The Art of Deception: Controlling the Human Element of Security (16 page)

Still, let's not be too hasty in blaming Louis. After all, the person on the phone knew (or at least appeared to know) that co worker Angela had requested a fax. The caller knew about the security codes, and knew they were identified by letter designation. The caller said his branch manager was requiring it for greater security. There didn't really seem any reason not to give him the verification he was asking for.

Louis isn't alone. Bank employees give up security codes to social engineers every day. Incredible but true.

There's a line in the sand where a private investigator's techniques stop being legal and start being illegal. Vince stayed legal when he obtained the branch number. He even stayed legal when he conned Louis into giving him two of the day's security codes. He crossed the line when he had confidential information on a bank customer faxed to him.

But for Vince and his employer, it's a low-risk crime. When you steal money or goods, somebody will notice it's gone. When you steal information, most of the time no one will notice because the information is still in their possession.

MITNICK MESSAGE Verbal security codes are equivalent to passwords in providing a convenient and reliable means of protecting data. But employees need to be knowledgeable about the tricks that social engineers use, and trained not to give up the keys to the kingdom.

COPS AS DUPES For a shady private investigator or social engineer, there are frequent occasions when it would be handy to know someone's driver's license number--for example, if you want to assume another person's identity in order to obtain information about her bank balances.

Short of lifting the person's wallet or peering over her shoulder at an opportune moment, finding out the driver's license number ought to be next to impossible. But for anyone with even modest social engineering skills, it's hardly a challenge. One particular social engineer--Eric Mantini, I'll call him, needed to get driver's license and vehicle registration numbers on a regular basis. Eric figured it was unnecessarily increasing his risk to call the Department of Motor Vehicles (DMV) and go through the same ruse time after time whenever he needed that information. He wondered whether there wasn't some way to simplify the process.

Probably no one had ever thought of it before, but he figured out a way to get the information in a blink, whenever he wanted it. He did it by taking advantage of a service provided by his state's Department of Motor Vehicles. Many state DMVs (or whatever the department may be called in your state) make otherwise-privileged information about citizens available to insurance firms, private investigators, and certain other groups that the state legislature has deemed entitled to share it for the good of commerce and the society at large.

The DMV, of course, has appropriate limitations on which types of data will be given out. The insurance industry can get certain types of information from the files, but not others. A different set of limitations applies to PIs, and so on.

For law enforcement officers, a different rule generally applies: The DMV will supply any information in the records to any sworn peace officer who properly identifies himself. In the state Eric then lived in, the required identification was a Requestor Code issued by the DMV, along with the officer's driver's license number. The DMV employee would always verify by matching the officer's name against his driver's license number and one other piece of information-- usually date of birth-- before giving out any information.

What social engineer Eric wanted to do was nothing less than cloak himself in the identity of a law enforcement officer. How did he manage that? By running a reverse sting on the cops!

Eric's Sting First he called telephone information and asked for the phone number of DMV headquarters in the state capitol. He was given the number 503555-5000; that, of course, is the number for calls from the general public. He then called a nearby sheriff's station and asked for Teletype--the office where communications are sent to and received from other law enforcement agencies, the national crime database, local warrants, and so forth. When he reached Teletype, he said he was looking for the phone number for law enforcement to use when calling the DMV state headquarters.

"Who are you?" the police officer in Teletype asked.

"This is Al. I was calling 503-555-5753," he said. This was partly an assumption, and partly a number he pulled out of thin air; certainly the special DMV office set up to take law enforcement calls would be in the same area code as the number gtyen out for the public to call, and it was almost as certain that the next three digits, the prefix, would be the same. as well. All he really needed to find out was the last four.

A sheriff's Teletype room doesn't get calls from the public. And the caller already had most of the number. Obviously he was legitimate.

"It's 503-555-6127," the officer said.

So Eric now had the special phone number for law enforcement officers to call the DMV. But just the one number wasn't enough to satisfy him; the office would have a good many more than the single phone line, and Eric needed to know how many lines there were, and the phone number of each.

The Switch To carry out his plan, he needed to gain access to the telephone switch that handled the law enforcement phone lines into DMV. He called the state Telecommunications Department and claimed he was from Nortel, the manufacturer of the DMS-100, one of the most widely used commercial telephone switches. He said, "Can you please transfer me to one of the switch technicians that works on the DMS-100?"

When he reached the technician, he claimed to be with the Nortel Technical Assistance Support Center in Texas, and explained that they were creating a master database to update all switches with the latest software upgrades. It would all be done remotely--no need for any switch technician to participate. But they needed the dial-in number to the switch so that they could perform the updates directly from the Support Center.

It sounded completely plausible, and the technician gave Eric the phone number. He could now dial directly into one of the state's telephone switches.

To defend against outside intruders, commercial switches of this type are password-protected, just like every corporate computer network. Any good social engineer with a phone-phreaking background knows that Nortel switches provide a default account name for software updates: NTAS (the abbreviation for Nortel Technical Assistance Support; not very subtle). But what about a password? Eric dialed in several times, each time trying one of the obvious and commonly used choices. Entering the same as the account name, NTAS, didn't work. Neither did "helper." Nor did "patch."

Then he tried "update" . . . and he was in. Typical. Using an obvious, easily guessed password is only very slightly better than having no password at all.

It helps to be up to speed in your field; Eric probably knew as much about that switch and how to program and troubleshoot it as the technician. Once he was able to access the switch as an authorized user, he would gain full control over the telephone lines that were his target. From his computer, he queried the switch for the phone number he had been given for law enforcement calls to the DMV, 555-6127. He found there were nineteen other phone lines into the same department. Obviously they handled a high volume of calls.

