The Art of Deception: Controlling the Human Element of Security

Authors: Kevin D. Mitnick, William L. Simon, Steve Wozniak

Plotting further, feeling his way, it came to him that he could reach his goal by seeing if the school had a graduate with the same name as his, who had earned a computer science degree any time during an appropriate span of years. If so, he could just put down the other Michael Parker's social security number on employment application forms; any company that checked the name and social security number with the university would be told that, yes, he did have the claimed degree. (It wouldn't be obvious to most people but was obvious to him that he could put one social security number on the job application and then, if hired, put his own real number on the new-employee forms. Most companies would never think to check whether a new hire had used a different number earlier in the hiring process.)

Logging In to Trouble

How to find a Michael Parker in the university's records? He went about it like this:

Going to the main library on the university campus, he sat down at a computer terminal, got up on the Internet, and accessed the university's Web site. He then called the Registrar's office. With the person who answered, he went through one of the by-now-familiar social engineering routines: "I'm calling from the Computer Center, we're making some changes to the network configuration and we want to make sure we don't disrupt your access. Which server do you connect to?"

"What do you mean, server?" he was asked. "What computer do you connect to when you need to look up student academic information?"

The answer, admin.rnu.edu, gave him the name of the computer where student records were stored. This was the first piece of the puzzle: He now knew his target machine.

LINGO

DUMB TERMINAL: A terminal that doesn't contain its own microprocessor. Dumb terminals can only accept simple commands and display text characters and numbers.

He typed that URL into the computer and got no response--as expected, there was a firewall blocking access. So he ran a program to see if he could connect to any of the services running on that computer, and found an open port with a Telnet service running, which allows one computer to connect remotely to another computer and access it as if directly connected using a dumb terminal. All he would need to gain access would be the standard user ID and password.

He made another call to the registrar's office, this time listening carefully to make sure he was talking to a different person. He got a lady, and again he claimed to be from the university's Computer Center. They were installing a new production system for administrative records, he told her. As a favor, he'd like her to connect to the new system, still in test mode, to see if she could access student academic records okay. He gave her the IP address to connect to, and talked her through the process.

In fact, the IP address took her to the computer Michael was sitting at in the campus library. Using the same process described in Chapter 8, he had created a login simulator--a decoy sign-in screen--looking just like the one she was accustomed to seeing when going onto the system for student records. "It's not working," she told him. "It keeps saying 'Login incorrect.'"

By now the login simulator had fed the keystrokes of her account name and password to Michael's terminal; mission accomplished. He told her, "Oh, some of the accounts haven't been brought over yet to this machine. Let me set up your account, and I'll call you back." Careful about tying up loose ends, as any proficient social engineer needs to be, he would make a point of phoning later to say that the test system wasn't working right yet, and if it was okay with her, they'd call back to her or one of the other folks there when they had figured out what was causing the problem.

The Helpful Registrar

Now Michael knew what computer system he needed to access, and he had a user's ID and password. But what commands would he need in order to search the files for information on a computer science graduate with the right name and graduation date? The student database would be a proprietary one, created on campus to meet the specific requirements of the university and the Registrar's office, and would have a unique way of accessing information in the database.

First step in clearing this last hurdle: Find out who could guide him through the mysteries of searching the student database. He called the Registrar's office again, this time reaching a different person. He was from the office of the Dean of Engineering, he told the lady, and he asked, "Who are we supposed to call for help when we're having problems accessing the student academic records?"

Minutes later he was on the phone with the college's database administrator, pulling the sympathy act: "I'm Mark Sellers, in the registrar's office. You feel like taking pity on a new guy? Sorry to be calling you but they're all in a meeting this afternoon and there's no one around to help me. I need to retrieve a list of all graduates with a computer science degree, between 1990 and 2000. They need it by the end of the day and if I don't have it, I may not have this job for long. You willing to help out a guy in trouble?" Helping people out was part of what this database administrator did, so he was extra patient as he talked Michael step by step through the process.

By the time they hung up, Michael had downloaded the entire list of computer science graduates for those years. Within a few minutes he had run a search, located two Michael Parkers, chosen one of them, and obtained the guy's social security number as well as other pertinent information stored in the database.

He had just become "Michael Parker, B.S. in Computer Science, graduated with honors, 1998." In this case, the "B.S." was uniquely appropriate.

