The Art of Deception: Controlling the Human Element of Security (13 page)

Read The Art of Deception: Controlling the Human Element of Security Online

Authors: Kevin D. Mitnick,William L. Simon,Steve Wozniak

Tags: #Computer Hackers, #Computer Security, #Electronic Books, #Computer Networks, #Computers, #Information Management, #Data Protection, #General, #Social Aspects, #Information Technology, #Internal Security, #Security, #Business & Economics, #Computer Science

BOOK: The Art of Deception: Controlling the Human Element of Security
9.64Mb size Format: txt, pdf, ePub

MITNICKS MESSAGE Intimidation can create a fear of punishment, influencing people to cooperate. Intimidation can also raise the fear of embarrassment or of being disqualified from that new promotion. People must be trained that it's not only acceptable but expected to challenge authority when security is at stake. Information security training should include teaching people how to challenge authority in customer-friendly ways, without damaging relationships. Moreover, this expectation must be supported from the top down. If an employee is not going to be backed up for challenging people regardless of their status, the normal reaction is to stop challenging--just the opposite of what you want.

WHAT THE SOCIAL SECURITY ADMINISTRATION KNOWS ABOUT YOU We like to think that government agencies with les on us keep the information safely locked away from people without an authentic need to know. The reality is that even the federal government isn't as immune to penetration as we would like to imagine. May Linn's Phone Call Place: A regional office of the Social Security Administration Time: 1 0:1 8 A.M., Thursday morning

"Mod Three. This is May Linn Wang."

The voice on the other end of the phone sounded apologetic, almost timid.

"Ms. Wang, this is Arthur Arondale, in the Office of the Inspector General. Can I call you 'May'? "It's 'May Linn'," she said.

"Well, it's like this, May Linn. We've got a new guy in here who there's no computer for yet, and right now he's got a priority project and he's using mine. We're the government of the United States, for cryin' out loud, and they say they don't have enough money in the budget to buy a computer for this guy to use. And now my boss thinks I'm falling behind and doesn't want to hear any excuses, you know?"

"I know what you mean, all right." "Can you help me with a quick inquiry on MCS?" he asked, using the name of the computer system for looking up taxpayer information. "Sure, what'cha need?" "The first thing I need you to do is an alphadent on Joseph Johnson, DOB 7/4/69." (Alphadent means to have the computer search for an account alphabetically by taxpayer name, further identified by date of birth.)

After a brief pause, she asked:

"What do you need to know?" "What's his account number?" he said, using the insider's

shorthand for the social security number. She read it off. "Okay, I need you to do a numident on that account number,"

the caller said.

That was a request for her to read off the basic taxpayer data, and May Linn responded by giving the taxpayer's place of birth, mother's maiden name, and father's name. The caller listened patiently while she also gave him the month and year the card was issued, and the district office it was issued by.

He next asked for a DEQY. (Pronounced "DECK-wee," it's short for "detailed earnings query.") The DEQY request brought the response, "For what year?" The caller replied, "Year 2001 ." May Linn said, "The amount was $190,286, the payer was Johnson MicroTech." "Any other wages?" "No." "Thanks," he said. "You've been very kind." Then he tried to arrange to call her whenever he needed information and couldn't get to his computer, again using the favorite trick of social engineers of always trying to establish a connection so that he can keep going back to the same person, avoiding the nuisance of having to find a new mark each time.

"Not next week," she told him, because she was going to Kentucky for her sister's

wedding.' Any other time, she'd do whatever she could.

When she put the phone down, May Linn felt good that she had been able to offer a little help to a fellow unappreciated public servant.

Keith Carter's Story To judge from the movies and from best-selling crime novels, a private investigator is short on ethics and long on knowledge of how to get the juicy facts on people. They do this by using thoroughly illegal methods, while just barely managing to avoid getting arrested. The truth, of course, is that most PIs run entirely legitimate businesses. Since many of them started their working lives as sworn law enforcement officers, they know perfectly well what's legal and what isn't, and most are not tempted to cross the line.