For each incoming call, the switch was programmed to "hunt" through the twenty lines until it found one that wasn't busy.

He picked line number eighteen in the sequence, and entered the code that added call forwarding to that line. For the call-forwarding number, he entered the phone number of his new, cheap, prepaid cell phone, the kind that drug dealers are so fond of because they're inexpensive enough to throw away after the job is over. With call forwarding now activated on the eighteenth line, as soon as the office got busy enough to have seventeen calls in progress, the next call to come in would not ring in the DMV office but would instead be forwarded to Eric's cell phone. He sat back and waited.

A Call to DMV Shortly before 8 o'clock that morning, the cell phone rang. This part was the best, the most delicious. Here was Eric, the social engineer, talking to a cop, someone with the authority to come and arrest him, or get a search warrant and conduct a raid to collect evidence against him.

And not just one cop would call, but a string of them, one after another. On one occasion, Eric was sitting in a restaurant having lunch with friends, fielding a call every five minutes or so, writing the information on a paper napkin using a borrowed pen. HE still finds this hilarious.

But talking to police officers doesn't faze a good social engineer in the least. In fact, the thrill of deceiving these law enforcement agencies probably added to Eric s enjoyment of the act. According to Eric, the calls went something like this: "DMV, may I help you?" "This is Detective Andrew Cole." "Hi, detective. What can I do for you today?"

"I need a Soundex on driver's license 005602789," he might say, using the term familiar in law enforcement to ask for a photo--useful, for example, when officers are going out to arrest a suspect and want to know what he looks like. "Sure, let me bring up the record," Eric would say. "And, Detective Cole, what's your agency?" "Jefferson County." And then Eric would ask the hot questions: "Detective, what's your requestor code? What's your driver's license number. "What's your date of birth" The caller would give his personal identifying information. Eric would go through some pretense of verifying the information, and then tell the caller that the identifying information had been confirmed, and ask for the details of what the caller wanted to find out from the DMV. He'd pretend to start looking up the name, with the caller able to hear the clicking of the keys, and then say something like, "Oh, damn, my computer just went down again. Sorry, detective, my computer has been on the blink, all week. Would you mind calling back and getting another clerk to help you?"

This way he'd end the call tying up the loose ends without arousing any suspicion about why he wasn't able to assist the officer with his request. Meanwhile Eric had a stolen identity--details he could use to obtain confidential DMV information whenever he needed to.

After taking calls for a few hours and obtaining dozens of requestor codes, Eric dialed into the switch and deactivated the call forwarding.

For months after that, he'd carry on the assignments jobbed out to him by legitimate PI firms that didn't want to know how he was getting his information. Whenever he needed to, he'd dial back into the switch, turn on call forwarding, and gather another stack of police officer credentials.

Analyzing the Con Let's run a playback on the ruses Eric pulled on a series of people to make this deceit work. In the first successful step, he got a sheriff's deputy in a Teletype room to give out a confidential DMV phone number to a complete stranger, accepting the man as a deputy without requesting any verification.

Then someone at the state Telecom Department did the same thing, accepting Eric's claim that he was with an equipment manufacturer, and providing the stranger with a phone number for dialing into the telephone switch serving the DMV.

Eric was able to get into the switch in large measure because of weak security practices on the part of the switch manufacturer in using the same account name on all their switches. That carelessness made it a walk in the park for the social engineer to guess the password, knowing once again that switch technicians, just like almost everybody else, choose passwords that will be a cinch for them to remember.

With access to the switch, he set up call forwarding from one of the DMV phone lines for law enforcement to his own cell phone.

And then, the capper and most blatant part, he conned one law enforcement officer after another into revealing not only their requestor codes but their own personal identifying information, giving Eric the ability to impersonate them.

While there was certainly technical knowledge required to pull off this stunt, it could not have worked without the help of a series of people who had no clue that they were talking to an imposter.

This story was another illustration of the phenomenon of why people don't ask "Why me?" Why would the Teletype officer give this information to some sheriff's deputy he didn't know--or, in this case, a stranger passing himself off as a sheriff's deputy--instead of suggesting he get the information from a fellow deputy or his own sergeant? Again, the only answer I can offer is that people rarely ask this question. It doesn't occur to them to ask? They don't want to sound challenging and unhelpful? Maybe. Any further explanation would just be guesswork. But social engineers don't care why; they only care that this little fact makes it easy to get information that otherwise might be a challenge to obtain.

MITNICK MESSAGE If you have a telephone switch at your company facilities, what would the person in charge do if he received a call from the vendor, asking for the dial-in number? And by the way, has that person ever changed the default password for the switch? Is that password an easy-to-guess word found in any dictionary?

PREVENTING THE CON A security code, properly used, adds a valuable layer of protection. A security code improperly used can be worse than none at all because it gives the illusion of security where it doesn't really exist. What good are codes if your employees don't keep them. secret?

Any company with a need for verbal security codes needs to spell out clearly for its employees when and how the codes are used. Properly trained, the character in the first story in this chapter would not have had to rely on his instincts, easily overcome, when asked to give a security code to a stranger. He sensed that he should not be asked for this information under the circumstances, but lacking a clear security policy--and good common sense--he readily gave in.

Security procedures should also set up steps to follow when an employee fields an inappropriate request for a security code. All employees should be trained to immediately report any request for authentication credentials, such as a daily code or password, made under suspicious circumstances. They should also report when an attempt to verify the identity of a requestor doesn't check out.