Analyzing the Con

This attack used one ruse I haven't talked about before: The attacker asking the organization's database administrator to walk him through the steps of carrying out a computer process he didn't know how to do. A powerful and effective turning of the tables, this is the equivalent of asking the owner of a store to help you carry a box containing items you've just stolen from his shelves out to your car.

MITNICK MESSAGE

Computer users are sometimes clueless about the threats and vulnerabilities associated with social engineering that exist in our world of technology. They have access to information, yet lack the detailed knowledge of what might prove to be a security threat. A social engineer will target an employee who has little understanding of how valuable the information being sought is, so the target is more likely to grant the stranger's request.

PREVENTING THE CON

Sympathy, guilt, and intimidation are three very popular psychological triggers used by the social engineer, and these stories have demonstrated the tactics in action. But what can you and your company do to avoid these types of attacks?

Protecting Data

Some stories in this chapter emphasize the danger of sending a file to someone you don't know, even when that person is (or appears to be) an employee, and the file is being sent internally, to an email address or fax machine within the company.

Company security policy needs to be very specific about the safeguards for surrendering valued data to anyone not personally known to the sender. Exacting procedures need to be established for transferring files with sensitive information. When the request is from someone not personally known, there must be clear steps to take for verification, with different levels of authentication depending on the sensitivity of the information.

Here are some techniques to consider:

Establish the need to know (which may require obtaining authorization from the designated information owner).

Keep a personal or departmental log of these transactions.

Maintain a list of people who have been specially trained in the procedures and who are trusted to authorize sending out sensitive information. Require that only these people be allowed to send information to anyone outside the workgroup.

If a request for the data is made in writing (email, fax, or mail), take additional security steps to verify that the request actually came from the person it appears to have come from.

About Passwords

All employees who are able to access any sensitive information--and today that means virtually every worker who uses a computer--need to understand that simple acts like changing your password, even for a few moments, can lead to a major security breach.

Security training needs to cover the topic of passwords, and that has to focus in part on when and how to change your password, what constitutes an acceptable password, and the hazards of letting anyone else become involved in the process. The training especially needs to convey to all employees that they should be suspicious of any request that involves their passwords.

On the surface this appears to be a simple message to get across to employees. It's not, because to appreciate this idea requires that employees grasp how a simple act like changing a password can lead to a security compromise. You can tell a child "Look both ways before crossing the street," but until the child understands why that's important, you're relying on blind obedience. And rules requiring blind obedience are typically ignored or forgotten.

NOTE Passwords are such a central focus of social engineering attacks that we devote a separate section to the topic in Chapter 16, where you will find specific recommended policies on managing passwords.

A Central Reporting Point

Your security policy should provide a person or group designated as a central point for reporting suspicious activities that appear to be attempts to infiltrate your organization. All employees need to know who to call any time they suspect an attempt at electronic or physical intrusion. The phone number of the place to make these reports should always be close at hand so employees don't have to dig for it if they become suspicious that an attack is taking place.

Protect Your Network

Employees need to understand that the name of a computer server or network is not trivial information, but rather it can give an attacker essential knowledge that helps him gain trust or find the location of the information he desires.

In particular, people such as database administrators who work with software belong to that category of those with technology expertise, and they need to operate under special and very restrictive rules about verifying the identity of people who call them for information or advice. People who regularly provide any kind of computer help need to be well trained in what kinds of requests should be red flags, suggesting that the caller may be attempting a social engineering attack.

It's worth noting, though, that from the perspective of the database administrator in the last story in this chapter, the caller met the criteria for being legitimate: He was calling from on campus, and he was obviously on a site that required an account name and password. This just makes clear once again the importance of having standardized procedures for verifying the identity of anybody requesting information, especially in a case like this where the caller was asking for help in obtaining access to confidential records.

All of this advice goes double for colleges and universities. It's not news that computer hacking is a favorite pastime for many college students, and it should also be no surprise that student records--and sometimes faculty records, as well--are a tempting target. This abuse is so rampant that some corporations actually consider campuses a hostile environment, and create firewall rules that block access from educational institutions with addresses that end in .edu.

The long and short of it is that all student and personnel records of any kind should be seen as prime targets of attack, and should be well protected as sensitive information.

