D: 9WC.
P: Then it's usually four digits. Who did you say you were with?
D: Headquarters--Thousand Oaks.
P: Well, here's one for Thousand Oaks. It's 1A5N, that's N like in
Nancy.
By just hanging out long enough with somebody willing to be helpful,
Didi had the cost center number she needed - one of those pieces of
information that no one thinks to protect because it seems like something
that couldn't be of any value to an outsider.
The Third Call: A Helpful Wrong Number
Didi's next step would be to parlay the cost center number into something
of real value by using it as a poker chip.
She began by calling the Real Estate department, pretending she had
reached a wrong number. Starting with a "Sorry to bother you, but .... "
she claimed she was an employee who had lost her company directory,
and asked who you were supposed to call to get a new copy. The man said
the print copy was out of date because it was available on the company
intranet site.
Didi said she preferred using a hard copy, and the man told her to call
Publications, and then, without being asked - maybe just to keep the
sexy-sounding lady on the phone a little longer - helpfully looked up the
number and gave it to her.
The Fourth Call: Bart in Publications
In Publications, she spoke with a man named Bart. Didi said she was from
Thousand Oaks, and they had a new consultant who needed a copy of the
company directory. She told him a print copy would work better for the
consultant, even if it was somewhat out of date. Bart told her she'd have to
fill out a requisition form and send the form over to him.
Didi said she was out of forms and it was a rush, and could Bart be a
sweetheart and fill out the form for her? He agreed with a little too much
enthusiasm, and Didi gave him the details. For the address of the fictional
contractor, she drawled the number of what social engineers call a mail
drop, in this case a Mail Boxes Etc.-type of commercial business where
her company rented boxes for situations just like this.
The earlier spadework now came in handy: There would be a charge for
the cost and shipping of the directory. Fine - Didi gave the cost center for
Thousand Oaks:
"1A5N, that's N like in Nancy."
A few days later, when the corporate directory arrived, Didi found it was
an even bigger payoff than she had expected: It not only listed the names
and phone numbers, but also showed who worked for whom - the
corporate structure of the whole organization.
The lady of the husky voice was ready to start making her head-hunter,
people-raiding phone calls. She had conned the information she needed to
launch her raid using the gift of gab honed to a high polish by every
skilled social engineer. Now she was ready for the payoff.
LINGO
MAIL DROP: The social engineer's term for a rental mailbox, typically
rented under an assumed name, which is used to deliver documents or
packages the victim has been duped into sending.
MITNICK MESSAGE
Just like pieces of a jigsaw puzzle, each piece of information may be
irrelevant by itself. However, when the pieces are put together, a clear
picture emerges. In this case, the picture the social engineer saw was the
entire internal structure of the company.
Analyzing the Con
In this social engineering attack, Didi started by getting phone numbers
for three departments in the target company. This was easy, because the
numbers she was asking for were no secret, especially to employees. A
social engineer learns to sound like an insider, and Didi was skilled at this
game. One of the phone numbers led her to a cost center number, which
she then used to obtain a copy of the firm's employee directory.
The main tools she needed: sounding friendly, using some corporate
lingo, and, with the last victim, throwing in a little verbal eyelash-batting.
And one more tool, an essential element not easily acquired - the
manipulative skills of the social engineer, refined through extensive
practice and the unwritten lessons of bygone generations of confidence
men.
MORE "WORTHLESS" INFO
Besides a cost center number and internal phone extensions, what other
seemingly useless information can be extremely valuable to your enemy?
Peter Abels's Phone Call
"Hi," the voice at the other end of the line says. "This is Tom at Parkhurst
Travel. Your tickets to San Francisco are ready. Do you want us to deliver
them, or do you want to pick them up?"
"San Francisco?" Peter says. "I'm not going to San Francisco."
"Is this Peter Abels?"
"Yes, but I don't have any trips coming up."
"Well," the caller says with a friendly laugh, "you sure you don't want to
go to San Francisco?"
"If you think you can talk my boss into it..." Peter says, playing along
with the friendly conversation.
"Sounds like a mix-up," the caller says. "On our system, we book travel
arrangements under the employee number. Maybe somebody used the
wrong number. What's your employee number?"
Peter obligingly recites his number. And why not? It goes on just about
every personnel form he fills out, lots of people in the company have
access to it - human resources, payroll, and, obviously, the outside travel
agency. No one treats an employee number like some sort of secret. What
difference could it make?
The answer isn't hard to figure out. Two or three pieces of information
might be all it takes to mount an effective impersonation - the social
engineer cloaking himself in someone else's identity. Get hold of an
employee's name, his phone number, his employee number--and maybe,
for good measure, his manager's name and phone number--and a
halfway-competent social engineer is equipped with most of what he's likely to
need to sound authentic to the next target he calls.
If someone who said he was from another department in your company
had called yesterday, given a plausible reason, and asked for your
employee number, would you have had any reluctance in giving it to him?
And by the way, what is your social security number?
MITNICK MESSAGE
The moral of the story is, don't give out any personal or internal company
information or identifiers to anyone, unless his or her voice is
recognizable and the requestor has a need to know.
PREVENTING THE CON
Your company has a responsibility to make employees aware of how a
serious mistake can occur from mishandling nonpublic information. A
well thought-out information security policy, combined with proper
education and training, will dramatically increase employee awareness
about the proper handling of corporate business information. A data
classification policy will help you to implement proper controls with
respect to disclosing information. Without a data classification policy, all
internal information must be considered confidential, unless otherwise
specified.
Take these steps to protect your company from the release of seemingly
innocuous information:
The Information Security Department needs to conduct awareness training
detailing the methods used by social engineers. One method, as described
above, is to obtain seemingly non sensitive information and use it as a
poker chip to gain short-term trust. Each and every employee needs to be
aware that when a caller has knowledge about company procedures, lingo,
and internal identifiers it does not in any way, shape, or form authenticate
the requestor or authorize him or her as having a need to know. A caller
could be a former employee or
contractor with the requisite insider information. Accordingly, each
corporation has a responsibility to determine the appropriate
authentication method to be used when employees interact with people
they don't recognize in person or over the telephone.
The person or persons with the role and responsibility of drafting a data
classification policy should examine the types of details that may be used
to gain access for legitimate employees that seem innocuous, but could
lead to information that is sensitive. Though you'd never give out the
access codes for your ATM card, would you tell somebody what server
you use to develop company software products? Could that information
be used by a person pretending to be somebody who has legitimate access
to the corporate network?
Sometimes just knowing inside terminology can make the social engineer
appear authoritative and knowledgeable. The attacker often relies on this
common misconception to dupe his or her victims into compliance. For
example, a Merchant ID is an identifier that people in the New Accounts
department of a bank casually use every day. But such an identifier is
exactly the same as a password. If each and every employee understood
the nature of this identifier - that it is used to positively authenticate a
requestor - they would treat it with more respect.
MITNICK MESSAGE
As the old adage goes - even real paranoids probably have enemies. We
must assume that every business has its enemies, too - attackers that target
the network infrastructure to compromise business secrets. Don't end up
being a statistic on computer crime - it's high time to shore up the
necessary defenses by implementing proper controls through well-thought-out
security policies and procedures.
No companies - well, very few, at least - give out the direct dial phone
numbers of their CEO or board chairman. Most companies, though, have
no concern about giving out phone numbers to most departments and
workgroups in the organization - especially to someone who is, or
appears to be, an employee. A possible countermeasure: Implement a
policy that prohibits giving internal phone numbers of employees, contractors,
consultants, and temps to outsiders. More importantly, develop a step-by-step
procedure to positively identify whether a caller asking for phone
numbers is really an employee.
Accounting codes for workgroups and departments, as well as copies of
the corporate directory (whether hard copy, data file, or electronic phone
book on the intranet) are frequent targets of social engineers. Every
company needs a written, well-publicized policy on disclosure of this type
of information. The safeguards should include maintaining an audit log
that records instances when sensitive information is disclosed to people
outside of the company.
Information such as an employee number, by itself, should not be used as
any sort of authentication. Every employee must be trained to verify not
just the identity of a requestor, but also the requestor's need to know.
In your security training, consider teaching employees this approach:
Whenever asked a question or asked for a favor by a stranger, learn first
to politely decline until the request can be verified. Then - before giving
in to the natural desire to be Mr. or Ms. Helpful - follow company policies
and procedures with respect to verification and disclosure of non-public
information. This style may go against our natural tendency to help
others, but a little healthy paranoia may be necessary to avoid being the
social engineer's next dupe.
As the stories in this chapter have shown, seemingly innocuous
information can be the key to your company's most prized secrets.
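The steps above can be written down as a decision procedure. The following Python is an added example, not code from the book; the directory, classification table and department names are invented for illustration. It shows the two properties this chapter insists on: the details a caller volunteers (an employee number, lingo, a number to be called back on) are recorded but carry no authentication weight, and the callback goes to the extension listed in the internal directory, never to a number the caller supplies. Unclassified items default to confidential, and every non-public disclosure is written to an audit log.

```python
"""Caller-verification check modelled on the Chapter 2 recommendations:
a data classification table (unlisted items default to confidential),
identity verification by calling back a number taken from the internal
directory rather than one the caller supplies, a need-to-know check,
and an audit log of every non-public disclosure. Added example; the
directory, classification table and department names are invented."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Set


class Classification(Enum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


# Constructed sample data for a hypothetical company.
CLASSIFICATION: Dict[str, Classification] = {
    "lobby_hours": Classification.PUBLIC,
    "dept_phone_list": Classification.INTERNAL,
    "merchant_id": Classification.CONFIDENTIAL,
    "dev_server_name": Classification.CONFIDENTIAL,
}
# Departments with a need to know each item; "*" means any verified employee.
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "dept_phone_list": {"*"},
    "merchant_id": {"new_accounts"},
    "dev_server_name": {"engineering"},
}
# Internal directory: the callback extension comes from here, never from the caller.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "E1042": {"name": "Dana Reyes", "dept": "engineering", "ext": "4417"},
    "E2077": {"name": "Lee Okafor", "dept": "new_accounts", "ext": "2210"},
}


@dataclass
class Request:
    claimed_employee_id: str
    item: str
    # Things a social engineer offers as "proof". They are recorded for the
    # record but deliberately never consulted: knowing the lingo and
    # supplying a number to call back on authenticate nothing.
    knows_lingo: bool = False
    callback_number_offered: Optional[str] = None


@dataclass
class Decision:
    disclose: bool
    reason: str
    callback_ext: Optional[str] = None  # set when a callback is still required


_AUDIT: List[Dict[str, str]] = []


def classify(item: str) -> Classification:
    # Anything not explicitly classified is treated as confidential.
    return CLASSIFICATION.get(item, Classification.CONFIDENTIAL)


def evaluate(req: Request, callback_confirmed: bool) -> Decision:
    """Decide whether to disclose req.item.

    callback_confirmed is True only after the employee has hung up and
    reached the requester on the directory extension. Call first with
    False to learn which extension to dial, then again with True once the
    requester has answered there.
    """
    cls = classify(req.item)
    if cls is Classification.PUBLIC:
        return Decision(True, "public information")

    entry = DIRECTORY.get(req.claimed_employee_id)
    if entry is None:
        return Decision(False, "employee number not in directory; decline")

    if not callback_confirmed:
        return Decision(False, "identity unverified; call back on directory extension",
                        callback_ext=entry["ext"])

    allowed = NEED_TO_KNOW.get(req.item, set())
    if "*" not in allowed and entry["dept"] not in allowed:
        return Decision(False, f"verified, but {entry['dept']} has no need to know {req.item}")

    _AUDIT.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "item": req.item,
        "classification": cls.name,
        "to": req.claimed_employee_id,
    })
    return Decision(True, "identity verified by callback and need to know confirmed")


def audit_entries() -> List[Dict[str, str]]:
    return list(_AUDIT)


if __name__ == "__main__":
    # A caller who knows the lingo and offers a number to be called back on.
    req = Request("E1042", "dev_server_name", knows_lingo=True,
                  callback_number_offered="555-0100")
    first = evaluate(req, callback_confirmed=False)
    print(first.reason, "-> dial", first.callback_ext)  # 4417, not 555-0100
    print(evaluate(req, callback_confirmed=True).reason)
    print(evaluate(Request("E1042", "merchant_id"), True).reason)
```

The order of checks is the point: the caller's claims are never compared against anything the caller controls, and need to know is decided per item and department after identity is settled, so a verified engineer still cannot obtain a Merchant ID.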
Chapter 3
The Direct Attack: Just Asking for It
Many social engineering attacks are intricate, involving a number of steps
and elaborate planning, combining a mix of manipulation and
technological know-how.
But I always find it striking that a skillful social engineer can often
achieve his goal with a simple, straightforward, direct attack. Just asking
outright for the information may be all that's needed - as you'll see.
AN MLAC QUICKIE
Want to know someone's unlisted phone number? A social engineer can
tell you half a dozen ways (and you'll find some of them described in
other stories in these pages), but probably the simplest scenario is one that
uses a single phone call, like this one.
Number, Please
The attacker dialed the private phone company number for the MLAC, the
Mechanized Line Assignment Center. To the woman who answered, he
said:
"Hey, this is Paul Anthony. I'm a cable splicer. Listen, a terminal box out
here got fried in a fire. Cops think some creep tried to burn his own house
down for the insurance. They got me out here alone trying to rewire this
entire two hundred-pair terminal. I could really use some help right now.
What facilities should be working at 6723 South Main?"
In other parts of the phone company, the person called would know that
reverse lookup information on non-pub (non-published) numbers is
supposed to be given out only to authorized phone company personnel, and
that the MLAC's number is supposed to be known only to company employees.
And while they'd never give out information to the public, who would want
to refuse a little help to a company man coping with that heavy-duty
assignment? She feels sorry for him, she's had bad days on the job herself,
and she'll bend the rules a little to help out a fellow employee with a
problem. She gives him the cable and pairs and each working number
assigned to the address.
MITNICK MESSAGE
It's human nature to trust our fellow man, especially when the request
meets the test of being reasonable. Social engineers use this knowledge to
exploit their victims and to achieve their goals.
Analyzing the Con
As you'll notice repeatedly in these stories, knowledge of a company's
lingo, and of its corporate structure - its various offices and departments,
what each does and what information each has - is part of the essential
bag of tricks of the successful social engineer.
YOUNG MAN ON THE RUN
A man we'll call Frank Parsons had been on the run for years, still wanted
by the federal government for being part of an underground antiwar group
in the 1960s. In restaurants he sat facing the door and he had a way of
glancing over his shoulder every once in a while that other people found
disconcerting. He moved every few years.
At one point Frank landed in a city he didn't know, and set about job
hunting. For someone like Frank, with his well-developed computer skills
(and social engineering skills as well, even though he never listed those
on a job application), finding a good job usually wasn't a problem. Except
in times when the economy is very tight, people with good technical
computer knowledge usually find their talents in high demand and they
have little problem landing on their feet. Frank quickly located a
well-paying job opportunity at a large, upscale, long-term care facility near
where he was living.
Just the ticket, he thought. But when he started plodding his way through
the application forms, he came upon an uh-oh: The employer required the
applicant to provide a copy of his state criminal history record, which he
had to obtain himself from the state police. The stack of employment
papers included a form to request this document, and the form had a little
box for providing a fingerprint. Even though they were asking for a print
of just the right index finger, if they matched his print with one in the
FBI's database, he'd probably soon be working in food service at a
federally funded resort.
On the other hand, it occurred to Frank that maybe, just maybe, he might
still be able to get away with this. Perhaps the state didn't send those
fingerprint samples to the FBI at all. How could he find out?
How? He was a social engineer--how do you think he found out? He
placed a phone call to the state patrol: "Hi. We're doing a study for the
State Department of Justice. We're researching the requirements to
implement a new fingerprint identification system. Can I talk to
somebody there that's really familiar with what you're doing who could
maybe help us out?"
And when the local expert came on the phone, Frank asked a series of
questions about what systems they were using, and the capabilities to
search and store fingerprint data. Had they had any equipment problems?
Were they tied into the National Crime Information Center's (NCIC)
Fingerprint Search or just within the state? Was the equipment pretty easy
for everybody to learn to use?
Slyly, he sneaked the key question in among the rest.
The answer was music to his ears: No they weren't tied into the NCIC,
they only checked against the state's Criminal Information Index (CII).
MITNICK MESSAGE
Savvy information swindlers have no qualms about ringing up federal,
state, or local government officials to learn about the procedures of law
enforcement. With such information in hand, the social engineer may be
able to circumvent your company's standard security checks.
That was all Frank needed to know. He didn't have any record in that
state, so he submitted his application, was hired for the job, and nobody
ever showed up at his desk one day with the greeting, "These gentlemen,
are from the FBI and they'd like to have a little talk with you."
And, according to him, he proved to be a model employee.
ON THE DOORSTEP
In spite of the myth of the paperless office, companies continue to print
out reams of paper every day. Information in print at your company may
be vulnerable, even if you use security precautions and stamp it
confidential.
Here's one story that shows you how social engineers might obtain your
most secret documents.
Loop-Around Deception
Every year the phone company publishes a volume called the Test
Number Directory (or at least they used to, and because I am still on
supervised release, I'm not going to ask if they still do). This document
was highly prized by phone phreaks because it was packed with a list of
all the closely guarded phone numbers used by company craftsmen,
technicians, and others for things like trunk testing or checking numbers that
always ring busy.
One of these test numbers, known in the lingo as a loop-around, was
particularly useful. Phone phreaks used it as a way to find other phone
phreaks to chat with, at no cost to them. Phone phreaks also used it as a way
to create a call-back number to give to, say, a bank. A social engineer
would tell somebody at the bank the phone number to call to reach him at his
office. When the bank called back to the test number (loop-around) the
phone phreak would be able to receive the call, yet he had the protection
of having used a phone number that could not be traced back to him.
A Test Number Directory provided a lot of neat information that could be
used by any information-hungry, testosteroned, phone phreak. So when
the new directories were published each year, they were coveted by a lot
of youngsters whose hobby was exploring the telephone network.
MITNICK MESSAGE
Security training with respect to company policy designed to protect
information assets needs to be for everyone in the company, not just any
employee who has electronic or physical access to the company's IT
assets.
Stevie's Scam
Naturally phone companies don't make these books easy to get hold of, so
phone phreaks have to be creative to get one. How can they do this? An
eager youngster with a mind bent on acquiring the directory might enact a
scenario like this.
Late one day, a mild evening in the southern California autumn, a guy I'll
call Stevie phones a small telephone company central office, which is
the building from which phone lines run to all the homes and businesses
in the established service area.
When the switchman on duty answers the call, Stevie announces that he's
from the division of the phone company that publishes and distributes
printed materials. "We have your new Test Number Directory," he says.
"But for security reasons, we can't deliver your copy until we pick up the
old one. And the delivery guy is running late. If you wanna leave your
copy just outside your door, he can swing by, pick up yours, drop the new
one and be on his way."
The unsuspecting switchman seems to think that sounds reasonable. He
does exactly as asked, putting out on the doorstep of the building his copy
of the directory, its cover clearly marked in big red letters with the
words "COMPANY CONFIDENTIAL - WHEN NO LONGER NEEDED THIS
DOCUMENT MUST BE SHREDDED."
Stevie drives by and looks around carefully to spot any cops or phone
company security people who might be lurking behind trees or watching
for him from parked cars. Nobody in sight. He casually picks up the
coveted directory and drives away.
Here's just one more example of how easy it can be for a social engineer
to get what he wants by following the simple principle of "just ask for it."
GAS ATTACK
Not only company assets are at risk in a social engineering scenario.
Sometimes it's a company's customers who are the victims.
Working as a customer-service clerk brings its share of frustrations, its
share of laughs, and its share of innocent mistakes - some of which can
have unhappy consequences for a company's customers.
Janie Acton's Story
Janie Acton had been manning a cubicle as a customer service rep for
Hometown Electric Power, in Washington, D.C., for just over three years.
She was considered to be one of the better clerks, smart and conscientious.
It was Thanksgiving week when this one particular call came in. The
caller said, "This is Eduardo in the Billing Department. I've got a lady on
hold, she's a secretary in the executive offices that works for one of the
vice presidents, and she's asking for some information and I can't use my
computer. I got an email from this girl in Human Resources that said
'ILOVEYOU' and when I opened the attachment, I couldn't use my
machine any more. A virus. I got caught by a stupid virus. Anyways,
could you look up some customer information for me?"
"Sure," Janie answered. "It crashed your computer? That's terrible."
"Yeah."
"How can I help?" Janie asked.
Here the attacker called on information from his advance research to
make himself sound authentic. He had learned that the information he,
wanted was stored in something called the Customer Billing Information
System, and he had found out how employees referred to the system. He
asked, "Can you bring up an account on CBIS?"
"Yes, what's the account number?"
"I don't have the number; I need you to bring it up by name."
"Okay, what's the name?"
"It's Heather Marning." He spelled the name, and Janie typed it in.
"Okay, I have it up."
"Great. Is the account current?"
"Uh huh, it's current."
"What's the account number?" he asked.
"Do you have a pencil?"
"Ready to write."
"Account number BAZ6573NR27Q."
He read the number back and then said, "And what's the service
address?"
She gave him the address.
"And what's the phone?"
Janie obligingly read off that information, too.
The caller thanked her, said good-bye, and hung up. Janie went on to the
next call, never thinking further about it.
Art Sealy's Research Project
Art Sealy had given up working as a freelance editor for small publishing
houses when he found he could make more money doing research for
writers and businesses. He soon figured out that the fee he could charge
went up in proportion to how close the assignment took him to the
sometimes hazy line between the legal and the illegal. Without ever
realizing it, certainly without ever giving it a name, Art became a social
engineer, using techniques familiar to every information broker. He
turned out to have a native talent for the business, figuring out for himself
techniques that most social engineers had to learn from others. After a
while, he crossed the line without the least twinge of guilt.
A man contacted me who was writing a book about the Cabinet in the
Nixon years, and was looking for a researcher who could get the inside
scoop on William E. Simon, who had been Nixon's Treasury secretary.
Mr. Simon had died, but the author had the name of a woman who had
been on his staff. He was pretty sure she still lived in D.C., but hadn't
been able to get an address. She didn't have a telephone in her name, or at
least none that was listed. So that's when he called me. I told him, sure, no
problem.
This is the kind of job you can usually bring off in a phone call or two, if
you know what you're doing. Every local utility company can generally
be counted on to give the information away. Of course, you have to BS a
little. But what's a little white lie now and then - right?
I like to use a different approach each time, just to keep things interesting.
"This is so-and-so in the executive offices" has always worked well for
me. So has "I've got somebody on the line from Vice President
Somebody's office," which worked this time, too.
MITNICK MESSAGE
Never think all social engineering attacks need to be
elaborate ruses so complex that they're likely to be
recognized before they can be completed. Some are in-and-out,
strike-and-disappear, very simple attacks that are no
more than... well, just asking for it.
You have to sort of develop the social engineer's instinct, get a sense of
how cooperative the person on the other end is going to be with you. This
time I lucked out with a friendly, helpful lady. In a single phone call, I had
the address and phone number. Mission accomplished.
Analyzing the Con
Certainly Janie knew that customer information is sensitive. She would
never discuss one customer's account with another customer, or give out
private information to the public.
But naturally, for a caller from within the company, different rules apply.
For a fellow employee it's all about being a team player and helping each
other get the job done. The man from Billing could have looked up the
details himself if his computer hadn't been down with a virus, and she was
glad to be able to help a co-worker.
Art built up gradually to the key information he was really after, asking
questions along the way about things he didn't really need, such as the
account number. Yet at the same time, the account number information
provided a fallback: If the clerk had become suspicious, he'd call a
second time and stand a better chance of success, because knowing the
account number would make him sound all the more authentic to the next
clerk he reached.
It never occurred to Janie that somebody might actually lie about
something like this, that the caller might not really be from the billing
department at all. Of course, the blame doesn't lie at Janie's feet. She wasn't
well versed in the rule about making sure you know who you're talking to
before discussing information in a customer's file. Nobody had ever told
her about the danger of a phone call like the one from Art. It wasn't in the
company policy, it wasn't part of her training, and her supervisor had
never mentioned it.
PREVENTING THE CON
A point to include in your security training: Just because a caller or visitor
knows the names of some people in the company, or knows some of the
corporate lingo or procedures, doesn't mean he is who he claims to be.
And it definitely doesn't establish him as anybody authorized to be given
internal information, or access to your computer system or network.
Security training needs to emphasize: When in doubt, verify, verify,
verify.
In earlier times, access to information within a company was a mark of
rank and privilege. Workers stoked the furnaces, ran the machines, typed
the letters, and filed the reports. The foreman or boss told them what to
do, when, and how. It was the foreman or boss who knew how many
widgets each worker should be producing on a shift, how many and in
what colors and sizes the factory needed to turn out this week, next week,
and by the end of the month.
Workers handled machines and tools and materials, and bosses handled
information. Workers needed only the information specific to their
specific jobs.
The picture is a little different today, isn't it? Many factory workers use
some form of computer or computer-driven machine. For a large part of
the workforce, critical information is pushed down to the users' desktops
so that they can fulfill their responsibility to get their work done. In
today's environment, almost everything employees do involves the
handling of information.
That's why a company's security policy needs to be distributed enterprise-wide,
regardless of position. Everybody must understand that it's not just
the bosses and executives who have the information that an attacker might
be after. Today, workers at every level, even those who don't use a
computer, are liable to be targeted. The newly hired rep in the customer
service group may be just the weak link that a social engineer breaks to
achieve his objective.
Security training and corporate security policies need to strengthen that
link.
Chapter 4
Building Trust
Some of these stories might lead you to think that I believe everyone in
business is a complete idiot, ready, even eager, to give away every secret
in his or her possession. The social engineer knows that isn't true. Why are
social engineering attacks so successful? It isn't because people are stupid
or lack common sense. But we, as human beings, are all vulnerable to
being deceived because people can misplace their trust if manipulated in
certain ways.
The social engineer anticipates suspicion and resistance, and he's always
prepared to turn distrust into trust. A good social engineer plans his attack
like a chess game, anticipating the questions his target might ask so he can
be ready with the proper answers.
One of his common techniques involves building a sense of trust on the
part of his victims. How does a con man make you trust him? Trust me,
he can.
TRUST: THE KEY TO DECEPTION
The more a social engineer can make his contact seem like business as
usual, the more he allays suspicion. When people don't have a reason to
be suspicious, it's easy for a social engineer to gain their trust.
Once he's got your trust, the drawbridge is lowered and the castle door
thrown open so he can enter and take whatever information he wants.
NOTE
You may notice I refer to social engineers, phone phreaks, and con-game
operators as "he" through most of these stories. This is not
chauvinism; it simply reflects the truth that most practitioners in
these fields are male. But though there aren't many women social
engineers, the number is growing. There are enough female social
engineers out there that you shouldn't let your guard down just
because you hear a woman's voice. In fact, female social engineers
have a distinct advantage because they can use their sexuality to
obtain cooperation. You'll find a small number of the so-called
gentler sex represented in these pages.
The First Call: Andrea Lopez
Andrea Lopez answered the phone at the video rental store where she
worked, and in a moment was smiling: It's always a pleasure when a
customer takes the trouble to say he's happy about the service. This caller
said he had had a very good experience dealing with the store, and he
wanted to send the manager a letter about it.
He asked for the manager's name and the mailing address, and she told
him it was Tommy Allison, and gave him the address. As he was about to
hang up, he had another idea and said, "I might want to write to your
company headquarters, too. What's your store number?" She gave him
that information, as well. He said thanks, added something pleasant about
how helpful she had been, and said goodbye.
"A call like that," she thought, "always seems to make the shift go by
faster. How nice it would be if people did that more often."
The Second Call: Ginny
"Thanks for calling Studio Video. This is Ginny, how can I help you?"
"Hi, Ginny," the caller said enthusiastically, sounding as if he talked to
Ginny every week or so. "It's Tommy Allison, manager at Forest Park,
Store 863. We have a customer in here who wants to rent Rocky 5 and
we're all out of copies. Can you check on what you've got?"
She came back on the line after a few moments and said, "Yeah, we've
got three copies."
"Okay, I'll see if he wants to drive over there. Listen, thanks. If you ever
need any help from our store, just call and ask for Tommy. I'll be glad to
do whatever I can for you."
Three or four times over the next couple of weeks, Ginny got calls from
Tommy for help with one thing or another. They were seemingly
legitimate requests, and he was always very friendly without sounding
like he was trying to come on to her. He was a little chatty along the way,
as well - "Did you hear about the big fire in Oak Park? Bunch of streets
closed over there," and the like. The calls were a little break from the
routine of the day, and Ginny was always glad to hear from him.
One day Tommy called sounding stressed. He asked, "Have
you guys been having trouble with your computers?"
"No," Ginny answered. "Why?"
"Some guy crashed his car into a telephone pole, and the phone company
repairman says a whole part of the city will lose their phones and Internet
connection till they get this fixed."
"Oh, no. Was the man hurt?"
"They took him away in an ambulance. Anyway, I could use a little help.
I've got a customer of yours here who wants to rent Godfather II and
doesn't have his card with him. Could you verify his information for me?"
"Yeah, sure."
Tommy gave the customer's name and address, and Ginny found him in
the computer. She gave Tommy the account number.
"Any late returns or balance owed?" Tommy asked.
"Nothing showing."
"Okay, great. I'll sign him up by hand for an account here and put it in our
database later on when the computers come back up again. And he wants
to put this charge on the Visa card he uses at your store, and he doesn't
have it with him. What's the card number and expiration date?"
She gave it to him, along with the expiration date. Tommy said, "Hey,
thanks for the help. Talk to you soon," and hung up.
Doyle Lonnegan's Story
Lonnegan is not a young man you would want to find waiting when you
open your front door. A one-time collection man for bad gambling debts,
he still does an occasional favor, if it doesn't put him out very much. In
this case, he was offered a sizable bundle of cash for little more than
making some phone calls to a video store. Sounds easy enough. It's just
that none of his "customers" knew how to run this con; they needed
somebody with Lonnegan's talent and know-how.
People don't write checks to cover their bets when they're unlucky or stupid
at the poker table. Everybody knows that. Why did these friends of
mine keep on playing with a cheat that didn't have green out on the table?
Don't ask. Maybe they're a little light in the IQ department. But they're
friends of mine--what can you do?
This guy didn't have the money, so they took a check. I ask you! Should
of drove him to an ATM machine, is what they should of done. But no,
a check. For $3,230.
Naturally, it bounced. What would you expect? So then they call me;
can I help? I don't close doors on people's knuckles any more. Besides,
there are better ways nowadays. I told them, 30 percent commission, I'd
see what I could do. So they give me his name and address, and I go up
on the computer to see what's the closest video store to him.
I wasn't in a big hurry. Four phone calls to cozy up to the store manager,
and then, bingo, I've got the cheat's Visa card number.
Another friend of mine owns a topless bar. For fifty bucks, he put the
guy's poker money through as a Visa charge from the bar. Let the cheat
explain that to his wife. You think he might try to tell Visa it's not his
charge? Think again. He knows we know who he is. And if we could get
his Visa number, he'll figure we could get a lot more besides. No worries
on that score.
Analyzing the Con
Tommy's initial calls to Ginny were simply to build up trust. When time
came for the actual attack, she let her guard down and accepted Tommy
for who he claimed to be, the manager at another store in the chain.
And why wouldn't she accept him--she already knew him. She'd only
met him over the telephone, of course, but they had established a business
friendship that is the basis for trust. Once she had accepted him as an
authority figure, a manager in the same company, the trust had been
established and the rest was a walk in the park.
MITNICK MESSAGE
The sting technique of building trust is one of the most effective social
engineering tactics. You have to think whether you really know the person
you're talking to. In some rare instances, the person might not be who he
claims to be. Accordingly, we all have to learn to observe, think, and
question authority.
VARIATION ON A THEME: CARD CAPTURE
Building a sense of trust doesn't necessarily demand a series of phone
calls with the victim, as suggested by the previous story. I recall one
incident I witnessed where five minutes was all it took.
Surprise, Dad
I once sat at a table in a restaurant with Henry and his father. In the course
of conversation, Henry scolded his father for giving out his credit card
number as if it were his phone number. "Sure, you have to give your card
number when you buy something," he said. "But giving it to a store that
files your number in their records - that's real dumb."
"The only place I do that is at Studio Video," Mr. Conklin said, naming
the same chain of video stores. "But I go over my Visa bill every month.
If they started running up charges, I'd know it."
"Sure," said Henry, "but once they have your number, it's so easy for
somebody to steal it."
"You mean a crooked employee."
"No, anybody - not just an employee."
"You're talking through your hat," Mr. Conklin said.
"I can call up right now and get them to tell me your Visa number," Henry
shot back.
"No, you can't," his father said.
"I can do it in five minutes, right here in front of you without ever leaving
the table."
Mr. Conklin looked tight around the eyes, the look of somebody feeling
sure of himself, but not wanting to show it. "I say you don't know what
you're talking about," he barked, taking out his wallet and slapping a
fifty-dollar bill down on the table. "If you can do what you say, that's
yours."
"I don't want your money, Dad," Henry said.
He pulled out his cell phone, asked his father which branch he used, and
called Directory Assistance for the phone number, as well as the number
of the store in nearby Sherman Oaks.
He then called the Sherman Oaks store. Using pretty much the same
approach described in the previous story, he quickly got the manager's
name and the store number.
Then he called the store where his father had an account. He pulled the
old impersonate-the-manager trick, using the manager's name as his own
and giving the store number he had just obtained. Then he used the same
ruse: "Are your computers working okay? Ours have been up and down."
He listened to her reply and then said, "Well, look, I've got one of your
customers here who wants to rent a video, but our computers are down
right now. I need you to look up the customer account and make sure he's
a customer at your branch."
Henry gave her his father's name. Then, using only a slight variation in
technique, he made the request to read off the account information:
address, phone number, and date the account was opened. And then he
said, "Hey, listen, I'm holding up a long line of customers here. What's
the credit card number and expiration date?"
Henry held the cell phone to his ear with one hand while he wrote on a
paper napkin with the other. As he finished the call, he slid the napkin in
front of his father, who stared at it with his mouth hanging open. The
poor guy looked totally shocked, as if his whole system of trust had
just gone down the drain.
Analyzing the Con
Think of your own attitude when somebody you don't know asks you for
something. If a shabby stranger comes to your door, you're not likely to
let him in; if a stranger comes to your door nicely dressed, shoes shined,
hair perfect, with polite manner and a smile, you're likely to be much less
suspicious. Maybe he's really Jason from the Friday the 13th movies, but
you're willing to start out trusting that person as long as he looks normal
and doesn't have a carving knife in his hand.
What's less obvious is that we judge people on the telephone the same
way. Does this person sound like he's trying to sell me something? Is he
friendly and outgoing or do I sense some kind of hostility or pressure?
Does he or she have the speech of an educated person? We judge these
things and perhaps a dozen others unconsciously, in a flash, often in the
first few moments of the conversation.
MITNICK MESSAGE
It's human nature to think that it's unlikely you're being deceived in any
particular transaction, at least until you have some reason to believe
otherwise. We weigh the risks and then, most of the time, give people the
benefit of the doubt. That's the natural behavior of civilized people... at
least civilized people who have never been conned or manipulated or
cheated out of a large amount of money.
As children our parents taught us not to trust strangers. Maybe we should
all heed this age-old principle in today's workplace.
At work, people make requests of us all the time. Do you have an email
address for this guy? Where's the latest version of the customer list?
Who's the subcontractor on this part of the project? Please send me the
latest project update. I need the new version of the source code.
And guess what: Sometimes people who make those requests are people
you don't personally know, folks who work for some other part of the
company, or claim they do. But if the information they give checks out,
and they appear to be in the know ("Marianne said . . ."; "It's on the K-16
server..."; "... revision 26 of the new product plans"), we extend our circle
of trust to include them, and blithely give them what they're asking for.
Sure, we may stumble a little, asking ourselves "Why does somebody in
the Dallas plant need to see the new product plans?" or "Could it hurt
anything to give out the name of the server it's on?" So we ask another
question or two. If the answers appear reasonable and the person's manner
is reassuring, we let down our guard, return to our natural inclination to
trust our fellow man or woman, and do (within reason) whatever it is
we're being asked to do.
And don't think for a moment that the attacker will only target people who
use company computer systems. What about the guy in the mail room?
"Will you do me a quick favor? Drop this into the intra company mail
pouch?" Does the mail room clerk know it contains a floppy disk with a
special little program for the CEO's secretary? Now that attacker gets his
own personal copy of the CEO's email. Wow! Could that really happen at
your company? The answer is, absolutely.
THE ONE-CENT CELL PHONE
Many people look around until they find a better deal; social engineers
don't look for a better deal, they find a way to make a deal better. For
example, sometimes a company launches a marketing campaign that's so
good you can hardly bear to pass it up, while the social engineer looks at
the offer and wonders how he can sweeten the deal.
Not long ago, a nationwide wireless company had a major promotion
underway offering a brand-new phone for one cent when you signed up
for one of their calling plans.
As lots of people have discovered too late, there are a good many
questions a prudent shopper should ask before signing up for a cell phone
calling plan: whether the service is analog, digital, or a combination; the
number of anytime minutes you can use in a month; whether roaming
charges are included... and on, and on. Especially important to understand
up front is the contract term of commitment - how many months or years
will you have to commit to?
Picture a social engineer in Philadelphia who is attracted by a cheap
phone model offered by a cellular phone company on sign-up, but he
hates the calling plan that goes with it. Not a problem. Here's one way he
might handle the situation.
The First Call: Ted
First, the social engineer dials an electronics chain store on West Girard.
"Electron City. This is Ted."
"Hi, Ted. This is Adam. Listen, I was in a few nights ago talking to a
sales guy about a cell phone. I said I'd call him back when I decided on
the plan I wanted, and I forgot his name. Who's the guy who works in that
department on the night shift?"
"There's more than one. Was it William?"
"I'm not sure. Maybe it was William. What's he look like?"
"Tall guy. Kind of skinny."
"I think that's him. What's his last name, again?"
"Hadley. H-A-D-L-E-Y."
"Yeah, that sounds right. When's he going to be on?"
"Don't know his schedule this week, but the evening people come in about
five."
"Good. I'll try him this evening, then. Thanks, Ted."
The Second Call: Katie
The next call is to a store of the same chain on North Broad Street.
"Hi, Electron City. Katie speaking, how can I help you?"
"Katie, hi. This is William Hadley, over at the West Girard store. How're
you today?"
"Little slow, what's up?"
"I've got a customer who came in for that one-cent cell phone program.
You know the one I mean?"
"Right. I sold a couple of those last week."
"You still have some of the phones that go with that plan?"
"Got a stack of them."
"Great. 'Cause I just sold one to a customer. The guy passed credit; we
signed him up on the contract. I checked the damned inventory and we
don't have any phones left. I'm so embarrassed. Can you do me a favor?
I'll send him over to your store to pick up a phone. Can you sell him the
phone for one cent and write him up a receipt? And he's supposed to call
me back once he's got the phone so I can talk him through how to
program it."
"Yeah, sure. Send him over."
"Okay. His name is Ted. Ted Yancy."
When the guy who calls himself Ted Yancy shows up at the North Broad
St. store, Katie writes up an invoice and sells him the cell phone for one
cent, just as she had been asked to do by her "co-worker." She fell for the
con hook, line, and sinker.
When it's time to pay, the customer doesn't have any pennies in his
pocket, so he reaches into the little dish of pennies at the cashier's counter,
takes one out, and gives it to the girl at the register. He gets the phone
without paying even the one cent for it.
He's then free to go to another wireless company that uses the same model
of phone, and choose any service plan he likes. Preferably one on a
month-to-month basis, with no commitment required.
Analyzing the Con
It's natural for people to have a higher degree of acceptance for anyone
who claims to be a fellow employee, and who knows company procedures
and lingo. The social engineer in this story took advantage of that by
finding out the details of a promotion, identifying himself as a company
employee, and asking for a favor from another branch. This happens
between branches of retail stores and between departments in a company,
where people are physically separated and deal day in and day out with
fellow employees they have never actually met.
HACKING INTO THE FEDS
People often don't stop to think about what materials their organization is
making available on the Web. For my weekly show on KFI Talk Radio in
Los Angeles, the producer did a search on line and found a copy of an
instruction manual for accessing the database of the National Crime
Information Center. Later he found the actual NCIC manual itself on line,
a sensitive document that gives all the instructions for retrieving
information from the FBI's national crime database.
The manual is a handbook for law enforcement agencies that gives the
formatting and codes for retrieving information on criminals and crimes
from the national database. Agencies all over the country can search the
same database for information to help solve crimes in their own
jurisdiction. The manual contains the codes used in the database for
designating everything from different kinds of tattoos, to different boat
hulls, to denominations of stolen money and bonds.
Anybody with access to the manual can look up the syntax and the
commands to extract information from the national database. Then,
following instructions from the procedures guide, with a little nerve,
anyone can extract information from the database. The manual also gives
phone numbers to call for support in using the system. You may have
similar manuals in your company offering product codes or codes for
retrieving sensitive information.
The FBI almost certainly has never discovered that their sensitive manual
and procedural instructions are available to anyone on line, and I don't
think they'd be very happy about it if they knew. One copy was posted by
a government department in Oregon, the other by a law enforcement
agency in Texas. Why? In each case, somebody probably thought the
information was of no value and posting it couldn't do any harm. Maybe
somebody posted it on their intranet just as a convenience to their own
employees, never realizing that it made the information available to
everyone on the Internet who has access to a good search engine such as
Google - including the just-plain-curious, the wannabe cop, the hacker,
and the organized crime boss.
Tapping into the System
The principle of using such information to dupe someone in the
government or a business setting is the same: Because a social engineer
knows how to access specific databases or applications, or knows the
names of a company's computer servers, or the like, he gains credibility.
Credibility leads to trust.
Once a social engineer has such codes, getting the information he needs
is an easy process. In this example, he might begin by calling a clerk in a
local state police Teletype office, and asking a question about one of the
codes in the manual - for example, the offense code. He might say
something like, "When I do an OFF inquiry in the NCIC, I'm getting a
'System is down' error. Are you getting the same thing when you do an
OFF? Would you try it for me?" Or maybe he'd say he was trying to look
up a WPF - police talk for a wanted person's file.
The Teletype clerk on the other end of the phone would pick up the cue
that the caller was familiar with the operating procedures and the
commands to query the NCIC database. Who else other than someone
trained in using NCIC would know these procedures?
After the clerk has confirmed that her system is working okay, the
conversation might go something like this:
"I could use a little help."
"What're you looking for?"
"I need you to do an OFF command on Reardon, Martin. DOB
10/18/66."
"What's the sosh?" (Law enforcement people sometimes refer to the
social security number as the sosh.)
"700-14-7435."
After looking for the listing, she might come back with something like,
"He's got a 2602."
The attacker would only have to look at the NCIC on line to find the
meaning of the number: The man has a case of swindling on his record.
Analyzing the Con
An accomplished social engineer wouldn't stop for a minute to ponder
ways of breaking into the NCIC database. Why should he, when a simple
call to his local police department, and some smooth talking so he sounds
convincingly like an insider, is all it takes to get the information he wants?
And the next time, he just calls a different police agency and uses the
same pretext.
LINGO
SOSH: Law enforcement slang for a social security number
You might wonder, isn't it risky to call a police department, a sheriff's
station, or a highway patrol office? Doesn't the attacker run a huge risk?
The answer is no... and for a specific reason. People in law enforcement,
like people in the military, have ingrained in them from the first day in the
academy a respect for rank. As long as the social engineer is posing as a
sergeant or lieutenant - a higher rank than the person he's talking to - the
victim will be governed by that well-learned lesson that says you don't
question people who are in a position of authority over you. Rank, in
other words, has its privileges, in particular the privilege of not being
challenged by people of lower rank.
But don't think law enforcement and the military are the only places
where this respect for rank can be exploited by the social engineer. Social
engineers often use authority or rank in the corporate hierarchy as a
weapon in their attacks on businesses - as a number of the stories in these
pages demonstrate.
PREVENTING THE CON
What are some steps your organization can take to reduce the likelihood
that social engineers will take advantage of your employees' natural
instinct to trust people? Here are some suggestions.
Protect Your Customers
In this electronic age many companies that sell to the consumer keep
credit cards on file. There are reasons for this: It saves the customer the
nuisance of having to provide the credit card information each time he
visits the store or the Web site to make a purchase. However, the practice
should be discouraged.
If you must keep credit card numbers on file, that process needs to be
accompanied by security provisions that go beyond encryption or using
access control. Employees need to be trained to recognize social
engineering scams like the ones in this chapter. That fellow employee
you've never met in person but who has become a telephone friend may
not be who he or she claims to be. He may not have the "need to know" to
access sensitive customer information, because he may not actually work
for the company at all.
MITNICK MESSAGE
Everyone should be aware of the social engineer's modus operandi:
Gather as much information about the target as possible, and use that
information to gain trust as an insider. Then go for the jugular!
Trust Wisely
It's not just the people who have access to clearly sensitive information -
the software engineers, the folks in R&D, and so on - who need to be on
the defensive against intrusions. Almost everyone in your organization
needs training to protect the enterprise from industrial spies and
information thieves.
Laying the groundwork for this should begin with a survey of enterprise-wide
information assets, looking separately at each sensitive, critical, or
valuable asset, and asking what methods an attacker might use to
compromise those assets through the use of social engineering tactics.
Appropriate training for people who have trusted access to such
information should be designed around the answers to these questions.
When anyone you don't know personally requests some information or
material, or asks you to perform any task on your computer, have your
employees ask themselves some questions. If I gave this information to
my worst enemy, could it be used to injure me or my company? Do I
completely understand the potential effect of the commands I am being
asked to enter into my computer?
We don't want to go through life being suspicious of every new person we
encounter. Yet the more trusting we are, the more likely that the next
social engineer to arrive in town will be able to deceive us into giving up
our company's proprietary information.
What Belongs on Your Intranet?
Parts of your intranet may be open to the outside world, other parts
restricted to employees. How careful is your company in making sure
sensitive information isn't posted where it's accessible to audiences you
meant to protect it from? When is the last time anyone in your
organization checked to see if any sensitive information on your
company's intranet had inadvertently been made available through the
public-access areas of your Web site?
If your company has implemented proxy servers as intermediaries to
protect the enterprise from electronic security threats, have those servers
been checked recently to be sure they're configured properly?
In fact, has anyone ever checked the security of your intranet?
Chapter 5
"Let Me Help You"
We're all grateful when we're plagued by a problem and somebody with
the knowledge, skill, and willingness comes along offering to lend us a
hand. The social engineer understands that, and knows how to take
advantage of it.
He also knows how to cause a problem for you... then make you grateful
when he resolves the problem... and finally play on your gratitude to
extract some information or a small favor from you that will leave your
company (or maybe you, individually) very much worse off for the
encounter. And you may never even know you've lost something of value.
Here are some typical ways that social engineers step forward to "help."
THE NETWORK OUTAGE
Day/Time: Monday, February 12, 3:25 p.m.
Place: Offices of Starboard Shipbuilding
The First Call: Tom Delay
"Tom DeLay, Bookkeeping."
"Hey, Tom, this is Eddie Martin from the Help Desk. We're trying to
troubleshoot a computer networking problem. Do you know if anyone in
your group has been having trouble staying on line?"
"Uh, not that I know of."
"And you're not having any problems yourself."
"No, seems fine."
"Okay, that's good. Listen, we're calling people who might be affected
'cause it's important you let us know right away if you lose your network
connection."
"That doesn't sound good. You think it might happen?"
"We hope not, but you'll call if it does, right?"
"You better believe it."
"Listen, sounds like having your network connection go down would be a
problem for you..."
"You bet it would."
"... so while we're working on this, let me give you my cell phone
number. Then you can reach me directly if you need to."
"That'd be great. Go ahead."
"It's 555 867 5309."
"555 867 5309. Got it. Hey, thanks. What was your name again?"
"It's Eddie. Listen, one other thing--I need to check which port your
computer is connected to. Take a look on your computer and see if there's
a sticker somewhere that says something like 'Port Number'."
"Hang on... No, don't see anything like that."
"Okay, then in the back of the computer, can you recognize the network
cable?"
"Yeah."
"Trace it back to where it's plugged in. See if there's a label on the jack it's
plugged into."
"Hold on a second. Yeah, wait a minute - I have to squat down here so I
can get close enough to read it. Okay - it says Port 6 dash 47."
"Good - that's what we had you down as, just making sure."
The Second Call: The IT Guy
Two days later, a call came through to the same company's Network
Operations Center.
"Hi, this is Bob; I'm in Tom DeLay's office in Bookkeeping. We're trying
to troubleshoot a cabling problem. I need you to disable Port 6-47."
The IT guy said it would be done in just a few minutes, and to let them
know when he was ready to have it enabled.
The Third Call: Getting Help from the Enemy
About an hour later, the guy who called himself Eddie Martin was
shopping at Circuit City when his cell phone rang. He checked the caller
ID, saw the call was from the shipbuilding company, and hurried to a
quiet spot before answering.
"Help Desk, Eddie."
"Oh, hey, Eddie. You've got an echo, where are you?"
"I'm, uh, in a cabling closet. Who's this?"
"It's Tom DeLay. Boy, am I glad I got ahold of you. Maybe you
remember you called me the other day? My network connection just went
down like you said it might, and I'm a little panicky here."
"Yeah, we've got a bunch of people down right now. We should have it
taken care of by the end of the day. That okay?"
"NO! Damn, I'll get way behind if I'm down that long. What's the best you
can do for me?"
"How pressed are you?"
"I could do some other things for right now. Any chance you could take
care of it in half an hour?"
"HALF AN HOUR! You don't want much. Well, look, I'll drop what I'm
doing and see if I can tackle it for you."
"Hey, I really appreciate that, Eddie."
The Fourth Call: Gotcha!
Forty-five minutes later...
"Tom? It's Eddie. Go ahead and try your network connection."
After a couple of moments:
"Oh, good, it's working. That's just great."
"Good, glad I could take care of it for you."
"Yeah, thanks a lot."
"Listen, if you want to make sure your connection doesn't go down again,
there's some software you oughta be running. Just take a couple of
minutes."
"Now's not the best time."
"I understand... It could save us both big headaches the next time this
network problem happens."
"Well . . . if it's only a few minutes."
"Here's what you do..."
Eddie then took Tom through the steps of downloading a small
application from a Web site. After the program had downloaded, Eddie
told Tom to double-click on it. He tried, but reported:
"It's not working. It's not doing anything."
"Oh, what a pain. Something must be wrong with the program. Let's just
get rid of it, we can try again another time." And he talked Tom through
the steps of deleting the program so it couldn't be recovered.
Total elapsed time, twelve minutes.
The Attacker's Story
Bobby Wallace always thought it was laughable when he picked up a
good assignment like this one and his client pussyfooted around the
unasked but obvious question of why they wanted the information. In this
case he could only think of two reasons. Maybe they represented some
outfit that was interested in buying the target company, Starboard
Shipbuilding, and wanted to know what kind of financial shape they were
really in - especially all the stuff the target might want to keep hidden
from a potential buyer. Or maybe they represented investors who thought
there was something fishy about the way the money was being handled
and wanted to find out whether some of the executives had a case of
hands-in-the-cookie-jar.
And maybe his client also didn't want to tell him the real reason because,
if Bobby knew how valuable the information was, he'd probably want
more money for doing the job.
There are a lot of ways to crack into a company's most secret files. Bobby
spent a few days mulling over the choices and doing a little checking
around before he decided on a plan. He settled on one that called for an
approach he especially liked, where the target is set up so that he asks the
attacker for help.
For starters, Bobby picked up a $39.95 cell phone at a convenience store.
He placed a call to the man he had chosen as his target, passed himself off
as being from the company help desk, and set things up so the man would
call Bobby's cell phone any time he found a problem with his network
connection.
He left a pause of two days so as not to be too obvious, and then made a
call to the network operations center (NOC) at the company. He claimed
he was trouble-shooting a problem for Tom, the target, and asked to have
Tom's network connection disabled. Bobby knew this was the trickiest
part of the whole escapade - in many companies, the help desk people
work closely with the NOC; in fact, he knew the help desk is often part of
the IT organization. But the indifferent NOC guy he spoke with treated
the call as routine, didn't ask for the name of the help desk person who
was supposedly working on the networking problem, and agreed to
disable the target's network port. When done, Tom would be totally
isolated from the company's intranet, unable to retrieve files from the
server, exchange files with his co-workers, download his email, or even
send a page of data to the printer. In today's world, that's like living in a
cave.
As Bobby expected, it wasn't long before his cell phone rang. Of course
he made himself sound eager to help this poor "fellow employee" in
distress. Then he called the NOC and had the man's network connection
turned back on. Finally, he called the man and manipulated him once
again, this time making him feel guilty for saying no after Bobby had
done him a favor. Tom agreed to the request that he download a piece of
software to his computer.
Of course, what he agreed to wasn't exactly what it seemed. The software
that Tom was told would keep his network connection from going down,
was really a Trojan Horse, a software application that did for Tom's
computer what the original deception did for the Trojans: It brought the
enemy inside the camp. Tom reported that nothing happened when he
double-clicked on the software icon; the fact was that, by design, he
couldn't see anything happening, even though the small application was
installing a secret program that would allow the infiltrator covert access to
Tom's computer.
With the software running, Bobby was provided with complete control
over Tom's computer, an arrangement known as a remote command shell.
When Bobby accessed Tom's computer, he could look for the accounting
files that might be of interest and copy them. Then, at his leisure, he'd
examine them for the information that would give his clients what they
were looking for.
LINGO
TROJAN HORSE: A program containing malicious or harmful code,
designed to damage the victim's computer or files, or obtain information
from the victim's computer or network. Some Trojans are designed to hide
within the computer's operating system and spy on every keystroke or
action, or accept instruction over a network connection to perform some
function, all without the victim being aware of its presence.
And that wasn't all. He could go back at any time to search through the
email messages and private memos of the company's executives, running
a text search for words that might reveal any interesting tidbits of
information.
Late on the night that he conned his target into installing the Trojan Horse
software, Bobby threw the cell phone into a Dumpster. Of course he was
careful to clear the memory first and pull the battery out before he tossed
it - the last thing he wanted was for somebody to call the cell phone's
number by mistake and have the phone start ringing!
Analyzing the Con
The attacker spins a web to convince the target he has a problem that, in
fact, doesn't really exist - or, as in this case, a problem that hasn't
happened yet, but that the attacker knows will happen because he's going
to cause it. He then presents himself as the person who can provide the
solution.
The setup in this kind of attack is particularly juicy for the attacker:
Because of the seed planted in advance, when the target discovers he has
a problem, he himself makes the phone call to plead for help. The attacker
just sits and waits for the phone to ring, a tactic fondly known in the trade
as reverse social engineering. An attacker who can make the target call him
gains instant credibility: If I place a call to someone I think is on the help
desk, I'm not going to start asking him to prove his identity. That's when
the attacker has it made.
LINGO
REMOTE COMMAND SHELL: A non-graphical interface that accepts
text-based commands to perform certain functions or run programs. An
attacker who exploits technical vulnerabilities or is able to install a Trojan
Horse program on the victim's computer may be able to obtain remote
access to a command shell.
REVERSE SOCIAL ENGINEERING: A social engineering attack in which
the attacker sets up a situation where the victim encounters a problem and
contacts the attacker for help. Another form of reverse social engineering
turns the tables on the attacker. The target recognizes the attack, and uses
psychological principles of influence to draw out as much information as
possible from the attacker so that the business can safeguard targeted
assets.
MITNICK MESSAGE
If a stranger does you a favor, then asks you for a favor, don't reciprocate
without thinking carefully about what he's asking for.
In a con like this one, the social engineer tries to pick a target who is
likely to have limited knowledge of computers. The more he knows, the
more likely that he'll get suspicious, or just plain figure out that he's being
manipulated. What I sometimes call the computer-challenged worker,
who is less knowledgeable about technology and procedures, is more
likely to comply. He's all the more likely to fall for a ruse like "Just
download this little program," because he has no idea of the potential
damage a software program can inflict. What's more, there's a much
smaller chance he'll understand the value of the information on the
computer network that he's placing at risk.
A LITTLE HELP FOR THE NEW GAL
New employees are a ripe target for attackers. They don't know many
people yet, they don't know the procedures or the dos and don'ts of the
company. And, in the name of making a good first impression, they're
eager to show how cooperative and quick to respond they can be.
Helpful Andrea
"Human Resources, Andrea Calhoun."
"Andrea, hi, this is Alex, with Corporate Security."
"Yes?"
"How're you doing today?"
"Okay. What can I help you with?"
"Listen, we're developing a security seminar for new employees and we
need to round up some people to try it out on. I want to get the name and
phone number of all the new hires in the past month. Can you help me
with that?"
"I won't be able to get to it 'til this afternoon. Is that okay?"
"What's your extension?"
"Sure, okay, it's 52 . . . oh, uh, but I'll be in meetings most of today. I'll
call you when I'm back in my office, probably after four."
When Alex called about 4:30, Andrea had the list ready, and read him the
names and extensions.
A Message for Rosemary
Rosemary Morgan was delighted with her new job. She had never worked
for a magazine before and was finding the people much friendlier than she
expected, a surprise because of the never-ending pressure most of the staff
was always under to get yet another issue finished by the monthly
deadline. The call she received one Thursday morning reconfirmed that
impression of friendliness.
"Is that Rosemary Morgan?"
"Yes."
"Hi, Rosemary. This is Bill Jorday, with the Information Security
group."
"Yes?"
"Has anyone from our department discussed best security practices with
you?"
"I don't think so."
"Well, let's see. For starters, we don't allow anybody to install software
brought in from outside the company. That's because we don't want any
liability for unlicensed use of software. And to avoid any problems with
software that might have a worm or a virus."
"Okay."
"Are you aware of our email policies?"
"No."
"What's your current email address?"
"Rosemary@ttrzine.net."
"Do you sign in under the username Rosemary?"
"No, it's R underscore Morgan."
"Right. We like to make all our new employees aware that it can be
dangerous to open any email attachment you aren't expecting. Lots of
viruses and worms get sent around and they come in emails that seem to
be from people you know. So if you get an email with an attachment you
weren't expecting you should always check to be sure the person listed as
sender really did send you the message. You understand?"
"Yes, I've heard about that."
"Good. And our policy is that you change your password every ninety
days. When did you last change your password?"
"I've only been here three weeks; I'm still using the one I first set."
"Okay, that's fine. You can wait the rest of the ninety days. But we need
to be sure people are using passwords that aren't too easy to guess. Are
you using a password that consists of both letters and numbers?"
"No."
"We need to fix that. What password are you using now?"
"It's my daughter's name - Annette."
"That's really not a secure password. You should never choose a password
that's based on family information. Well, let's see... you could do the same
thing I do. It's okay to use what you're using now as the first part of the
password, but then each time you change it, add a number for the current
month."
"So if I did that now, for March, would I use three, or oh-three?"
"That's up to you. Which would you be more comfortable with?"
"I guess Annette-three."
"Fine. Do you want me to walk you through how to make the change?"
"No, I know how."
"Good. And one more thing we need to talk about. You have anti-virus
software on your computer and it's important to keep it up to date. You
should never disable the automatic update even if your computer slows
down every once in a while. Okay?"
"Sure."
"Very good. And do you have our phone number over here,
so you can call us if you have any computer problems?"
She didn't. He gave her the number, she wrote it down carefully, and went
back to work, once again, pleased at how well taken care of she felt.
Analyzing the Con
This story reinforces an underlying theme you'll find throughout this
book: The most common information that a social engineer wants from an
employee, regardless of his ultimate goal, is the target's authentication
credentials. With an account name and password in hand from a single
employee in the right area of the company, the attacker has what he needs
to get inside and locate whatever information he's after. Having this
information is like finding the keys to the kingdom; with them in hand, he
can move freely around the corporate landscape and find the treasure he
seeks.
MITNICK MESSAGE
Before new employees are allowed access to any company
computer systems, they must be trained to follow good security
practices, especially policies about never disclosing their
passwords.
NOT AS SAFE AS YOU THINK
"The company that doesn't make an effort to protect its sensitive
information is just plain negligent." A lot of people would agree with that
statement. And the world would be a better place if life were so obvious
and so simple. The truth is that even those companies that do make an
effort to protect confidential information may be at serious risk.
Here's a story that illustrates once again how companies fool themselves
every day into thinking their security practices, designed by experienced,
competent, professionals, cannot be circumvented.
Steve Cramer's Story
It wasn't a big lawn, not one of those expensively seeded spreads. It
garnered no envy. And it certainly wasn't big enough to give him an
excuse for buying a sit-down mower, which was fine because he wouldn't
have used one anyway. Steve enjoyed cutting the grass with a handmower
because it took longer, and the chore provided a convenient excuse
to focus on his own thoughts instead of listening to Anna telling him
stories about the people at the bank where she worked or explaining
errands for him to do. He hated those honey-do lists that had become an
integral part of his weekends. It flashed through his mind that 12-year-old
Pete was damn smart to join the swimming team. Now he'd have to be at
practice or a meet every Saturday so he wouldn't get stuck with Saturday
chores.
Some people might think Steve's job designing new devices for
GeminiMed Medical Products was boring; Steve knew he was saving
lives. Steve thought of himself as being in a creative line of work. Artist,
music composer, engineer - in Steve's view they all faced the same kind
of challenge he did: They created something that no one had ever done
before. And his latest, an intriguingly clever new type of heart stent,
would be his proudest achievement yet.
It was almost 11:30 on this particular Saturday, and Steve was annoyed
because he had almost finished cutting the grass and hadn't made any real
progress in figuring out how to reduce the power requirement on the heart
stent, the last remaining hurdle. A perfect problem to mull over while
mowing, but no solution had come.
Anna appeared at the door, her hair covered in the red paisley cowboy
scarf she always wore when dusting. "Phone call," she shouted to him.
"Somebody from work."
"Who?" Steve shouted back.
"Ralph something. I think."
Ralph? Steve couldn't remember anybody at GeminiMed named Ralph
who might be calling on a weekend. But Anna probably had the name
wrong.
"Steve, this is Ramon Perez in Tech Support." Ramon - how in the world
did Anna get from a Hispanic name to Ralph, Steve wondered.
"This is just a courtesy call," Ramon was saying. "Three of the servers
are down, we think maybe a worm, and we have to wipe the drives and
restore from backup. We should be able to have your files up and running
by Wednesday or Thursday. If we're lucky."
"Absolutely unacceptable," Steve said firmly, trying not to let his
frustration take over. How could these people be so stupid? Did they
really think he could manage without access to his files all weekend and
most of next week? "No way. I'm going to sit down at my home terminal
in just about two hours and I will need access to my files. Am I making
this clear?"
"Yeah, well, everybody I've called so far wants to be at the top of the list.
I gave up my weekend to come in and work on this and it's no fun having
everybody I talk to get pissed at me."
"I'm on a tight deadline, the company is counting on this; I've got to get
work done this afternoon. What part of this do you not understand?"
"I've still got a lot of people to call before I can even get started," Ramon
said. "How about we say you'll have your files by Tuesday?"
"Not Tuesday, not Monday, today. NOW!" Steve said, wondering who he
was going to call if he couldn't get his point through this guy's thick skull.
"Okay, okay," Ramon said, and Steve could hear him breathe a sigh of
annoyance. "Let me see what I can do to get you going. You use the
RM22 server, right?"
"RM22 and the GM16. Both."
"Right. Okay, I can cut some corners, save some time--I'll need your
username and password."
Uh oh, Steve thought. What's going on here? Why would he need my password?
Why would IT, of all people, ask for it?
"What did you say your last name was? And who's your supervisor?"
"Ramon Perez. Look, I tell you what, when you were hired, there was a
form you had to fill out to get your user account, and you had to put
down a password. I could look that up and show you we've got it on file
here. Okay?"
Steve mulled that over for a few moments, then agreed. He hung on
with growing impatience while Ramon went to retrieve documents from
a file cabinet. Finally back on the phone, Steve could hear him shuffling
through a stack of papers.
"Ah, here it is," Ramon said at last. "You put down the password
'Janice.'"
Janice, Steve thought. It was his mother's name, and he had indeed
sometimes used it as a password. He might very well have put that down
for his password when filling out his new-hire papers.
"Yes, that's right," he acknowledged.
"Okay, we're wasting time here. You know I'm for real, you want me to
use the shortcut and get your files back in a hurry, you're gonna have to
help me out here."
"My ID is s, d, underscore, cramer--c-r-a-m-e-r. The password is
'pelican1.'"
"I'll get right on it," Ramon said, sounding helpful at last. "Give me a
couple of hours."
Steve finished the lawn, had lunch, and by the time he got to his
computer found that his files had indeed been restored. He was pleased
with himself for handling that uncooperative IT guy so forcefully, and
hoped Anna had heard how assertive he was. Would be good to give the
guy or his boss an attaboy, but he knew it was one of those things he'd
never get around to doing.
Craig Cogburne's Story
Craig Cogburne had been a salesman for a high-tech company, and done
well at it. After a time he began to realize he had a skill for reading a
customer, understanding where the person was resistant and recognizing
some weakness or vulnerability that made it easy to close the sale. He
began to think about other ways to use this talent, and the path eventually
led him into a far more lucrative field: corporate espionage.
This one was a hot assignment. Didn't look to take me very long and
worth enough to pay for a trip to Hawaii. Or maybe Tahiti.
The guy that hired me, he didn't tell me the client, of course, but it figured
to be some company that wanted to catch up with the competition in one
quick, big, easy leap. All I'd have to do is get the designs and product
specs for a new gadget called a heart stent, whatever that was. The
company was called GeminiMed. Never heard of it, but it was a Fortune
500 outfit with offices in half a dozen locations - which makes the job
easier than a smaller company where there's a fair chance the guy you're
talking to knows the guy you're claiming to be and knows you're not him.
This, like pilots say about a midair collision, can ruin your whole day.
My client sent me a fax, a bit from some doctor's magazine that said
GeminiMed was working on a stent with a radical new design and it
would be called the STH-100. For crying out loud, some reporter has
already done a big piece of the legwork for me. I had one thing I needed
even before I got started, the new product name.
First problem: Get names of people in the company who worked on the
STH-100 or might need to see the designs. So I called the switchboard
operator and said, "I promised one of the people in your engineering
group I'd get in touch with him and I don't remember his last name, but
his first name started with an S." And she said, "We have a Scott Archer
and a Sam Davidson." I took a long shot. "Which one works in the
STH-100 group?" She didn't know, so I just picked Scott Archer at
random, and she rang his phone.
When he answered, I said, "Hey, this is Mike, in the mail room. We've got
a FedEx here that's for the Heart Stent STH-100 project team. Any idea
who that should go to?" He gave me the name of the project leader, Jerry
Mendel. I even got him to look up the phone number for me.
I called. Mendel wasn't there but his voice mail message said he'd be on
vacation till the thirteenth, which meant he had another week left for
skiing or whatever, and anybody who needed something in the meantime
should call Michelle on 9137. Very helpful, these people. Very helpful.
I hung up and called Michelle, got her on the phone and said, "This is Bill
Thomas. Jerry told me I should call you when I had the spec ready
that he wanted the guys on his team to review. You're working on the
heart stent, right?" She said they were.
Now we were getting to the sweaty part of the scam. If she started
sounding suspicious, I was ready to play the card about how I was just
trying to do a favor Jerry had asked me for. I said, "Which system are
you on?"
"System?"
"Which computer servers does your group use?"
"Oh," she said, "RM22. And some of the group also use GM16." Good. I
needed that, and it was a piece of information I could get from her without
making her suspicious. Which softened her up for the next bit, done as
casually as I could manage. "Jerry said you could give me a list of email
addresses for people on the development team," I said, and held my
breath.
"Sure. The distribution list is too long to read off, can I email it to you?"
Oops. Any email address that didn't end in GeminiMed.com would be
a huge red flag. "How about you fax it to me?" I said.
She had no problem with doing that.
"Our fax machine is on the blink. I'll have to get the number of another
one. Call you back in a bit," I said, and hung up.
Now, you might think I was saddled with a sticky problem here, but it's
just another routine trick of the trade. I waited a while so my voice
wouldn't sound familiar to the receptionist, then called her and said, "Hi,
it's Bill Thomas, our fax machine isn't working up here, can I have a fax
sent to your machine?" She said sure, and gave me the number.
Then I just walk in and pick up the fax, right? Of course not. First rule:
Never visit the premises unless you absolutely have to. They have a hard
time identifying you if you're just a voice on the telephone. And if they
can't identify you, they can't arrest you. It's hard to put handcuffs around a
voice. So I called the receptionist back after a little while and asked her,
did my fax come? "Yes," she said.
"Look," I told her, "I've got to get that to a consultant we're using. Could
you send it out for me?" She agreed. And why not--how could any
receptionist be expected to recognize sensitive data? While she sent the
fax out to the "consultant," I had my exercise for the day walking over to
a stationery store near me, the one with the sign out front "Faxes
Sent/Rcvd." My fax was supposed to arrive before I did, and as expected,
it was there waiting for me when I walked in. Six pages at $1.75. For a
$10 bill and change, I had the group's entire list of names and email
addresses.
Getting Inside
Okay, so I had by now talked to three or four different people in only a
few hours and was already one giant step closer to getting inside the
company's computers. But I'd need a couple more pieces before I was
home.
Number one was the phone number for dialing into the Engineering server
from outside. I called GeminiMed again and asked the switchboard
operator for the IT Department, and asked the guy who answered for
somebody who could give me some computer help. He transferred me,
and I put on an act of being confused and kind of stupid about anything
technical. "I'm at home, just bought a new laptop, and I need to set it up
so I can dial in from outside."
The procedure was obvious but I patiently let him talk me through it until
he got to the dial-in phone number. He gave me the number like it was
just another routine piece of information. Then I made him wait while I
tried it. Perfect.
So now I had passed the hurdle of connecting to the network. I dialed in
and found they were set up with a terminal server that would let a caller
connect to any computer on their internal network. After a bunch of tries
I stumbled across somebody's computer that had a guest account with no
password required. Some operating systems, when first installed, direct
the user to set up an ID and password, but also provide a guest account.
The user is supposed to set his or her own password for the guest account
or disable it, but most people don't know about this, or just don't bother.
This system was probably just set up and the owner hadn't bothered to
disable the guest account.
LINGO
PASSWORD HASH: A string of gibberish that results from processing a password
through a one-way encryption process. The process is supposedly irreversible; that is,
it's believed that it is not possible to reconstruct the password from the hash.
Thanks to the guest account, I now had access to one computer, which
turned out to be running an older version of the UNIX operating system.
Under UNIX, the operating system maintains a password file which contains
the encrypted passwords of everybody authorized to access that
computer. The password file contains the one-way hash (that is, a form of
encryption that is irreversible) of every user's password. With a one-way
hash an actual password such as, say, "justdoit" would be represented by a
hash in encrypted form; in this case the hash would be converted by
UNIX to thirteen alphanumeric characters.
When Billy Bob down the hall wants to transfer some files to a computer,
he's required to identify himself by providing a username and password.
The system program that checks his authorization encrypts the password
he enters, and then compares the result to the encrypted password (the
hash) contained in the password file; if the two match, he's given access.
Because the passwords in the file were encrypted, the file itself was made
available to any user on the theory that there's no known way to decrypt
the passwords. That's a laugh - I downloaded the file, ran a dictionary
attack on it (see Chapter 12 for more about this method) and found that
one of the engineers on the development team, a guy named Steven
Cramer, currently had an account on the computer with the password
"Janice." Just on the chance, I tried entering his account with that
password on one of the development servers; if it had worked, it would
have saved me some time and a little risk. It didn't.
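The two conditions the narrator relies on, an account that needs no password at all and a password file whose hashes every user on the machine can read and copy for offline guessing, are both visible in the account files themselves. The following audit is an added example, not code from the book: it parses constructed /etc/passwd and /etc/shadow entries (the hash strings are placeholders, not real hashes) and flags an empty password field, a hash stored in the world-readable passwd file rather than in shadow, and the thirteen-character traditional crypt format the text describes, which is the fastest of the formats to guess offline.

```python
"""
Audit of constructed /etc/passwd and /etc/shadow entries for the weaknesses
described in the text. Added example, not code from the book; every entry
below is constructed sample data and the hash strings are placeholders.
"""

# Constructed older-style passwd file: hashes sit in field 2, readable by
# every local user, which is what lets anyone copy the file for guessing.
LEGACY_PASSWD = """\
root:AbCdEfGhIjKlM:0:0:root:/root:/bin/sh
cramer:NoPqRsTuVwXyZ:1001:1001:Steven Cramer:/home/cramer:/bin/sh
guest::1002:1002:Guest Account:/home/guest:/bin/sh
"""

# Constructed shadowed layout: passwd carries only "x" and the hashes live in
# /etc/shadow, readable by root alone. The guest account is locked with "!".
SHADOWED_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
cramer:x:1001:1001:Steven Cramer:/home/cramer:/bin/sh
guest:x:1002:1002:Guest Account:/home/guest:/bin/sh
"""
SHADOW = """\
root:$6$constructedsalt$constructedhashplaceholder:19000:0:99999:7:::
cramer:$6$constructedsalt$constructedhashplaceholder:19000:0:99999:7:::
guest:!:19000:0:99999:7:::
"""

NO_PASSWORD = "no-password"              # empty field: login without a password
WORLD_READABLE_HASH = "hash-in-passwd"   # hash kept where any user can read it
LEGACY_HASH = "legacy-des-crypt"         # 13-char traditional crypt, fast to guess
MISSING_SHADOW = "missing-shadow-entry"  # passwd says "x" but shadow has no row


def parse_colon_file(text):
    """Map the user name (first field) of each non-empty line to its fields."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        rows[fields[0]] = fields
    return rows


def classify_hash(user, value, world_readable):
    """Return the issues raised by one password-field value."""
    issues = []
    if value == "":
        issues.append((user, NO_PASSWORD))
        return issues
    if value.startswith(("!", "*")):
        return issues                        # locked account: no login allowed
    if world_readable:
        issues.append((user, WORLD_READABLE_HASH))
    if "$" not in value and len(value) == 13:
        issues.append((user, LEGACY_HASH))   # traditional DES crypt format
    return issues


def audit(passwd_text, shadow_text=""):
    """Return a sorted list of (user, issue-code) pairs for the given files."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for user, fields in passwd.items():
        value = fields[1]
        if value == "x":                     # hash delegated to /etc/shadow
            entry = shadow.get(user)
            if entry is None:
                findings.append((user, MISSING_SHADOW))
            else:
                findings.extend(classify_hash(user, entry[1], world_readable=False))
        else:                                # hash (or nothing) in passwd itself
            findings.extend(classify_hash(user, value, world_readable=True))
    return sorted(findings)


if __name__ == "__main__":
    for label, result in (("legacy", audit(LEGACY_PASSWD)),
                          ("shadowed", audit(SHADOWED_PASSWD, SHADOW))):
        print(label, result or "no findings")
```

Run against the legacy sample, the audit reports the empty guest field and both exposed thirteen-character hashes; against the shadowed sample it reports nothing, because the hashes are no longer readable by ordinary users and the guest account is locked rather than left open.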
That meant I'd have to trick the guy into telling me his username and
password. For that, I'd wait until the weekend. You already know the
rest. On Saturday I called Cramer and walked him through a ruse about a
worm and the servers having to be restored from backup to overcome his
suspicions.
What about the story I told him, the one about listing a password when he
filled out his employee papers? I was counting on him not remembering
that had never happened. A new employee fills out so many forms that,
years later, who would remember? And anyway, if I had struck out with
him, I still had that long list of other names.
With his username and password, I got into the server, fished around for a
little while, and then located the design files for the STH-100. I wasn't
exactly sure which ones were key, so I just transferred all the files to a
dead drop, a free FTP site in China, where they could be stored without
anybody getting suspicious. Let the client sort through the junk and find
what he wants.
LINGO
DEAD DROP A place for leaving information where it is unlikely to be
found by others. In the world of traditional spies, this might be behind a
loose stone in a wall; in the world of the computer hacker, it's commonly
an Internet site in a remote country.
Analyzing the Con
For the man we're calling Craig Cogburne, or anyone like him equally
skilled in the larcenous-but-not-always-illegal arts of social engineering,
the challenge presented here was almost routine. His goal was to locate
and download files stored on a secure corporate computer, protected by a
firewall and all the usual security technologies.
Most of his work was as easy as catching rainwater in a barrel. He began
by posing as somebody from the mail room and furnished an added sense
of urgency by claiming there was a FedEx package waiting to be
delivered. This deception produced the name of the team leader for the
heart-stent engineering group, who was on vacation, but - convenient for
any social engineer trying to steal information - he had helpfully left the
name and phone number of his assistant. Calling her, Craig defused any
suspicions by claiming that he was responding to a request from the team
leader. With the team leader out of town, Michelle had no way to verify
his claim. She accepted it as the truth and had no problem providing a list
of people in the group - for Craig, a necessary and highly prized set of
information.
She didn't even get suspicious when Craig wanted the list sent by fax
instead of by email, ordinarily more convenient on both ends. Why was
she so gullible? Like many employees, she didn't want her boss to return
to town and find she had stonewalled a caller who was just trying to do
something the boss had asked him for. Besides, the caller said that the
boss had not just authorized the request, but asked for his assistance. Once
again, here's an example of someone displaying the strong desire to be a
team player, which makes most people susceptible to deception.
Craig avoided the risk of physically entering the building simply by
having the fax sent to the receptionist, knowing she was likely to be
helpful. Receptionists are, after all, usually chosen for their charming
personalities and their ability to make a good impression. Doing small
favors like receiving a fax and sending it on comes with the receptionist's
territory, a fact that Craig was able to take advantage of. What she was
sending out happened to be information that might have raised alarm bells
with anyone knowing the value of the information - but how could a
receptionist be expected to know which information is benign and which
sensitive?
Using a different style of manipulation, Craig acted confused and naive
to convince the guy in computer operations to provide him with the dial
up access number to the company's terminal server, the hardware used as
a connection point to other computer systems within the internal network.
MITNICK MESSAGE
Everybody's first priority at work is to get the job done. Under that
pressure, security practices often take second place and are overlooked or
ignored. Social engineers rely on this when practicing their craft.
Craig was able to connect easily by trying a default password that had
never been changed, one of the glaring, wide-open gaps that exist
throughout many internal networks that rely on firewall security. In fact,
the default passwords for many operating systems, routers, and other types
of products, including PBXs, are made available on line. Any social
engineer, hacker, or industrial spy, as well as the just plain curious, can
find the list at http://www.phenoelit.de/dpl/dpl.html. (It's absolutely
incredible how easy the Internet makes life for those who know where to
look. And now you know, too.)
Cogburne then actually managed to convince a cautious, suspicious
man ("What did you say your last name was? Who's your supervisor?") to
divulge his username and password so that he could access servers used by
the heart-stent development team. This was like leaving Craig with an
open door to browse the company's most closely guarded secrets and
download the plans for the new product.
What if Steve Cramer had continued to be suspicious about Craig's call?
It was unlikely he would do anything about reporting his suspicions until
he showed up at work on Monday morning, which would have been too
late to prevent the attack.
One key to the last part of the ruse: Craig at first made himself sound
lackadaisical and uninterested in Steve's concerns, then changed his tune
and sounded as if he was trying to help so Steve could get his work done.
Most of the time, if the victim believes you're trying to help him or do
him some kind of favor, he will part with confidential information that he
would have otherwise protected carefully.
PREVENTING THE CON
One of the most powerful tricks of the social engineer involves turning the
tables. That's what you've seen in this chapter. The social engineer creates
the problem, and then magically solves the problem, deceiving the victim
into providing access to the company's most guarded secrets. Would your
employees fall for this type of ruse? Have you bothered to draft and
distribute specific security rules that could help to prevent it?
Educate, Educate, and Educate...
There's an old story about a visitor to New York who stops a man on the
street and asks, "How do I get to Carnegie Hall?" The man answers,
"Practice, practice, practice." Everyone is so vulnerable to social
engineering attacks that a company's only effective defense is to educate
and train your people, giving them the practice they need to spot a social
engineer. And then keep reminding people on a consistent basis of what
they learned in the training, but are all too apt to forget.
Everyone in the organization must be trained to exercise an appropriate
degree of suspicion and caution when contacted by someone he or she
doesn't personally know, especially when that someone is asking for any
sort of access to a computer or network. It's human nature to want to trust
others, but as the Japanese say, business is war. Your business cannot
afford to let down its guard. Corporate security policy must clearly define
appropriate and inappropriate behavior.
Security is not one-size-fits-all. Business personnel usually have disparate
roles and responsibilities and each position has associated vulnerabilities.
There should be a base level of training that everyone in the company is
required to complete, and then people must also be trained according to
their job profile to adhere to certain procedures that will reduce the chance
that they will become part of the problem. People who work with
sensitive information or are placed in positions of trust should be given
additional specialized training.
Keeping Sensitive Information Safe
When people are approached by a stranger offering to help, as seen in the
stories in this chapter, they have to fall back on corporate security policy
that is tailored as appropriate to the business needs, size, and culture of
your company.
NOTE
Personally, I don't believe any business should allow any exchange of
passwords. It's much easier to establish a hard rule that forbids personnel
from ever sharing or exchanging confidential passwords. It's safer, too.
But each business has to assess its own culture and security concerns in
making this choice.
Never cooperate with a stranger who asks you to look up information,
enter unfamiliar commands into a computer, make changes to software
settings or - the most potentially disastrous of all - open an email
attachment or download unchecked software. Any software program - even one that
appears to do nothing at all - may not be as innocent as it appears to be.
There are certain procedures that, no matter how good our training, we
tend to grow careless about over time. Then we forget about that training
at crunch time, just when we need it. You would think that not giving out
your account name and password is something that just about everybody
knows (or should know) and hardly needs to be told: it's simple common
sense. But in fact, every employee needs to be reminded frequently that
giving out the account name and password to their office computer, their
home computer, or even the postage machine in the mail room is
equivalent to giving out the PIN number for their ATM card.
There is occasionally - very occasionally - a quite valid circumstance
when it's necessary, perhaps even important, to give someone else
confidential information. For that reason, it's not appropriate to make an
absolute rule about "never." Still, your security policies and procedures do
need to be very specific about circumstances under which an employee
may give out his or her password and - most importantly--who is
authorized to ask for the information.
Consider the Source
In most organizations, the rule should be that any information that can
possibly cause harm to the company or to a fellow employee may be
given only to someone who is known on a face-to-face basis, or whose
voice is so familiar that you recognize it without question.
In high-security situations, the only requests that should be granted are
ones delivered in person or with a strong form of authentication--for
example, two separate items such as a shared secret and a time-based
token.
Data classification procedures must designate that no information be
provided from a part of the organization involved with sensitive work to
anyone not personally known or vouched for in some manner.
NOTE
Incredibly, even looking up the name and phone number of the caller in
the company's employee database and calling him back is not an absolute
guarantee; social engineers know ways of planting names in a corporate
database or redirecting telephone calls.
So how do you handle a legitimate-sounding request for information from
another company employee, such as the list of names and email addresses
of people in your group? In fact, how do you raise awareness so that an
item like this, which is clearly less valuable than, say, a spec sheet for a
product under development, is recognized as something for internal use
only? One major part of the solution: Designate employees in each
department who will handle all requests for information to be sent outside
the group. An advanced security-training program must then be
provided to make these designated employees aware of the special
verification procedures they should follow.
Forget Nobody
Anyone can quickly rattle off the identity of organizations within her
company that need a high degree of protection against malicious attacks.
But we often overlook other places that are less obvious, yet highly
vulnerable. In one of these stories, the request for a fax to be sent to a
phone number within the company seemed innocent and secure enough,
yet the attacker took advantage of this security loophole. The lesson here:
Everybody from secretaries and administrative assistants to company
executives and high-level managers needs to have special security training
so that they can be alert to these types of tricks. And don't forget to guard
the front door: Receptionists, too, are often prime targets for social
engineers and must also be made aware of the deceptive techniques used
by some visitors and callers.
Corporate security should establish a single point of contact as a kind of
central clearinghouse for employees who think they may have been the
target of a social engineering ruse. Having a single place to report security
incidents will provide an effective early-warning system that will make it
clear when a coordinated attack is under way, so that any damage can be
controlled immediately.
Chapter 6
"Can You Help Me?"
You've seen how social engineers trick people by offering to help.
Another favorite approach turns the tables: The social engineer
manipulates by pretending he needs the other person to help
him. We can all sympathize with people in a tight spot, and the approach
proves effective over and over again in allowing a social engineer to
reach his goal.
THE OUT-OF-TOWNER
A story in Chapter 3 showed how an attacker can talk a victim into
revealing his employee number. This one uses a different approach for
achieving the same result, and then shows how the attacker can make use
of that
Keeping Up with the Joneses
In Silicon Valley there is a certain global company that shall be nameless.
The scattered sales offices and other field installations around the world
are all connected to that company's headquarters over a WAN, a wide area
network. The intruder, a smart, feisty guy named Brian Atterby, knew
it was almost always easier to break into a network at one of the remote
sites where security is practically guaranteed to be more lax than at
headquarters.
The intruder phoned the Chicago office and asked to speak with Mr. Jones.
The receptionist asked if he knew Mr. Jones's first name; he
answered, "I had it here, I'm looking for it. How many Joneses do you
have?" She said, "Three. Which department would he be in?"
He said, "If you read me the names, maybe I'll recognize it." So she did:
"Barry, Joseph, and Gordon."
"Joe. I'm pretty sure that was it," he said. "And he was in . . . which
department?"
"Business Development."
"Fine. Can you connect me, please?"
She put the call through. When Jones answered, the attacker said, "Mr.
Jones? Hi, this is Tony in Payroll. We just put through your request to
have your paycheck deposited directly to your credit union account."
"WHAT???!!! You've got to be kidding. I didn't make any request like
that. I don't even have an account at a credit union."
"Oh, damn, I already put it through."
Jones was more than a little upset at the idea that his paycheck might be
going to someone else's account, and he was beginning to think the guy
on the other end of the phone must be a little slow. Before he could even
reply, the attacker said, "I better see what happened. Payroll changes are
entered by employee number. What's your employee number?"
Jones gave the number. The caller said, "No, you're right, the request
wasn't from you, then." They get more stupid every year, Jones thought.
"Look, I'll see it's taken care of. I'll put in a correction right now. So
don't worry - you'll get your next paycheck okay," the guy said
reassuringly.
A Business Trip
Not long after, the system administrator in the company's Austin, Texas,
sales office received a phone call. "This is Joseph Jones," the caller
announced. "I'm in Business Development at corporate. I'll be in town for
the week, at the Driskill Hotel. I'd like to have you set me up with a
temporary account so I can access my email without making a long
distance call."
"Let me get that name again, and give me your employee number," the
sys admin said. The false Jones gave the number and went on, "Do you
have any high-speed dial-up numbers?"
"Hold on, buddy. I gotta verify you in the database." After a bit, he said,
"Okay, Joe. Tell me, what's your building number?" The attacker had
done his homework and had the answer ready.
MITNICK MESSAGE
Don't rely on network safeguards and firewalls to protect your
information. Look to your most vulnerable spot. You'll usually find that
vulnerability lies in your people.
"Okay," the sys admin told him, "you convinced me."
It was as simple as that. The sys admin had verified the name Joseph
Jones, the department, and the employee number, and "Joe" had given the
right answer to the test question. "Your username's going to be the same
as your corporate one, jbjones," the sys admin said, "and I'm giving you
an initial password of 'changeme.'"
Analyzing the Con
With a couple of phone calls and fifteen minutes of time, the attacker had
gained access to the company's wide area network. This was a company
that, like many, had what I refer to as candy security, after a description
first used by two Bell Labs researchers, Steve Bellovin and Steven
Cheswick. They described such security as "a hard crunchy shell with a
soft chewy center" - like an M&M candy. The outer shell, the firewall,
Bellovin and Cheswick argued, is not sufficient protection, because once
an intruder is able to circumvent it, the internal computer systems have
soft, chewy security. Most of the time, they are inadequately protected.
This story fits the definition. With a dial-up number and an account,
the attacker didn't even have to bother trying to defeat an Internet firewall,
and, once inside, he was easily able to compromise most of the systems
on the internal network.
Through my sources, I understand this exact ruse was worked on one of
the largest computer software manufacturers in the world. You would
think the systems administrators in such a company would be trained to
detect this type of ruse. But in my experience, nobody is completely safe
if a social engineer is clever and persuasive enough.
LINGO
CANDY SECURITY A term coined by Bellovin and
Cheswick of Bell Labs to describe a security scenario
where the outer perimeter, such as a firewall, is strong,
but the infrastructure behind it is weak. The term
refers to M&M candy, which has a hard outer shell
and soft center.
LINGO
SPEAKEASY SECURITY
Security that relies on knowing where desired information is, and using a word or name to gain access to that
information or computer system.
SPEAKEASY SECURITY
In the old days of speakeasies - those Prohibition-era nightclubs where so-called
bathtub gin flowed--a would-be customer gained admission by
showing up at the door and knocking. After a few moments, a small flap
in the door would swing open and a tough, intimidating face would peer
out. If the visitor was in the know, he would speak the name of some
frequent patron of the place ("Joe sent me" was often enough), whereupon
the bouncer inside would unlatch the door and let him in.
The real trick lay in knowing the location of the speakeasy because the
door was unmarked, and the owners didn't exactly hang out neon signs to
mark their presence. For the most part, just showing up at the right place
was about all it took to get in. The same degree of safekeeping is,
unhappily, practiced widely in the corporate world, providing a level of
non protection that I call speakeasy security.
I Saw It at the Movies
Here's an illustration from a favorite movie that many people will
remember. In Three Days of the Condor the central character, Turner
(played by Robert Redford), works for a small research firm contracted by
the CIA. One day he comes back from a lunch run to find that all his
co-workers have been gunned down. He's left to figure out who has done this
and why, all the while knowing that the bad guys, whoever they are, are
looking for him.
Late in the story, Turner manages to get the phone number of one of the bad
guys. But who is this person, and how can Turner pin down his location?
He's in luck: The screenwriter, David Rayfiel, has happily given Turner a
background that includes training as a telephone lineman with the Army
Signal Corps, making him knowledgeable about techniques and practices
of the phone company. With the bad guy's phone number in hand, Turner
knows exactly what to do. In the screenplay, the scene reads like this:
TURNER RECONNECTS and TAPS OUT ANOTHER NUMBER.
RING! RING! Then:
WOMAN'S VOICE (FILTER)
CNA, Mrs. Coleman speaking.
TURNER (into test set)
This is Harold Thomas, Mrs. Coleman. Customer Service.
CNA on 202-555-7389, please.
WOMAN'S VOICE (FILTER)
One moment, please. (almost at once) Leonard Atwood, 765 MacKensie Lane, Chevy Chase, Maryland.
Ignoring the fact that the screenwriter mistakenly uses a Washington,
D.C., area code for a Maryland address, can you spot what just happened
here?
Turner, because of his training as a telephone lineman, knew what number
to dial in order to reach a phone company office called CNA, the
Customer Name and Address bureau. CNA is set up for the convenience
of installers and other authorized phone company personnel. An installer
could call CNA, and give them a phone number. The CNA clerk would
respond by providing the name of the person the phone belongs to and
his address.
Fooling the Phone Company
In the real world, the phone number for CNA is a closely guarded secret.
Although the phone companies finally caught on and these days are less
generous about handing out information so readily, at the time they
operated on a variation of speakeasy security that security professionals
call security through obscurity. They presumed that anybody who called
CNA and knew the proper lingo ("Customer service. CNA on 555-1234,
please," for example) was a person authorized to have the information.
LINGO
SECURITY THROUGH OBSCURITY
An ineffective method of computer security that relies on keeping secret the details of how the
system works (protocols, algorithms, and internal systems). Security
through obscurity relies on the false assumption that no one outside a
trusted group of people will be able to circumvent the system.
MITNICK MESSAGE
Security through obscurity does not have any effect in blocking social
engineering attacks. Every computer system in the world has at least one
human who uses it. So, if the attacker is able to manipulate people who use
the systems, the obscurity of the system is irrelevant.
There was no need to verify or identify oneself, no need to give an
employee number, no need for a password that was changed daily. If you
knew the number to call and you sounded authentic, then you must be
entitled to the information.
That was not a very solid assumption on the part of the telephone
company. Their only effort at security was to change the phone number
on a periodic basis, at least once a year. Even so, the current number at
any particular moment was very widely known among phone phreaks,
who delighted in taking advantage of this convenient source of
information and in sharing the how-to-do-it with their fellow phreaks. The
CNA Bureau trick was one of the first things I learned when I was into the
hobby of phone phreaking as a teenager.
Throughout the world of business and government, speakeasy security is
still prevalent. It's likely that
about your company's departments, people, and lingo. Sometimes less
than that: Sometimes an internal phone number is all it takes.
THE CARELESS COMPUTER MANAGER
Though many employees in organizations are negligent, unconcerned, or
unaware of security dangers, you'd expect someone with the title manager
in the computer center of a Fortune 500 corporation to be thoroughly
knowledgeable about best security practices, right?
You would not expect a computer center manager - someone who is part
of his company's Information Technology department - to fall victim to a
simplistic and obvious social engineering con game. Especially not when the
social engineer is hardly more than a kid, barely out of his teens. But
sometimes your expectations can be wrong.
Tuning In
Years ago it was an amusing pastime for many people to keep a radio
tuned to the local police or fire department frequencies, listening in on the
occasional highly charged conversations about a bank robbery in progress,
an office building on fire, or a high-speed chase as the event unfolded.
The radio frequencies used by law enforcement agencies and fire
departments used to be available in books at the corner bookstore; today
they're provided in listings on the Web, and in a book you can buy at
Radio Shack that lists frequencies for local, county, state, and, in some
cases, even federal agencies.
Of course, it wasn't just the curious who were listening in. Crooks robbing
a store in the middle of the night could tune in to hear if a police car was
being dispatched to the location. Drug dealers could keep a check on
activities of the local Drug Enforcement Administration agents. An arsonist could
enhance his sick pleasure by lighting a blaze and then listening to all the
radio traffic while firemen struggled to put it out.
Over recent years developments in computer technology have made it
possible to encrypt voice messages. As engineers found ways to cram
more and more computing power onto a single microchip, they began to
build small, encrypted radios for law enforcement that kept the bad guys
and the curious from listening in.
Danny the Eavesdropper
A scanner enthusiast and skilled hacker we'll call Danny decided to see if
he couldn't find a way to get his hands on the super-secret encryption
software - the source code - from one of the top manufacturers of secure
radio systems. He was hoping a study of the code would enable him to
learn how to eavesdrop on law enforcement, and possibly also use the
technology so that even the most powerful government agencies would
find it difficult to monitor his conversations with his friends.
The Dannys of the shadowy world of hackers belong to a special category
that falls somewhere in between the merely curious but entirely benign
and the dangerous. Dannys have the knowledge of the expert, combined
with the mischievous hacker's desire to break into systems and networks
for the intellectual challenge and for the pleasure of gaining insight into
how technology works. But their electronic breaking-and-entering stunts
are just that--stunts. These folks, these benign hackers, illegally enter sites
for the sheer fun and exhilaration of proving they can do it. They don't
steal anything, they don't make any money from their exploits; they don't
destroy any files, disrupt any network connections, or crash any computer
system. The mere fact of their being there, snaring copies of files and
searching emails for passwords behind the backs of security and network
administrators, tweaks the noses of the people
responsible for keeping out intruders like them. The one-upmanship is a
big part of the satisfaction.
In keeping with this profile, our Danny wanted to examine the details of
his target company's most closely guarded product just to satisfy his own
burning curiosity and to admire whatever clever innovations the
manufacturer might have come up with.
The product designs were, needless to say, carefully guarded trade secrets,
as precious and protected as just about anything in the company's
possession. Danny knew that. And he didn't care a bit. After all, it was
just some big, nameless company.
But how to get the software source code? As it turned out, grabbing the
crown jewels of the company's Secure Communications Group proved to
be all too easy, even though the company was one of those that used two-factor
authentication, an arrangement under which people are required to
use not one but two separate identifiers to prove their identity.
Here's an example you're probably already familiar with. When your
renewal credit card arrives, you're asked to phone the issuing company to
let them know that the card is in possession of the intended customer, and
not somebody who stole the envelope from the mail. The instructions with
the card these days generally tell you to call from home. When you
call, software at the credit card company analyzes the ANI, the automatic
number identification, which is provided by the telephone switch on toll-free
calls that the credit card company is paying for.
A computer at the credit card company uses the calling party's number
provided by the ANI, and matches that number against the company's
database of cardholders. By the time the clerk comes on the line, her or
his display shows information from the database giving details about the
customer. So the clerk already knows the call is coming from the home of
a customer; that's one form of authentication.
LINGO
TWO-FACTOR AUTHENTICATION
The use of two different types of authentication to verify identity. For example, a person might have to
identify himself by calling from a certain identifiable location and
knowing a password.
The clerk then picks an item from the information displayed about
you - most often social security number, date of birth, or mother's maiden
name - and asks you for this piece of information. If you give the right
answer, that's a second form of authentication - based on information you
should know.
At the company manufacturing the secure radio systems in our story,
every employee with computer access had their usual account name and
password, but in addition was provided with a small electronic device
called Secure ID. This is what's called a time-based token. These devices
come in two types: One is about half the size of a credit card but a little
thicker; another is small enough that people simply attach it to their key
chains.
Derived from the world of cryptography, this particular gadget has a small
window that displays a series of six digits. Every sixty seconds, the
display changes to show a different six-digit number. When an authorized
person needs to access the network from offsite, she must first identify
herself as an authorized user by typing in her secret PIN and the digits
displayed on her token device. Once verified by the internal system, she
then authenticates with her account name and password.
For the young hacker Danny to get at the source code he so coveted, he
would have to not only compromise some employee's account name and
password (not much of a challenge for the experienced social engineer)
but also get around the time-based token.
Defeating the two-factor authentication of a time-based token combined
with a user's secret PIN code sounds like a challenge right out of Mission
Impossible. But for social engineers, the challenge is similar to that faced
by a poker player who has more than the usual skill at reading his
opponents. With a little luck, when he sits down at a table he knows he's
likely to walk away with a large pile of other people's money.
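To make the mechanism above concrete, here is an added example, not code from the book and not RSA SecurID's proprietary algorithm: it models the token with the public RFC 6238 TOTP scheme (HMAC-SHA1, six digits) using the sixty-second step the text describes, and puts the authentication server beside it. The account name, token seed and PIN are constructed for the example. The point it shows is the one the story turns on: the server checks that the PIN and the digits match the seed enrolled for an account; it has no way to know who read the digits off the display or who is typing them.

```python
"""Time-based token model: RFC 6238 TOTP over HMAC-SHA1, with a sixty-second
step to match the token in the text. Added illustration, not the book's code
and not RSA SecurID's proprietary algorithm. Account names, seeds and PINs
below are constructed for the example."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the text's display changes every sixty seconds
DIGITS = 6          # six digits in the token window


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_seconds: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from wall-clock time."""
    return hotp(secret, at_seconds // step)


class TokenServer:
    """The authentication server's side: it checks PIN + code against the
    seed enrolled for an account. It never learns who is holding the token."""

    def __init__(self) -> None:
        self.tokens = {}        # account -> (seed, pin)
        self.last_counter = {}  # account -> last time-step accepted (replay guard)

    def enroll(self, account: str, seed: bytes, pin: str) -> None:
        self.tokens[account] = (seed, pin)
        self.last_counter[account] = -1

    def verify(self, account: str, passcode: str, now: int, drift_steps: int = 1) -> bool:
        """passcode is the PIN followed by the six digits on the display.
        Accepts the current step and `drift_steps` either side for clock drift,
        and refuses any step already used so a code cannot be replayed."""
        if account not in self.tokens:
            return False
        seed, pin = self.tokens[account]
        if not hmac.compare_digest(passcode[:len(pin)], pin):
            return False
        code = passcode[len(pin):]
        current = now // STEP_SECONDS
        for step in range(current - drift_steps, current + drift_steps + 1):
            if step <= self.last_counter[account]:
                continue
            if hmac.compare_digest(hotp(seed, step), code):
                self.last_counter[account] = step
                return True
        return False


def shared_token_scenario(now: int = 1_000_000) -> dict:
    """The ploy from the text, replayed against the server: the Computer
    Center's emergency token is enrolled under its own account, the manager
    hands out its PIN, and an operator reads the display to the caller."""
    server = TokenServer()
    emergency_seed = b"constructed-seed-for-the-ops-emergency-token"  # constructed
    server.enroll("ops-emergency", emergency_seed, pin="4711")

    read_aloud = totp(emergency_seed, now)          # digits the operator reads off
    attacker_types = "4711" + read_aloud            # PIN + digits, typed from anywhere
    accepted = server.verify("ops-emergency", attacker_types, now)
    replayed = server.verify("ops-emergency", attacker_types, now + 5)
    wrong_pin = server.verify("ops-emergency", "0000" + read_aloud, now)
    two_steps_on = now + 2 * STEP_SECONDS
    next_code = server.verify("ops-emergency",
                              "4711" + totp(emergency_seed, two_steps_on), two_steps_on)
    return {
        "accepted": accepted,              # the server cannot tell who typed it
        "replay_rejected": not replayed,   # the same code a second time is refused
        "wrong_pin_rejected": not wrong_pin,
        "next_code_accepted": next_code,   # every later call yields a fresh code
    }


if __name__ == "__main__":
    print(shared_token_scenario())
```

Two things worth noticing. The replay guard and the PIN check both work exactly as designed, and neither helps: each call to the Computer Center produces a fresh, valid code, so the attacker is simply a legitimate user of the emergency token as far as the server can tell. And because the token was enrolled under its own account, every session he opened is logged against "ops-emergency", not against any person, which is the loss of accountability that sharing a token causes.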
Storming the Fortress
Danny began by doing his homework. Before long he had managed to put
together enough pieces to masquerade as a real employee. He had an
employee's name, department, phone number, and employee number, as
well as the manager's name and phone number.
Now was the calm before the storm. Literally. Going by the plan he had
worked out, Danny needed one more thing before he could take the next
step, and it was something he had no control over: He needed a snowstorm.
Danny needed a little help from Mother Nature in the form of
weather so bad that it would keep workers from getting into the office. In
the winter in South Dakota, where the manufacturing plant in question
was located, anyone hoping for bad weather did not have very long
to wait. On Friday night, a storm arrived. What had begun as snow
quickly turned to freezing rain so that, by morning, the roads were coated
with a slick, dangerous sheet of ice. For Danny, this was a perfect
opportunity.
He telephoned the plant, asked for the computer room and reached one of
the worker bees of IT, a computer operator who announced himself as
Roger Kowalski.
Giving the name of the real employee he had obtained, Danny said, "This
is Bob Billings. I work in the Secure Communications Group. I'm at home
right now and I can't drive in because of the storm. And the problem is
that I need to access my workstation and the server from home, and I left
my Secure ID in my desk. Can you go fetch it for me? Or can somebody?
And then read off my code when I need to get in? Because my team has a
critical deadline and there's no way I can get my work done. And there's
no way I can get to the office--the roads are much too dangerous up my
way."
The computer operator said, "I can't leave the Computer Center." Danny
jumped right in: "Do you have a Secure ID yourself?"
"There's one here in the Computer Center," he said. "We keep one for the
operators in case of an emergency."
"Listen," Danny said. "Can you do me a big favor? When I need to dial
into the network, can you let me borrow your Secure ID? Just until it's
safe to drive in."
"Who are you again?" Kowalski asked.
"Who do you work for?"
"For Ed Trenton."
"Oh, yeah, I know him."
When he's liable to be faced with tough sledding, a good social engineer
does more than the usual amount of research. "I'm on the second floor,"
Danny went on. "Next to Roy Tucker."
He knew that name, as well. Danny went back to work on him. "It'd be
much easier just to go to my desk and fetch my Secure ID for me."
Danny was pretty certain the guy would not buy into this. First of all, he
would not want to leave in the middle of his shift to go traipsing down
corridors and up staircases to some distant part of the building. He would
also not want to have to paw through someone else's desk, violating
somebody's personal space. No, it was a safe bet he wouldn't want to do
that.
Kowalski didn't want to say no to a guy who needed some help, but he
didn't want to say yes and get in trouble, either. So he sidestepped the
decision: "I'll have to ask my boss. Hang on." He put the phone down, and
Danny could hear him pick up another phone, put in the call, and explain
the request. Kowalski then did something unexplainable: He actually
vouched for the man using the name Bob Billings. "I know him," he told
his manager. "He works for Ed Trenton. Can we let him use the Secure ID
in the Computer Center?" Danny, holding on to the phone, was amazed to
overhear this extraordinary and unexpected support for his cause. He
couldn't believe his ears or his luck.
After another couple of moments, Kowalski came back on the line and
said, "My manager wants to talk to you himself," and gave him the man's
name and cell phone number.
Danny called the manager and went through the whole story one more
time, adding details about the project he was working on and why his
product team needed to meet a critical deadline. "It'd be easier if someone
just goes and fetches my card," he said. "I don't think the desk is locked,
it should be there in my upper left drawer."
"Well," said the manager, "just for the weekend, I think we can let you
use the one in the Computer Center. I'll tell the guys on duty that when
you call, they should read off the random-access code for you," and he
gave him the PIN to use with it.
For the whole weekend, every time Danny wanted to get into the
corporate computer system, he only had to call the Computer Center and
ask them to read off the six digits displayed on the Secure ID token.
An Inside Job
Once he was inside the company's computer system, then what? How
would Danny find his way to the server with the software he wanted?
He had already prepared for this.
Many computer users are familiar with newsgroups, that extensive set of
electronic bulletin boards where people can post questions that other
people answer, or find virtual companions who share an interest in music,
computers, or any of hundreds of other topics.
What few people realize when they post any message on a newsgroup
site is that their message remains on line and available for years. Google,
for example, now maintains an archive of seven hundred million messages,
some dating back twenty years! Danny started by going to the Web address
http://groups.google.com.
As search terms, Danny entered "encryption radio communications" and
the name of the company, and found a years-old message on the subject
from an employee. It was a posting that had been made back when the
company was first developing the product, probably long before police
departments and federal agencies had considered scrambling radio
signals.
The message contained the sender's signature, giving not just the man's
name, Scott Press, but his phone number and even the name of his
workgroup, the Secure Communications Group.
Danny picked up the phone and dialed the number. It seemed like a long
shot--would he still be working in the same organization years later?
Would he be at work on such a stormy weekend? The phone rang once,
twice, three times, and then a voice came on the line. "This is Scott," he
said.
Claiming to be from the company's IT Department, Danny manipulated
Press (in one of the ways now familiar to you from earlier chapters) into
revealing the names of the servers he used for development work. These
were the servers that could be expected to hold the source code containing
the proprietary encryption algorithm and firmware used in the company's
secure radio products.
Danny was moving closer and closer, and his excitement was building. He
was anticipating the rush, the great high he always felt when he succeeded
at something he knew only a very limited number of people could
accomplish.
Still, he wasn't home free yet. For the rest of the weekend he'd be able to
get into the company's network whenever he wanted to, thanks to that
cooperative computer center manager. And he knew which servers he
wanted to access. But when he dialed in, the terminal server he logged on
to would not permit him to connect to the Secure Communications Group
development systems. There must have been an internal firewall or router
protecting the computer systems of that group. He'd have to find some
other way in.
The next step took nerve: Danny called back to Kowalski in Computer
Operations and complained "My server won't let me connect," and told
the IT guy, "I need you to set me up with an account on one of the
computers in your department so I can use Telnet to connect to my
system."
The manager had already approved disclosing the access code displayed
on the time-based token, so this new request didn't seem unreasonable.
Kowalski set up a temporary account and password on one of the
Operation Center's computers, and told Danny to "call me back when you
don't need it any more and I'll remove it."
Once logged into the temporary account, Danny was able to connect over
the network to the Secure Communications Group's computer systems.
After an hour of on-line searching for a technical vulnerability that would
give him access to a main development server, he hit the jackpot.
Apparently the system or network administrator wasn't vigilant in keeping
up with the latest news on security bugs in the operating system that
allowed remote access. But Danny was.
Within a short time he had located the source code files that he was after
and was transferring them remotely to an e-commerce site that offered
free storage space. On this site, even if the files were ever discovered,
they would never be traced back to him.
He had one final step before signing off: the methodical process of erasing
his tracks. He finished before the Jay Leno show had gone off the air for
the night. Danny figured this had been one very good weekend's work.
And he had never had to put himself personally at risk. It was an
intoxicating thrill, even better than snowboarding or skydiving.
Danny got drunk that night, not on scotch, gin, beer, or sake, but on his
sense of power and accomplishment as he pored through the files he had
stolen, closing in on the elusive, extremely secret radio software.
Analyzing the Con
As in the previous story, this ruse only worked because one company
employee was all too willing to accept at face value that a caller was
really the employee he claimed to be. That eagerness to help out a
co-worker with a problem is, on the one hand, part of what greases the
wheels of industry, and part of what makes the employees of some
companies more pleasant to work with than employees of others. But on
the other hand, this helpfulness can be a major vulnerability that a social
engineer will attempt to exploit.
One bit of manipulation Danny used was delicious: When he made the
request that someone get his Secure ID from his desk, he kept saying he
wanted somebody to "fetch" it for him. Fetch is a command you give your
dog. Nobody wants to be told to fetch something. With that one word,
Danny made it all the more certain the request would be refused and some
other solution accepted instead, which was exactly what he wanted.
The Computer Center operator, Kowalski, was taken in by Danny
dropping the names of people Kowalski happened to know. But why
would Kowalski's manager - an IT manager, no less - allow some stranger
access to the company's internal network? Simply because the call for
help can be a powerful, persuasive tool in the social engineer's arsenal.
MITNICK MESSAGE
This story goes to show that time-based tokens and similar forms of
authentication are not a defense against the wily social engineer. The only
defense is a conscientious employee who follows security policies and
understands how others can maliciously influence his behavior.
Could something like that ever happen in your company? Has it already?
PREVENTING THE CON
It seems to be an often-repeated element in these stories that an attacker
arranges to dial in to a computer network from outside the company,
without the person who helps him taking sufficient measures to verify that
the caller is really an employee and entitled to the access. Why do I return
to this theme so often? Because it truly is a factor in so many social
engineering attacks. For the social engineer, it's the easiest way to reach
his goal. Why should an attacker spend hours trying to break in, when he
can do it instead with a simple phone call?
One of the most powerful methods for the social engineer to carry out
this kind of attack is the simple ploy of pretending to need help - an
approach frequently used by attackers. You don't want to stop your
employees from being helpful to co-workers or customers, so you need to
arm them with specific verification procedures to use with anybody
making a request for computer access or confidential information. That
way they can be helpful to those who deserve to be helped, but at the
same time protect the organization's information assets and computer
systems.
Company security procedures need to spell out in detail what kind of
verification mechanisms should be used in various circumstances. Chapter
16 provides a detailed list of procedures, but here are some guidelines to
consider:
One good way to verify the identity of a person making a
request is to call the phone number listed in the company
directory for that person. If the person making the request is
actually an attacker, the verification call will either let you
speak to the real person on the phone while the imposter is on
hold, or you will reach the employee's voice mail so that you
can listen to the sound of his voice, and compare it to the
speech of the attacker.
If employee numbers are used in your company for verifying identity,
then those numbers have to be treated as sensitive information, carefully
guarded and not given out to strangers. The same goes for all other kinds
of internal identifiers, such as internal telephone numbers, departmental
billing identifiers, and even email addresses.
Corporate training should call everyone's attention to the common
practice of accepting unknown people as legitimate employees on the
grounds that they sound authoritative or knowledgeable. Just because
somebody knows a company practice or uses internal terminology is no
reason to assume that his identity doesn't need to be verified in other
ways.
Security officers and system administrators must not narrow their focus so
that they are only alert to how security-conscious everyone else is being.
They also need to make sure they themselves are following the same
rules, procedures, and practices.
Passwords and the like must, of course, never be shared, but the
restriction against sharing is even more important with time-based tokens
and other secure forms of authentication. It should be a matter of common
sense that sharing any of these items violates the whole point of the
company's having installed the systems. Sharing means there can be no
accountability. If a security incident takes place or something goes wrong,
you won't be able to determine who the responsible party is.
As I reiterate throughout this book, employees need to be familiar with
social engineering strategies and methods to thoughtfully analyze requests
they receive. Consider using role-playing as a standard part of security
training, so that employees can come to a better understanding of how the
social engineer works.
Chapter 7
Phony Sites and Dangerous Attachments
There's an old saying that you never get something for nothing.
Still, the ploy of offering something for free continues to be a big draw for
both legitimate ("But wait--there's more! Call right now and we'll throw in
a set of knives and a popcorn popper!") and not-so-legitimate ("Buy one
acre of swampland in Florida and get a second acre free!") businesses.
And most of us are so eager to get something free that we may be
distracted from thinking clearly about the offer or the promise being
made.
We know the familiar warning, "buyer beware," but it's time to heed
another warning: Beware of come-on email attachments and free
software. The savvy attacker will use nearly any means to break into the
corporate network, including appealing to our natural desire to get a free
gift. Here are a few examples.
"WOULDN'T YOU LIKE A FREE (BLANK)?"
Just as viruses have been a curse to mankind and medical practitioners
since the beginning of time, so the aptly named computer virus represents
a similar curse to users of technology. The computer viruses that get most
of the attention and end up in the spotlight, not coincidentally, do the most
damage. These are the product of computer vandals.
Computer nerds turned malicious, computer vandals strive to show off
how clever they are. Sometimes their acts are like a rite of initiation,
meant to impress older and more experienced hackers. These people are
motivated to create a worm or virus intended to inflict damage. If their work
destroys files, trashes entire hard drives, and emails itself to thousands of
unsuspecting people, vandals puff with pride at their accomplishment. If
the virus causes enough chaos that newspapers write about it and the
network news broadcasts warn against it, so much the better.
Much has been written about vandals and their viruses; books, software
programs, and entire companies have been created to offer protection, and
we won't deal here with the defenses against their technical attacks. Our
interest at the moment is less in the destructive acts of the vandal than in
the more targeted efforts of his distant cousin, the social engineer.
It Came in the Email
You probably receive unsolicited emails every day that carry advertising
messages or offer a free something-or-other that you neither need nor
want. You know the kind. They promise investment advice, discounts on
computers, televisions, cameras, vitamins, or travel, offers for credit cards
you don't need, a device that will let you receive pay television channels
free, ways to improve your health or your sex life, and on and on.
But every once in a while an offer pops up in your electronic mailbox for
something that catches your eye. Maybe it's a free game, an offer of
photos of your favorite star, a free calendar program, or inexpensive
shareware that will protect your computer against viruses. Whatever the
offer, the email directs you to download the file with the goodies that the
message has convinced you to try.
Or maybe you receive a message with a subject line that reads "Don, I miss
you," or "Anna, why haven't you written me," or "Hi, Tim, here's the sexy
photo I promised you." This couldn't be junk advertising mail, you think,
because it has your own name on it and sounds so personal. So you open
the attachment to see the photo or read the message.
All of these actions--downloading software you learned about from an
advertising email, clicking on a link that takes you to a site you haven't
heard of before, opening an attachment from someone you don't really
know--are invitations to trouble. Sure, most of the time what you get is
exactly what you expected, or at worst something disappointing or
offensive, but harmless. But sometimes what you get is the handiwork of
a vandal.
Sending malicious code to your computer is only a small part of the
attack. The attacker needs to persuade you to download the attachment for
the attack to succeed.
NOTE
One type of program known in the computer underground as a RAT, or
Remote Access Trojan, gives the attacker full access to your computer,
just as if he were sitting at your keyboard.
The most damaging forms of malicious code - worms with names like
Love Letter, SirCam, and Anna Kournikova, to name a few - have all
relied on social engineering techniques of deception and taking advantage
of our desire to get something for nothing in order to be spread. The worm
arrives as an attachment to an email that offers something tempting, such
as confidential information, free pornography, or - a very clever ruse - a
message saying that the attachment is the receipt for some expensive item
you supposedly ordered. This last ploy leads you to open the attachment
for fear your credit card has been charged for an item you didn't order.
It's astounding how many people fall for these tricks; even after being told
and told again about the dangers of opening email attachments, awareness
of the danger fades over time, leaving each of us vulnerable.
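None of the worms named above needed a software flaw; they needed a filename that looked harmless. Anna Kournikova arrived as AnnaKournikova.jpg.vbs and Love Letter as LOVE-LETTER-FOR-YOU.TXT.vbs, so a mail client that hides known extensions showed only the ".jpg" or ".TXT" part. The following Python script is an added example, not code from the book: it parses a constructed message that mimics the "here's the photo I promised you" lure and reports the attachments a gateway filter would block or hold for inspection. The extension lists, the sample message and the function names are the example's own assumptions.

```python
import email
from email import policy

# Added example, not from the book. A constructed message that mimics the
# "here's the photo I promised you" lure from the chapter; the attachment
# bodies are a few base64 bytes, not real files.
SAMPLE_MESSAGE = """\
From: "Tim" <tim@example.com>
To: you@example.com
Subject: Hi, here's the sexy photo I promised you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Here it is, enjoy!
--XYZ
Content-Type: image/jpeg; name="photo.jpg.vbs"
Content-Disposition: attachment; filename="photo.jpg.vbs"
Content-Transfer-Encoding: base64

TXNnQm94ICJoaSI=
--XYZ
Content-Type: application/msword; name="receipt.doc"
Content-Disposition: attachment; filename="receipt.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--XYZ--
"""

# Extensions Windows will execute when double-clicked (assumed list, not exhaustive).
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                  "js", "jse", "wsf", "wsh", "hta", "lnk", "reg"}
# Document types that can carry macros, as the chapter warns.
MACRO_CAPABLE_EXT = {"doc", "dot", "xls", "xlt", "ppt", "pot",
                     "docm", "dotm", "xlsm", "pptm"}
# Harmless-looking extensions that worms have hidden an executable behind.
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3", "zip"}
IMAGE_TYPES = {"image/jpeg", "image/gif", "image/png"}
IMAGE_EXT = {"jpg", "jpeg", "gif", "png"}


def classify_attachment(filename, content_type):
    """Return the reasons an attachment should be blocked or held for review.

    An empty list means nothing suspicious was found in the name or type;
    it does not mean the file is safe.
    """
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{ext}")
        # photo.jpg.vbs: the real extension hides behind a decoy one.
        if len(parts) > 2 and parts[-2] in DECOY_EXT:
            reasons.append("double extension disguises executable as a document or image")
    if content_type in IMAGE_TYPES and ext not in IMAGE_EXT:
        reasons.append(f"declared type {content_type} does not match extension .{ext}")
    if ext in MACRO_CAPABLE_EXT:
        reasons.append("Office document may carry macros: inspect before opening")
    return reasons


def scan_message(raw_message):
    """Parse an RFC 822 message and return [(filename, reasons), ...] for
    every attachment that triggered at least one reason."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(filename, part.get_content_type())
        if reasons:
            findings.append((filename, reasons))
    return findings


if __name__ == "__main__":
    for filename, reasons in scan_message(SAMPLE_MESSAGE):
        print(filename)
        for reason in reasons:
            print("   -", reason)
```

The check deliberately trusts neither the declared MIME type nor the visible part of the name: the lure in the sample declares itself image/jpeg while carrying a .vbs, and the "receipt" is exactly the kind of Office document the chapter says may install something when its macros run.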
Spotting Malicious Software
Another kind of malware - short for malicious software - puts a program
onto your computer that operates without your knowledge or consent, or
performs a task without your awareness. Malware may look innocent
enough, may even be a Word document or PowerPoint presentation, or
any program that has macro functionality, but it will secretly install an
unauthorized program. For example, malware may be a version of the
Trojan Horse talked about in Chapter 6. Once this software is installed on
your machine, it can feed every keystroke you type back to the attacker,
including all your passwords and credit card numbers.
There are two other types of malicious software you may find shocking.
One can feed the attacker every word you speak within range of your
computer microphone, even when you think the microphone is turned off.
Worse, if you have a Web cam attached to your computer, an attacker
using a variation of this technique may be able to capture everything that
takes place in front of your terminal, even when you think the camera is
off, day or night.
LINGO
MALWARE
Slang for malicious software: a computer program, such as a virus, worm, or Trojan Horse, that performs damaging tasks.
MITNICK MESSAGE
Beware of geeks bearing gifts, otherwise your company might endure the
same fate as the city of Troy. When in doubt, to avoid an infection, use
protection.
A hacker with a malicious sense of humor might try to plant a little
program designed to be wickedly annoying on your computer. For
example, it might make your CD drive tray keep popping open, or the file
you're working on keep minimizing. Or it might cause an audio file to
play a scream at full volume in the middle of the night. None of these is
much fun when you're trying to get sleep or get work done... but at least
they don't do any lasting damage.
MESSAGE FROM A FRIEND
The scenarios can get even worse, despite your precautions. Imagine:
You've decided not to take any chances. You will no longer download any
files except from secure sites that you know and trust, such as
SecurityFocus.com or Amazon.com. You no longer click on links in email
from unknown sources. You no longer open attachments in any email that
you were not expecting. And you check your browser page to make sure
there is a secure site symbol on every site you visit for e-commerce
transactions or to exchange confidential information.
And then one day you get an email from a friend or business associate that
carries an attachment. Couldn't be anything malicious if it comes from
someone you know well, right? Especially since you would know who to
blame if your computer data were damaged.
You open the attachment, and... BOOM! You just got hit with a worm or
Trojan Horse. Why would someone you know do this to you? Because
some things are not as they appear. You've read about this: the worm that
gets onto someone's computer, and then emails itself to everyone in that
person's address book. Each of those people gets an email from someone
he knows and trusts, and each of those trusted emails contains the worm,
which propagates itself like the ripples from a stone thrown into a still
pond.
The reason this technique is so effective is that it follows the theory of
killing two birds with one stone: The ability to propagate to other
unsuspecting victims, and the appearance that it originated from a trusted
person.
MITNICK MESSAGE
Man has invented many wonderful things that have changed the world
and our way of life. But for every good use of technology, whether a
computer, telephone, or the Internet, someone will always find a way to
abuse it for his or her own purposes.
It's a sad fact of life in the current state of technology that you may get an
email from someone close to you and still have to wonder if it's safe to
open.
VARIATIONS ON A THEME
In this era of the Internet, there is a kind of fraud that involves
misdirecting you to a Web site that is not what you expected. This
happens regularly, and it takes a variety of forms. This example, which is
based on an actual scam perpetrated on the Internet, is representative.
Merry Christmas. . .
A retired insurance salesman named Edgar received an email one day from
PayPal, a company that offers a fast and convenient way of making online
payments. This kind of service is especially handy when a person in one
part of the country (or the world, for that matter) is buying an item from
an individual he doesn't know. PayPal charges the purchaser's credit card
and transfers the money directly to the seller's account.
As a collector of antique glass jars Edgar did a lot of business through
the on-line auction company eBay. He used PayPal often, sometimes
several times a week. So Edgar was interested when he received an email in
the holiday season of 2001 that seemed to be from PayPal, offering him a
reward for updating his PayPal account. The message read:
Season's Greetings Valued PayPal Customer;
As the New Year approaches and as we all get ready to move a year
ahead, PayPal would like to give you a $5 credit to your account!
All you have to do to claim your $5 gift from us is update your
information on our secure Pay Pal site by January 1st, 2002. A year
brings a lot of changes, by updating your information with us you will
allow for us to continue providing you and our valued customer service
with excellent service and in the meantime, keep our records straight!
To update your information now and to receive $5 in your PayPal account
instantly,
click this link:
http://www.paypal-secure.com/cgi-bin
Thank you for using PayPal.com and helping us grow to be the largest of
our kind!
Sincerely wishing you a very "Merry Christmas and Happy New Year,"
PayPal Team
A Note about E-commerce Web Sites
You probably know people who are reluctant to buy goods on line, even
from brand-name companies such as Amazon and eBay, or the Web sites
of Old Navy, Target, or Nike. In a way, they're right to be suspicious. If
your browser uses today's standard of 128-bit encryption, the information
you send to any secure site leaves your computer encrypted. This
data could be decrypted with a lot of effort, but probably is not
breakable in a reasonable amount of time, except perhaps by the National
Security Agency (and the NSA, so far as we know, has not shown any
interest in stealing credit card numbers of American citizens or trying to
find out who is ordering sexy videotapes or kinky underwear).
This encrypted traffic could actually be broken by anyone with enough time
and resources. But really, what fool would go to all that effort to steal one
credit card number when many e-commerce companies make the mistake
of storing all their customer financial information unencrypted in their
databases? Worse, a number of e-commerce companies that use a
particular SQL database software badly compound the problem: They
have never changed the default system administrator password for the
program. When they took the software out of the box, the password was
blank ("null"), and it's still blank today. So the contents of the database are
available to anyone on the Internet who decides to try to connect to the
database server. These sites are under attack all the time, and information
does get stolen without anyone being the wiser.
On the other hand, the same people who won't buy on the Internet because
they're afraid of having their credit card information stolen
have no problem buying with that same credit card in a brick-and-mortar
store, or paying for lunch, dinner, or drinks with the card
even in a back-street bar or restaurant they wouldn't take their mother to.
Credit card receipts get stolen from these places all the time, or fished out
of trash bins in the back alley. And any unscrupulous clerk or waiter can
jot down your name and card info, or use a gadget readily available on the
Internet, a card-swiping device that stores data from any credit card
passed through it, for later retrieval.
There are some hazards to shopping on line, but it's probably as safe as
shopping in a bricks-and-mortar store. And the credit card companies
offer you the same protection when using your card on line--if any
fraudulent charges get made to the account, you're only responsible for
the first $50.
So in my opinion, fear of shopping online is just another misplaced
worry.
Edgar didn't notice any of the several tell-tale signs that something was
wrong with this email (for example, the semicolon after the greeting line,
and the garbled text about "our valued customer service with excellent
service"). He clicked on the link, entered the information requested -
name, address, phone number, and credit card information - and sat back
to wait for the five-dollar credit to show up on his next credit-card bill.
What showed up instead was a list of charges for items he never
purchased.
Analyzing the Con
Edgar had been taken in by a commonplace Internet scam. It's a scam that
comes in a variety of forms. One of them (detailed in Chapter 9) involves
a decoy login screen created by the attacker that looks identical to the real
thing. The difference is that the phony screen doesn't give access to the
computer system that the user is trying to reach, but instead feeds his
username and password to the hacker.
Edgar had been taken in by a scam in which the crooks had registered a
Web site with the name "paypal-secure.com"- which sounds as if it should
have been a secure page on the legitimate PayPal site, but it isn't. When
he entered information on that site, the attackers got just what they
wanted.
MITNICK MESSAGE
While not foolproof (no security is), whenever visiting a site that requests
information you consider private, always ensure that the connection is
authenticated and encrypted. And even more important, do not
automatically click Yes in any dialog box that may indicate a security
issue, such as an invalid, expired, or revoked digital certificate.
VARIATIONS ON THE VARIATION
How many other ways are there to deceive computer users into going to a
bogus Web site where they provide confidential information? I don't
suppose anyone has a valid, accurate answer, but "lots and lots" will serve
the purpose.
The Missing Link
One trick pops up regularly: Sending out an email that offers a tempting
reason to visit a site, and provides a link for going directly to it. Except
that the link doesn't take you to the site you think you're going to, because
the link actually only resembles a link for that site. Here's another example
that has actually been used on the Internet, again involving misuse of
the name PayPal:
www.PayPai.com
At a quick glance, this looks as if it says PayPal. Even if the victim
notices, he may think it's just a slight defect in the text that makes the "l"
of Pal look like an "i." And who would notice at a glance that:
www.PayPa1.com
uses the number 1 instead of a lowercase letter L? There are enough
people who accept misspellings and other misdirection to make this
gambit continually popular with credit card bandits. When people go to
the phony site, it looks like the site they expected to go to, and they
blithely enter their credit card information. To set up one of these scams,
an attacker only needs to register the phony domain name, send out his
emails, and wait for suckers to show up, ready to be cheated.
In mid-2002, I received an email, apparently part of a mass mailing that
was marked as being from "Ebay@ebay.com." The message is shown in
Figure 8.1.
Figure 8.1. The link in this or any other email should be used with
caution.
-----------------------------------------------------------------------------------------
Dear eBay User,
It has become very noticeable that another party has
been corrupting your eBay account and has violated our User Agreement
policy listed:
4. Bidding and Buying
You are obligated to complete the transaction with the
seller if you purchase an item through one of our fixed price formats or
are the highest bidder as described below. If you are the highest bidder at
the end of an auction (meeting the applicable minimum bid or reserve
requirements) and your bid is accepted by the seller, you are obligated to
complete the transaction with the seller, or the transaction is prohibited by
law or by this Agreement.
You received this notice from eBay because it has come
to our attention that your current account has caused interruptions with
other eBay members and eBay requires immediate verification for your
account. Please verify your account or the account may become disabled.
Click Here To Verify Your Account - http://error ebay.tripod.com
Designated trademarks and brands are the property of
their respective owners, eBay and the eBay logo are trademarks of eBay
Inc.
-----------------------------------------------------------------------------------------
Victims who clicked on the link went to a Web page that looked very
much like an eBay page. In fact, the page was well designed, with an
authentic eBay logo, and "Browse," "Sell" and other navigation links that,
if clicked, took the visitor to the actual eBay site. There was also a
security logo in the bottom right corner. To deter the savvy victim, the
designer had even obfuscated the HTML source to mask where the user-provided
information was being sent.
It was an excellent example of a malicious computer-based social
engineering attack. Still, it was not without several flaws.
The email message was not well written; in particular, the paragraph
beginning "You received this notice" is clumsy and inept (the people
responsible for these hoaxes never hire a professional to edit their copy,
and it always shows). Also, anybody who was paying close attention
would have become suspicious about eBay asking for the visitor's PayPal
information; there is no reason eBay would ask a customer for this private
information involving a different company.
And anyone knowledgeable about the Internet would probably recognize
that the hyperlink connects not to the eBay domain but to tripod.com,
which is a free Web hosting service. This was a dead giveaway that the
email was not legitimate. Still, I bet a lot of people entered their
information, including a credit card number, onto this page.
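Both the paypal-secure.com lure and the eBay message above rely on a host name that merely resembles the expected one: a digit 1 or a letter i in place of l, the brand name with an extra word hyphenated on, or the brand as a subdomain of a free hosting service. The following Python function is an added example, not code from the book: given the domain the user expects and the link's actual URL, it reports why the link should not be trusted. The confusable-character table, the free-hosting list and the two-label rule for the registrable domain are simplifying assumptions of the example (a real filter would use the public suffix list and the Unicode confusables data); the URLs in the demo are constructed, with error-ebay.tripod.com standing in for the garbled address in Figure 8.1.

```python
from typing import List
from urllib.parse import urlparse

# Added example, not from the book. Characters commonly substituted for each
# other in lookalike domain names; the first entry of each tuple is the
# canonical form. Constructed sample, not the full Unicode confusables table.
CONFUSABLE_CLASSES = [
    ("l", "1", "i", "|"),   # PayPa1, PayPai
    ("o", "0"),             # micros0ft
    ("m", "rn"),            # rnicrosoft
    ("w", "vv"),            # vvestern
]
# Free hosting services an attacker can use without registering anything
# (assumed list for the example).
FREE_HOSTS = {"tripod.com", "geocities.com", "angelfire.com"}


def skeleton(label: str) -> str:
    """Collapse confusable sequences so that lookalikes compare equal."""
    s = label.lower()
    for canonical, *variants in CONFUSABLE_CLASSES:
        for variant in variants:
            s = s.replace(variant, canonical)
    return s


def registrable(host: str) -> str:
    """Last two labels of the host name. Simplification: a real check would
    consult the public suffix list so that e.g. paypal.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(expected_domain: str, url: str) -> List[str]:
    """Return the warnings for a link the user believes leads to expected_domain.

    An empty list means the link is a page on expected_domain (or one of its
    subdomains) over HTTPS.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["link has no host name"]
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    reg = registrable(host)
    warnings = []
    if reg != expected:
        if skeleton(reg) == skeleton(expected):
            warnings.append(f"confusable characters: {reg} imitates {expected}")
        elif brand in reg.split(".")[0]:
            warnings.append(f"brand name embedded in an unrelated domain: {reg}")
        elif brand in host:
            warnings.append(f"brand name used as a subdomain of {reg}")
        else:
            warnings.append(f"unrelated domain: {reg}")
        if reg in FREE_HOSTS:
            warnings.append(f"{reg} is a free hosting service")
    if parsed.scheme != "https":
        warnings.append("not HTTPS: anything entered is sent in the clear")
    return warnings


if __name__ == "__main__":
    # Constructed URLs; error-ebay.tripod.com stands in for the garbled link in Figure 8.1.
    samples = [
        ("paypal.com", "https://www.paypal.com/cgi-bin/webscr"),
        ("paypal.com", "http://www.paypal-secure.com/cgi-bin"),
        ("paypal.com", "http://www.PayPai.com"),
        ("paypal.com", "http://www.PayPa1.com"),
        ("paypal.com", "https://www.paypal.com.example.net/login"),
        ("ebay.com", "http://error-ebay.tripod.com"),
    ]
    for expected, url in samples:
        print(url, "->", check_link(expected, url) or ["ok"])
```

The comparison is done on the registrable domain, not on the whole host name, because the part an attacker controls is everything to the left of the domain he registered: paypal.com.example.net is example.net's page no matter how the left end reads.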
NOTE
Why are people allowed to register deceptive or inappropriate domain
names? Because under current law and on-line policy, anyone can
register any site name that is not already in use.
Companies try to fight this use of copycat addresses, but consider what
they're up against. General Motors filed suit against a company that
registered f**kgeneralmotors.com (but without the asterisks) and pointed
the URL to General Motors' Web site. GM lost.
Be Alert
As individual users of the Internet, we all need to be alert, making a
conscious decision about when it's okay to enter personal information,
passwords, account numbers, PINs, and the like.
How many people do you know who could tell you whether a particular
Internet page they're looking at meets the requirements of a secure page?
How many employees in your company know what to look for?
Everyone who uses the Internet should know about the little padlock symbol
that the browser shows in its own status bar or address bar (not a padlock
drawn into the page itself, which anyone can copy, as the phony eBay page
above did with its "security logo"). They should know that when the hasp
is closed, the browser has verified the site's certificate and is encrypting
the connection; it says nothing about whether the site's owner is honest.
When the hasp is open or the lock icon is missing, the Web site is not
authenticated as genuine, and any information transmitted is in the
clear--that is, unencrypted.
However, an attacker who manages to compromise administrative
privileges on a company computer may be able to modify or patch the
operating system code to change the user's perception of what is really
happening. For example, the programming instructions in the browser
software that indicate a Web site's digital certificate is invalid can be
modified to bypass the check. Or the system could be modified with
something called a rootkit, installing one or more back doors at the
operating system level, which are harder to detect.
A secure connection authenticates the site as genuine, and encrypts the
information being communicated, so an attacker cannot make use of any
data that is intercepted. Can you trust any Web site, even one that uses a
secure connection? No, because the site owner may not be vigilant about
applying all the necessary security patches, or forcing users or
administrators to respect good password practices. So you can't assume
that any supposedly secure site is invulnerable to attack.
LINGO
BACK DOOR
A covert entry point that provides a secret way into a user's computer that is unknown to the user. Also used by programmers
while developing a software program so that they can go into the program
to fix problems.
HTTPS (HTTP carried over SSL, the Secure Sockets Layer)
provides an automatic mechanism that uses digital certificates not only to
encrypt information being sent to the distant site, but also to provide
authentication (an assurance that you are communicating with the genuine
Web site). However, this protection mechanism does not work for users
who fail to pay attention to whether the site name displayed in the address
bar is in fact the correct address of the site they're trying to access.
Another security issue, mostly ignored, appears as a warning message that
says something like "This site is not secure or the security certificate has
expired. Do you want to go to the site anyway?" Many Internet users don't
understand the message, and when it appears, they simply click Okay or
Yes and go on with their work, unaware that they may be on quicksand.
Be warned: On a Web site that does not use a secure protocol, you should
never enter any confidential information such as your address or phone
number, credit card or bank account numbers, or anything else you want
to keep private.
Thomas Jefferson said maintaining our freedom required "eternal
vigilance." Maintaining privacy and security in a society that uses
information as currency requires no less.
Becoming Virus Savvy
A special note about antivirus software: It is essential for the corporate
intranet, but also essential for every employee who uses a computer.
Beyond just having antivirus software installed on their machines, users
obviously need to have the software turned on (which many people don't
like because it inevitably slows down some computer functions).
With antivirus software there's another important procedure to keep in
mind, as well: Keeping the virus definitions up to date. Unless your
company is set up to distribute software or updates over the network to
every user, each individual user must carry the responsibility of
downloading the latest set of virus definitions on his own. My personal
recommendation is to have everyone set the antivirus software preferences
so that new virus definitions are automatically updated every day.
LINGO
SECURE SOCKETS LAYER
A protocol developed by Netscape that provides encryption and authentication of the server (and optionally of the client) in a secure
communication on the Internet.
Simply put, you're vulnerable unless the virus definitions are updated
regularly. And even so, you're still not completely safe from viruses or
worms that the antivirus software companies don't yet know about or
haven't yet published a detection pattern file for.
All employees with remote access privileges from their laptops or home
computers need to have updated antivirus software and a personal firewall on
those machines at a minimum. A sophisticated attacker will look at the
big picture to seek out the weakest link, and that's where he'll attack.
Reminding people with remote computers regularly about the need for
personal firewalls and updated, active antivirus software is a corporate
responsibility, because you can't expect that individual workers,
managers, sales people, and others remote from an IT department will
remember the dangers of leaving their computers unprotected.
Beyond these steps, I strongly recommend use of the less common, but no
less important, software packages that guard against Trojan Horse attacks,
so-called anti-Trojan software. At the time of this writing, two of the
better-known programs are The Cleaner (www.moosoft.com), and Trojan
Defense Sweep (www.diamondcs.com.au).
Finally, what is probably the most important security message of all for
companies that do not scan for dangerous emails at the corporate gateway:
Since we all tend to be forgetful or negligent about things that seem
peripheral to getting our jobs done, employees need to be reminded over
and over again, in different ways, about not opening email attachments
unless they are certain that the source is a person or organization they can
trust. And management also needs to remind employees that they must
use active antivirus software and anti-Trojan software that provides
invaluable protection against the seemingly trustworthy email that may
contain a destructive payload.
Chapter 8
Using Sympathy, Guilt, and Intimidation
As discussed in Chapter 15, a social engineer uses the psychology of
influence to lead his target to comply with his request. Skilled social
engineers are very adept at developing a ruse that stimulates emotions,
such as fear, excitement, or guilt. They do this by using psychological
triggers--automatic mechanisms that lead people to respond to requests
without in-depth analysis of all the available information.
We all want to avoid difficult situations for ourselves and others. Based
on this positive impulse, the attacker can play on a person's sympathy,
make his victim feel guilty, or use intimidation as a weapon.
Here are some graduate-school lessons in popular tactics that play on the
emotions.
A VISIT TO THE STUDIO
Have you ever noticed how some people can walk up to the guard at the
door of, say, a hotel ballroom where some meeting, private party, or
book-launching function is under way, and just walk past that person without
being asked for his ticket or pass?
In much the same way, a social engineer can talk his way into places that
you would not have thought possible - as the following story about the
movie industry makes clear.
The Phone Call
"Ron Hillyard's office, this is Dorothy."
"Dorothy, hi. My name is Kyle Bellamy. I've just come on board to work
in Animation Development on Brian Glassman's staff. You folks sure do
things different over here."
"I guess. I never worked on any other movie lot so I don't really know.
What can I do for you?"
"To tell you the truth, I'm feeling sort of stupid. I've got a writer coming
over this afternoon for a pitch session and I don't know who I'm supposed
to talk to about getting him onto the lot. The people over here in Brian's
office are really nice but I hate to keep bothering them, how do I do this,
how do I do that. It's like I just started junior high and can't find my way
to the bathroom. You know what I mean?"
Dorothy laughed.
"You want to talk to Security. Dial 7, and then 6138. If you
get Lauren, tell her Dorothy said she should take good
care of you."
"Thanks, Dorothy. And if I can't find the men's room, I may call you
back!"
They chuckled together over the idea, and hung up.
David Harold's Story
I love the movies and when I moved to Los Angeles, I thought I'd get to
meet all kinds of people in the movie business and they'd take me along
to parties and have me over to lunch at the studios. Well, I was there for
a year, I was turning twenty-six years old, and the closest I got was going
on the Universal Studios tour with all the nice people from Phoenix and
Cleveland. So finally it got to the point where I figured, if they won't
invite me in, I'll invite myself. Which is what I did.
I bought a copy of the Los Angeles Times and read the entertainment column
for a couple of days, and wrote down the names of some producers
at different studios. I decided I'd try hitting on one of the big studios first.
So I called the switchboard and asked for the office of this producer I
had read about in the paper. The secretary that answered sounded like the
motherly type, so I figured I had gotten lucky; if it was some young girl
who was just there hoping she'd be discovered, she probably wouldn't have
given me the time of day.
But this Dorothy, she sounded like somebody that would take in a stray
kitten, somebody who'd feel sorry for the new kid that was feeling a little
overwhelmed on the new job. And I sure got just the right touch with her.
It's not every day you try to trick somebody and they give you even more
than you asked for. Out of pity, she not only gave me the name of one of
the people in Security, but said I should tell the lady that Dorothy wanted
her to help me.
Of course I had planned to use Dorothy's name anyway. This made it even
better. Lauren opened right up and never even bothered to look up the
name I gave to see if it was really in the employee database.
When I drove up to the gate that afternoon, they not only had my name on
the visitor's list, they even had a parking space for me. I had a late lunch
at the commissary, and wandered the lot until the end of the day. I even
sneaked into a couple of sound stages and watched them shooting movies.
Didn't leave till 7 o'clock. It was one of my most exciting days ever.
Analyzing the Con
Everybody was a new employee once. We all have memories of what that
first day was like, especially when we were young and inexperienced. So
when a new employee asks for help, he can expect that many people--
especially entry-level people--will remember their own new-kid-on-the-block
feelings and go out of their way to lend a hand. The social engineer
knows this, and he understands that he can use it to play on the
sympathies of his victims.
We make it too easy for outsiders to con their way into our company
plants and offices. Even with guards at entrances and sign-in procedures
for anyone who isn't an employee, any one of several variations on the
ruse used in this story will allow an intruder to obtain a visitor's badge and
walk right in. And if your company requires that visitors be escorted?
That's a good rule, but it's only effective if your employees are truly
conscientious about stopping anyone with or without a visitor's badge
who is on his own, and questioning him. And then, if the answers aren't
satisfactory, your employees have to be willing to contact security.
Making it too easy for outsiders to talk their way into your facilities
endangers your company's sensitive information. In today's climate, with
the threat of terrorist attacks hanging over our society, it's more than just
information that could be at risk.
"DO IT NOW"
Not everyone who uses social engineering tactics is a polished social
engineer. Anybody with an insider's knowledge of a particular company
can turn dangerous. The risk is even greater for any company that holds in
its files and databases any personal information about its employees,
which, of course, most companies do.
When workers are not educated or trained to recognize social engineering
attacks, determined people like the jilted lady in the following story can
do things that most honest people would think impossible.
Doug's Story
Things hadn't been going all that well with Linda anyway, and I knew as
soon as I met Erin that she was the one for me. Linda is, like, a little bit...
well, sort of not exactly unstable but she can sort of go off the deep end
when she gets upset.
I told her as gentle as I could that she had to move out, and I helped her
pack and even let her take a couple of the Queensryche CDs that were
really mine. As soon as she was gone I went to the hardware store for a
new Medico lock to put on the front door and put it on that same night.
The next morning I called the phone company and had them change my
phone number, and made it unpublished.
That left me free to pursue Erin.
Linda's Story
I was ready to leave, anyway, I just hadn't decided when. But nobody
likes to feel rejected. So it was just a question of, what could I do to let
him know what a jerk he was?
It didn't take long to figure out. There had to be another girl, otherwise he
wouldn't of sent me packing in such a hurry. So I'd just wait a bit and then
start calling him late in the evening. You know, around the time they
would least want to be called.
I waited till the next weekend and called around 11 o'clock on Saturday
night. Only he had changed his phone number. And the new number was
unlisted. That just shows what kind of SOB the guy was.
It wasn't that big of a setback. I started rummaging through the papers I
had managed to take home just before I left my job at the phone company.
And there it was--I had saved a repair ticket from once when there was a
problem with the telephone line at Doug's, and the printout listed
the cable and pair for his phone. See, you can change your phone number
all you want, but you still have the same pair of copper wires running from
your house to the telephone company switching office, called the Central
Office, or CO. The set of copper wires from every house and apartment
is identified by these numbers, called the cable and pair. And if you know
how the phone company does things, which I do, knowing the target's
cable and pair is all you need to find out the phone number.
I had a list giving all the COs in the city, with their addresses and phone
numbers. I looked up the number for the CO in the neighborhood where
I used to live with Doug the jerk, and called, but naturally nobody was
there. Where's the switchman when you really need him? Took me all of
about twenty seconds to come up with a plan. I started calling around to
the other COs and finally located a guy. But he was miles away and he was
probably sitting there with his feet up. I knew he wouldn't want to do
what I needed. I was ready with my plan.
"This is Linda, Repair Center," I said. "We have an emergency. Service
for a paramedic unit has gone down. We have a field tech trying to
restore
service but he can't find the problem. We need you to drive over to the
Webster CO immediately and see if we have dial tone leaving the central
office."
And then I told him, 'I'll call you when you get there," because of
course I couldn't have him calling the Repair Center and asking for me.
I knew he wouldn't want to leave the comfort of the central office to
bundle up and go scrape ice off his windshield and drive through the slush
late at night. But it was an emergency, so he couldn't exactly say he was
too busy.
When I reached him forty-five minutes later at the Webster CO, I told
him to check cable 29 pair 2481, and he walked over to the frame and
checked and said yes, there was dial tone. Which of course I already
knew.
So then I said, "Okay, I need you to do an LV," which means line verification,
which is asking him to identify the phone number. He does this
by dialing a special number that reads back the number he called from.
He doesn't know anything about if it's an unlisted number or that it's just
been changed, so he did what I asked and I heard the number being
announced over his lineman's test set. Beautiful. The whole thing had
worked like a charm.
I told him, "Well, the problem must be out in the field," like I knew the
number all along. I thanked him and told him we'd keep working on it,
and said good night.
So much for that Doug and trying to hide from me behind an unlisted
number. The fun was about to begin.
MITNICK MESSAGE
Once a social engineer knows how things work inside the targeted
company, it becomes easy to use that knowledge to develop rapport with
legitimate employees. Companies need to prepare for social engineering
attacks from current or former employees who may have an axe to grind.
Background checks may be helpful to weed out prospects who may have a
propensity toward this type of behavior. But in most cases, these people
will be extremely difficult to detect. The only reasonable safeguard in
these cases is to enforce and audit procedures for verifying identity,
including the person's employment status, prior to disclosing any
information to anyone not personally known to still be with the company.
Analyzing the Con
The young lady in this story was able to get the information she wanted to
carry out her revenge because she had inside knowledge: the phone
numbers, procedures, and lingo of the telephone company. With it she
was not only able to find out a new, unlisted phone number, but was able
to do it in the middle of a wintry night, sending a telephone switchman
chasing across town for her.
"MR. BIGG WANTS THIS"
A popular and highly effective form of intimidation--popular in large
measure because it's so simple--relies on influencing human behavior by
using authority.
Just the name of the assistant in the CEO's office can be valuable. Private
investigators and even head-hunters do this all the time. They'll call the
switchboard operator and say they want to be connected to the CEO's
office. When the secretary or executive assistant answers, they'll say they
have a document or package for the CEO, or if they send an email
attachment, would she print it out? Or else they'll ask, what's the fax
number? And by the way, what's your name?
Then they call the next person, and say, "Jeannie in Mr. Bigg's office told
me to call you so you can help me with something."
The technique is called name-dropping, and it's usually used as a method
to quickly establish rapport by influencing the target to believe that the
attacker is connected with somebody in authority. A target is more likely
to do a favor for someone who knows somebody he knows.
If the attacker has his eyes set on highly sensitive information, he may use
this kind of approach to stir up useful emotions in the victim, such as fear
of getting into trouble with his superiors. Here's an example.
Scott's Story
"Scott Abrams."
"Scott, this is Christopher Dalbridge. I just got off the phone with Mr.
Biggley, and he's more than a little unhappy. He says he sent a note ten
days ago that you people were to get copies of all your market penetration
research over to us for analysis. We never got a thing."
"Market penetration research? Nobody said anything to me about it.
What department are you in?"
"We're a consulting firm he hired, and we're already behind schedule."
"Listen, I'm just on my way to a meeting. Let me get your phone number
and . . ."
The attacker now sounded just short of truly frustrated: "Is that what
you want me to tell Mr. Biggley?! Listen, he expects our analysis by
tomorrow morning and we have to work on it tonight. Now, do you want
me to tell him we couldn't do it 'cause we couldn't get the report from you,
or do you want to tell him that yourself?."
An angry CEO can ruin your week. The target is likely to decide that
maybe this is something he better take care of before he goes into that
meeting. Once again, the social engineer has pressed the right button to
get the response he wanted.
Analyzing the Con
The ruse of intimidation by referencing authority works especially well if
the other person is at a fairly low level in the company. The use of an
important person's name not only overcomes normal reluctance or
suspicion, but often makes the person eager to please; the natural instinct
of wanting to be helpful is multiplied when you think that the person
you're helping is important or influential.
The social engineer knows, though, that it's best when running this
particular deceit to use the name of someone at a higher level than the
person's own boss. And this gambit is tricky to use within a small
organization: The attacker doesn't want his victim making a chance
comment to the VP of marketing. "I sent out the product marketing plan
you had that guy call me about," can too easily produce a response of
"What marketing plan? What guy?" And that could lead to the discovery
that the company has been victimized.
MITNICK MESSAGE
Intimidation can create a fear of punishment, influencing people to
cooperate. Intimidation can also raise the fear of embarrassment or of
being disqualified from that new promotion.
People must be trained that it's not only acceptable but expected to
challenge authority when security is at stake. Information security training
should include teaching people how to challenge authority in customer-friendly
ways, without damaging relationships. Moreover, this expectation
must be supported from the top down. If an employee is not going to be
backed up for challenging people regardless of their status, the normal
reaction is to stop challenging--just the opposite of what you want.
WHAT THE SOCIAL SECURITY ADMINISTRATION KNOWS
ABOUT YOU
We like to think that government agencies with files on us keep the
information safely locked away from people without an authentic need to
know. The reality is that even the federal government isn't as immune to
penetration as we would like to imagine.
May Linn's Phone Call
Place: A regional office of the Social Security Administration
Time: 10:18 A.M., Thursday morning
"Mod Three. This is May Linn Wang."
The voice on the other end of the phone sounded apologetic, almost timid.
"Ms. Wang, this is Arthur Arondale, in the Office of the Inspector
General. Can I call you 'May'?"
"It's 'May Linn'," she said.
"Well, it's like this, May Linn. We've got a new guy in here who there's
no computer for yet, and right now he's got a priority project and he's
using mine. We're the government of the United States, for cryin' out
loud, and they say they don't have enough money in the budget to buy a
computer for this guy to use. And now my boss thinks I'm falling behind
and doesn't want to hear any excuses, you know?"
"I know what you mean, all right."
"Can you help me with a quick inquiry on MCS?" he asked, using the
name of the computer system for looking up taxpayer information.
"Sure, what'cha need?"
"The first thing I need you to do is an alphadent on Joseph Johnson, DOB
7/4/69." (Alphadent means to have the computer search for an account
alphabetically by taxpayer name, further identified by date of birth.)
After a brief pause, she asked:
"What do you need to know?"
"What's his account number?" he said, using the insider's
shorthand for the social security number. She read it off.
"Okay, I need you to do a numident on that account number,"
the caller said.
That was a request for her to read off the basic taxpayer data,
and May Linn responded by giving the taxpayer's place of
birth, mother's maiden name, and father's name. The caller
listened patiently while she also gave him the month and year
the card was issued, and the district office it was issued by.
He next asked for a DEQY. (Pronounced "DECK-wee," it's short
for "detailed earnings query.")
The DEQY request brought the response, "For what year?"
The caller replied, "Year 2001."
May Linn said, "The amount was $190,286, the payer was Johnson
MicroTech."
"Any other wages?"
"No."
"Thanks," he said. "You've been very kind."
Then he tried to arrange to call her whenever he needed information and
couldn't get to his computer, again using the favorite trick of social
engineers of always trying to establish a connection so that he can keep
going back to the same person, avoiding the nuisance of having to find a
new mark each time.
"Not next week," she told him, because she was going to Kentucky for her
sister's wedding. Any other time, she'd do whatever she could.
When she put the phone down, May Linn felt good that she
had been able to offer a little help to a fellow unappreciated
public servant.
Keith Carter's Story
To judge from the movies and from best-selling crime novels, a private
investigator is short on ethics and long on knowledge of how to get the
juicy facts on people. They do this by using thoroughly illegal methods,
while just barely managing to avoid getting arrested. The truth, of course,
is that most PIs run entirely legitimate businesses. Since many of them
started their working lives as sworn law enforcement officers, they know
perfectly well what's legal and what isn't, and most are not tempted to
cross the line.
There are, however, exceptions. Some PIs - more than a few - do indeed
fit the mold of the guys in the crime stories. These guys are known in the
trade as information brokers, a polite term for people who are willing to
break the rules. They know they can get any assignment done a good deal
faster and a good deal easier if they take some shortcuts. That these
shortcuts happen to be potential felonies that might land them behind bars
for a few years doesn't seem to deter the more unscrupulous ones.
Meanwhile the upscale PIs--the ones who work out of a fancy office suite
in a high-rent part of town--don't do this kind of work themselves. They
simply hire some information broker to do it for them.
The guy we'll call Keith Carter was the kind of private eye unencumbered
by ethics.
It was a typical case of "Where's he hiding the money?" Or sometimes it's
"Where's she hiding the money?" Sometimes it was a rich lady who
wanted to know where her husband had hidden her money (though why a
woman with money ever marries a guy without was a riddle Keith Carter
wondered about now and then but had never found a good answer for).
In this case the husband, whose name was Joe Johnson, was the one
keeping the money on ice. He was a very smart guy who had started a
high-tech company with ten thousand dollars he borrowed from his wife's
family and built into a hundred-million dollar firm. According to her
divorce lawyer, he had done an impressive job of hiding his assets, and
the lawyer wanted a complete rundown.
Keith figured his starting point would be the Social Security
Administration, targeting their files on Johnson, which would be packed
with highly useful information for a situation like this. Armed with their
info, Keith could pretend to be the target and get the banks, brokerage
firms, and offshore institutions to tell him everything.
His first phone call was to a local district office, using the same 800
number that any member of the public uses, the number listed in the local
phone book. When a clerk came on the line, Keith asked to be connected
to someone in Claims. Another wait, and then a voice. Now Keith shifted
gears: "Hi," he began. "This is Gregory Adams, District Office 329.
Listen, I'm trying to reach a claims adjuster that handles an account
number that ends in 6363, and the number I have goes to a fax machine."
"That's Mod 2," the man said. He looked up the number and gave it to
Keith.
Next he called Mod 2. When May Linn answered, he switched hats and
went through the routine about being from the Office of the Inspector
General, and the problem about somebody else having to use his
computer. She gave him the information he was looking for, and agreed to
do whatever she could when he needed help in the future.
Analyzing the Con
What made this approach effective was the play on the employee's
sympathy with the story about someone else using his computer and "my
boss is not happy with me." People don't show their emotions at work
very often; when they do, it can roll right over someone else's ordinary
defenses against social engineering attacks. The emotional ploy of "I'm in
trouble, won't you help me?" was all it took to win the day.
Social Insecurity
Incredibly, the Social Security Administration has posted a copy of their
entire Program Operations Manual on the Web, crammed with
information that's useful for their people, but also incredibly valuable to
social engineers. It contains abbreviations, lingo, and instructions for how
to request what you want, as described in this story.
Want to learn more inside information about the Social Security
Administration? Just search on Google or enter the following address into
your browser: http://policy.ssa.gov/poms.nsf/. Unless the agency has
already read this story and removed the manual by the time you read this,
you'll find on-line instructions that even give detailed information on what
data an SSA clerk is allowed to give to the law enforcement community.
In practical terms, that community includes any social engineer who can
convince an SSA clerk that he is from a law enforcement organization.
The attacker could not have been successful in obtaining this information
from one of the clerks who handles phone calls from the general public.
The kind of attack Keith used only works when the person on the
receiving end of the call is someone whose phone number is unavailable
to the public, and who therefore has the expectation that anyone calling
must be somebody on the inside--another example of speakeasy security.
The elements that helped this attack to work included:
Knowing the phone number to the Mod.
Knowing the terminology they used--numident, alphadent, and DEQY.
Pretending to be from the Office of the Inspector General, which every
federal government employee knows as a government-wide investigative
agency with broad powers. This gives the attacker an aura of authority.
One interesting sidelight: Social engineers seem to know how to make
requests so that hardly anyone ever thinks, "Why are you calling me?"
even when, logically, it would have made more sense if the call had gone
to some other person in some completely different department. Perhaps it
simply offers such a break in the monotony of the daily grind to help the
caller that the victim discounts how unusual the call seems.
Finally, the attacker in this incident, not satisfied with getting the
information just for the case at hand, wanted to establish a contact he
could call on regularly. He might otherwise have been able to use a
common ploy for the sympathy attack--"I spilled coffee on my keyboard."
That was no good here, though, because a keyboard can be replaced in a
day.
Hence he used the story about somebody else using his computer, which
he could reasonably string out for weeks: "Yep, I thought he'd have his
own computer yesterday, but one came in and another guy pulled some
kind of deal and got it instead. So this joker is still showing up in my
cubicle." And so on.
Poor me, I need help. Works like a charm.
ONE SIMPLE CALL
One of an attacker's main hurdles is to make his request sound reasonable--
something typical of requests that come up in the victim's workday,
something that doesn't put the victim out too much. As with a lot of other
things in life, making a request sound logical may be a challenge one day,
but the next, it may be a piece of cake.
Mary H's Phone Call
Date/Time: Monday, November 23, 7:49 A.M.
Place: Mauersby & Storch Accounting, New York
To most people, accounting work is number crunching and bean counting,
generally viewed as being about as enjoyable as having a root canal.
Fortunately, not everyone sees the work that way. Mary Harris, for
example, found her work as a senior accountant absorbing, part of the
reason she was one of the most dedicated accounting employees at her
firm.
On this particular Monday, Mary arrived early to get a head start on what
she expected to be a long day, and was surprised to find her phone
ringing. She picked it up and gave her name.
"Hi, this is Peter Sheppard. I'm with Arbuckle Support, the company that
does tech support for your firm. We logged a couple of complaints over
the weekend from people having problems with the computers there. I
thought I could troubleshoot before everybody comes into work this
morning. Are you having any problems with your computer or connecting
to the network?"
She told him she didn't know yet. She turned her computer on and while it
was booting, he explained what he wanted to do.
"I'd like to run a couple of tests with you," he said. "I'm able to see on my
screen the keystrokes you type, and I want to make sure they're going
across the network correctly. So every time you type a stroke, I want you
to tell me what it is, and I'll see if the same letter or number is appearing
here. Okay?"
With nightmare visions of her computer not working and a frustrating day
of not being able to get any work done, she was more than happy to have
this man help her. After a few moments, she told him, "I have the login
screen, and I'm going to type in my ID. I'm typing it now--
M...A...R...Y...D."
"Great so far," he said. "I'm seeing that here. Now, go ahead and type
your password but don't tell me what it is. You should never tell anybody
your password, not even tech support. I'll just see asterisks here--your
password is protected so I can't see it." None of this was true, but it made
sense to Mary. And then he said, "Let me know once your computer has
started up."
When she said it was running, he had her open two of her applications,
and she reported that they launched "just fine."
Mary was relieved to see that everything seemed to be working normally.
Peter said, "I'm glad I could make sure you'll be able to use your computer
okay. And listen," he went on, "we just installed an update that allows
people to change their passwords. Would you be willing to take a couple
of minutes with me so I can see if we got it working right?"
She was grateful for the help he had given her and readily agreed. Peter
talked her through the steps of launching the application that allows a user
to change passwords, a standard element of the Windows 2000 operating
system. "Go ahead and enter your password," he told her. "But remember
not to say it out loud."
When she had done that, Peter said, "Just for this quick test, when it asks
for your new password, enter 'test123.' Then type it again in the
Verification box, and click Enter."
He walked her through the process of disconnecting from the server. He
had her wait a couple of minutes, then connect again, this time trying to
log on with her new password. It worked like a charm, Peter seemed very
pleased, and talked her through changing back to her original password or
choosing a new one--once more cautioning her about not saying the
password out loud.
"Well, Mary," Peter told her. "We didn't find any trouble, and that's great.
Listen, if any problems do come up, just call us over here at Arbuckle. I'm
usually on special projects but anybody here who answers can help you."
She thanked him and they said goodbye.
Peter's Story
The word had gotten around about Peter--a number of the people in his
community who had gone to school with him had heard he turned into
some kind of a computer whiz who could often find out useful
information that other people couldn't get. When Alice Conrad came to
him to ask a favor, he said no at first. Why should he help? When he ran
into her once and tried to ask for a date, she had turned him down cold.
But his refusal to help didn't seem to surprise her. She said she didn't think
it was something he could do anyway. That was like a challenge, because
of course he was sure he could. And that was how he came to
agree.
Alice had been offered a contract for some consulting work for a
marketing company, but the contract terms didn't seem very good. Before
she went back to ask for a better deal, she wanted to know what terms
other consultants had on their contracts.
This is how Peter tells the story.
I wouldn't tell Alice but I got off on people wanting me to do something
they didn't think I could, when I knew it would be easy. Well, not easy,
exactly, not this time. It would take a bit of doing. But that was okay.
I could show her what smart was really all about.
A little after 7:30 Monday morning, I called the marketing company's
offices and got the receptionist, said that I was with the company that
handled their pension plans and I need to talk to somebody in Accounting.
Had she noticed if any of the Accounting people had come in yet? She
said, "I think I saw Mary come in a few minutes ago, I'll try her for you."
When Mary picked up the phone, I told her my little story about computer
problems, which was designed to give her the jitters so she'd be glad to
cooperate. As soon as I had talked her through changing her password, I
then quickly logged onto the system with the same temporary password I
had asked her to use, test123.
Here's where the mastery comes in--I installed a small program that
allowed me to access the company's computer system whenever I wanted,
using a secret password of my own. After I hung up with Mary, my first
step was to erase the audit trail so no one would even know I had been on
his or her system. It was easy. After elevating my system privileges, I was
able to download a free program called clearlogs that I found on a
security-related Web site at www.ntsecurity.nu.
Time for the real job. I ran a search for any documents with the word
"contract" in the filename, and downloaded the files. Then I searched some
more and came on the mother lode--the directory containing all the
consultant payment reports. So I put together all the contract files and a
list of payments.
Alice could pore through the contracts and see how much they were
paying other consultants. Let her do the donkeywork of poring through all
those files. I had done what she asked me to.
From the disks I put the data onto, I printed out some of the files so I
could show her the evidence. I made her meet me and buy dinner. You
should have seen her face when she thumbed through the stack of papers.
"No way," she said. "No way."
I didn't bring the disks with me. They were the bait. I said she'd have to
come over to get them, hoping maybe she'd want to show her gratitude for
the favor I just did her.
MITNICK MESSAGE
It's amazing how easy it is for a social engineer to get people to do things
based on how he structures the request. The premise is to trigger an
automatic response based on psychological principles, and rely on the
mental shortcuts people take when they perceive the caller as an ally.
Analyzing the Con
Peter's phone call to the marketing company represented the most basic
form of social engineering--a simple attempt that needed little preparation,
worked on the first attempt, and took only a few minutes to bring off.
Even better, Mary, the victim, had no reason to think that any sort of trick
or ruse had been played on her, no reason to file a report or raise a ruckus.
The scheme worked through Peter's use of three social engineering tactics.
First he got Mary's initial cooperation by generating fear--making her
think that her computer might not be usable. Then he took the time to
have her open two of her applications so she could be sure they were
working okay, strengthening the rapport between the two of them, a sense
of being allies. Finally, he got her further cooperation for the essential part
of his task by playing on her gratitude for the help he had provided in
making sure her computer was okay.
By telling her she shouldn't ever reveal her password, should not reveal it
even to him, Peter did a thorough but subtle job of convincing her that he
was concerned about the security of her company's files. This boosted her
confidence that he must be legitimate because he was protecting her and
the company.
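As an added defender-side example (not from the book), the two technical steps in Peter's account leave artifacts even though the phone call does not: the password Mary set at her own desk was used minutes later for a logon from another machine, and clearing the audit log is itself written to the log as an event. The Python below runs both checks over constructed sample events; the event IDs follow modern Windows security-log conventions (Windows 2000, as in the story, used different numbers), and the hostnames and timestamps are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Modern Windows security-log event IDs (assumption for this example;
# the Windows 2000 equivalents in the story's era were numbered differently).
EVENT_LOGON = 4624
EVENT_PASSWORD_CHANGED = 4723
EVENT_AUDIT_LOG_CLEARED = 1102

# Constructed sample events in a simplified "timestamp|event_id|user|host"
# form. MARYD is the login ID from the story; hosts and times are invented.
SAMPLE_EVENTS = """\
2001-11-23T07:52:10|4624|MARYD|WS-ACCT-12
2001-11-23T07:58:40|4723|MARYD|WS-ACCT-12
2001-11-23T08:01:05|4624|MARYD|WS-ACCT-12
2001-11-23T08:03:30|4624|MARYD|UNKNOWN-HOST
2001-11-23T08:20:15|1102|MARYD|UNKNOWN-HOST
2001-11-23T09:10:00|4624|JSMITH|WS-ACCT-07
"""


@dataclass
class Event:
    time: datetime
    event_id: int
    user: str
    host: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed 'timestamp|event_id|user|host' lines, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, user, host = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), user, host))
    return sorted(events, key=lambda e: e.time)


def password_change_then_foreign_logon(events: List[Event],
                                       window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Flag a logon from a host other than the one where the user's password was
    just changed. In the story Mary changed her password at her own desk and the
    caller logged on from elsewhere within minutes using the value he dictated."""
    alerts = []
    for change in (e for e in events if e.event_id == EVENT_PASSWORD_CHANGED):
        for e in events:
            if (e.event_id == EVENT_LOGON and e.user == change.user
                    and e.host != change.host
                    and change.time <= e.time <= change.time + window):
                alerts.append({"user": e.user, "changed_on": change.host,
                               "changed_at": change.time,
                               "logon_host": e.host, "logon_at": e.time})
    return alerts


def audit_log_cleared(events: List[Event]) -> List[dict]:
    """Clearing the audit log (the 'clearlogs' step) is recorded as its own event,
    so it survives the clearing; only logs forwarded to a central collector
    keep the entries that were wiped."""
    return [{"user": e.user, "host": e.host, "at": e.time}
            for e in events if e.event_id == EVENT_AUDIT_LOG_CLEARED]


def analyze(text: str) -> Dict[str, List[dict]]:
    """Run both detections over a block of sample event lines."""
    events = parse_events(text)
    return {
        "password_change_then_foreign_logon": password_change_then_foreign_logon(events),
        "audit_log_cleared": audit_log_cleared(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_EVENTS).items():
        for hit in hits:
            print(rule, hit)
```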
THE POLICE RAID
Picture this scene: The government has been trying to lay a trap for a man
named Arturo Sanchez, who has been distributing movies free over the
Internet. The Hollywood studios say he's violating their copyrights, he
says he's just trying to nudge them to recognize an inevitable market so
they'll start doing something about making new movies available for
download. He points out (correctly) that this could be a huge source of
revenue for the studios that they seem to be completely ignoring.
Search Warrant, Please
Coming home late one night, he checks the windows of his apartment
from across the street and notices the lights are off, even though he always
leaves one on when he goes out.
He pounds and bangs on a neighbor's door until he wakes the man up, and
learns that there was indeed a police raid in the building. But they made
the neighbors stay downstairs, and he still isn't sure what apartment they
went into. He only knows they left carrying some heavy things, only they
were wrapped up and he couldn't tell what they were. And they didn't take
anybody away in handcuffs.
Arturo checks his apartment. The bad news is that there's a paper from
the police requiring that he call immediately and set up an appointment
for an interview within three days. The worse news is that his computers
are missing.
Arturo vanishes into the night, going to stay with a friend. But the
uncertainty gnaws at him. How much do the police know? Have they
caught up with him at last, but left him a chance to flee? Or is this about
something else entirely, something he can clear up without having to
leave town?
Before you read on, stop and think for a moment: Can you imagine any
way you could find out what the police know about you? Assuming you
don't have any political contacts or friends in the police department or the
prosecutor's office, do you imagine there's any way that you, as an
ordinary citizen, could get this information? Or that even someone with
social engineering skills could?
Scamming the Police
Arturo satisfied his need to know like this: To start with, he got the phone
number for a nearby copy store, called them, and asked for their fax
number.
Then he called the district attorney's office, and asked for Records. When
he was connected with the records office, he introduced himself as an
investigator with Lake County, and said he needed to speak with the clerk
who files the active search warrants.
"I do," the lady said. "Oh, great," he answered. "Because we raided a
suspect last night and I'm trying to locate the affidavit."
"We file them by address," she told him.
He gave his address, and she sounded almost excited. "Oh, yeah," she
bubbled, "I know about that one. 'The Copyright Caper.'"
"That's the one," he said. "I'm looking for the affidavit and copy of the
warrant."
"Oh, I have it right here."
"Great," he said. "Listen, I'm out in the field and I have a meeting with the
Secret Service on this case in fifteen minutes. I've been so absentminded
lately, I left the file at home, and I'll never make it there and back in time.
Could I get copies from you?"
"Sure, no problem. I'll make copies; you can come right over and pick
them up."
"Great," he said. "That's great. But listen, I'm on the other side of town. Is
it possible you could fax them to me?"
That created a small problem, but not insurmountable. "We don't have a
fax up here in Records," she said. "But they have one downstairs in the
Clerk's office they might let me use."
He said, "Let me call the Clerk's office and set it up."
The lady in the Clerk's office said she'd be glad to take care of it but
wanted to know "Who's going to pay for it?" She needed an accounting
code.
"I'll get the code and call you back," he told her.
He then called the DA's office, again identified himself as a police officer
and simply asked the receptionist, "What's the accounting code for the
DA's office?" Without hesitation, she told him.
Calling back to the Clerk's office to provide the accounting number gave
him the excuse for manipulating the lady a little further: He talked her
into walking upstairs to get the copies of the papers to be faxed.
NOTE
How does a social engineer know the details of so many operations:
police departments, prosecutors' offices, phone company practices, the
organization of specific companies that are in fields useful in his attacks,
such as telecommunications and computers? Because it's his business to
find out. This knowledge is a social engineer's stock in trade because
information can aid him in his efforts to deceive.
Covering His Tracks
Arturo still had another couple of steps to take. There was always a
possibility that someone would smell something fishy, and he might
arrive at the copy store to find a couple of detectives, casually dressed and
trying to look busy until somebody showed up asking for that particular fax. He
waited a while, and then called the Clerk's office back to verify that the
lady had sent the fax. Fine so far.
He called another copy store in the same chain across town and used the
ruse about how he was "pleased with your handling of a job and want to
write the manager a letter of congratulations, what's her name?" With that
essential piece of information, he called the first copy store again and said
he wanted to talk to the manager. When the man picked up the phone,
Arturo said, "Hi, this is Edward at store 628 in Hartfield. My manager,
Anna, told me to call you. We've got a customer who's all upset--
somebody gave him the fax number of the wrong store. He's here waiting
for an important fax, only the number he was given is for your store." The
manager promised to have one of his people locate the fax and send it on
to the Hartfield store immediately.
Arturo was already waiting at the second store when the fax arrived there.
Once he had it in hand, he called back to the Clerk's office to tell the lady
thanks, and "It's not necessary to bring those copies back upstairs, you can
just throw them away now." Then he called the manager at the first store
and told him, too, to throw away their copy of the fax. This way there
wouldn't be any record of what had taken place, just in case somebody
later came around asking questions. Social engineers know you can never
be too careful.
Arranged this way, Arturo didn't even have to pay charges at the first
copy store for receiving the fax and for sending it out again to the second
store. And if it turned out that the police did show up at the first store,
Arturo would already have his fax and be long gone by the time they
could arrange to get people to the second location.
The end of the story: The affidavit and warrant showed that the police had
well-documented evidence of Arturo's movie-copying activities. That was
what he needed to know. By midnight, he had crossed the state line.
Arturo was on the way to a new life, somewhere else with a new identity,
ready to get started again on his campaign.
Analyzing the Con
The people who work in any district attorney's office, anywhere, are in
constant contact with law enforcement officers--answering questions,
making arrangements, taking messages. Anybody gutsy enough to call
and claim to be a police officer, sheriff's deputy, or whatever will likely
be taken at his word. Unless it's obvious that he doesn't know the
terminology, or if he's nervous and stumbles over his words, or in some
other way doesn't sound authentic, he may not even be asked a single question to
verify his claim. That's exactly what happened here, with two different
workers.
MITNICK MESSAGE
The truth of the matter is that no one is immune to being duped by a good
social engineer. Because of the pace of normal life, we don't always take
the time for thoughtful decisions, even on matters that are important to us.
Complicated situations, lack of time, emotional state, or mental fatigue
can easily distract us. So we take a mental shortcut, making our decisions
without analyzing the information carefully and completely, a mental
process known as automatic responding. This is even true for federal,
state, and local law enforcement officials. We're all human.
Obtaining a needed charge code was handled with a single phone call.
Then Arturo played the sympathy card with the story about "a meeting
with the Secret Service in fifteen minutes, I've been absent-minded and
left the file at home." She naturally felt sorry for him, and went out of her
way to help.
Then by using not one but two copy stores, Arturo made himself extra
safe when he went to pick up the fax. A variation on this that makes the
fax even more difficult to trace: Instead of having the document sent to
another copy store, the attacker can give what appears to be a fax number,
but is really an address at a free Internet service that will receive a fax for
you and automatically forward it to your email address. That way it can be
downloaded directly to the attacker's computer, and he never has to show
his face anyplace where someone might later be able to identify him. And
the email address and electronic fax number can be abandoned as soon as
the mission has been accomplished.
TURNING THE TABLES
A young man I'll call Michael Parker was one of those people who figured
out a bit late that the better-paying jobs mostly go to people with college
degrees. He had a chance to attend a local college on a partial scholarship
plus education loans, but it meant working nights and weekends to pay his
rent, food, gas, and car insurance. Michael, who always liked to find
shortcuts, thought maybe there was another way, one that paid off faster
and with less effort. Because he had been learning about computers from
the time he got to play with one at age ten and became fascinated with
finding out how they worked, he decided to see if he could "create" his
own accelerated bachelor's degree in computer science.
Graduating--Without Honors
He could have broken into the computer systems of the state university,
found the record of someone who had graduated with a nice B+ or A
average, copied the record, put his own name on it, and added it to the
records of that year's graduating class. Thinking this through, feeling
somehow uneasy about the idea, he realized there must be other records of
a student having been on campus--tuition payment records, the housing
office, and who knows what else. Creating just the record of courses and
grades would leave too many loopholes.
Plotting further, feeling his way, it came to him that he could reach his
goal by seeing if the school had a graduate with the same name as his,
who had earned a computer science degree any time during an appropriate
span of years. If so, he could just put down the other Michael Parker's
social security number on employment application forms; any company
that checked the name and social security number with the university
would be told that, yes, he did have the claimed degree. (It wouldn't be
obvious to most people but was obvious to him that he could put one
social security number on the job application and then, if hired, put his
own real number on the new-employee forms. Most companies would
never think to check whether a new hire had used a different number
earlier in the hiring process.)
Logging In to Trouble
How to find a Michael Parker in the university's records? He went about it
like this:
Going to the main library on the university campus, he sat down at a
computer terminal, got up on the Internet, and accessed the university's
Web site. He then called the Registrar's office. With the person who
answered, he went through one of the by-now-familiar social engineering
routines: "I'm calling from the Computer Center, we're making some
changes to the network configuration and we want to make sure we don't
disrupt your access. Which server do you connect to?"
"What do you mean, server?" he was asked.
"What computer do you connect to when you need to look up student
academic information?"
The answer, admin.rnu.edu, gave him the name of the computer where
student records were stored. This was the first piece of the puzzle: He now
knew his target machine.
LINGO
DUMB TERMINAL
A terminal that doesn't contain its own microprocessor. Dumb terminals
can only accept simple commands and display text characters and numbers.
He typed that URL into the computer and got no response--as expected,
there was a firewall blocking access. So he ran a program to see if he
could connect to any of the services running on that computer, and found
an open port with a Telnet service running, which allows one computer to
connect remotely to another computer and access it as if directly
connected using a dumb terminal. All he would need to gain access would
be the standard user ID and password.
He made another call to the registrar's office, this time listening carefully
to make sure he was talking to a different person. He got a lady, and again
he claimed to be from the university's Computer Center. They were
installing a new production system for administrative records, he told her.
As a favor, he'd like her to connect to the new system, still in test mode, to
see if she could access student academic records okay. He gave her the IP
address to connect to, and talked her through the process.
In fact, the IP address took her to the computer Michael was sitting at in
the campus library. Using the same process described in Chapter 8, he had
created a login simulator--a decoy sign-in screen--looking just like the one
she was accustomed to seeing when going onto the system for student
records. "It's not working," she told him. "It keeps saying 'Login incorrect.'"
By now the login simulator had fed the keystrokes of her account name
and password to Michael's terminal; mission accomplished. He told her,
"Oh, some of the accounts haven't been brought over yet to this machine.
Let me set up your account, and I'll call you back." Careful about tying up
loose ends, as any proficient social engineer needs to be, he would make a
point of phoning later to say that the test system wasn't working right yet,
and if it was okay with her, they'd call back to her or one of the other
folks there when they had figured out what was causing the problem.
The Helpful Registrar
Now Michael knew what computer system he needed to access, and he
had a user's ID and password. But what commands would he need in
order to search the files for information on a computer science graduate
with the right name and graduation date? The student database would be a
proprietary one, created on campus to meet the specific requirements of
the university and the Registrar's office, and would have a unique way of
accessing information in the database.
First step in clearing this last hurdle: Find out who could guide him
through the mysteries of searching the student database. He called the
Registrar's office again, this time reaching a different person. He was
from the office of the Dean of Engineering, he told the lady, and he asked,
"Who are we supposed to call for help when we're having problems
accessing the student academic files?"
Minutes later he was on the phone with the college's database
administrator, pulling the sympathy act: "I'm Mark Sellers, in the
registrar's office. You feel like taking pity on a new guy? Sorry to be
calling you but they're all in a meeting this afternoon and there's no one
around to help me. I need to retrieve a list of all graduates with a
computer science degree, between 1990 and 2000. They need it by the end
of the day and if I don't have it, I may not have this job for long. You
willing to help out a guy in trouble?" Helping people out was part of what
this database administrator did, so he was extra patient as he talked
Michael step by step through the process.
By the time they hung up, Michael had downloaded the entire list of
computer science graduates for those years. Within a few minutes he had
run a search, located two Michael Parkers, chosen one of them, and
obtained the guy's social security number as well as other pertinent
information stored in the database.
He had just become "Michael Parker, B.S. in Computer Science,
graduated with honors, 1998." In this case, the "B.S." was uniquely
appropriate.
Analyzing the Con
This attack used one ruse I haven't talked about before: The attacker
asking the organization's database administrator to walk him through the
steps of carrying out a computer process he didn't know how to do. A
powerful and effective turning of the tables, this is the equivalent of
asking the owner of a store to help you carry a box containing items
you've just stolen from his shelves out to your car.
MITNICK MESSAGE
Computer users are sometimes clueless about the threats and
vulnerabilities associated with social engineering that exist in our world of
technology. They have access to information, yet lack the detailed
knowledge of what might prove to be a security threat. A social engineer
will target an employee who has little understanding of how valuable the
information being sought is, so the target is more likely to grant the
stranger's request.
PREVENTING THE CON
Sympathy, guilt, and intimidation are three very popular psychological
triggers used by the social engineer, and these stories have demonstrated
the tactics in action. But what can you and your company do to avoid
these types of attacks?
Protecting Data
Some stories in this chapter emphasize the danger of sending a file to
someone you don't know, even when that person is (or appears to be) an
employee, and the file is being sent internally, to an email address or fax
machine within the company.
Company security policy needs to be very specific about the safeguards
for surrendering valued data to anyone not personally known to the
sender. Exacting procedures need to be established for transferring files
with sensitive information. When the request is from someone not
personally known, there must be clear steps to take for verification, with
different levels of authentication depending on the sensitivity of the
information.
Here are some techniques to consider:
Establish the need to know (which may require obtaining authorization
from the designated information owner).
Keep a personal or departmental log of these transactions.
Maintain a list of people who have been specially trained in the
procedures and who are trusted to authorize sending out sensitive
information. Require that only these people be allowed to send
information to anyone outside the workgroup.
If a request for the data is made in writing (email, fax, or mail) take
additional security steps to verify that the request actually came from the
person it appears to have come from.
About Passwords
All employees who are able to access any sensitive information--and
today that means virtually every worker who uses a computer--need to
understand that simple acts like changing your password, even for a few
moments, can lead to a major security breach.
Security training needs to cover the topic of passwords, and that has to
focus in part on when and how to change your password, what constitutes
an acceptable password, and the hazards of letting anyone else become
involved in the process. The training especially needs to convey to all
employees that they should be suspicious of any request that involves
their passwords.
On the surface this appears to be a simple message to get across to
employees. It's not, because to appreciate this idea requires that
employees grasp how a simple act like changing a password can lead to a
security compromise. You can tell a child "Look both ways before
crossing the street," but until the child understands why that's important,
you're relying on blind obedience. And rules requiring blind obedience are
typically ignored or forgotten.
NOTE
Passwords are such a central focus of social engineering attacks that we
devote a separate section to the topic in Chapter 16, where you will find
specific recommended policies on managing passwords.
A Central Reporting Point
Your security policy should provide a person or group designated as a
central point for reporting suspicious activities that appear to be attempts
to infiltrate your organization. All employees need to know who to call
any time they suspect an attempt at electronic or physical intrusion. The
phone number of the place to make these reports should always be close
at hand so employees don't have to dig for it if they become suspicious
that an attack is taking place.
Protect Your Network
Employees need to understand that the name of a computer server or
network is not trivial information, but rather it can give an attacker
essential knowledge that helps him gain trust or find the location of the
information he desires.
In particular, people such as database administrators who work with
software belong to that category of those with technology expertise, and
they need to operate under special and very restrictive rules about
verifying the identity of people who call them for information or advice.
People who regularly provide any kind of computer help need to be well
trained in what kinds of requests should be red flags, suggesting that the
caller may be attempting a social engineering attack.
It's worth noting, though, that from the perspective of the database
administrator in the last story in this chapter, the caller met the criteria for
being legitimate: He was calling from on campus, and he was obviously
on a site that required an account name and password. This just makes
clear once again the importance of having standardized procedures for
verifying the identity of anybody requesting information, especially in a
case like this where the caller was asking for help in obtaining access to
confidential records.
All of this advice goes double for colleges and universities. It's not news
that computer hacking is a favorite pastime for many college students, and
it should also be no surprise that student records--and sometimes faculty
records, as well--are a tempting target. This abuse is so rampant that some
corporations actually consider campuses a hostile environment, and create
firewall rules that block access from educational institutions with
addresses that end in .edu.
The long and short of it is that all student and personnel records of any
kind should be seen as prime targets of attack, and should be well
protected as sensitive information.
Training Tips
Most social engineering attacks are ridiculously easy to defend against...
for anyone who knows what to be on the lookout for.
From the corporate perspective, there is a fundamental need for good
training. But there is also a need for something else: a variety of ways to
remind people of what they've learned.
Use splash screens that appear when the user's computer is turned on, with
a different security message each day. The message should be designed so
that it does not disappear automatically, but requires the user to click on
some kind of acknowledgement that he/she has read it.
Another approach I recommend is to start a series of security reminders.
Frequent reminder messages are important; an awareness program needs
to be ongoing and never-ending. In delivering content, the reminders
should not be worded the same in every instance. Studies have shown that
these messages are more effectively received when they vary in wording
or when used in different examples.
One excellent approach is to use short blurbs in the company newsletter.
This should not be a full column on the subject, although a security
column would certainly be valuable. Instead, design a two- or three-column-
wide insert, something like a small display ad in your local
newspaper. In each issue of the newsletter, present a new security
reminder in this short, attention-catching way.
Chapter 9
The Reverse Sting
The Sting, mentioned elsewhere in this book (and in my opinion probably
the best movie that's ever been made about a con operation), lays out its
tricky plot in fascinating detail. The sting operation
in the movie is an exact depiction of how top grifters run "the wire," one
of the three types of major swindles referred to as "big cons." If you want
to know how a team of professionals pulls off a scam raking in a great
deal of money in a single evening, there's no better textbook.
But traditional cons, whatever their particular gimmick, run according
to a pattern. Sometimes a ruse is worked in the opposite direction, which
is called a reverse sting. This is an intriguing twist in which the attacker
sets up the situation so that the victim calls on the attacker for help, or a
co-worker has made a request, which the attacker is responding to.
How does this work? You're about to find out.
LINGO
REVERSE STING
A con in which the person being attacked asks the attacker for help.
THE ART OF FRIENDLY PERSUASION
When the average person conjures up the picture of a computer hacker,
what usually comes to mind is the uncomplimentary image of a lonely,
introverted nerd whose best friend is his computer and who has difficulty
carrying on a conversation, except by instant messaging. The social
engineer, who often has hacker skills, also has people skills at the
opposite end of the spectrum--well-developed abilities to use and
manipulate people
that allow him to talk his way into getting information in ways you would
never have believed possible.
Angela's Caller
Place: Valley branch, Industrial Federal Bank.
Time: 11:27 A.M.
Angela Wisnowski answered a phone call from a man who said he was
just about to receive a sizeable inheritance and he wanted information on
the different types of savings accounts, certificates of deposit, and
whatever other investments she might be able to suggest that would be
safe, but earn decent interest. She explained there were quite a number of
choices and asked if he'd like to come in and sit down with her to discuss
them. He was leaving on a trip as soon as the money arrived, he said, and
had a lot of arrangements to make. So she began suggesting some of the
possibilities and giving him details of the interest rates, what happens if
you sell a CD early, and so on, while trying to pin down his investment
goals.
She seemed to be making progress when he said, "Oh, sorry, I've got to
take this other call. What time can I finish this conversation with you so I
can make some decisions? When do you leave for lunch?" She told him
12:30 and he said he'd try to call back before then or the following day.
Louis's Caller
Major banks use internal security codes that change every day. When
somebody from one branch needs information from another branch, he
proves he's entitled to the information by demonstrating he knows the
day's code. For an added degree of security and flexibility, some major
banks issue multiple codes each day. At a West Coast outfit I'll call
Industrial Federal Bank, each employee finds a list of five codes for the
day, identified as A through E, on his or her computer each morning.
Place: Same.
Time: 12:48 P.M., same day.
Louis Halpburn didn't think anything of it when a call came in that
afternoon, a call like others he handled regularly several times a week.
"Hello," the caller said. "This is Neil Webster. I'm calling from branch
3182 in Boston. Angela Wisnowski, please."
"She's at lunch. Can I help?"
"Well, she left a message asking us to fax some information on one of our
customers."
The caller sounded like he had been having a bad day.
"The person who normally handles those requests is out sick," he said.
"I've got a stack of these to do, it's almost 4 o'clock here and I'm supposed
to be out of this place to go to a doctor's appointment in half an hour."
The manipulation--giving all the reasons why the other person should feel
sorry for him--was part of softening up the mark. He went on, "Whoever
took her phone message, the fax number is unreadable. It's 213-
something. What's the rest?"
Louis gave the fax number, and the caller said, "Okay, thanks.
Before I can fax this, I need to ask you for Code B."
"But you called me," he said with just enough chill so the man from
Boston would get the message.
This is good, the caller thought. It's so cool when people don't fall over at
the first gentle shove. If they don't resist a little, the job is too easy and I
could start getting lazy.
To Louis, he said, "I've got a branch manager that's just turned paranoid
about getting verification before we send anything out, is all. But listen, if
you don't need us to fax the information, it's okay. No need to verify."
"Look," Louis said, "Angela will be back in half an hour or so. I can have
her call you back."
"I'll just tell her I couldn't send the information today because you
wouldn't identify this as a legitimate request by giving me the code. If
I'm not out sick tomorrow, I'll call her back then."
"The message says 'Urgent.' Never mind, without verification my hands
are tied. You'll tell her I tried to send it but you wouldn't give the code,
okay?"
Louis gave up under the pressure. An audible sigh of annoyance
came winging its way down the phone line.
"Well," he said, "wait a minute; I have to go to my computer.
Which code did you want?"
"B," the caller said.
He put the call on hold and then in a bit picked up the line again. "It's
3184."
"That's not the right code."
"Yes it is--B is 3184."
"I didn't say B, I said E."
"Oh, damn. Wait a minute."
Another pause while he again looked up the codes.
"E is 9697."
"9697--right. I'll have the fax on the way. Okay?"
"Sure. Thanks."
Walter's Call
"Industrial Federal Bank, this is Walter."
"Hey, Walter, it's Bob Grabowski in Studio City, branch 38," the caller
said. "I need you to pull a sig card on a customer account and fax it to
me." The sig card, or signature card, has more than just the customer's
signature on it; it also has identifying information, familiar items such as
the social security number, date of birth, mother's maiden name, and
sometimes even a driver's license number. Very handy to a social
engineer.
"Sure thing. What's Code C?"
"Another teller is using my computer right now," the caller said. "But I
just used B and E, and I remember those. Ask me one of those."
"Okay, what's E?"
"E is 9697."
A few minutes later, Walter faxed the sig card as requested.
Donna Plaice's Call
"Hi, this is Mr. Anselmo."
"How can I help you today?"
"What's that 800 number I'm supposed to call when I want to see if a
deposit has been credited yet?"
"You're a customer of the bank?"
"Yes, and I haven't used the number in a while and now I don't know
where I wrote it down."
"The number is 800-555-8600."
"Okay, thanks."
Vince Capelli's Tale
The son of a Spokane street cop, Vince knew from an early age that he
wasn't going to spend his life slaving long hours and risking his neck for
minimum wage. His two main goals in life became getting out of
Spokane, and going into business for himself. The laughter of his homies
all through high school only fired him up all the more--they thought it was
hilarious that he was so busted on starting his own business but had no
idea what business it might be.
Secretly Vince knew they were right. The only thing he was good at was
playing catcher on the high school baseball team. But not good enough to
capture a college scholarship, no way good enough for professional
baseball. So what business was he going to be able to start?
One thing the guys in Vince's group never quite figured out: Anything
one of them had--a new switchblade knife, a nifty pair of warm gloves, a
sexy new girlfriend--if Vince admired it, before long the item was his. He
didn't steal it, or sneak behind anybody's back; he didn't have to. The guy
who had it would give it up willingly, and then wonder afterward how it
had happened. Even asking Vince wouldn't have gotten you anywhere: He
didn't know himself. People just seemed to let him have whatever he
wanted.
Vince Capelli was a social engineer from an early age, even though he
had never heard the term.
His friends stopped laughing once they all had high school diplomas in
hand. While the others slogged around town looking for jobs where you
didn't have to say "Do you want fries with that?" Vince's dad sent him off
to talk to an old cop pal who had left the force to start his own private
investigation business in San Francisco. He quickly spotted Vince's talent
for the work, and took him on.
That was six years ago. He hated the part about getting the goods on
unfaithful spouses, which involved achingly dull hours of sitting and
watching, but felt continually challenged by assignments to dig up asset
information for attorneys trying to figure out if some miserable stiff was
rich enough to be worth suing. These assignments gave him plenty of
chances to use his wits.
Like the time he had to look into the bank accounts of a guy named Joe
Markowitz. Joe had maybe worked a shady deal on a one-time friend of
his, which friend now wanted to know, if he sued, was Markowitz flush
enough that the friend might get some of his money back?
Vince's first step would be to find out at least one, but preferably two, of
the bank's security codes for the day. That sounds like a nearly impossible
challenge: What on earth would induce a bank employee to knock a chink
in his own security system? Ask yourself--if you wanted to do this, would
you have any idea of how to go about it?
For people like Vince, it's too easy.
People trust you if you know the inside lingo of their job and their
company. It's like showing you belong to their inner circle. It's like a
secret handshake.
I didn't need much of that for a job like this. Definitely not brain surgery.
All's I needed to get started was a branch number. When I dialed the
Beacon Street office in Buffalo, the guy that answered sounded like a
teller.
"This is Tim Ackerman," I said. Any name would do, he wasn't going to
write it down. "What's the branch number there?"
"The phone number or the branch number?" he wanted to know, which
was pretty stupid because I had just dialed the phone number, hadn't I?
"Branch number."
"3182," he said. Just like that. No, "Whad'ya wanna know for?" or
anything. 'Cause it's not sensitive information, it's written on just about
every piece of paper they use.
Step Two, call the branch where my target did his banking, get the name
of one of their people, and find out when the person would be out for
lunch. Angela. Leaves at 12:30. So far, so good.
Step Three, call back to the same branch during Angela's lunch break, say
I'm calling from branch number such-and-such in Boston, Angela needs
this information faxed, gimme a code for the day. This is the tricky part;
it's where the rubber meets the road. If I was making up a test to be a
social engineer, I'd put something like this on it, where your victim gets
suspicious--for good reason--and you still stick in there until you break
him down and get the information you need. You can't do that by reciting
lines from a script or learning a routine, you got to be able to read your
victim, catch his mood, play him like landing a fish where you let out a
little line and reel in, let out and reel in. Until you get him in the net and
flop him into the boat, splat!
So I landed him and had one of the codes for the day. A big step. With
most banks, one is all they use, so I would've been home free. Industrial
Federal Bank uses five, so having just one out of five is long odds. With
two out of five, I'd have a much better chance of getting through the next
act of this little drama. I love that part about "I didn't say B, I said E."
When it works, it's beautiful. And it works most of the time.
Getting a third one would have been even better. I've actually managed to
get three on a single call--"B," "D," and "E" sound so much alike that you
can claim they misunderstood you again. But you have to be talking to
somebody who's a real pushover. This man wasn't. I'd go with two.
The day codes would be my trump to get the signature card. I call, and the
guy asks for a code. C he wants, and I've only got B and E. But it's not the
end of the world. You gotta stay cool at a moment like this, sound
confident, keep right on going. Real smooth, I played him with the one
about, "Somebody's using my computer, ask me one of these others."
We're all employees of the same company, we're all in this together, make
it easy on the guy--that's what you're hoping the victim is thinking at a
moment like this. And he played it right by the script. He took one of the
choices I offered, I gave him the right answer, he sent the fax of the sig
card.
Almost home. One more call gave me the 800 number that customers use
for the automated service where an electronic voice reads you off the
information you ask for. From the sig card, I had all of my target's
account numbers and his PIN number, because that bank used the first
five or last four digits of the social security number. Pen in hand, I called
the 800 number and after a few minutes of pushing buttons, I had the
latest balance in all four of the guy's accounts, and just for good measure,
his most recent deposits and withdrawals in each.
Everything my client had asked for and more. I always like to give a little
extra for good measure. Keep the clients happy. After all, repeat business
is what keeps an operation going, right?
Analyzing the Con
The key to this entire episode was obtaining the all-important day codes,
and to do that the attacker, Vince, used several different techniques.
He began with a little verbal arm-twisting when Louis proved reluctant to
give him a code. Louis was right to be suspicious--the codes are designed
to be used in the opposite direction. He knew that in the usual flow of
things, the unknown caller would be giving him a security code. This was
the critical moment for Vince, the hinge on which the entire success of his
effort depended.
In the face of Louis's suspicion, Vince simply laid it on with
manipulation, using an appeal to sympathy ("going to the doctor"), and
pressure ("I've got a stack to do, it's almost 4 o'clock"), and manipulation
("Tell her you wouldn't give me the code"). Cleverly, Vince didn't
actually make a threat, he just implied one: If you don't give me the
security code, I won't send the customer information that your co-worker
needs, and I'll tell her I would have sent it but you wouldn't cooperate.
Still, let's not be too hasty in blaming Louis. After all, the person on the
phone knew (or at least appeared to know) that co-worker Angela had
requested a fax. The caller knew about the security codes, and knew they
were identified by letter designation. The caller said his branch manager
was requiring it for greater security. There didn't really seem any reason
not to give him the verification he was asking for.
Louis isn't alone. Bank employees give up security codes to social
engineers every day. Incredible but true.
There's a line in the sand where a private investigator's techniques stop
being legal and start being illegal. Vince stayed legal when he obtained
the branch number. He even stayed legal when he conned Louis into
giving him two of the day's security codes. He crossed the line when he
had confidential information on a bank customer faxed to him.
But for Vince and his employer, it's a low-risk crime. When you steal
money or goods, somebody will notice it's gone. When you steal
information, most of the time no one will notice because the information
is still in their possession.
MITNICK MESSAGE
Verbal security codes are equivalent to passwords in providing a
convenient and reliable means of protecting data. But employees need to
be knowledgeable about the tricks that social engineers use, and trained
not to give up the keys to the kingdom.
COPS AS DUPES
For a shady private investigator or social engineer, there are frequent
occasions when it would be handy to know someone's driver's license
number--for example, if you want to assume another person's identity in
order to obtain information about her bank balances.
Short of lifting the person's wallet or peering over her shoulder at an
opportune moment, finding out the driver's license number ought to be
next to impossible. But for anyone with even modest social engineering
skills, it's hardly a challenge.
One particular social engineer--Eric Mantini, I'll call him, needed to get
driver's license and vehicle registration numbers on a regular basis. Eric
figured it was unnecessarily increasing his risk to call the Department of
Motor Vehicles (DMV) and go through the same ruse time after time
whenever he needed that information. He wondered whether there wasn't
some way to simplify the process.
Probably no one had ever thought of it before, but he figured out a way
to get the information in a blink, whenever he wanted it. He did it by
taking advantage of a service provided by his state's Department of Motor
Vehicles. Many state DMVs (or whatever the department may be called in
your state) make otherwise-privileged information about citizens available
to insurance firms, private investigators, and certain other groups that the
state legislature has deemed entitled to share it for the good of commerce
and the society at large.
The DMV, of course, has appropriate limitations on which types of data
will be given out. The insurance industry can get certain types of
information from the files, but not others. A different set of limitations
applies to PIs, and so on.
For law enforcement officers, a different rule generally applies: The DMV
will supply any information in the records to any sworn peace officer who
properly identifies himself. In the state Eric then lived in, the required
identification was a Requestor Code issued by the DMV, along with the
officer's driver's license number. The DMV employee would always
verify by matching the officer's name against his driver's license number
and one other piece of information--usually date of birth-- before giving
out any information.
What social engineer Eric wanted to do was nothing less than cloak
himself in the identity of a law enforcement officer.
How did he manage that? By running a reverse sting on the cops!
Eric's Sting
First he called telephone information and asked for the phone number of
DMV headquarters in the state capitol. He was given the number 503-555-
5000; that, of course, is the number for calls from the general public. He
then called a nearby sheriff's station and asked for Teletype--the office
where communications are sent to and received from other law
enforcement agencies, the national crime database, local warrants, and so
forth. When he reached Teletype, he said he was looking for the phone
number for law enforcement to use when calling the DMV state
headquarters.
"Who are you?" the police officer in Teletype asked.
"This is Al. I was calling 503-555-5753," he said. This was partly an
assumption, and partly a number he pulled out of thin air; certainly the
special DMV office set up to take law enforcement calls would be in the
same area code as the number given out for the public to call, and it was
almost as certain that the next three digits, the prefix, would be the same
as well. All he really needed to find out was the last four.
A sheriff's Teletype room doesn't get calls from the public. And the caller
already had most of the number. Obviously he was legitimate.
"It's 503-555-6127," the officer said.
So Eric now had the special phone number for law enforcement officers to
call the DMV. But just the one number wasn't enough to satisfy him; the
office would have a good many more than the single phone line, and Eric
needed to know how many lines there were, and the phone number of
each.
The Switch
To carry out his plan, he needed to gain access to the telephone switch
that handled the law enforcement phone lines into DMV. He called the
state Telecommunications Department and claimed he was from Nortel,
the manufacturer of the DMS-100, one of the most widely used
commercial telephone switches. He said, "Can you please transfer me to
one of the switch technicians that works on the DMS-100?"
When he reached the technician, he claimed to be with the Nortel
Technical Assistance Support Center in Texas, and explained that they
were creating a master database to update all switches with the latest
software upgrades. It would all be done remotely--no need for any switch
technician to participate. But they needed the dial-in number to the switch
so that they could perform the updates directly from the Support Center.
It sounded completely plausible, and the technician gave Eric the phone
number. He could now dial directly into one of the state's telephone
switches.
To defend against outside intruders, commercial switches of this type are
password-protected, just like every corporate computer network. Any
good social engineer with a phone-phreaking background knows that
Nortel switches provide a default account name for software updates:
NTAS (the abbreviation for Nortel Technical Assistance Support; not
very subtle). But what about a password? Eric dialed in several times,
each time trying one of the obvious and commonly used choices. Entering the same
as the account name, NTAS, didn't work. Neither did "helper." Nor did
"patch."
Then he tried "update" . . . and he was in. Typical. Using an obvious,
easily guessed password is only very slightly better than having no
password at all.
It helps to be up to speed in your field; Eric probably knew as much about
that switch and how to program and troubleshoot it as the technician.
Once he was able to access the switch as an authorized user, he would
gain full control over the telephone lines that were his target. From his
computer, he queried the switch for the phone number he had been given
for law enforcement calls to the DMV, 555-6127. He found there were
nineteen other phone lines into the same department. Obviously they
handled a high volume of calls.
For each incoming call, the switch was programmed to "hunt" through the
twenty lines until it found one that wasn't busy.
He picked line number eighteen in the sequence, and entered the code that
added call forwarding to that line. For the call-forwarding number, he
entered the phone number of his new, cheap, prepaid cell phone, the kind
that drug dealers are so fond of because they're inexpensive enough to
throw away after the job is over.
With call forwarding now activated on the eighteenth line, as soon as the
office got busy enough to have seventeen calls in progress, the next call to
come in would not ring in the DMV office but would instead be
forwarded to Eric's cell phone. He sat back and waited.
A Call to DMV
Shortly before 8 o'clock that morning, the cell phone rang. This part was
the best, the most delicious. Here was Eric, the social engineer, talking to
a cop, someone with the authority to come and arrest him, or get a search
warrant and conduct a raid to collect evidence against him.
And not just one cop would call, but a string of them, one after another.
On one occasion, Eric was sitting in a restaurant having lunch with
friends, fielding a call every five minutes or so, writing the information on
a paper napkin using a borrowed pen. He still finds this hilarious.
But talking to police officers doesn't faze a good social engineer in the
least. In fact, the thrill of deceiving these law enforcement agencies
probably added to Eric's enjoyment of the act.
According to Eric, the calls went something like this:
"DMV, may I help you?"
"This is Detective Andrew Cole."
"Hi, detective. What can I do for you today?"
"I need a Soundex on driver's license 005602789," he might say, using the
term familiar in law enforcement to ask for a photo--useful, for example,
when officers are going out to arrest a suspect and want to know what he
looks like.
"Sure, let me bring up the record," Eric would say. "And, Detective Cole,
what's your agency?"
"Jefferson County." And then Eric would ask the hot questions:
"Detective, what's your requestor code? What's your driver's license
number? What's your date of birth?"
The caller would give his personal identifying information. Eric would go
through some pretense of verifying the information, and then tell the
caller that the identifying information had been confirmed, and ask for the
details of what the caller wanted to find out from the DMV. He'd pretend
to start looking up the name, with the caller able to hear the clicking of
the keys, and then say something like, "Oh, damn, my computer just
went down again. Sorry, detective, my computer has been on the blink
all week. Would you mind calling back and getting another clerk to help
you?"
This way he'd end the call tying up the loose ends without arousing any
suspicion about why he wasn't able to assist the officer with his request.
Meanwhile Eric had a stolen identity--details he could use to obtain
confidential DMV information whenever he needed to.
After taking calls for a few hours and obtaining dozens of requestor
codes, Eric dialed into the switch and deactivated the call forwarding.
For months after that, he'd carry on the assignments jobbed out to him by
legitimate PI firms that didn't want to know how he was getting his
information. Whenever he needed to, he'd dial back into the switch, turn
on call forwarding, and gather another stack of police officer credentials.
Analyzing the Con
Let's run a playback on the ruses Eric pulled on a series of people to make
this deceit work. In the first successful step, he got a sheriff's deputy in a
Teletype room to give out a confidential DMV phone number to a
complete stranger, accepting the man as a deputy without requesting any
verification.
Then someone at the state Telecom Department did the same thing,
accepting Eric's claim that he was with an equipment manufacturer, and
providing the stranger with a phone number for dialing into the telephone
switch serving the DMV.
Eric was able to get into the switch in large measure because of weak
security practices on the part of the switch manufacturer in using the same
account name on all their switches. That carelessness made it a walk in
the park for the social engineer to guess the password, knowing once
again that switch technicians, just like almost everybody else, choose
passwords that will be a cinch for them to remember.
With access to the switch, he set up call forwarding from one of the DMV
phone lines for law enforcement to his own cell phone.
And then, the capper and most blatant part, he conned one law
enforcement officer after another into revealing not only their requestor
codes but their own personal identifying information, giving Eric the
ability to impersonate them.
While there was certainly technical knowledge required to pull off this
stunt, it could not have worked without the help of a series of people who
had no clue that they were talking to an imposter.
This story was another illustration of the phenomenon of why people don't
ask "Why me?" Why would the Teletype officer give this information to
some sheriff's deputy he didn't know--or, in this case, a stranger passing
himself off as a sheriff's deputy--instead of suggesting he get the
information from a fellow deputy or his own sergeant? Again, the only
answer I can offer is that people rarely ask this question. It doesn't occur
to them to ask? They don't want to sound challenging and unhelpful?
Maybe. Any further explanation would just be guesswork. But social
engineers don't care why; they only care that this little fact makes it easy
to get information that otherwise might be a challenge to obtain.
MITNICK MESSAGE
If you have a telephone switch at your company facilities, what would the
person in charge do if he received a call from the vendor, asking for the
dial-in number? And by the way, has that person ever changed the default
password for the switch? Is that password an easy-to-guess word found in
any dictionary?
PREVENTING THE CON
A security code, properly used, adds a valuable layer of protection. A
security code improperly used can be worse than none at all because it
gives the illusion of security where it doesn't really exist. What good are
codes if your employees don't keep them secret?
Any company with a need for verbal security codes needs to spell out
clearly for its employees when and how the codes are used. Properly
trained, the character in the first story in this chapter would not have had
to rely on his instincts, easily overcome, when asked to give a security
code to a stranger. He sensed that he should not be asked for this
information under the circumstances, but lacking a clear security policy--
and good common sense--he readily gave in.
Security procedures should also set up steps to follow when an employee
fields an inappropriate request for a security code. All employees should
be trained to immediately report any request for authentication
credentials, such as a daily code or password, made under suspicious
circumstances. They should also report when an attempt to verify the
identity of a requestor doesn't check out.
At the very least, the employee should record the caller's name, phone
number, and office or department, and then hang up. Before calling back
he should verify that the organization really does have an employee of
that name, and that the call back phone number matches the phone
number in the on-line or hard-copy company directory. Most of the time,
this simple tactic will be all that's needed to verify that the caller is who
he says he is.
Verifying becomes a bit trickier when the company has a published
phone directory instead of an on-line version. People get hired; people
leave; people change departments, job positions, and phone numbers. The hard-copy
directory is already out of date the day after it's published, even
before being distributed. Even on-line directories can't always be relied
on, because social engineers know how to modify them. If an employee
can't verify the phone number from an independent source, she should be
instructed to verify by some other means, such as contacting the
employee's manager.
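The call-back procedure above, as an added example in Python (not from the book): record the caller's claim, then check the name and number against the company directory, treating an old directory as unreliable and routing doubtful cases to the manager. The directory entries, names and numbers are constructed, and the 30-day staleness threshold is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DirectoryEntry:
    """One row of the company's own phone directory (the independent source)."""
    name: str
    department: str
    phone: str
    manager_phone: str  # who to contact when the directory alone can't settle it


@dataclass(frozen=True)
class CallerClaim:
    """What the employee writes down before hanging up on the requester."""
    name: str
    phone: str
    department: str


@dataclass
class Verdict:
    callback_allowed: bool
    reason: str
    report_incident: bool = False      # a request that "doesn't check out" must be reported
    escalate_to: Optional[str] = None  # manager's number when another channel is needed


def normalize_phone(raw: str) -> str:
    """Keep digits only so '(503) 555-0142' and '503-555-0142' compare equal."""
    return re.sub(r"\D", "", raw)


def _name_key(name: str) -> str:
    return " ".join(name.split()).casefold()


def verify_caller(claim: CallerClaim, directory: List[DirectoryEntry],
                  directory_age_days: int, max_age_days: int = 30) -> Verdict:
    """Decide whether calling the claimed number back is an adequate check.

    The claimed number is never dialled on trust: it must match an entry
    for that name in the directory. A directory older than max_age_days
    (a printed one, say) is treated as unreliable, so a mismatch there is
    escalated to the manager rather than declared an impersonation.
    """
    matches = [e for e in directory if _name_key(e.name) == _name_key(claim.name)]
    if not matches:
        return Verdict(False, "no employee of that name in the directory",
                       report_incident=True)

    # Prefer entries in the claimed department; fall back to any name match.
    same_dept = [e for e in matches
                 if e.department.casefold() == claim.department.casefold()]
    candidates = same_dept or matches

    claimed = normalize_phone(claim.phone)
    number_matches = any(normalize_phone(e.phone) == claimed for e in candidates)
    stale = directory_age_days > max_age_days  # 30-day threshold is an assumption

    if number_matches and not stale:
        return Verdict(True, "call-back number matches a current directory entry")
    if stale:
        return Verdict(False,
                       f"directory is {directory_age_days} days old; confirm through the manager",
                       escalate_to=candidates[0].manager_phone)
    return Verdict(False, "call-back number does not match the directory",
                   report_incident=True, escalate_to=candidates[0].manager_phone)


# Constructed sample directory (names and numbers are made up).
SAMPLE_DIRECTORY = [
    DirectoryEntry("Pat Example", "Loans", "503-555-0142", "503-555-0100"),
    DirectoryEntry("Pat Example", "Branch Operations", "503-555-0177", "503-555-0150"),
    DirectoryEntry("Sam Placeholder", "Loans", "503-555-0143", "503-555-0100"),
]

if __name__ == "__main__":
    claim = CallerClaim("pat example", "(503) 555-0142", "Loans")
    print(verify_caller(claim, SAMPLE_DIRECTORY, directory_age_days=5))
```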
Part 3
Intruder Alert
Entering the Premises
Why is it so easy for an outsider to assume the identity of a company
employee and carry off an impersonation so convincingly that even
people who are highly security conscious are taken in? Why is it so easy
to dupe individuals who may be fully aware of security procedures,
suspicious of people they don't personally know, and protective of their
company's interests?
Ponder these questions as you read the stories in this chapter.
THE EMBARRASSED SECURITY GUARD
Date/Time: Tuesday, October 17, 2:16 A.M.
Place: Skywatcher Aviation, Inc. manufacturing plant on the outskirts of Tucson, Arizona.
The Security Guard's Story
Hearing his leather heels click against the floor in the halls of the nearly
deserted plant made Leroy Greene feel much better than spending the
night hours of his watch in front of the video monitors in the security
office. There he wasn't allowed to do anything but stare at the screens, not
even read a magazine or his leather-bound Bible. You just had to sit there
looking at the displays of still images where nothing ever moved.
But walking the halls, he was at least stretching his legs, and when he
remembered to throw his arms and shoulders into the walk, it got him a
little exercise, too. Although it didn't really count very much as exercise
for a man who had played right tackle on the All-City champion high
school football team. Still, he thought, a job is a job.
He turned the southwest corner and started along the gallery overlooking
the half-mile-long production floor. He glanced down and saw two people
walking past the line of partly built copters. The pair stopped and seemed
to be pointing things out to each other. A strange sight at this time of
night. "Better check," he thought.
Leroy headed for a staircase that would bring him onto the production-line
floor behind the pair, and they didn't sense his approach until he
stepped alongside. "Morning. Can I see your security badges, please," he
said. Leroy always tried to keep his voice soft at moments like this; he
knew that the sheer size of him could seem threatening.
"Hi, Leroy," one of them said, reading the name off his badge. "I'm Tom
Stilton, from the Marketing office at corporate in Phoenix. I'm in town for
meetings and wanted to show my friend here how the world's greatest
helicopters get built."
"Yes, sir. Your badge, please," Leroy said. He couldn't help noticing how
young they seemed. The Marketing guy looked barely out of high school,
the other one had hair down to his shoulders and looked about fifteen.
The one with the haircut reached into his pocket for his badge, then
started patting all his pockets. Leroy was suddenly beginning to have a
bad feeling about this. "Damn," the guy said. "Must've left it in the car. I
can get it--just take me ten minutes to go out to the parking lot and back."
Leroy had his pad out by this time. "What'd you say your name was, sir?" he
asked, and carefully wrote down the response. Then he asked them to go
with him to the Security Office. On the elevator to the third floor, Tom
chatted about having been with the company for only six months and
hoped he wasn't going to get in any trouble for this.
In the Security monitoring room, the two others on the night shift with
Leroy joined him in questioning the pair. Stilton gave his telephone
number, and said his boss was Judy Underwood and gave her telephone
number, and the information all checked out on the computer. Leroy took
the other two security people aside and they talked about what to do.
Nobody wanted to get this wrong; all three agreed they better call the
guy's boss even though it would mean waking her in the middle of the
night.
Leroy called Mrs. Underwood himself, explained who he was and did she
have a Mr. Tom Stilton working for her? She sounded like she was still
half-asleep. "Yes," she said.
"Well, we found him down on the production line at 2:30 in the morning
with no ID badge."
Mrs. Underwood said, "Let me talk to him."
Stilton got on the phone and said, "Judy, I'm really sorry about these
guys waking you up in the middle of the night. I hope you're not going to
hold this against me."
He listened and then said, "It was just that I had to be here in the morning
anyway, for that meeting on the new press release. Anyway, did you get
the email about the Thompson deal? We need to meet with Jim on
Monday morning so we don't lose this. And I'm still having lunch with
you on Tuesday, right?"
He listened a bit more and said good-bye and hung up.
That caught Leroy by surprise; he had thought he'd get the phone back
so the lady could tell him everything was okay. He wondered if maybe he
should call her again and ask, but thought better of it. He had already
bothered her once in the middle of the night; if he called a second time,
maybe she might get annoyed and complain to his boss. "Why make
waves?" he thought.
"Okay if I show my friend the rest of the production line?" Stilton asked
Leroy. "You want to come along, keep an eye on us?"
"Go on," Leroy said. "Look around. Just don't forget your badge next
time. And let Security know if you need to be on the plant floor after
hours--it's the rule."
"I'll remember that, Leroy," Stilton said. And they left.
Hardly ten minutes had gone by before the phone rang in the Security
Office. Mrs. Underwood was on the line. "Who was that guy?!" she
wanted to know. She said she kept trying to ask questions but he just kept
on talking about having lunch with her and she doesn't know who the hell
he is.
The security guys called the lobby and the guard at the gate to the parking
lot. Both reported the two young men had left some minutes before.
Telling the story later, Leroy always finished by saying, "Lordy, did boss
chew me up one side and down the other. I'm lucky I still have a job."
Joe Harper's Story
Just to see what he could get away with, seventeen-year-old Joe Harper
had been sneaking into buildings for more than a year, sometimes in the
daytime, sometimes at night. The son of a musician and a cocktail
waitress, both working the night shift, Joe had too much time by himself.
His story of that same incident sheds instructive light on how it all
happened.
I have this friend Kenny who thinks he wants to be a helicopter pilot. He
asked me, could I get him into the Skywatcher factory to see the
production line where they make the choppers. He knows I've got into
other places before. It's an adrenaline rush to see if you can slip into
places you're not supposed to be.
But you don't just walk into a factory or office building. Got to think it
through, do a lot of planning, and do a full reconnaissance on the target.
Check the company's Web page for names and titles, reporting structure,
and telephone numbers. Read press clippings and magazine articles.
Meticulous research is my own brand of caution, so I could talk to
anybody that challenged me, with as much knowledge as any employee.
So where to start? First I looked up on the Internet to see where the
company had offices, and saw the corporate headquarters was in Phoenix.
Perfect. I called and asked for Marketing; every company has a marketing
department. A lady answered, and I said I was with Blue Pencil Graphics
and we wanted to see if we could interest them in using our services and
who would I talk to. She said that would be Tom Stilton. I asked for his
phone number and she said they didn't give out that information but she
could put me through. The call rang into voice mail, and his message said,
"This is Tom Stilton in Graphics, extension 3147, please leave a
message." Sure--they don't give out extensions, but this guy leaves his
right on his voice mail. So that was cool. Now I had a name and
extension.
Another call, back to the same office. "Hi, I was looking for Tom Stilton.
He's not in. I'd like to ask his boss a quick question." The boss was out,
too, but by the time I was finished, I knew the boss's name. And she had
nicely left her extension number on her voice mail, too.
I could probably get us past the lobby guard with no sweat, but I've driven
by that plant and I thought I remembered a fence around the parking lot.
A fence means a guard who checks you when you try to drive in. And at
night, they might be writing down license numbers, too, so I'd have to buy
an old license plate at a flea market.
But first I'd have to get the phone number in the guard shack. I waited a
little so if I got the same operator when I dialed back in, she wouldn't
recognize my voice. After a bit I called and said, "We've got a complaint
that the phone at the Ridge Road guard shack has reported intermittent
problems--are they still having trouble?" She said she didn't know but
would connect me.
The guy answered, "Ridge Road gate, this is Ryan." I said, "Hi, Ryan,
this is Ben. Were you having problems with your phones there?" He's just
a low-paid security guard but I guess he had some training because he
right away said, "Ben who--what's your last name?" I just kept right on as
if I hadn't even heard him. "Somebody reported a problem earlier."
I could hear him holding the phone away and calling out, "Hey, Bruce,
Roger, was there a problem with this phone?" He came back on and said,
"No, no problems we know about."
"How many phone lines do you have there?"
He had forgotten about my name. "Two," he said. "Which one are you on
now?" "3140."
Gotcha! "And they're both working okay?"
"Seems like."
"Okay," I said. "Listen, Tom, if you have any phone problems, just call
us in Telecom any time. We're here to help."
My buddy and I decided to visit the plant the very next night. Late that
afternoon I called the guard booth, using the name of the Marketing guy. I
said, "Hi, this is Tom Stilton in Graphics. We're on a crash deadline and I
have a couple of guys driving into town to help out. Probably won't be
here till one or two in the morning. Will you still be on then?"
He was happy to say that, no, he got off at midnight.
I said, "Well, just leave a note for the next guy, okay? When two guys
show up and say they've come to see Tom Stilton, just wave 'em on in--
okay?"
Yes, he said, that was fine. He took down my name, department, and
extension number and said he'd take care of it.
We drove up to the gate a little after two, I gave Tom Stilton's name,
and a sleepy guard just pointed to the door we should go in and where I
should park.
When we walked into the building, there was another guard station in
the lobby, with the usual book for after-hours sign-ins. I told the guard I
had a report that needed to be ready in the morning, and this friend of
mine wanted to see the plant. "He's crazy about helicopters," I said
"Thinks he wants to learn to pilot one." He asked me for my badge. I
reached into a pocket, then patted around and said I must have left it in the
car; I'll go get it. I said, "It'll take about ten minutes." He said, "Never
mind, it's okay, just sign in."
Walking down that production line--what a gas. Until that tree-trunk of a
Leroy stopped us.
In the security office, I figured somebody who didn't really belong would
look nervous and frightened. When things get tight, I just start sounding
like I'm really steamed. Like I'm really who I claimed to be and it's
annoying they don't believe me.
When they started talking about maybe they should call the lady I said
was my boss and went to get her home phone number from the computer,
I stood there thinking, "Good time to just make a break for it." But there
was that parking-lot gate--even if we got out of the building, they'd close
the gate and we'd never make it out.
When Leroy called the lady who was Stilton's boss and then gave me the
phone, the lady started shouting at me "Who is this, who are you!" and I
just kept on talking like we were having a nice conversation, and then
hung up.
How long does it take to find somebody who can give you a company
phone number in the middle of the night? I figured we had less than
fifteen minutes to get out of there before that lady was ringing the security
office and putting a bug in their ears.
We got out of there as fast as we could without looking like we were in a
hurry. Sure was glad when the guy at the gate just waved us through.
Analyzing the Con
It's worth noting that in the real incident this story is based on, the
intruders actually were teenagers. The intrusion was a lark, just to see if
they could get away with it. But if it was so easy for a pair of teenagers, it
would have been even easier for adult thieves, industrial spies, or
terrorists.
How did three experienced security officers allow a pair of intruders to
just walk away? And not just any intruders, but a pair so young that any
reasonable person should have been very suspicious?
Leroy was appropriately suspicious, at first. He was correct in taking them
to the Security Office, and in questioning the guy who called
himself Tom Stilton and checking the names and phone numbers he gave.
He was certainly correct in making the phone call to the supervisor.
But in the end he was taken in by the young man's air of confidence and
indignation. It wasn't the behavior he would expect from a thief or
intruder--only a real employee would have acted that way . . . or so he
assumed. Leroy should have been trained to count on solid identification,
not perceptions.
Why wasn't he more suspicious when the young man hung up the phone
without handing it back so Leroy could hear the confirmation directly
from Judy Underwood and receive her assurance that the kid had a reason
for being in the plant so late at night?
Leroy was taken in by a ruse so bold that it should have been obvious. But
consider the moment from his perspective: a high-school graduate,
concerned for his job, uncertain whether he might get in trouble for
bothering a company manager for the second time in the middle of the
night. If you had been in his shoes, would you have made the follow-up
call?
But of course, a second phone call wasn't the only possible action. What
else could the security guard have done?
Even before placing the phone call, he could have asked both of the pair
to show some kind of picture identification; they drove to the plant, so at
least one of them should have a driver's license. The fact that they had
originally given phony names would have been immediately obvious (a
professional would have come equipped with fake ID, but these teenagers
had not taken that precaution). In any case, Leroy should have examined
their identification credentials and written down the information. If they
both insisted they had no identification, he should then have walked them
to the car to retrieve the company ID badge that "Tom Stilton" claimed he
had left there.
MITNICK MESSAGE
Manipulative people usually have very attractive personalities. They are
typically fast on their feet and quite articulate. Social engineers are also
skilled at distracting people's thought processes so that they cooperate. To
think that any one particular person is not vulnerable to this manipulation
is to underestimate the skill and the killer instinct of the social engineer.
A good social engineer, on the other hand, never underestimates his
adversary.
Following the phone call, one of the security people should have stayed
with the pair until they left the building. And then walked them to their
car and written down the license-plate number. If he had been observant
enough, he would have noted that the plate (the one that the attacker had
purchased at a flea market) did not have a valid registration sticker--and
that should have been reason enough to detain the pair for further
investigation.
DUMPSTER DIVING
Dumpster diving is a term that describes pawing through a target's
garbage in search of valuable information. The amount of information you
can learn about a target is astounding.
Most people don't give much thought to what they're discarding at home:
phone bills, credit card statements, medical prescription bottles, bank
statements, work-related materials, and so much more.
At work, employees must be made aware that people do look through
trash to obtain information that may benefit them.
During my high school years, I used to go digging through the trash
behind the local phone company buildings--often alone but occasionally
with friends who shared an interest in learning more about the telephone
company. Once you become a seasoned Dumpster diver, you learn a few
tricks, such as how to make special efforts to avoid the bags from the
restrooms, and the necessity of wearing gloves.
Dumpster diving isn't enjoyable, but the payoff was extraordinary--
internal company telephone directories, computer manuals, employee
lists, discarded printouts showing how to program switching equipment,
and more--all there for the taking.
I'd schedule visits for nights when new manuals were being issued,
because the trash containers would have plenty of old ones, thoughtlessly
thrown away. And I'd go at other odd times as well, looking for any
memos, letters, reports, and so forth, that might offer some interesting
gems of information.
On arriving I'd find some cardboard boxes, pull them out and set them
aside. If anyone challenged me, which happened now and then, I'd say
that a friend was moving and I was just looking for boxes to help him
pack. The guard never noticed all the documents I had put in the boxes to
take home. In some cases, he'd tell me to get lost, so I'd just move to
another phone company central office.
LINGO
DUMPSTER DIVING
Going through a company's garbage (often in an outside and vulnerable Dumpster) to find discarded information that
either itself has value, or provides a tool to use in a social engineering
attack, such as internal phone numbers or titles.
I don't know what it's like today, but back then it was easy to tell which
bags might contain something of interest. The floor sweepings and
cafeteria garbage were loose in the large bags, while the office
wastebaskets were all lined with white disposable trash bags, which the
cleaning crew would lift out one by one and wrap a tie around.
One time, while searching with some friends, we came up with some
sheets of paper torn up by hand. And not just torn up: someone had gone
to the trouble of ripping the sheets into tiny pieces, all conveniently
thrown out in a single five-gallon trash bag. We took the bag to a local
donut shop, dumped the pieces out on a table, and started assembling
them one by one.
We were all puzzle-doers, so this offered the stimulating challenge of a
giant jigsaw puzzle . . . but turned out to have more than a childish
reward. When done, we had pieced together the entire account name and
password list for one of the company's critical computer systems.
Were our Dumpster-diving exploits worth the risk and the effort? You bet
they were. Even more than you would think, because the risk is zero. It
was true then and still true today: As long as you're not trespassing,
poring through someone else's trash is 100 percent legal.
Of course, phone phreaks and hackers aren't the only ones with their
heads in trash cans. Police departments around the country paw through
trash regularly, and a parade of people from Mafia dons to petty
embezzlers have been convicted based in part on evidence gathered from
their rubbish. Intelligence agencies, including our own, have resorted to
this method for years.
It may be a tactic too low down for James Bond--movie-goers would
much rather watch him outfoxing the villain and bedding a beauty than
standing up to his knees in garbage. Real-life spies are less squeamish
when something of value may be bagged among the banana peels and
coffee grounds, the newspapers and grocery lists. Especially if gathering
the information doesn't put them in harm's way.
Cash for Trash
Corporations play the Dumpster-diving game, too. Newspapers had a field
day in June 2000, reporting that Oracle Corporation (whose CEO,
Larry Ellison, is probably the nation's most outspoken foe of Microsoft)
had hired an investigative firm that had been caught with their hands in
the cookie jar. It seems the investigators wanted trash from a Microsoft-supported
lobbying outfit, ACT, but they didn't want to risk getting
caught. According to press reports, the investigative firm sent in a woman
who offered the janitors $60 to let her have the ACT trash. They turned
her down. She was back the next night, upping the offer to $500 for the
cleaners and $200 for the supervisor.
The janitors turned her down and then turned her in.
Leading on-line journalist Declan McCullagh, taking a leaf from literature,
titled his Wired News story on the episode, "'Twas Oracle That Spied on
MS." Time magazine, nailing Oracle's Ellison, titled their article simply
"Peeping Larry."
Analyzing the Con
Based on my own experience and the experience of Oracle, you might
wonder why anybody would bother taking the risk of stealing someone's
trash.
The answer, I think, is that the risk is nil and the benefits can be
substantial. Okay, maybe trying to bribe the janitors increases the chance
of consequences, but for anyone who's willing to get a little dirty, bribes
aren't necessary.
For a social engineer, Dumpster diving has its benefits. He can get enough
information to guide his assault against the target company, including
memos, meeting agendas, letters and the like that reveal names,
departments, titles, phone numbers, and project assignments. Trash can
yield company organizational charts, information about corporate
structure, travel schedules, and so on. All those details might seem trivial
to insiders, yet they may be highly valuable information to an attacker.
Mark Joseph Edwards, in his book Internet Security with Windows NT,
talks about "entire reports discarded because of typos, passwords written
on scraps of paper, 'While you were out' messages with phone numbers,
whole file folders with documents still in them, diskettes and tapes that
weren't erased or destroyed--all of which could help a would-be intruder."
The writer goes on to ask, "And who are those people on your cleaning
crew? You've decided that the cleaning crew won't [be permitted to] enter
the computer room but don't forget the other trash cans. If federal
agencies deem it necessary to do background checks on people who have
access to their wastebaskets and shredders, you probably should as well."
MITNICK MESSAGE
Your trash may be your enemy's treasure. We don't give much
consideration to the materials we discard in our personal lives, so why
should we believe people have a different attitude in the workplace? It all
comes down to educating the workforce about the danger (unscrupulous
people digging for valuable information) and the vulnerability (sensitive
information not being shredded or properly erased).
THE HUMILIATED BOSS
Nobody thought anything about it when Harlan Fortis came to work on
Monday morning as usual at the County Highway Department, and said
he'd left home in a hurry and forgotten his badge. The security guard had
seen Harlan coming in and going out every weekday for the two years she
had been working there. She had him sign for a temporary employee's
badge, gave it to him, and he went on his way.
It wasn't until two days later that all hell started breaking loose. The
story spread through the entire department like wildfire. Half the people
who heard it said it couldn't be true. Of the rest, nobody seemed to know
whether to laugh out loud or to feel sorry for the poor soul.
After all, George Adamson was a kind and compassionate person, the
best head of department they'd ever had. He didn't deserve to have this
happen to him. Assuming that the story was true, of course.
The trouble had begun when George called Harlan into his office late
one Friday and told him, as gently as he could, that come Monday Harlan
would be reporting to a new job. With the Sanitation Department. To
Harlan, this wasn't like being fired. It was worse; it was humiliating. He
wasn't going to take it lying down.
That same evening he seated himself on his porch to watch the
homeward-bound traffic. At last he spotted the neighborhood boy named
David who everyone called "The War Games Kid" going by on his moped
on the way home from high school. He stopped David, gave him a Code
Red Mountain Dew he had bought especially for the purpose, and offered
him a deal: the latest video game player and six games in exchange for
some computer help and a promise of keeping his mouth shut.
After Harlan explained the project--without giving any of the
compromising specifics--David agreed. He described what he wanted
Harlan to do. He was to buy a modem, go into the office, find somebody's
computer where there was a spare phone jack nearby, and plug in the
modem. Leave the modem under the desk where nobody would be likely
to see it. Then came the risky part. Harlan had to sit down at the
computer, install a
remote-access software package, and get it running. Any moment the man
who worked in the office might show up, or someone might walk by and
see him in another person's office. He was so uptight that he could hardly
read the instructions that the kid had written down for him. But he got it
done, and slipped out of the building without being noticed.
Planting the Bomb
David stopped over after dinner that night. The two sat down at Harlan's
computer and within a few minutes the boy had dialed into the
modem, gained access, and reached George Adamson's machine. Not very
difficult, since George never had time for precautionary things like changing
passwords, and was forever asking this person or that to download or
email a file for him. In time, everyone in the office knew his password.
A bit of hunting turned up the file called BudgetSlides2002.ppt, which
the boy downloaded onto Harlan's computer. Harlan then told the kid to
go on home, and come back in a couple of hours.
When David returned, Harlan asked him to reconnect to the Highway
Department computer system and put the same file back where they had
found it, overwriting the earlier version. Harlan showed David the video
game player, and promised that if things went well, he'd have it the next
day.
Surprising George
You wouldn't think that something sounding as dull as budget hearings
would be of much interest to anyone, but the meeting chamber of the
County Council was packed, filled with reporters, representatives of special
interest groups, members of the public, and even two television news crews.
George always felt much was at stake for him in these sessions. The
County Council held the purse strings, and unless George could put on a
convincing presentation, the Highways budget would be slashed. Then
everyone would start complaining about potholes and stuck traffic lights
and dangerous intersections, and blaming him, and life would be miserable
for the whole coming year. But when he was introduced that evening,
he stood up feeling confident. He had worked six weeks on this presentation
and the PowerPoint visuals, which he had tried out on his wife, his
top staff people, and some respected friends. Everyone agreed it was his
best presentation ever.
The first three PowerPoint images played well. For a change, every
Council member was paying attention. He was making his points
effectively.
And then all at once everything started going wrong. The fourth image
was supposed to be a beautiful photo at sunset of the new highway
extension opened last year. Instead it was something else, something very
embarrassing. A photograph out of a magazine like Penthouse or Hustler.
He could hear the audience gasp as he hurriedly hit the button on his
laptop to move to the next image.
This one was worse. Not a thing was left to the imagination.
He was still trying to click to another image when someone in the
audience pulled out the power plug to the projector while the chairman
banged loudly with his gavel and shouted above the din that the meeting
was adjourned.
Analyzing the Con
Using a teenage hacker's expertise, a disgruntled employee managed to
access the computer of the head of his department, download an important
PowerPoint presentation, and replace some of the slides with images
certain to cause grave embarrassment. Then he put the presentation back
on the man's computer.
With the modem plugged into a jack and connected to one of the office
computers, the young hacker was able to dial in from the outside. The kid
had set up the remote access software in advance so that, once connected
to the computer, he would have full access to every file stored on the
entire system. Since the computer was connected to the organization's
network and he already knew the boss's username and password, he could
easily gain access to the boss's files.
Including the time to scan in the magazine images, the entire effort had
taken only a few hours. The resulting damage to a good man's reputation
was beyond imagining.
MITNICK MESSAGE
The vast majority of employees who are transferred, fired, or let go in a
downsizing are never a problem. Yet it only takes one to make a
company realize too late what steps they could have taken to prevent
disaster.
Experience and statistics have clearly shown that the greatest threat to the
enterprise is from insiders. It's the insiders who have intimate knowledge
of where the valuable information resides, and where to hit the company
to cause the most harm.
THE PROMOTION SEEKER
Late in the morning of a pleasant autumn day, Peter Milton walked into
the lobby of the Denver regional offices of Honorable Auto Parts, a
national parts wholesaler for the automobile aftermarket. He waited at the
reception desk while the young lady signed in a visitor, gave driving
directions to a caller, and dealt with the UPS man, all more or less at the
same time.
"So how did you learn to do so many things at once?" Pete said when she
had time to help him. She smiled, obviously pleased he had noticed. He
was from Marketing in the Dallas office, he told her, and said that Mike
Talbott from Atlanta field sales was going to be meeting him. "We have a
client to visit together this afternoon," he explained. "I'll just wait here in
the lobby."
"Marketing." She said the word almost wistfully, and Pete smiled at her,
waiting to hear what was coming. "If I could go to college, that's what I'd
take," she said. "I'd love to work in Marketing."
He smiled again. "Kaila," he said, reading her name off the sign on the
counter, "We have a lady in the Dallas office who was a secretary. She
got herself moved over to Marketing. That was three years ago, and now
she's an assistant marketing manager, making twice what she was."
Kaila looked starry-eyed. He went on, "Can you use a computer?" "Sure,"
she said.
"How would you like me to put your name in for a secretary's job in
Marketing?"
She beamed. "For that I'd even move to Dallas."
"You're going to love Dallas," he said. "I can't promise an opening right
away, but I'll see what I can do."
She thought that this nice man in the suit and tie and with the neatly
trimmed, well-combed hair might make a big difference in her working
life.
Pete sat down across the lobby, opened his laptop, and started getting
some work done. After ten or fifteen minutes, he stepped back up to the
counter. "Listen," he said, "it looks like Mike must've been held up. Is
there a conference room where I could sit and check my emails while I'm
waiting?"
Kaila called the man who coordinated the conference room scheduling
and arranged for Pete to use one that wasn't booked. Following a pattern
picked up from Silicon Valley companies (Apple was probably the first to
do this) some of the conference rooms were named after cartoon
characters, others after restaurant chains or movie stars or comic book
heroes. He was told to look for the Minnie Mouse room. She had him sign
in, and gave him directions to find Minnie Mouse.
He located the room, settled in, and connected his laptop to the Ethernet
port.
Do you get the picture yet?
Right--the intruder had connected to the network behind the corporate
firewall.
Anthony's Story
I guess you could call Anthony Lake a lazy businessman. Or maybe
"bent" comes closer.
Instead of working for other people, he had decided he wanted to go to
work for himself; he wanted to open a store, where he could be at one
place all day and not have to run all over the countryside. Only he wanted
to have a business that he could be as sure as possible he could make
money at.
What kind of store? That didn't take long to figure out. He knew about
repairing cars, so an auto parts store.
And how do you build in a guarantee of success? The answer came to him
in a flash: convince auto parts wholesaler Honorable Auto Parts to sell
him all the merchandise he needed at their cost.
Naturally they wouldn't do this willingly. But Anthony knew how to con
people, his friend Mickey knew about breaking into other people's
computers, and together they worked out a clever plan.
That autumn day he convincingly passed himself off as an employee
named Peter Milton, and he had conned his way inside the Honorable
Auto Parts offices and had already plugged his laptop into their network.
So far, so good, but that was only the first step. What he still had to do
wouldn't be easy, especially since Anthony had set himself a fifteen-minute
time limit--any longer and he figured that the risk of discovery
would be too high.
MITNICK MESSAGE
Train your people not to judge a book solely by its cover--just because
someone is well-dressed and well-groomed he shouldn't be any more
believable.
In an earlier phone call pretexting as a support person from their computer
supplier, he had put on a song-and-dance act. "Your company has
purchased a two-year support plan and we're putting you in the database
so we can know when a software program you're using has come out with
a patch or a new updated version. So I need to have you tell me what
applications you're using." The response gave him a list of programs, and
an accountant friend identified the one called MAS 90 as the target--the
program that would hold their list of vendors and the discount and
payment terms for each.
With that key knowledge, he next used a software program to identify
all the working hosts on the network, and it didn't take him long to locate
the correct server used by the Accounting department. From the arsenal of
hacker tools on his laptop, he launched one program and used it to
identify all of the authorized users on the target server. With another, he
then ran a list of commonly used passwords, such as "blank," and
"password" itself. "Password" worked. No surprise there. People just lose
all creativity when it comes to choosing passwords.
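The defender's counterpart to the password-guessing step just described, added here as an example and not code from the book: a small detector that reads authentication records and flags a source host that fails logins against several different accounts within a short window (the signature of a common-password list being tried against an enumerated user list), then reports whether any of those accounts later succeeded from the same host. The log line format, the host name acct-srv, the account names, the addresses and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication records (not from the book). The format
# is an assumption, modelled loosely on syslog-style login auditing.
SAMPLE_LOG = """\
2002-10-14 11:31:02 acct-srv auth: FAILED login user=alice from=10.20.30.77
2002-10-14 11:31:03 acct-srv auth: FAILED login user=bob from=10.20.30.77
2002-10-14 11:31:03 acct-srv auth: FAILED login user=carol from=10.20.30.77
2002-10-14 11:31:04 acct-srv auth: FAILED login user=dave from=10.20.30.77
2002-10-14 11:31:05 acct-srv auth: FAILED login user=erin from=10.20.30.77
2002-10-14 11:31:06 acct-srv auth: ACCEPTED login user=erin from=10.20.30.77
2002-10-14 11:45:10 acct-srv auth: FAILED login user=alice from=10.20.30.12
2002-10-14 11:45:40 acct-srv auth: ACCEPTED login user=alice from=10.20.30.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ auth: "
    r"(?P<result>FAILED|ACCEPTED) login user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """One alert per source host that fails logins for at least `min_users`
    distinct accounts inside any `window`-long period. A single account
    failing repeatedly is deliberately not flagged here; that is a different
    signature (brute force on one user) and would need its own rule."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAILED":
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # slide the window so fails[start:end+1] spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in fails[start:end + 1]}) >= min_users:
                sprayed = {e["user"] for e in fails}
                first = fails[start]["ts"]
                # did any sprayed account then log in successfully from this host?
                later_success = sorted({
                    e["user"] for e in events
                    if e["src"] == src and e["result"] == "ACCEPTED"
                    and e["user"] in sprayed and e["ts"] >= first
                })
                alerts.append({"src": src, "users": sorted(sprayed),
                               "first_failure": first,
                               "later_success": later_success})
                break  # one alert per source host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed input the rule fires for 10.20.30.77, whose failures against five accounts in four seconds end with a successful login as erin, which is the account a responder would check first; the lone failure from 10.20.30.12 followed by a success is a user mistyping a password and is left alone. The window and account-count thresholds are assumptions to tune against the real login rate of the system being watched.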
Only six minutes gone, and the game was half over. He was in.
Another three minutes to very carefully add his new company, address,
phone number, and contact name to the list of customers. And then for the
crucial entry, the one that would make all the difference, the entry that
said all items were to be sold to him at 1 percent over Honorable Auto
Parts' cost.
In slightly under ten minutes, he was done. He stopped long enough to tell
Kaila thanks, he was through checking his emails. And he had reached
Mike Talbott, change of plans, he was on the way to a meeting at a client's
office. And he wouldn't forget about recommending her for that job in
Marketing, either.
Analyzing the Con
The intruder who called himself Peter Milton used two psychological
subversion techniques--one planned, the other improvised on the spur of
the moment.
He dressed like a management worker earning good money. Suit and tie,
hair carefully styled--these seem like small details, but they make an
impression. I discovered this myself, inadvertently. In a short time as a
programmer at GTE California--a major telephone company no longer in
existence--I discovered that if I came in one day without a badge,
neatly dressed but casual--say, sports shirt, chinos, and Dockers--I'd be
stopped and questioned. Where's your badge, who are you, where do you
work? Another day I'd arrive, still without a badge but in a suit and tie,
looking very corporate. I'd use a variation of the age-old piggybacking
technique, blending in with a crowd of people as they walk into a building
or a secure entrance. I would latch onto some people as they approached
the main entrance, and walk in chatting with the crowd as if I was one of
them. I walked past, and even if the guards noticed I was badge-less, they
wouldn't bother me because I looked like management and I was with
people who were wearing badges.
From this experience, I recognized how predictable the behavior of
security guards is. Like the rest of us, they were making judgments based
on appearances--a serious vulnerability that social engineers learn to take
advantage of.
The attacker's second psychological weapon came into play when he
noticed the unusual effort that the receptionist was making. Handling
several things at once, she didn't get testy but managed to make everyone
feel they had her full attention. He took this as the mark of someone
interested in getting ahead, in proving herself. And then when he claimed
to work in the Marketing department, he watched to see her reaction,
looking for clues to indicate if he was establishing a rapport with her. He
was. To the attacker, this added up to someone he could manipulate
through a promise of trying to help her move into a better job. (Of course,
if she had said she wanted to go into the Accounting department, he
would have claimed he had contacts for getting her a job there, instead.)
Intruders are also fond of another psychological weapon used in this
story: building trust with a two-stage attack. He first used that chatty
conversation about the job in Marketing, and he also used "namedropping"--
giving the name of another employee--a real person,
incidentally, just as the name he himself used was the name of a real
employee.
He could have followed up the opening conversation right away with a
request to get into a conference room. But instead he sat down for a while
and pretended to work, supposedly waiting for his associate, another way
of allaying any possible suspicions because an intruder wouldn't hang
around. He didn't hang around for very long, though; social engineers
know better than to stay at the scene of the crime any longer than
necessary.
MITNICK MESSAGE
Allowing a stranger into an area where he can plug a laptop into the
corporate network increases the risk of a security incident. It's perfectly
reasonable for an employee, especially one from offsite, to want to check
his or her email from a conference room, but unless the visitor is
established as a trusted employee or the network is segmented to prevent
unauthorized connections, this may be the weak link that allows company
files to be compromised.
Just for the record: By the laws on the books at the time of this writing,
Anthony had not committed a crime when he entered the lobby. He had
not committed a crime when he used the name of a real employee. He had
not committed a crime when he talked his way into the conference room.
He had not committed a crime when he plugged into the company's
network and searched for the target computer.
Not until he actually broke in to the computer system did he break the
law.
SNOOPING ON KEVIN
Many years ago when I was working in a small business, I began to notice
that each time I walked into the office I shared with the three other
computer people who made up the IT department, this one particular guy
(Joe, I'll call him here) would quickly toggle the display on his computer
to a different window. I immediately recognized this as suspicious. When
it happened two more times the same day, I was sure something was going
on that I should know about. What was this guy up to that he didn't want
me to see?
Joe's computer acted as a terminal to access the company's minicomputers,
so I installed a monitoring program on the VAX minicomputer
that allowed me to spy on what he was doing. The program acted as if a
TV camera was looking over his shoulder, showing me exactly what he
was seeing on his computer.
My desk was next to Joe's; I turned my monitor as best I could to partly
mask his view, but he could have looked over at any moment and realized
I was spying on him. Not a problem; he was too enthralled in what he was
doing to notice.
What I saw made my jaw drop. I watched, fascinated, as the bastard
called up my payroll data. He was looking up my salary!
I had only been there a few months at the time and I guessed Joe couldn't
stand the idea that I might have been making more than he was.
A few minutes later I saw that he was downloading hacker tools used by
less experienced hackers who don't know enough about programming to
devise the tools for themselves. So Joe was clueless, and had no idea that
one of America's most experienced hackers was sitting right next to him.
I thought it was hilarious.
He already had the information about my pay; so it was too late to stop
him. Besides, any employee with computer access at the IRS or the Social
Security Administration can look your salary up. I sure didn't want to tip
my hand by letting him know I'd found out what he was up to. My main
goal at the time was maintaining a low profile, and a good social engineer
doesn't advertise his abilities and knowledge. You always want people to
underestimate you, not see you as a threat.
So I let it go, and laughed to myself that Joe thought he knew some secret
about me, when it was the other way around: I had the upper hand by
knowing what he had been up to.
In time I discovered that all three of my co-workers in the IT group
amused themselves by looking up the take-home pay of this or that cute
secretary or (for the one girl in the group) neat-looking guy they had
spotted. And they were all finding out the salary and bonuses of anybody
at the company they were curious about, including senior management.
Analyzing the Con
This story illustrates an interesting problem. The payroll files were
accessible to the people who had the responsibility of maintaining the
company's computer systems. So it all comes down to a personnel issue:
deciding who can be trusted. In some cases, IT staff might find it
irresistible to snoop around. And they have the ability to do so because
they have privileges allowing them to bypass access controls on those
files.
One safeguard would be to audit any access to particularly sensitive files,
such as payroll. Of course, anyone with the requisite privileges could
disable auditing or possibly remove any entries that would point back to
them, but each additional step takes more effort to hide on the part of an
unscrupulous employee.
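The audit safeguard and its caveat, worked through as an added example that is not code from the book: a hash-chained audit trail in which each record commits to the one before it, so deleting or editing the record of a payroll lookup breaks the chain, plus a verifier that reports the first record that no longer fits. The AuditLog and verify_chain names, the file paths and the user names are constructed for the example.

```python
import hashlib
import json


class AuditLog:
    """Append-only audit trail for access to sensitive files (e.g. payroll).
    Every record carries the hash of the record before it, so removing or
    editing an earlier entry changes what every later entry should look like.
    Constructed for this example; not the book's or any product's code."""

    GENESIS = "0" * 64  # "previous hash" of the very first record

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        # canonical JSON so the same fields always hash the same way
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def append(self, actor, action, path):
        """Record one access and return the new head hash."""
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "actor": actor,
                "action": action, "path": path, "prev": prev}
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body["hash"]


def verify_chain(records, expected_head=None):
    """Walk the chain; return (True, None) if intact, else (False, index)
    where index is the first record that does not fit. If expected_head
    (the last hash, kept somewhere the administrator cannot edit) is given,
    a silently truncated tail is reported at index len(records)."""
    prev = AuditLog.GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or body.get("prev") != prev:
            return False, i          # a record was removed or reordered
        if AuditLog._digest(body) != rec.get("hash"):
            return False, i          # a record's contents were edited
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)   # records dropped from the end
    return True, None


def sensitive_accesses(records, prefix):
    """Who touched files under `prefix`, in order of access."""
    return [(r["actor"], r["action"]) for r in records
            if r["path"].startswith(prefix)]


if __name__ == "__main__":
    log = AuditLog()
    log.append("alice", "read", "/projects/roadmap.doc")
    log.append("joe", "read", "/payroll/salaries.dat")    # the snooping lookup
    head = log.append("bob", "write", "/payroll/salaries.dat")
    print("intact:", verify_chain(log.records, head))
    cleaned = [dict(r) for r in log.records]
    del cleaned[1]                                          # joe covers his tracks
    print("after deletion:", verify_chain(cleaned, head))
```

Two things the verifier makes visible: removing or altering a middle record is caught by the chain alone, but cutting records off the end is only caught when the latest head hash has been copied somewhere the privileged user cannot reach (a remote log host, a printout, a separately administered system). And a user with enough privilege can still turn auditing off before acting, which is the point made above: each extra step raises the effort and the number of traces left behind, without making the cover-up impossible.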
PREVENTING THE CON
From pawing through your trash to duping a security guard or
receptionist, social engineers can physically invade your corporate space.
But you'll be glad to hear that there are preventive measures you can take.
Protection After Hours
All employees who arrive for work without their badges should be
required to stop at the lobby desk or security office to obtain a temporary
badge for the day. The incident in the first story of this chapter could have
come to a much different conclusion if the company security guards had
had a specific set of steps to follow when encountering anyone without
the required employee badge.
For compani