There are, however, exceptions. Some Pis - more than a few - do indeed fit the mold of the guys in the crime stories. These guys are known in the trade as information brokers, a polite term for people who are willing to break the rules. They know they can get any assignment done a good deal faster and a good deal easier if they take some shortcuts. That these shortcuts happen to be potential felonies that might land them behind bars for a few years doesn't seem to deter the more unscrupulous ones.

Meanwhile the upscale PIs--the ones who work out of a fancy office suite in a high-rent part of town--don't do this kind of work themselves. They simply hire some information broker to do it for them.

The guy we'll call Keith Carter was the kind of private eye unencumbered by ethics. It was a typical case of "Where's he hiding the money?" Or sometimes it's "Where's she hiding the money?" Sometimes it was a rich lady who wanted to know where her husband had hidden her money (though why a woman with money ever marries a guy without was a riddle Keith Carter wondered about now and then but had never found a good answer for).

In this case the husband, whose name was Joe Johnson, was the one keeping the money on ice. He "was a very smart guy who had started a high-tech company with ten thousand dollars he borrowed from his wife's family and built into a hundred-million dollar firm. According to her divorce lawyer, he had done an impressive job of hiding his assets, and the lawyer wanted a complete rundown.

Keith figured his starting point would be the Social Security Administration, targeting their files on Johnson, which would be packed with highly useful information for a situation like this. Armed with their info, Keith could pretend to be the target and get the banks, brokerage firms, and offshore institutions to tell him everything. His first phone call was to a local district office, using the same 800 number that any member of the public uses, the number listed in the local phone book. When a clerk came on the line, Keith asked to be connected to someone in Claims. Another wait, and then a voice. Now Keith shifted gears; "Hi," he began. "This is Gregory Adams, District Office 329. Listen, I'm trying to reach a claims adjuster that handles an account number that ends in 6363, and the number I have goes to a fax machine."

"That's Mod 2," the man said. He looked up the number and gave it to Keith.

Next he called Mod 2. When May Linn answered, he switched hats and went through the routine about being from the Office of the Inspector General, and the problem about somebody else having to use his computer. She gave him the information he was looking for, and agreed to do whatever she could when he needed help in the future.

Analyzing the Con What made this approach effective was the play on the employee's sympathy with the story about someone else using his computer and "my boss is not happy with me." People don't show their emotions at work very often; when they do, it can roll right over someone else's ordinary defenses against social engineering attacks. The emotional ploy of "I'm in trouble, won't you help me?" was all it took to win the day. Social Insecurity Incredibly, the Social Security Administration has posted a copy of their entire Program Operations Manual on the Web, crammed with information that's useful for their people, but also incredibly valuable to social engineers. It contains abbreviations, lingo, and instructions for how to request what you want, as described in this story.

Want to learn more inside information about the Social Security Administration? Just search on Google or enter the following address into your browser: http://policy.ssa.gov/poms.nsf/. Unless the agency has already read this story and removed the manual by the time you read this, you'll find on-line instructions that even give detailed information on what data an SSA clerk is allowed to give to the law enforcement community. In practical terms, that community includes any social engineer who can convince an SSA clerk that he is from a law enforcement organization. The attacker could not have been successful in obtaining this information from one of the clerks who handles phone calls from the general public. The kind of attack Keith used only works when the person on the receiving end of the call is someone whose phone number is unavailable to the public, and who therefore has the expectation that anyone calling must be somebody on the inside--another example of speakeasy security'. The elements that helped this attack to work included:

Knowing the phone number to the Mod.

Knowing the terminology they used--numident, alphadent, and DEQY.

Pretending to be from the Office of the Inspector General, which every federal government employee knows as a government-wide investigative agency with broad powers. This gives the attacker an aura of authority.

One interesting sidelight: Social engineers seem to know how to make requests so that hardly anyone ever thinks, "Why are you calling me.'- even when, logically; it would have made more sense if the call had gone to some other person in some completely different department. Perhaps it simply offers such a break in the monotony of the daily grind to help the caller that the victim discounts how unusual the call seems. Finally, the attacker in this incident, not satisfied with getting the information just for the case at hand, wanted to establish a contact he could call on regularly. He might otherwise have been able to use a common ploy for the sympathy attack-- "I spilled coffee on my keyboard." That was no good here, though, because a keyboard can be replaced in a day. Hence he used the story about somebody else using his computer, which he could reasonably string out for weeks: "Yep, I thought he'd have his own computer yesterday, but one came in and another guy pulled some kind of deal and got it instead. So this joker is still showing up in my cubicle." And so on.