Training Tips

Most social engineering attacks are ridiculously easy to defend against... for anyone who knows what to be on the lookout for.

From the corporate perspective, there is a fundamental need for good training. But there is also a need for something else: a variety of ways to remind people of what they've learned.

Use splash screens that appear when the user's computer is turned on, with a different security message each day. The message should be designed so that it does not disappear automatically, but requires the user to click on some kind of acknowledgement that he/she has read it.

Another approach I recommend is to start a series of security reminders. Frequent reminder messages are important; an awareness program needs to be ongoing and never-ending. In delivering content, the reminders should not be worded the same in every instance. Studies have shown that these messages are more effectively received when they vary in wording or when used in different examples. One excellent approach is to use short blurbs in the company newsletter. This should not be a full column on the subject, although a security column would certainly be valuable. Instead, design a two- or three-column-wide insert, something like a small display ad in your local newspaper. In each issue of the newsletter, present a new security reminder in this short, attention-catching way.

Chapter 9

The Reverse Sting

The Sting, mentioned elsewhere in this book (and in my opinion probably the best movie that's ever been made about a con operation), lays out its tricky plot in fascinating detail. The sting operation in the movie is an exact depiction of how top grifters run "the wire," one of the three types of major swindles referred to as "big cons." If you want to know how a team of professionals pulls off a scam raking in a great deal of money in a single evening, there's no better textbook.

But traditional cons, whatever their particular gimmick, run according to a pattern. Sometimes a ruse is worked in the opposite direction, which is called a reverse sting. This is an intriguing twist in which the attacker sets up the situation so that the victim calls on the attacker for help, or believes a co-worker has made a request that the attacker is responding to. How does this work? You're about to find out.

LINGO

REVERSE STING: A con in which the person being attacked asks the attacker for help.

THE ART OF FRIENDLY PERSUASION

When the average person conjures up the picture of a computer hacker, what usually comes to mind is the uncomplimentary image of a lonely, introverted nerd whose best friend is his computer and who has difficulty carrying on a conversation, except by instant messaging. The social engineer, who often has hacker skills, also has people skills at the opposite end of the spectrum--well-developed abilities to use and manipulate people that allow him to talk his way into getting information in ways you would never have believed possible.

Angela's Caller

Place: Valley branch, Industrial Federal Bank. Time: 11:27 A.M.

Angela Wisnowski answered a phone call from a man who said he was just about to receive a sizeable inheritance and he wanted information on the different types of savings accounts, certificates of deposit, and whatever other investments she might be able to suggest that would be safe, but earn decent interest. She explained there were quite a number of choices and asked if he'd like to come in and sit down with her to discuss them. He was leaving on a trip as soon as the money arrived, he said, and had a lot of arrangements to make. So she began suggesting some of the possibilities and giving him details of the interest rates, what happens if you sell a CD early, and so on, while trying to pin down his investment goals.

She seemed to be making progress when he said, "Oh, sorry, I've got to take this other call. What time can I finish this conversation with you so I can make some decisions? When do you leave for lunch?" She told him 12:30 and he said he'd try to call back before then or the following day.

Louis's Caller

Major banks use internal security codes that change every day. When somebody from one branch needs information from another branch, he proves he's entitled to the information by demonstrating he knows the day's code. For an added degree of security and flexibility, some major banks issue multiple codes each day. At a West Coast outfit I'll call Industrial Federal Bank, each employee finds a list of five codes for the day, identified as A through E, on his or her computer each morning.

Place: Same. Time: 12:48 P.M., same day.

Louis Halpburn didn't think anything of it when a call came in that afternoon, a call like others he handled regularly several times a week.

"Hello," the caller said. "This is Neil Webster. I'm calling from branch 3182 in Boston. Angela Wisnowski, please."

"She's at lunch. Can I help?"

"Well, she left a message asking us to fax some information on one of our customers."

The caller sounded like he had been having a bad day.

"The person who normally handles those requests is out sick," he said. "I've got a stack of these to do, it's almost 4 o'clock here and I'm supposed to be out of this place to go to a doctor's appointment in half an hour."

The manipulation--giving all the reasons why the other person should feel sorry for him--was part of softening up the mark. He went on, "Whoever took her phone message, the fax number is unreadable. It's 213-something. What's the rest?"

