
Hacking Tutorial (Social Engineering) – Kevin Mitnick, Part 2


Part 3 is the part of the book where you see how the social engineer ups the ante, in made-up stories that show how he can step onto your corporate premises, steal the kind of secret that can make or break your company, and thwart your hi-tech security measures. The scenarios in this section will make you aware of threats that range from simple employee revenge to cyber terrorism. If you value the information that keeps your business running and the privacy of your data, you’ll want to read Chapters 10 through 14 from beginning to end.

It’s important to note that unless otherwise stated, the anecdotes in this book are purely fictional.

In Part 4 I talk the corporate talk about how to prevent successful social engineering attacks on your organization. Chapter 15 provides a blueprint for a successful security-training program. And Chapter 16 might just save your neck – it’s a complete security policy you can customize for your organization and implement right away to keep your company and information safe.

Finally, I’ve provided a Security at a Glance section, which includes checklists, tables, and charts that summarize key information you can use to help your employees foil a social engineering attack on the job. These tools also provide valuable information you can use in devising your own security-training program.

Throughout the book you’ll also find several useful elements: Lingo boxes provide definitions of social engineering and computer hacker terminology; Mitnick Messages offer brief words of wisdom to help strengthen your security strategy; and notes and sidebars give interesting background or additional information.

Part 1

Behind The Scenes

Chapter 1

Security’s Weakest Link

A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business.

That company is still totally vulnerable.

Individuals may follow every best-security practice recommended by the experts, slavishly install every recommended security product, and be thoroughly vigilant about proper system configuration and applying security patches.

Those individuals are still completely vulnerable.

THE HUMAN FACTOR

Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it.

It’s natural to yearn for a feeling of absolute safety, leading many people to settle for a false sense of security. Consider the responsible and loving homeowner who has a Medico, a tumbler lock known as being pickproof, installed in his front door to protect his wife, his children, and his home. He’s now comfortable that he has made his family much safer against intruders. But what about the intruder who breaks a window, or cracks the code to the garage door opener? How about installing a robust security system? Better, but still no guarantee. Expensive locks or no, the homeowner remains vulnerable.

Why? Because the human factor is truly security’s weakest link.

Security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naivete, or ignorance come into play. The world’s most respected scientist of the twentieth century, Albert Einstein, is quoted as saying, “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” In the end, social engineering attacks can succeed when people are stupid or, more commonly, simply ignorant about good security practices. With the same attitude as our security-conscious homeowner, many information technology (IT) professionals hold to the misconception that they’ve made their companies largely immune to attack because they’ve deployed standard security products – firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. Anyone who thinks that security products alone offer true security is settling for the illusion of security. It’s a case of living in a world of fantasy: They will inevitably, later if not sooner, suffer a security incident.

As noted security consultant Bruce Schneier puts it, “Security is not a product, it’s a process.” Moreover, security is not a technology problem – it’s a people and management problem.

As developers invent continually better security technologies, making it increasingly difficult to exploit technical vulnerabilities, attackers will turn more and more to exploiting the human element. Cracking the human firewall is often easy, requires no investment beyond the cost of a phone call, and involves minimal risk.

A CLASSIC CASE OF DECEPTION

What’s the greatest threat to the security of your business assets? That’s easy: the social engineer – an unscrupulous magician who has you watching his left hand while with his right he steals your secrets. This character is often so friendly, glib, and obliging that you’re grateful for having encountered him.

Take a look at an example of social engineering. Not many people today still remember the young man named Stanley Mark Rifkin and his little adventure with the now defunct Security Pacific National Bank in Los Angeles. Accounts of his escapade vary, and Rifkin (like me) has never told his own story, so the following is based on published reports.

Code Breaking

One day in 1978, Rifkin moseyed over to Security Pacific’s authorized-personnel-only wire-transfer room, where the staff sent and received transfers totaling several billion dollars every day.

He was working for a company under contract to develop a backup system for the wire room’s data in case their main computer ever went down. That role gave him access to the transfer procedures, including how bank officials arranged for a transfer to be sent. He had learned that bank officers who were authorized to order wire transfers would be given a closely guarded daily code each morning to use when calling the wire room.

In the wire room the clerks saved themselves the trouble of trying to memorize each day’s code: They wrote down the code on a slip of paper and posted it where they could see it easily. This particular November day Rifkin had a specific reason for his visit. He wanted to get a glance at that paper.

Arriving in the wire room, he took some notes on operating procedures, supposedly to make sure the backup system would mesh properly with the regular systems. Meanwhile, he surreptitiously read the security code from the posted slip of paper, and memorized it. A few minutes later he walked out. As he said afterward, he felt as if he had just won the lottery.

There’s This Swiss Bank Account…

Leaving the room at about 3 o’clock in the afternoon, he headed straight for the pay phone in the building’s marble lobby, where he deposited a coin and dialed into the wire-transfer room. He then changed hats, transforming himself from Stanley Rifkin, bank consultant, into Mike Hansen, a member of the bank’s International Department.

According to one source, the conversation went something like this:

“Hi, this is Mike Hansen in International,” he said to the young woman who answered the phone.

She asked for the office number. That was standard procedure, and he was prepared: “286,” he said.

The girl then asked, “Okay, what’s the code?”

Rifkin has said that his adrenaline-powered heartbeat “picked up its pace” at this point. He responded smoothly, “4789.” Then he went on to give instructions for wiring “Ten million, two-hundred thousand dollars exactly” to the Irving Trust Company in New York, for credit of the Wozchod Handels Bank of Zurich, Switzerland, where he had already established an account.

The girl then said, “Okay, I got that. And now I need the interoffice settlement number.”

Rifkin broke out in a sweat; this was a question he hadn’t anticipated, something that had slipped through the cracks in his research. But he managed to stay in character, acted as if everything was fine, and on the spot answered without missing a beat, “Let me check; I’ll call you right back.” He changed hats once again to call another department at the bank, this time claiming to be an employee in the wire-transfer room. He obtained the settlement number and called the girl back.

She took the number and said, “Thanks.” (Under the circumstances, her thanking him has to be considered highly ironic.)

Achieving Closure

A few days later Rifkin flew to Switzerland, picked up his cash, and handed over $8 million to a Russian agency for a pile of diamonds. He flew back, passing through U.S. Customs with the stones hidden in a money belt. He had pulled off the biggest bank heist in history – and done it without using a gun, even without a computer. Oddly, his caper eventually made it into the pages of the Guinness Book of World Records in the category of “biggest computer fraud.”

Stanley Rifkin had used the art of deception – the skills and techniques that are today called social engineering. Thorough planning and a good gift of gab is all it really took.

And that’s what this book is about – the techniques of social engineering (at which yours truly is proficient) and how to defend against their being used at your company.

THE NATURE OF THE THREAT

The Rifkin story makes perfectly clear how misleading our sense of security can be. Incidents like this – okay, maybe not $10 million heists, but harmful incidents nonetheless – are happening every day. You may be losing money right now, or somebody may be stealing new product plans, and you don’t even know it. If it hasn’t already happened to your company, it’s not a question of if it will happen, but when.

A Growing Concern

The Computer Security Institute, in its 2001 survey of computer crime, reported that 85 percent of responding organizations had detected computer security breaches in the preceding twelve months. That’s an astounding number: Only fifteen out of every hundred organizations responding were able to say that they had not had a security breach during the year. Equally astounding was the number of organizations that reported that they had experienced financial losses due to computer breaches: 64 percent. Well over half the organizations had suffered financially. In a single year.

My own experiences lead me to believe that the numbers in reports like this are somewhat inflated. I’m suspicious of the agenda of the people conducting the survey. But that’s not to say that the damage isn’t extensive; it is. Those who fail to plan for a security incident are planning for failure.

Commercial security products deployed in most companies are mainly aimed at providing protection against the amateur computer intruder, like the youngsters known as script kiddies. In fact, these wannabe hackers with downloaded software are mostly just a nuisance. The greater losses, the real threats, come from sophisticated attackers with well-defined targets who are motivated by financial gain. These people focus on one target at a time rather than, like the amateurs, trying to infiltrate as many systems as possible. While amateur computer intruders simply go for quantity, the professionals target information of quality and value.

Technologies like authentication devices (for proving identity), access control (for managing access to files and system resources), and intrusion detection systems (the electronic equivalent of burglar alarms) are necessary to a corporate security program. Yet it’s typical today for a company to spend more money on coffee than on deploying countermeasures to protect the organization against security attacks.

Just as the criminal mind cannot resist temptation, the hacker mind is driven to find ways around powerful security technology safeguards. And in many cases, they do that by targeting the people who use the technology.

Deceptive Practices

There’s a popular saying that a secure computer is one that’s turned off. Clever, but false: The pretexter simply talks someone into going into the office and turning that computer on. An adversary who wants your information can obtain it, usually in any one of several different ways. It’s just a matter of time, patience, personality, and persistence. That’s where the art of deception comes in.

To defeat security measures, an attacker, intruder, or social engineer must find a way to deceive a trusted user into revealing information, or trick an unsuspecting mark into providing him with access. When trusted employees are deceived, influenced, or manipulated into revealing sensitive information, or performing actions that create a security hole for the attacker to slip through, no technology in the world can protect a business. Just as cryptanalysts are sometimes able to reveal the plain text of a coded message by finding a weakness that lets them bypass the encryption technology, social engineers use deception practiced on your employees to bypass security technology.

ABUSE OF TRUST

In most cases, successful social engineers have strong people skills. They’re charming, polite, and easy to like – social traits needed for establishing rapid rapport and trust. An experienced social engineer is able to gain access to virtually any targeted information by using the strategies and tactics of his craft.

Savvy technologists have painstakingly developed information-security solutions to minimize the risks connected with the use of computers, yet left unaddressed the most significant vulnerability, the human factor. Despite our intellect, we humans – you, me, and everyone else – remain the most severe threat to each other’s security.

Our National Character

We’re not mindful of the threat, especially in the Western world. In the United States most of all, we’re not trained to be suspicious of each other. We are taught to “love thy neighbor” and have trust and faith in each other. Consider how difficult it is for neighborhood watch organizations to get people to lock their homes and cars. This sort of vulnerability is obvious, and yet it seems to be ignored by many who prefer to live in a dream world – until they get burned.

We know that all people are not kind and honest, but too often we live as if they were. This lovely innocence has been the fabric of the lives of Americans and it’s painful to give it up. As a nation we have built into our concept of freedom that the best places to live are those where locks and keys are the least necessary.

Most people go on the assumption that they will not be deceived by others, based upon a belief that the probability of being deceived is very low; the attacker, understanding this common belief, makes his request sound so reasonable that it raises no suspicion, all the while exploiting the victim’s trust.

Organizational Innocence

That innocence that is part of our national character was evident back when computers were first being connected remotely. Recall that the ARPANet (the Defense Department’s Advanced Research Projects Agency Network), the predecessor of the Internet, was designed as a way of sharing research information between government, research, and educational institutions. The goal was information freedom, as well as technological advancement. Many educational institutions therefore set up early computer systems with little or no security. One noted software libertarian, Richard Stallman, even refused to protect his account with a password.

But with the Internet being used for electronic commerce, the dangers of weak security in our wired world have changed dramatically. Deploying more technology is not going to solve the human security problem.

Just look at our airports today. Security has become paramount, yet we’re alarmed by media reports of travelers who have been able to circumvent security and carry potential weapons past checkpoints. How is this possible during a time when our airports are on such a state of alert? Are the metal detectors failing? No. The problem isn’t the machines. The problem is the human factor: The people manning the machines. Airport officials can marshal the National Guard and install metal detectors and facial recognition systems, but educating the frontline security staff on how to properly screen passengers is much more likely to help.

The same problem exists within government, business, and educational institutions throughout the world. Despite the efforts of security professionals, information everywhere remains vulnerable and will continue to be seen as a ripe target by attackers with social engineering skills, until the weakest link in the security chain, the human link, has been strengthened.

Now more than ever we must learn to stop wishful thinking and become more aware of the techniques that are being used by those who attempt to attack the confidentiality, integrity, and availability of our computer systems and networks. We’ve come to accept the need for defensive driving; it’s time to accept and learn the practice of defensive computing.

The threat of a break-in that violates your privacy, your mind, or your company’s information systems may not seem real until it happens. To avoid such a costly dose of reality, we all need to become aware, educated, vigilant, and aggressively protective of our information assets, our own personal information, and our nation’s critical infrastructures. And we must implement those precautions today.

TERRORISTS AND DECEPTION

Of course, deception isn’t an exclusive tool of the social engineer. Physical terrorism makes the biggest news, and we have come to realize as never before that the world is a dangerous place. Civilization is, after all, just a thin veneer.

The attacks on New York and Washington, D.C., in September 2001 infused sadness and fear into the hearts of every one of us – not just Americans, but well-meaning people of all nations. We’re now alerted to the fact that there are obsessive terrorists located around the globe, well-trained and waiting to launch further attacks against us.

The recently intensified effort by our government has increased the levels of our security consciousness. We need to stay alert, on guard against all forms of terrorism. We need to understand how terrorists treacherously create false identities, assume roles as students and neighbors, and melt into the crowd. They mask their true beliefs while they plot against us – practicing tricks of deception similar to those you will read about in these pages.

And while, to the best of my knowledge, terrorists have not yet used social engineering ruses to infiltrate corporations, water-treatment plants, electrical generation facilities, or other vital components of our national infrastructure, the potential is there. It’s just too easy. The security awareness and security policies that I hope will be put into place and enforced by corporate senior management because of this book will come none too soon.

ABOUT THIS BOOK

Corporate security is a question of balance. Too little security leaves your company vulnerable, but an overemphasis on security gets in the way of attending to business, inhibiting the company’s growth and prosperity. The challenge is to achieve a balance between security and productivity.

Other books on corporate security focus on hardware and software technology, and do not adequately cover the most serious threat of all: human deception. The purpose of this book, in contrast, is to help you understand how you, your co-workers, and others in your company are being manipulated, and the barriers you can erect to stop being victims. The book focuses mainly on the non-technical methods that hostile intruders use to steal information, compromise the integrity of information that is believed to be safe but isn’t, or destroy company work product.

My task is made more difficult by a simple truth: Every reader will have been manipulated by the grand experts of all time in social engineering – their parents. They found ways to get you – “for your own good” – to do what they thought best. Parents become great storytellers in the same way that social engineers skillfully develop very plausible stories, reasons, and justifications for achieving their goals. Yes, we were all molded by our parents: benevolent (and sometimes not so benevolent) social engineers.

Conditioned by that training, we have become vulnerable to manipulation. We would live a difficult life if we had to be always on our guard, mistrustful of others, concerned that we might become the dupe of someone trying to take advantage of us. In a perfect world we would implicitly trust others, confident that the people we encounter are going to be honest and trustworthy. But we do not live in a perfect world, and so we have to exercise a standard of vigilance to repel the deceptive efforts of our adversaries.

The main portions of this book, Parts 2 and 3, are made up of stories that show you social engineers in action. In these sections you’ll read about:

• What phone phreaks discovered years ago: A slick method for getting an unlisted phone number from the telephone company.

• Several different methods used by attackers to convince even alert, suspicious employees to reveal their computer usernames and passwords.

• How an Operations Center manager cooperated in allowing an attacker to steal his company’s most secret product information.

• The methods of an attacker who deceived a lady into downloading software that spies on every keystroke she makes and emails the details to him.

• How private investigators get information about your company, and about you personally, that I can practically guarantee will send a chill up your spine.

You might think as you read some of the stories in Parts 2 and 3 that they’re not possible, that no one could really succeed in getting away with the lies, dirty tricks, and schemes described in these pages. The reality is that in every case, these stories depict events that can and do happen; many of them are happening every day somewhere on the planet, maybe even to your business as you read this book.

The material in this book will be a real eye-opener when it comes to protecting your business, but also personally deflecting the advances of a social engineer to protect the integrity of information in your private life.

In Part 4 of this book I switch gears. My goal here is to help you create the necessary business policies and awareness training to minimize the chances of your employees ever being duped by a social engineer. Understanding the strategies, methods, and tactics of the social engineer will help prepare you to deploy reasonable controls to safeguard your IT assets, without undermining your company’s productivity.

In short, I’ve written this book to raise your awareness about the serious threat posed by social engineering, and to help you make sure that your company and its employees are less likely to be exploited in this way.

Or perhaps I should say, far less likely to be exploited ever again.

Part 2

The Art Of The Attacker

Chapter 2

When Innocuous Information Isn’t

What do most people think is the real threat from social engineers? What should you do to be on your guard?

If the goal is to capture some highly valuable prize – say, a vital component of the company’s intellectual capital – then perhaps what’s needed is, figuratively, just a stronger vault and more heavily armed guards. Right?

But in reality penetrating a company’s security often starts with the bad guy obtaining some piece of information or some document that seems so innocent, so everyday and unimportant, that most people in the organization wouldn’t see any reason why the item should be protected and restricted.

HIDDEN VALUE OF INFORMATION

Much of the seemingly innocuous information in a company’s possession is prized by a social engineering attacker because it can play a vital role in his effort to dress himself in a cloak of believability.

Throughout these pages, I’m going to show you how social engineers do what they do by letting you “witness” the attacks for yourself – sometimes presenting the action from the viewpoint of the people being victimized, allowing you to put yourself in their shoes and gauge how you yourself (or maybe one of your employees or co-workers) might have responded. In many cases you’ll also experience the same events from the perspective of the social engineer.

The first story looks at a vulnerability in the financial industry.

CREDITCHEX

For a long time, the British put up with a very stuffy banking system. As an ordinary, upstanding citizen, you couldn’t walk in off the street and open a bank account. No, the bank wouldn’t consider accepting you as a customer unless some person already well established as a customer provided you with a letter of recommendation.

Quite a difference, of course, in the seemingly egalitarian banking world of today. And our modern ease of doing business is nowhere more in evidence than in friendly, democratic America, where almost anyone can walk into a bank and easily open a checking account, right? Well, not exactly. The truth is that banks understandably have a natural reluctance to open an account for somebody who just might have a history of writing bad checks – that would be about as welcome as a rap sheet of bank robbery or embezzlement charges. So it’s standard practice at many banks to get a quick thumbs-up or thumbs-down on a prospective new customer.

One of the major companies that banks contract with for this information is an outfit we’ll call CreditChex. They provide a valuable service to their clients, but like many companies, can also unknowingly provide a handy service to knowing social engineers.

The First Call: Kim Andrews

“National Bank, this is Kim. Did you want to open an account today?”

“Hi, Kim. I have a question for you. Do you guys use CreditChex?”

“Yes.”

“When you phone in to CreditChex, what do you call the number you give them – is it a ‘Merchant ID’?”

A pause; she was weighing the question, wondering what this was about and whether she should answer.

The caller quickly continued without missing a beat:

“Because, Kim, I’m working on a book. It deals with private investigations.”

“Yes,” she said, answering the question with new confidence, pleased to be helping a writer.

“So it’s called a Merchant ID, right?”

“Uh huh.”

“Okay, great. Because I wanted to make sure I had the lingo right. For the book. Thanks for your help. Good-bye, Kim.”

The Second Call: Chris Talbert

“National Bank, New Accounts, this is Chris.”

“Hi, Chris. This is Alex,” the caller said. “I’m a customer service rep with CreditChex. We’re doing a survey to improve our services. Can you spare me a couple of minutes?”

She was glad to, and the caller went on:

“Okay – what are the hours your branch is open for business?” She answered, and continued answering his string of questions.

“How many employees at your branch use our service?”

“How often do you call us with an inquiry?”

“Which of our 800-numbers have we assigned you for calling us?”

“Have our representatives always been courteous?”

“How’s our response time?”

“How long have you been with the bank?”

“What Merchant ID are you currently using?”

“Have you ever found any inaccuracies with the information we’ve provided you?”

“If you had any suggestions for improving our service, what would they be?”

And:

“Would you be willing to fill out periodic questionnaires if we send them to your branch?”

She agreed, they chatted a bit, the caller rang off, and Chris went back to work.

The Third Call: Henry McKinsey

“CreditChex, this is Henry McKinsey, how can I help you?”

The caller said he was from National Bank. He gave the proper Merchant ID and then gave the name and social security number of the person he was looking for information on. Henry asked for the birth date, and the caller gave that, too.

After a few moments, Henry read the listing from his computer screen. “Wells Fargo reported NSF in 1998, one time, amount of $2,066.” NSF – non sufficient funds – is the familiar banking lingo for checks that have been written when there isn’t enough money in the account to cover them.

“Any activities since then?”

“No activities.”

“Have there been any other inquiries?”

“Let’s see. Okay, two of them, both last month. Third United Credit Union of Chicago.” He stumbled over the next name, Schenectady Mutual Investments, and had to spell it. “That’s in New York State,” he added.

Private Investigator at Work

All three of those calls were made by the same person: a private investigator we’ll call Oscar Grace. Grace had a new client, one of his first. A cop until a few months before, he found that some of this new work came naturally, but some offered a challenge to his resources and inventiveness. This one came down firmly in the challenge category.

The hardboiled private eyes of fiction – the Sam Spades and the Philip Marlowes – spend long night time hours sitting in cars waiting to catch a cheating spouse. Real-life PIs do the same. They also do a less written about, but no less important kind of snooping for warring spouses, a method that leans more heavily on social engineering skills than on fighting off the boredom of night time vigils.

Grace’s new client was a lady who looked as if she had a pretty comfortable budget for clothes and jewelry. She walked into his office one day and took a seat in the leather chair, the only one that didn’t have papers piled on it. She settled her large Gucci handbag on his desk with the logo turned to face him and announced she was planning to tell her husband that she wanted a divorce, but admitted to “just a very little problem.”

It seemed her hubby was one step ahead. He had already pulled the cash out of their savings account and an even larger sum from their brokerage account. She wanted to know where their assets had been squirreled away, and her divorce lawyer wasn’t any help at all. Grace surmised the lawyer was one of those uptown, high-rise counselors who wouldn’t get his hands dirty on something messy like where did the money go.

Could Grace help?

He assured her it would be a breeze, quoted a fee, expenses billed at cost, and collected a check for the first payment.

Then he faced his problem. What do you do if you’ve never handled a piece of work like this before and don’t quite know how to go about tracking down a money trail? You move forward by baby steps. Here, according to our source, is Grace’s story.

I knew about CreditChex and how banks used the outfit – my ex-wife used

to work at a bank. But I didn’t know the lingo and procedures, and trying

to ask my ex- would be a waste of time.

Step one: Get the terminology straight and figure out how to make the

request so it sounds like I know what I’m talking about. At the bank I

called, the first young lady, Kim, was suspicious when I asked about how

they identify themselves when they phone CreditChex. She hesitated; she

didn’t know whether to tell me. Was I put off by that? Not a bit. In fact,

the hesitation gave me an important clue, a sign that I had to supply a

reason she’d find believable. When I worked the con on her about doing

research for a book, it relieved her suspicions. You say you’re an author or

a movie writer, and everybody opens up.

She had other knowledge that would have helped – things like what

information CreditChex requires to identify the person you’re calling

about, what information you can ask for, and the big one, what was Kim’s

bank Merchant ID number. I was ready to ask those questions, but her

hesitation sent up the red flag. She bought the book research story, but she

already had a few niggling suspicions. If she’d been more willing right

away, I would have asked her to reveal more details about their procedures.

LINGO

MARK: The victim of a con.

BURN THE SOURCE: An attacker is said to have burned the source

when he allows a victim to recognize that an attack has taken place. Once

the victim becomes aware and notifies other employees or management of

the attempt, it becomes extremely difficult to exploit the same source in

future attacks.

You have to go on gut instinct, listen closely to what the mark is saying

and how she’s saying it. This lady sounded smart enough for alarm bells

to start going off if I asked too many unusual questions. And even though

she didn’t know who I was or what number I was calling from, still in this

business you never want anybody putting out the word to be on the look

out for someone calling to get information about the business. That’s

because you don’t want to burn the source – you may want to call the same

office back another time.

I’m always on the watch for little signs that give me a read on how

cooperative a person is, on a scale that runs from «You sound like a nice

person and I believe everything you’re saying» to «Call the cops, alert the

National Guard, this guy’s up to no good.»

I read Kim as a little bit on edge, so I just called somebody at a different

branch. On my second call with Chris, the survey trick played like a

charm. The tactic here is to slip the important questions in among

inconsequential ones that are used to create a sense of believability.

Before I dropped the question about the Merchant ID number with

CreditChex, I ran a little last-minute test by asking her a personal question

about how long she’d been with the bank.

A personal question is like a land mine – some people step right over it

and never notice; for other people, it blows up and sends them scurrying

for safety. So if I ask a personal question and she answers the question

and the tone of her voice doesn’t change, that means she probably isn’t

skeptical about the nature of the request. I can safely ask the sought after

question without arousing her suspicions, and she’ll probably give me the

answer I’m looking for.

One more thing a good PI knows: Never end the conversation after getting

the key information. Another two or three questions, a little chat, and then

it’s okay to say good-bye. Later, if the victim remembers anything about

what you asked, it will probably be the last couple of questions. The rest

will usually be forgotten.

So Chris gave me their Merchant ID number, and the phone number they

call to make requests. I would have been happier if I had gotten to ask

some questions about how much information you can get from

CreditChex. But it was better not to push my luck.

It was like having a blank check on CreditChex. I could now call and get

information whenever I wanted. I didn’t even have to pay for the service.

As it turned out, the CreditChex rep was happy to share exactly the

information I wanted: two places my client’s husband had recently applied

to open an account. So where were the assets his soon-to-be ex-wife was

looking for? Where else but at the banking institutions the guy at

CreditChex listed?

Analyzing the Con

This entire ruse was based on one of the fundamental tactics of social

engineering: gaining access to information that a company employee

treats as innocuous, when it isn’t.

The first bank clerk confirmed the terminology to describe the identifying

number used when calling CreditChex: the Merchant ID. The second

provided the phone number for calling CreditChex, and the most vital

piece of information, the bank’s Merchant ID number. All this information

appeared to the clerk to be innocuous. After all, the bank clerk thought

she was talking to someone from CreditChex – so what could be the harm

in disclosing the number?

All of this laid the groundwork for the third call. Grace had everything he

needed to phone CreditChex, pass himself off as a rep from one of their

customer banks, National, and simply ask for the information he was

after.

With as much skill at stealing information as a good swindler has at

stealing your money, Grace had well-honed talents for reading people. He

knew the common tactic of burying the key questions among innocent

ones. He knew a personal question would test the second clerk’s

willingness to cooperate, before innocently asking for the Merchant ID

number.

The first clerk’s error in confirming the terminology for the CreditChex ID

number would be almost impossible to protect against. The information is

so widely known within the banking industry that it appears to be

unimportant – the very model of the innocuous. But the second clerk,

Chris, should not have been so willing to answer questions without

positively verifying that the caller was really who he claimed to be. She

should, at the very least, have taken his name and number and called

back; that way, if any questions arose later, she may have kept a record of

what phone number the person had used. In this case, making a call like

that would have made it much more difficult for the attacker to

masquerade as a representative from CreditChex.

MITNICK MESSAGE

A Merchant ID in this situation is analogous to a password. If bank

personnel treated it like an ATM PIN, they might appreciate the sensitive

nature of the information. Is there an internal code or number in your

organization that people aren’t treating with enough care?

Better still would have been a call to CreditChex using a number the bank

already had on record – not a number provided by the caller – to verify that the

person really worked there, and that the company was really doing a

customer survey. Given the practicalities of the real world and the time

pressures that most people work under today, though, this kind of

verification phone call is a lot to expect, except when an employee is

suspicious that some kind of attack is being made.

THE ENGINEER TRAP

It is widely known that head-hunter firms use social engineering to recruit

corporate talent. Here’s an example of how it can happen.

In the late 1990s, a not very ethical employment agency signed a new

client, a company looking for electrical engineers with experience in the

telephone industry. The honcho on the project was a lady endowed with a

throaty voice and sexy manner that she had learned to use to develop

initial trust and rapport over the phone.

The lady decided to stage a raid on a cellular phone service provider to

see if she could locate some engineers who might be tempted to walk

across the street to a competitor. She couldn’t exactly call the switchboard

and say, «Let me talk to anybody with five years of engineering

experience.» Instead, for reasons that will become clear in a moment, she

began the talent assault by seeking a piece of information that appeared to

have no sensitivity at all, information that company people give out to

almost anybody who asks.

The First Call: The receptionist

The attacker, using the name Didi Sands, placed a call to the corporate

offices of the cellular phone service. In part, the conversation went like

this:

Receptionist: Good afternoon. This is Marie, how may I help you?

Didi: Can you connect me to the Transportation Department?

R: I’m not sure if we have one, I’ll look in my directory. Who’s calling?

D: It’s Didi.

R: Are you in the building, or… ?

D: No, I’m outside the building.

R: Didi who?

D: Didi Sands. I had the extension for Transportation, but I forgot what

it was.

R: One moment.

To allay suspicions, at this point Didi asked a casual, just-making-conversation

question designed to establish that she was on the «inside,» familiar

with company locations.

D: What building are you in – Lakeview or Main Place?

R: Main Place. (pause) It’s 805 555 6469.

To provide herself with a backup in case the call to Transportation didn’t

provide what she was looking for, Didi said she also wanted to talk to

Real Estate. The receptionist gave her that number, as well. When Didi

asked to be connected to the Transportation number, the receptionist tried,

but the line was busy.

At that point Didi asked for a third phone number, for Accounts

Receivable, located at a corporate facility in Austin, Texas. The

receptionist asked her to wait a moment, and went off the line. Reporting

to Security that she had a suspicious phone call and thought there was

something fishy going on? Not at all, and Didi didn’t have the least bit of

concern. She was being a bit of a nuisance, but to the receptionist it was

all part of a typical workday. After about a minute, the receptionist came

back on the line, looked up the Accounts Receivable number, tried it, and

put Didi through.

The Second Call: Peggy

The next conversation went like this:

Peggy: Accounts Receivable, Peggy.

Didi: Hi, Peggy. This is Didi, in Thousand Oaks.

P: Hi, Didi.

D: How ya doing?

P: Fine.

Didi then used a familiar term in the corporate world that describes the

charge code for assigning expenses against the budget of a specific

organization or workgroup:

D: Excellent. I have a question for you. How do I find out the cost center

for a particular department?

P: You’d have to get a hold of the budget analyst for the department.

D: Do you know who’d be the budget analyst for Thousand Oaks – headquarters?

I’m trying to fill out a form and I don’t know the proper cost center.

P: I just know when y’all need a cost center number, you call your

budget analyst.

D: Do you have a cost center for your department there in Texas?

P: We have our own cost center but they don’t give us a complete list of

them.

D: How many digits is the cost center? For example, what’s your cost

center?

P: Well, like, are you with 9WC or with SAT?

Didi had no idea what departments or groups these referred to, but it

didn’t matter. She answered:

D: 9WC.

P: Then it’s usually four digits. Who did you say you were with?

D: Headquarters–Thousand Oaks.

P: Well, here’s one for Thousand Oaks. It’s 1A5N, that’s N like in

Nancy.

By just hanging out long enough with somebody willing to be helpful,

Didi had the cost center number she needed – one of those pieces of

information that no one thinks to protect because it seems like something

that couldn’t be of any value to an outsider.

The Third Call: A Helpful Wrong Number

Didi’s next step would be to parlay the cost center number into something

of real value by using it as a poker chip.

She began by calling the Real Estate department, pretending she had

reached a wrong number. Starting with a «Sorry to bother you, but…»

she claimed she was an employee who had lost her company directory,

and asked who you were supposed to call to get a new copy. The man said

the print copy was out of date because it was available on the company

intranet site.

Didi said she preferred using a hard copy, and the man told her to call

Publications, and then, without being asked – maybe just to keep the sexy-sounding

lady on the phone a little longer – helpfully looked up the

number and gave it to her.

The Fourth Call: Bart in Publications

In Publications, she spoke with a man named Bart. Didi said she was from

Thousand Oaks, and they had a new consultant who needed a copy of the

company directory. She told him a print copy would work better for the

consultant, even if it was somewhat out of date. Bart told her she’d have to

fill out a requisition form and send the form over to him.

Didi said she was out of forms and it was a rush, and could Bart be a

sweetheart and fill out the form for her? He agreed with a little too much

enthusiasm, and Didi gave him the details. For the address of the fictional

contractor, she drawled the number of what social engineers call a mail

drop, in this case a Mail Boxes Etc.-type of commercial business where

her company rented boxes for situations just like this.

The earlier spadework now came in handy: There would be a charge for

the cost and shipping of the directory. Fine – Didi gave the cost center for

Thousand Oaks:

«1A5N, that’s N like in Nancy.»

A few days later, when the corporate directory arrived, Didi found it was

an even bigger payoff than she had expected: It not only listed the names

and phone numbers, but also showed who worked for whom – the

corporate structure of the whole organization.

The lady of the husky voice was ready to start making her head-hunter,

people-raiding phone calls. She had conned the information she needed to

launch her raid using the gift of gab honed to a high polish by every

skilled social engineer. Now she was ready for the payoff.

LINGO

MAIL DROP: The social engineer’s term for a rental mailbox, typically

rented under an assumed name, which is used to deliver documents or

packages the victim has been duped into sending.

MITNICK MESSAGE

Just like pieces of a jigsaw puzzle, each piece of information may be

irrelevant by itself. However, when the pieces are put together, a clear

picture emerges. In this case, the picture the social engineer saw was the

entire internal structure of the company.

Analyzing the Con

In this social engineering attack, Didi started by getting phone numbers

for three departments in the target company. This was easy, because the

numbers she was asking for were no secret, especially to employees. A

social engineer learns to sound like an insider, and Didi was skilled at this

game. One of the phone numbers led her to a cost center number, which

she then used to obtain a copy of the firm’s employee directory.

The main tools she needed: sounding friendly, using some corporate

lingo, and, with the last victim, throwing in a little verbal eyelash-batting.

And one more tool, an essential element not easily acquired – the

manipulative skills of the social engineer, refined through extensive

practice and the unwritten lessons of bygone generations of confidence

men.

MORE «WORTHLESS» INFO

Besides a cost center number and internal phone extensions, what other

seemingly useless information can be extremely valuable to your enemy?

Peter Abels’s Phone Call

«Hi,» the voice at the other end of the line says. «This is Tom at Parkhurst

Travel. Your tickets to San Francisco are ready. Do you want us to deliver

them, or do you want to pick them up?»

«San Francisco?» Peter says. «I’m not going to San Francisco.»

«Is this Peter Abels?»

«Yes, but I don’t have any trips coming up.»

«Well,» the caller says with a friendly laugh, «you sure you don’t want to

go to San Francisco?»

«If you think you can talk my boss into it…» Peter says, playing along

with the friendly conversation.

«Sounds like a mix-up,» the caller says. «On our system, we book travel

arrangements under the employee number. Maybe somebody used the

wrong number. What’s your employee number?»

Peter obligingly recites his number. And why not? It goes on just about

every personnel form he fills out, lots of people in the company have

access to it – human resources, payroll, and, obviously, the outside travel

agency. No one treats an employee number like some sort of secret. What

difference could it make?

The answer isn’t hard to figure out. Two or three pieces of information

might be all it takes to mount an effective impersonation – the social

engineer cloaking himself in someone else’s identity. Get hold of an

employee’s name, his phone number, his employee number–and maybe,

for good measure, his manager’s name and phone number – and a halfway-competent

social engineer is equipped with most of what he’s likely to

need to sound authentic to the next target he calls.

If someone who said he was from another department in your company

had called yesterday, given a plausible reason, and asked for your

employee number, would you have had any reluctance in giving it to him?

And by the way, what is your social security number?

MITNICK MESSAGE

The moral of the story is, don’t give out any personal or internal company

information or identifiers to anyone, unless his or her voice is

recognizable and the requestor has a need to know.

PREVENTING THE CON

Your company has a responsibility to make employees aware of how a

serious mistake can occur from mishandling nonpublic information. A

well-thought-out information security policy, combined with proper

education and training, will dramatically increase employee awareness

about the proper handling of corporate business information. A data

classification policy will help you to implement proper controls with

respect to disclosing information. Without a data classification policy, all

internal information must be considered confidential, unless otherwise

specified.

Take these steps to protect your company from the release of seemingly

innocuous information:

The Information Security Department needs to conduct awareness training

detailing the methods used by social engineers. One method, as described

above, is to obtain seemingly nonsensitive information and use it as a

poker chip to gain short-term trust. Each and every employee needs to be

aware that when a caller has knowledge about company procedures, lingo,

and internal identifiers it does not in any way, shape, or form authenticate

the requestor or authorize him or her as having a need to know. A caller

could be a former employee or contractor with the requisite insider

information. Accordingly, each

corporation has a responsibility to determine the appropriate

authentication method to be used when employees interact with people

they don’t recognize in person or over the telephone.

The person or persons with the role and responsibility of drafting a data

classification policy should examine the types of details that may be used

to gain access for legitimate employees that seem innocuous, but could

lead to information that is sensitive. Though you’d never give out the

access codes for your ATM card, would you tell somebody what server

you use to develop company software products? Could that information

be used by a person pretending to be somebody who has legitimate access

to the corporate network?

Sometimes just knowing inside terminology can make the social engineer

appear authoritative and knowledgeable. The attacker often relies on this

common misconception to dupe his or her victims into compliance. For

example, a Merchant ID is an identifier that people in the New Accounts

department of a bank casually use every day. But such an identifier is

exactly the same as a password. If each and every employee understands

the nature of this identifier – that it is used to positively authenticate a

requestor–they might treat it with more respect.

MITNICK MESSAGE

As the old adage goes – even real paranoids probably have enemies. We

must assume that every business has its enemies, too – attackers that target

the network infrastructure to compromise business secrets. Don’t end up

being a statistic on computer crime – it’s high time to shore up the

necessary defenses by implementing proper controls through well-thought-out

security policies and procedures.

No companies – well, very few, at least – give out the direct dial phone

numbers of their CEO or board chairman. Most companies, though, have

no concern about giving out phone numbers to most departments and

workgroups in the organization – especially to someone who is, or

appears to be, an employee. A possible countermeasure: Implement a policy

that prohibits giving internal phone numbers of employees, contractors,

consultants, and temps to outsiders. More importantly, develop a step-by-step

procedure to positively identify whether a caller asking for phone

numbers is really an employee.

Accounting codes for workgroups and departments, as well as copies of

the corporate directory (whether hard copy, data file, or electronic phone

book on the intranet) are frequent targets of social engineers. Every

company needs a written, well-publicized policy on disclosure of this type

of information. The safeguards should include maintaining an audit log

that records instances when sensitive information is disclosed to people

outside of the company.

Information such as an employee number, by itself, should not be used as

any sort of authentication. Every employee must be trained to verify not

just the identity of a requestor, but also the requestor’s need to know.

In your security training, consider teaching employees this approach:

Whenever asked a question or asked for a favor by a stranger, learn first

to politely decline until the request can be verified. Then – before giving

in to the natural desire to be Mr. or Ms. Helpful – follow company policies

and procedures with respect to verification and disclosure of nonpublic

information. This style may go against our natural tendency to help

others, but a little healthy paranoia may be necessary to avoid being the

social engineer’s next dupe.

As the stories in this chapter have shown, seemingly innocuous

information can be the key to your company’s most prized secrets.
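The countermeasures this chapter prescribes (treat unclassified information as confidential, never answer a non-public request on first contact, call back only on a number already on record rather than one the caller supplies, check need to know, and keep an audit log of disclosures) can be expressed as a small decision procedure. The Python below is an added example, not code from the book or from any real bank or directory service; the organisation names, phone numbers, classification table and need-to-know table are all constructed for illustration, and the two-step screen/callback flow is one possible way to model the procedure, not a prescribed one.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Classification(Enum):
    PUBLIC = "public"
    CONFIDENTIAL = "confidential"


# Constructed (hypothetical) classification table. Anything not listed falls
# through to CONFIDENTIAL, the default the chapter sets when no policy says otherwise.
CLASSIFICATION = {
    "main_switchboard_number": Classification.PUBLIC,
    "merchant_id": Classification.CONFIDENTIAL,
    "cost_center": Classification.CONFIDENTIAL,
}

# Constructed directory of record with made-up numbers. A callback is only ever
# placed to one of these; a number the caller supplies is never dialled.
DIRECTORY_OF_RECORD = {"CreditChex": "555-0100", "Thousand Oaks HQ": "555-0150"}

# Constructed need-to-know table: which items each organisation may be told.
NEED_TO_KNOW = {"CreditChex": {"merchant_id"}, "Thousand Oaks HQ": {"cost_center"}}


@dataclass
class Request:
    caller_name: str
    claimed_org: str
    caller_supplied_number: str  # recorded for the audit trail, never trusted
    item: str


@dataclass
class Decision:
    action: str  # "disclose", "decline" or "callback_required"
    reason: str
    callback_number: Optional[str] = None


class DisclosureGate:
    """Decline first, verify by callback to the record, then disclose on need to know."""

    def __init__(self):
        self.audit_log = []  # one entry per decision about a non-public item

    def classify(self, item):
        return CLASSIFICATION.get(item, Classification.CONFIDENTIAL)

    def screen(self, req):
        """First contact: nothing non-public is answered on the spot."""
        if self.classify(req.item) is Classification.PUBLIC:
            return Decision("disclose", "public information")
        on_record = DIRECTORY_OF_RECORD.get(req.claimed_org)
        if on_record is None:
            return self._log(req, Decision("decline", "claimed organisation has no number on record"))
        # Even when the caller's number matches the record, the callback goes to the record.
        return Decision("callback_required", "non-public item; verify caller first", on_record)

    def after_callback(self, req, reached_caller):
        """Second step: outcome of the callback placed to the on-record number."""
        if not reached_caller:
            return self._log(req, Decision("decline", "callback to on-record number did not reach the caller"))
        if req.item not in NEED_TO_KNOW.get(req.claimed_org, set()):
            return self._log(req, Decision("decline", "identity verified but no need to know"))
        return self._log(req, Decision("disclose", "identity verified by callback; need to know confirmed"))

    def _log(self, req, decision):
        self.audit_log.append((req.caller_name, req.claimed_org, req.caller_supplied_number,
                               req.item, decision.action, decision.reason))
        return decision


def run_chapter_scenarios():
    """Replays the chapter's requests through the gate and returns the actions taken."""
    gate, results = DisclosureGate(), []
    # Grace asks a clerk for the Merchant ID, claiming to be CreditChex (constructed number).
    grace = Request("Grace", "CreditChex", "555-0199", "merchant_id")
    results.append(gate.screen(grace).action)                              # callback_required
    results.append(gate.after_callback(grace, reached_caller=False).action)  # decline
    # Didi asks Accounts Receivable for a cost center, claiming Thousand Oaks HQ.
    didi = Request("Didi Sands", "Thousand Oaks HQ", "555-0198", "cost_center")
    gate.screen(didi)
    results.append(gate.after_callback(didi, reached_caller=False).action)   # decline
    # A genuine CreditChex employee reached on the on-record number, with need to know.
    rep = Request("Pat", "CreditChex", "555-0100", "merchant_id")
    gate.screen(rep)
    results.append(gate.after_callback(rep, reached_caller=True).action)     # disclose
    # Public information needs no callback at all and is not logged.
    results.append(gate.screen(Request("Anyone", "Unknown", "", "main_switchboard_number")).action)
    return results
```

The point to notice is that `screen` never looks at `caller_supplied_number` when choosing whom to call back: the number is kept only so the audit entry records what the caller claimed. Both fictional attackers are stopped at the callback step, because the organisation they named cannot produce them, and a verified caller is still refused anything outside the need-to-know table.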