Poor me, I need help. Works like a charm.

ONE SIMPLE CALL One of an attacker's main hurdles is to make his request sound reasonable something typical of requests that come up in the victim's workday, something that doesn't put the victim out too much. As with a lot of other things in life, making a request sound logical may be a challenge one day, but the next, it may be a piece of cake.

Mary H's Phone Call Date/Time: Monday, November 23, 7:49 A.M. Place: Mauersby & Storch Accounting, New York

To most people, accounting work is number crunching and bean counting, generally viewed as being about as enjoyable as having a root canal. Fortunately, not everyone sees the work that way. Mary Harris, for example, found her work as a senior accountant absorbing, part of the reason she was one of the most dedicated accounting employees at her firm.

On this particular Monday, Mary arrived early to get a head start on what she expected to be a long day, and was surprised to find her phone ringing. She picked it up and gave her name.

"Hi, this is Peter Sheppard. I'm with Arbuclde Support, the company that does tech support for your firm. We logged a couple of complaints over the weekend from people having problems with the computers there. I thought I could troubleshoot before everybody comes into work this morning. Are you having any problems with your computer or connecting to the network?"

She told him she didn't know yet. She turned her computer on and while it was booting, he explained what he wanted to do.

"I'd like to run a couple of tests with you, he said. "I'm able to see on my screen the keystrokes you type, and I want to make sure they're going across the network correctly. So every time you type a stroke, I want you to tell me what it is, and I'll see if the same letter or number is appearing here. Okay?" With nightmare visions of her computer not working and a frustrating day of not being able to get any work done, she was more than happy to have this man help her. After a few moments, she told him, "I have the login screen, and I'm going to type in my ID. I'm typing it now--M...A...R...Y...D."

"Great so far," he said. "I'm seeing that here. Now, go ahead and type your password but don't tell me what it is. You should never tell anybody your password, not even tech support. I'll just see asterisks here--your password is protected so I can't see it.': None of this was true, but it made sense to Mary. And then he said, "Let me know once your computer has started up." When she said it was running, he had her open two of her applications, and she reported that they launched "just fine."

Mary was relieved to see that everything seemed to be working normally. Peter said, "I'm glad I could make sure you'll be able to use your computer okay. And listen," he went on, "we just installed an update that allow people to change their passwords. Would you be willing to take a couple of minutes with me so I can see if we got it working right?

She was grateful for the help he had given her and readily agreed. Peter talked her through the steps of launching the application that allows a user to change passwords, a standard element of the Windows 2000 operating system. "Go ahead and enter your password," he told her. "But remember not to say it out loud."

When she had done that, Peter said, "Just for this quick test, when it asks for your new password, enter 'test123.' Then type it again in the Verification box, and click Enter."

He walked her through the process of disconnecting from the server. He had her wait a couple of minutes, then connect again, this time trying to log on with her new password. It worked like a charm, Peter seemed very pleased, and talked her through changing back to her original password or choosing a new one--once more cautioning her about not saying the password out loud.

"Well, Mary," Peter told her. "We didn't find any trouble, and that's great. Listen, if any problems do come up, just call us over here at Arbuckle. I'm usually on special projects but anybody here who answers can help you." She thanked him and they said goodbye.

Peter's Story The word had gotten around about Peter--a number of the people in his community who had gone to school with him had heard he turned into some kind of a computer whiz who could often find out useful information that other people couldn't get. When Alice Conrad came to him to ask a favor, he said no at first. Why should he help? When he ran into her once and tried to ask for a date, she had turned him down cold.

Other books

Model Misfit by Holly Smale
Late of This Parish by Marjorie Eccles
Aveline by Lizzy Ford
Runes #03 - Grimnirs by Ednah Walters