Louis gave the fax number, and the caller said, "Okay, thanks. Before I can fax this, I need to ask you for Code B."

"But you called me," he said with just enough chill so the man from Boston would get the message.

This is good, the caller thought. It's so cool when people don't fall over at the first gentle shove. If the, don't resist a little, the job is too easy and I could start getting lazy.

To Louis, he said, "I've got a branch manager that's just turned paranoid about getting verification before we send anything out, is all. But listen, if you don't need us to fax the information, it's okay. No need to verify."

"Look," Louis said, "Angela will be back in half an hour or so. I can have her call you back."

"I'll just tell her I couldn't send the information today because you wouldn't identify this as a legitimate request by giving me the code. If I'm not out sick tomorrow, I'll call her back then."

"The message says 'Urgent.' Never mind, without verification my hands are tied. You'll tell her I tried to send it but you wouldn't give the code, okay?"

Louis gave up under the pressure. An audible sigh of annoyance came winging its way down the phone line.

"Well," he said, "wait a minute; I have to go to my computer. Which code did you want?"

"B," the caller said.

He put the call on hold and then in a bit picked up the line again. "It's 3184."

"That's not the right code."

"Yes it is--B is 3184."

"I didn't say B, I said E."

"Oh, damn. Wait a minute." Another pause while he again looked up the codes. "E is 9697."

"9697--right. I'll have the fax on the way. Okay?"

"Sure. Thanks."

Walter's Call

"Industrial Federal Bank, this is Walter."

"Hey, Walter, it's Bob Grabowski in Studio City, branch 38," the caller said. "I need you to pull a sig card on a customer account and fax it to me."

The sig card, or signature card, has more than just the customer's signature on it; it also has identifying information, familiar items such as the social security number, date of birth, mother's maiden name, and sometimes even a driver's license number. Very handy to a social engineer.

"Sure thing. What's Code C?"

"Another teller is using my computer right now," the caller said. "But I just used B and E, and I remember those. Ask me one of those."

"Okay, what's E?"

"E is 9697."

A few minutes later, Walter faxed the sig card as requested.

Donna Plaice's Call

"Hi, this is Mr. Anselmo."

"How can I help you today?"

"What's that 800 number I'm supposed to call when I want to see if a deposit has been credited yet?"

"You're a customer of the bank?"

"Yes, and I haven't used the number in a while and now I don't know where I wrote it down."

"The number is 800-555-8600."

"Okay, thanks."

Vince Capelli's Tale

The son of a Spokane street cop, Vince knew from an early age that he wasn't going to spend his life slaving long hours and risking his neck for minimum wage. His two main goals in life became getting out of Spokane, and going into business for himself. The laughter of his homies all through high school only fired him up all the more--they thought it was hilarious that he was so busted on starting his own business but had no idea what business it might be.

Secretly Vince knew they were right. The only thing he was good at was playing catcher on the high school baseball team. But not good enough to capture a college scholarship, no way good enough for professional baseball. So what business was he going to be able to start?

One thing the guys in Vince's group never quite figured out: Anything one of them had--a new switchblade knife, a nifty pair of warm gloves, a sexy new girlfriend--if Vince admired it, before long the item was his. He didn't steal it, or sneak behind anybody's back; he didn't have to. The guy who had it would give it up willingly, and then wonder afterward how it had happened. Even asking Vince wouldn't have gotten you anywhere: He didn't know himself. People just seemed to let him have whatever he wanted.

Vince Capelli was a social engineer from an early age, even though he had never heard the term.

His friends stopped laughing once they all had high school diplomas in hand. While the others slogged around town looking for jobs where you didn't have to say "Do you want fries with that?" Vince's dad sent him off to talk to an old cop pal who had left the force to start his own private investigation business in San Francisco. He quickly spotted Vince's talent for the work, and took him on.

That was six years ago. He hated the part about getting the goods on unfaithful spouses, which involved achingly dull hours of sitting and watching, but felt continually challenged by assignments to dig up asset information for attorneys trying to figure out if some miserable stiff was rich enough to be worth suing. These assignments gave him plenty of chances to use his wits.

Like the time he had to look into the bank accounts of a guy named Joe Markowitz. Joe had maybe worked a shady deal on a one-time friend of his, which friend now wanted to know, if he sued, was Markowitz flush enough that the friend might get some of his money back?

