The Art of Deception: Controlling the Human Element of Security


Authors: Kevin D. Mitnick,William L. Simon,Steve Wozniak


The rest was simply a matter of giving a reasonable excuse about a computer problem, asking for the desired information, and requesting that the response be left on voice mail. And why would any employee be reluctant to share information with a co-worker? Since the phone number that Shirley provided was clearly an internal extension, there was no reason for any suspicion.

MITNICK MESSAGE Try calling your own voice mail once in a while; if you hear an outgoing message that's not yours, you may have just encountered your first social engineer.

THE HELPFUL SECRETARY Cracker Robert Jorday had been regularly breaking into the computer networks of a global company, Rudolfo Shipping, Inc. The company eventually recognized that someone was hacking into their terminal server, and that through that server the user could connect to any computer system at the company. To safeguard the corporate network, the company decided to require a dial-up password on every terminal server.

Robert called the Network Operations Center posing as an attorney with the Legal Department and said he was having trouble connecting to the network. The network administrator he reached explained that there had been some recent security issues, so all dial-up access users would need to obtain the monthly password from their manager. Robert wondered what method was being used to communicate each month's password to the managers and how he could obtain it. The answer, it turned out, was that the password for the upcoming month was sent in a memo via office mail to each company manager.

That made things easy. Robert did a little research, called the company just after the first of the month, and reached the secretary of one manager who gave her name as Janet. He said, "Janet, hi. This is Randy Goldstein in Research and Development. I know I probably got the memo with this month's password for logging into the terminal server from outside the company, but I can't find it anywhere. Did you get your memo for this month?"

Yes, she said, she did get it. He asked her if she would fax it to him, and she agreed. He gave her the fax number of the lobby receptionist in a different building on the company campus, where he had already made arrangements for faxes to be held for him, and would then arrange for the password fax to be forwarded. This time, though, Robert used a different fax-forwarding method. He gave the receptionist a fax number that went to an on-line fax service. When this service receives a fax, the automated system sends it to the subscriber's email address.

The new password arrived at the email dead drop that Robert set up on a free email service in China. He was sure that if the fax was ever traced, the investigator would be pulling out his hair trying to gain cooperation from Chinese officials, who, he knew, were more than a little reluctant to be helpful in matters like this. Best of all, he never had to show up physically at the location of the fax machine.

MITNICK MESSAGE The skilled social engineer is very clever at influencing other people to do favors for him. Receiving a fax and forwarding it to another location appears so harmless that it's all too easy to persuade a receptionist or someone else to agree to do it. When somebody asks for a favor involving information, if you don't know him or can't verify his identity, just say no.

TRAFFIC COURT Probably everyone who has ever been given a speeding ticket has daydreamed about some way of beating it. Not by going to traffic school, or simply paying the fine, or taking a chance on trying to convince the judge about some technicality like how long it has been since the police-car speedometer or the radar gun was checked. No, the sweetest scenario would be beating the ticket by outsmarting the system.

The Con Although I would not recommend trying this method of beating a traffic ticket (as the saying goes, don't try this at home) still, this is a good example of how the art of deception can be used to help the social engineer.

Let's call this traffic violator Paul Durea.

First Steps

"LAPD, Hollenbeck Division."
"Hi, I'd like to talk to the Subpoena Control."
"I'm the subpoena clerk."
"Fine. This is Attorney John Leland, of Meecham, Meecham, and Talbott. I need to subpoena an officer on a case."
"Okay, which officer?"
"Do you have Officer Kendall in your division?"
"What's his serial number?"
"21349."
"Yes. When do you need him?"
"Some time next month, but I need to subpoena several other witnesses on the case and then tell the court what days will work for us. Are there any days next month Officer Kendall won't be available?"
"Let's see... He has vacation days on the 20th through the 23rd, and he has training days on the 8th and 16th."
"Thanks. That's all I need right now. I'll call you back when the court date is set."

Municipal Court, Clerk's Counter

Paul: "I'd like to schedule a court date on this traffic ticket."
Clerk: "Okay. I can give you the 26th of next month."
"Well, I'd like to schedule an arraignment."
"You want an arraignment on a traffic ticket?"
"Yes."
"Okay. We can set the arraignment tomorrow in the morning or afternoon. What would you like?"
"Afternoon."
"Arraignment is tomorrow at 1:30 P.M. in Courtroom Six."
"Thanks. I'll be there."

Municipal Court, Courtroom Six, Thursday, 1:45 P.M.

Clerk: "Mr. Durea, please approach the bench."

Judge: "Mr. Durea, do you understand the rights that have been explained to you this afternoon?"

Paul: "Yes, your honor."

Judge: "Do you want to take the opportunity to attend traffic school? Your case will be dismissed after successful completion of an eight-hour course. I've checked your record and you are presently eligible."

Paul: "No, your honor. I respectfully request that the case be set for trial. One more thing, your honor, I'll be travelling out of the country, but I'm available on the 8th or 9th. Would it be possible to set my case for trial on either of those days? I'm leaving on a business trip for Europe tomorrow, and I return in four weeks."

