The Art of Deception: Controlling the Human Element of Security (19 page)

THE PROMOTION SEEKER Late in the morning of a pleasant autumn day, Peter Milton walked into the lobby of the Denver regional offices of Honorable Auto Parts, a national parts wholesaler for the automobile aftermarket. He waited at the reception desk while the young lady signed in a visitor, gave driving directions to a caller, and dealt with the UPS man, all more or less at the same time.

"So how did you learn to do so many things at once?" Pete said when she had time to help him. She smiled, obviously pleased he had noticed. He was from Marketing in the Dallas office, he told her, and said that Mike Talbott from Atlanta field sales was going to be meeting him. "We have a client to visit together this afternoon," he explained. I'll just wait here in the lobby."

"Marketing." She said the word almost wistfully, and Pete smiled at her, waiting to hear what was coming. "If I could go to college, that's what I'd take," she said. "I'd love to work in Marketing."

He smiled again. "Kaila," he said, reading her name off the sign on the counter, "We have a lady in the Dallas office who was a secretary. She got herself moved over to Marketing. That was three years ago, and now she's an assistant marketing manager, making twice what she was." Kaila looked starry-eyed. He went on, "Can you use a computer?" "Sure," she said.

"How would you like me to put your name in for a secretary's job in Marketing. She beamed. "For that I'd even move to Dallas." "You're going to love Dallas," he said. "I can't promise an opening right away, but I'll see what I can do." She thought that this nice man in the suit and tie and with the neatly trimmed, well-combed hair might make a big difference in her working life.

Pete sat down across the lobby, opened his laptop, and started getting some work done. After ten or fifteen minutes, he stepped back up to the counter. "Listen," he said, "it looks like Mike must've been held up. Is there a conference room where I could sit and check my emails while I'm waiting?"

Kaila called the man who coordinated the conference room scheduling and arranged for Pete to use one that wasn't booked. Following a pattern picked up from Silicon Valley companies (Apple was probably the first to do this) some of the conference rooms were named after cartoon characters, others after restaurant chains or movie stars or comic book heroes. He was told to look for the Minnie Mouse room. She had him sign in, and gave him directions to find Minnie Mouse.

He located the room, settled in, and connected his laptop to the Ethernet port.

Do you get the picture yet?

Right--the intruder had connected to the network behind the corporate firewall.

Anthony's Story I guess you could call Anthony Lake a lazy businessman. Or maybe "bent" comes closer. Instead of working for other people, he had decided he wanted to go to work for himself; he wanted to open a store, where he could be at one place all day and not have to run all over the countryside. Only he wanted to have a business that he could be as sure as possible he could make money at.

What kind of store? That didn't take long to figure out. He knew about repairing cars, so an auto parts store.

And how do you build in a guarantee of success? The answer came to him in a flash: convince auto parts wholesaler Honorable Auto Parts to sell him all the merchandise he needed at their cost.

Naturally they wouldn't do this willingly. But Anthony knew how to con people, his friend Mickey knew about breaking into other people's computers, and together they worked out a clever plan.

That autumn day he convincingly passed himself off as an employee named Peter Milton, and he had conned his way inside the Honorable Auto Parts offices and had already plugged his laptop into their network. So far, so good, but that was only the first step. What he still had to do wouldn't be easy, especially since Anthony had set himself a fifteen-minute time limit--any longer and he figured that the risk of discovery would be too high.

MITNICK MESSAGE Train your people not to judge a book solely by its cover--just because someone is well-dressed and well-groomed he shouldn't be any more believable.

In an earlier phone call pretexting as a support person from their computer supplier, he had put on a song-and-dance act. "Your company has purchased a two-year support plan and we're putting you in the database so we can know when a software program you're using has come out with a patch or a new updated version. So I need to have you tell me what applications you're using." The response gave him a list of programs, and an accountant friend identified the one called MAS 90 as the target--the program that would hold their list of vendors and the discount and payment terms for each.

With that key knowledge, he next used a software program to identifiy," all the working hosts on the network, and it didn't take him long to locate the correct server used by the Accounting department. From the arsenal of hacker tools on his laptop, he launched one program and used it to identify all of the authorized users on the target server. With another, he then ran a list of commonly used passwords, such as "blank," and "password" itself. "Password" worked. No surprise there. People just lose all creativity when it comes to choosing passwords.

Only six minutes gone, and the game was half over. He was in.

Another three minutes to very carefully add his new company, address, phone number, and contact name to the list of customers. And then for the crucial entry, the one that would make all the difference, the entry that said all items were to be sold to him at 1 percent over Honorable Auto Parts' cost.

In slightly under ten minutes, he was done. He stopped long enough to tell Kaila thanks, he was through checking his emails. And he had reached Mike Talbot, change of plans, he was on the way to a meeting at a client's office. And he wouldn't forget about recommending her for that job in Marketing, either.

Analyzing the Con The intruder who called himself Peter Milton used two psychological subversion techniques--one planned, the other improvised on the spur of the moment. He dressed like a management worker earning good money. Suit and tie, hair carefully styled--these seem like small details, but they make an impression. I discovered this myself, inadvertently. In a short time as a programmer at GTE California--a major telephone company no longer in existence--I discovered that if I came in one day without a badge, neatly dressed but casual--say, sports shirt, chinos, and Dockers--I'd be stopped and questioned. Where's your badge, who are you, where do you work? Another day I'd arrive, still without a badge but in a suit and tie, looking very corporate. I'd use a variation of the age-old piggybacking technique, blending in with a crowd of people as they walk into a building or a secure entrance. I would latch onto some people as they approached the main entrance, and walk in chatting with the crowd as if I was one of them. I walked past, and even if the guards noticed I was badge-less, they wouldn't bother me because I looked like management and I was with people who were wearing badges.