Vince's first step would be to find out at least one, but preferably two, of the bank's security codes for the day. That sounds like a nearly impossible challenge: What on earth would induce a bank employee to knock a chink in his own security system? Ask yourself--if you wanted to do this, would you have any idea of how to go about it? For people like Vince, it's too easy.

People trust you if you know the inside lingo of their job and their company. It's like showing you belong to their inner circle. It's like a secret handshake.

I didn't need much of that for a job like this. Definitely not brain surgery. All's I needed to get started was a branch number. When I dialed the Beacon Street office in Buffalo, the guy that answered sounded like a teller.

"This is Tim Ackerman," I said. Any name would do, he wasn't going to write it down. "What's the branch number there?"

"The phone number or the branch number?" he wanted to know, which was pretty stupid because I had just dialed the phone number, hadn't I? "Branch number." "3182," he said. Just like that. No, "Whad'ya wanna know for?" or anything. 'Cause it's not sensitive information, it's written on just about every piece of paper they use.

Step Two, call the branch where my target did his banking, get the name of one of their people, and find out when the person would be out for lunch. Angela. Leaves at 12:30. So far, so good.

Step Three, call back to the same branch during Angela's lunch break, say I'm calling from branch number such-and-such in Boston, Angela needs this information faxed, gimme a code for the day. This is the tricky part; it's where the rubber meets the road. If I was making up a test to be a social engineer, I'd put something like this on it, where your victim gets suspicious--for good reason-- and you still stick in there until you break him down and get the information you need. You can't do that by reciting lines from a script or learning a routine, you got to be able to read your victim, catch his mood, play him like landing a fish where you let out a little line and reel in, let out and reel in. Until you get him in the net and flop him into the boat, splat!

So I landed him and had one of the codes for the day. A big step. With most banks, one is all they use, so I would've been home free. Industrial Federal Bank uses five, so having just one out of five is long odds. With two out of five, I'd have a much better chance of getting through the next act of this little drama. I love that part about "I didn't say B, I said E." When it works, it's beautiful. And it works most of the time.

Getting a third one would have been even better. I've actually managed to get three on a single call--"B," "D," and "E" sound so much alike that you can claim they misunderstood you again. But you have to be talking to somebody who's a real pushover. This man wasn't. I'd go with two.

The day codes would be my trump to get the signature card. I call, and the guy asks for a code. C he wants, and I've only got B and E. But it's not the end of the world. You gotta stay cool at a moment like this, sound confident, keep right on going. Real smooth, I played him with the one about, "Somebody's using my computer, ask me one of these others."

We're all employees of the same company, we're all in this together, make it easy on the guy--that's what you're hoping the victim is thinking at a moment like this. And he played it right by the script. He took one of the choices I offered, I gave him the right answer, he sent the fax of the sig card. Almost home. One more call gave me the 800 number that customers use for the automated service where an electronic voice reads you off the information you ask for. From the sig card, I had all of my target's account numbers and his PIN number, because that bank used the first five or last four digits of the social security number. Pen in hand, I called the 800 number and after a few minutes of pushing buttons, I had the latest balance in all four of the guy's accounts, and just for good measure, his most recent deposits and withdrawals in each.

Everything my client had asked for and more. I always like to give a little extra for good measure. Keep the clients happy. After all, repeat business is what keeps an operation going, right?

Analyzing the Con

The key to this entire episode was obtaining the all-important day codes, and to do that the attacker, Vince, used several different techniques.

He began with a little verbal arm-twisting when Louis proved reluctant to give him a code. Louis was right to be suspicious--the codes are designed to be used in the opposite direction. He knew that in the usual flow of things, the unknown caller would be giving him a security code. This was the critical moment for Vince, the hinge on which the entire success of his effort depended.

In the face of Louis's suspicion, Vince simply laid it on with manipulation, using an appeal to sympathy ("going to the doctor"), and pressure ("I've got a stack to do, it's almost 4 o'clock"), and manipulation ("Tell her you wouldn't give me the code"). Cleverly, Vince didn't actually make a threat, he just implied one: If you don't give me the security code, I won't send the customer information that your co-worker needs, and I'll tell her I would have sent it but you wouldn't cooperate.