From this experience, I recognized how predictable the behavior of security guards is. Like the rest of us, they were making judgments based on appearances- -a serious vulnerability that social engineers learn to take advantage of.

The attacker's second psychological weapon came into play when he noticed the unusual effort that the receptionist was making. Handling several things at once, she didn't get testy but managed to make everyone feel they had her full attention. He took this as the mark of someone interested in getting ahead, in proving herself. And then when he claimed to work in the Marketing department, he watched to see her reaction, looking for clues to indicate if he was establishing a rapport with her. He was. To the attacker, this added up to someone he could manipulate through a promise of trying to help her move into a better job. (Of course, if she had said she wanted to go into the Accounting department, he would have claimed he had contacts for getting her a job there, instead.)

Intruders are also fond of another psychological weapon used in this story: building trust with a two-stage attack. He first used that chatty conversation about the job in Marketing, and he also used "name- dropping"--giving the name of another employee--a real person, incidentally, just as the name he himself used was the name of a real employee.

He could have followed up the opening conversation right away with a request to get into a conference room. But instead he sat down for a while and pretended to work, supposedly waiting for his associate, another way of allaying any possible suspicions because an intruder wouldn't hang around. He didn't hang around for very long, though; social engineers know better than to stay at the scene of the crime any longer than necessary. MITNICK MESSAGE Allowing a stranger into an area where he can plug a laptop into the corporate network increases the risk of a security incident. It's perfectly reasonable for an employee, especially one from offsite, to want to check his or her email from a conference room, but unless the visitor is established as a trusted employee or the network is segmented to prevent unauthorized connections, this may be the weak link that allows company files to be compromised.

Just for the record: By the laws on the books at the time of this writing, Anthony had not committed a crime when he entered the lobby. He had not committed a crime when he used the name of a real employee. He had not committed a crime when he talked his way into the conference room. He had not committed a crime when he plugged into the company's network and searched for the target computer.

Not until he actually broke in to the computer system did he break the law.

SNOOPING ON KEVIN Many years ago when I was working in a small business, I began to notice that each time I walked into the office that I shared with the three other computer people who made up the IT department, this one particular guy (Joe, I'll call him here) would quickly toggle the display on his computer to a different window. I immediately recognized this as suspicious. When it happened two more times the same day, I was sure something was going on that I should know about. What was this guy up to that he didn't want me to see?

Joe's computer acted as a terminal to access the company's minicomputers, so I installed a monitoring program on the VAX minicomputer hat allowed me to spy on what he was doing. The program acted as if a TV camera was looking over his shoulder, showing me exactly what he was seeing on his computer.

My desk was next to Joe's; I turned my monitor as best I could to partly mask his view, but he could have looked over at any moment and realized I was spying on him. Not a problem; he was too enthralled in what he was doing to notice.

What I saw made my jaw drop. I watched, fascinated, as the bastard called up my payroll data. He was looking up my salary! I had only been there a few months at the time and I guessed Joe couldn't stand the idea that I might have been making more than he was.

A few minutes later I saw that he was downloading hacker tools used by less experienced hackers who don't know enough about programming to devise the tools for themselves. So Joe was clueless, and had no idea that one of American's most experienced hackers was sitting right next to him. I thought it was hilarious.

He already had the information about my pay; so it was too late to stop him. Besides, any employee with computer access at the IRS or the Social Security Administration can look your salary up. I sure didn't want to tip my hand by letting him know I'd found out what he was up to. My main goal at the time was maintaining a low profile, and a good social engineer doesn't advertise his abilities and knowledge. You always want people to underestimate you, not see you as a threat.

So I let it go, and laughed to myself that Joe thought he knew some secret about me, when it was the other way around: I had the upper hand by knowing what he had been up to.

In time I discovered that all three of my co-workers in the IT group amused themselves by looking up the take-home pay of this or that cute secretary or (for the one girl in the group) neat-looking guy they had spotted. And they were all finding out the salary and bonuses of anybody at the company they were curious about, including senior management.

Analyzing the Con This story illustrates an interesting problem. The payroll files were accessible to the people who had the responsibility of maintaining the company's computer systems. So it all comes down to a personnel issue: deciding who can be trusted. In some cases, IT staff might find it irresistible to snoop around. And they have the ability to do so because they have privileges allowing them to bypass access controls on those files.

One safeguard would be to audit any access to particularly sensitive files, such as payroll. Of course, anyone with the requisite privileges could disable auditing or possibly remove any entries that would point back to them, but each additional step takes more effort to hide on the part of an unscrupulous employee.

PREVENTING THE CON From pawing through your trash to duping a security guard or receptionist, social engineers can physically invade your corporate space. But you'll be glad to hear that there are preventive measures you can take.

Protection After Hours All employees who arrive for work without their badges should be required to stop at the lobby desk or security office to obtain a temporary badge for the day. The incident in the first story of this chapter could have come to a much different conclusion if the company security guards had had a specific set of steps to follow when encountering anyone without the required employee badge.

For companies or areas within a company where security is not a high-level concern, it may not be important to insist that every person have a badge visible at all times. But in companies with sensitive areas, this should be a standard requirement, rigidly enforced. Employees must be trained and motivated to challenge people who do not display a badge, and higher-level employees must be taught to accept such challenges without causing embarrassment to the person who stops them.

Company policy should advise employees of the penalties for those who consistently fail to wear their badges; penalties might include sending the employee home for the day without pay, or a notation in his personnel file. Some companies institute a series of progressively more stringent penalties that may include reporting the problem to the person's manager, then issuing a formal warning.