Judge: "Very well. Trial is set for June 8th, 8:30 A.M., Courtroom Four."

Paul: "Thank you, your honor."

Municipal Court, Courtroom Four

Paul arrived at court early on the 8th. When the judge came in, the clerk gave him a list of the cases for which the officers had not appeared. The judge called the defendants, including Paul, and told them their cases were dismissed.

Analyzing the Con When an officer writes a ticket, he signs it with his name and his badge number (or whatever his personal number is called in his agency). Finding his station is a piece of cake. A call to directory assistance with the name of the law enforcement agency shown on the citation (highway patrol, county sheriff, or whatever) is enough to get a foot in the door. Once the agency is contacted, they can refer the caller to the correct telephone number for the subpoena clerk serving the geographical area where the traffic stop was made.

Law enforcement officers are subpoenaed for court appearances with regularity; it comes with the territory. When a district attorney or a defense lawyer needs an officer to testify, if he knows how the system works, he first checks to make sure the officer will be available. That's easy to do; it just takes a call to the subpoena clerk for that agency.

Usually in those conversations, the attorney asks if the officer in question will be available on such-and-such a date. For this ruse, Paul needed a bit of tact; he had to offer a plausible reason why the clerk should tell him what dates the officer would not be available.

When he first went to the court building, why didn't Paul simply tell the court clerk what date he wanted? Easy--from what I understand, traffic-court clerks in most places don't allow members of the public to select court dates. If a date the clerk suggests doesn't work for the person, she'll offer an alternative or two, but that's as far as she will bend. On the other hand, anyone who is willing to take the extra time of showing up for an arraignment is likely to have better luck.

Paul knew he was entitled to ask for an arraignment. And he knew the judges are often willing to accommodate a request for a specific date. He carefully asked for dates that coincided with the officer's training days, knowing that in his state, officer training takes precedence over an appearance in traffic court.

MITNICK MESSAGE The human mind is a marvelous creation. It's interesting to note how imaginative people can be at developing deceptive ways to get what they want or to get out of a sticky situation. You have to use the same creativity and imagination to safeguard information and computer systems in the public and private sectors. So, folks, when devising your company's security policies--be creative and think outside the box. And in traffic court, when the officer does not show up--case dismissed. No fines. No traffic school. No points. And, best of all, no record of a traffic offense!

My guess is that some police officials, court officers, district attorneys and the like will read this story and shake their heads because they know that this ruse does work. But shaking their heads is all they'll do. Nothing will change. I'd be willing to bet on it. As the character Cosmo says in the 1992 movie Sneakers, "It's all about the ones and zeros"--meaning that in the end, everything comes down to information.

As long as law enforcement agencies are willing to give information about an officer's schedule to virtually anyone who calls, the ability to get out of traffic tickets will always exist. Do you have similar gaps in your company or organization's procedures that a clever social engineer can take advantage of to get information you'd rather they didn't have?

SAMANTHA'S REVENGE Samantha Gregson was angry.

She had worked hard for her college degree in business, and stacked up a pile of student loans to do it. It had always been drummed into her that a college degree was how you got a career instead of a job, how you earned the big bucks. And then she graduated and couldn't find a decent job anywhere.

How glad she had been to get the offer from Lambeck Manufacturing. Sure, it was humiliating to accept a secretarial position, but Mr. Cartright had said how eager they were to have her, and taking the secretarial job would put her on the spot when the next non-administrative position opened up.

Two months later she heard that one of Cartright's junior product managers was leaving. She could hardly sleep that night, imagining herself on the fifth floor, in an office with a door, attending meetings and making decisions. The next morning she went first thing to see Mr. Cartright. He said they felt she needed to learn more about the industry before she was ready for a professional position. And then they went and hired an amateur from outside the company who knew less about the industry than she did.

It was about then that it began to dawn on her: The company had plenty of women, but they were almost all secretaries. They weren't going to give her a management job. Ever.

Payback It took her almost a week to figure out how she was going to pay them back. About a month earlier a guy from an industry trade magazine had tried to hit on her when he came in for the new product launch. A few weeks later he called her up at work and said if she would send him some advance information on the Cobra 273 product, he'd send her flowers, and if it was really hot information that he used in the magazine, he'd make a special trip in from Chicago just to take her out to dinner.

She had been in young Mr. Johannson's office one day shortly after that when he logged onto the corporate network. Without thinking, she had watched his fingers (shoulder surfing, this is sometimes called). He had entered "marty63" as his password.

Her plan was beginning to come together. There was a memo she remembered typing not long after she came to the company. She found a copy in the files and typed up a new version, using language from the original one. Her version read:

TO: C. Pelton, IT dept.
FROM: L. Cartright, Development

Martin Johansson will be working with a special projects team in my department. I hereby authorize him to have access to the servers used by the engineering group. Mr. Johansson's security profile is to be updated to grant him the same access rights as a product developer.

Louis Cartright

LINGO SHOULDER SURFING The act of watching a person type at his computer keyboard to detect and steal his password or other user information.

When most everybody was gone at lunch, she cut Mr. Cartright's signature from the original memo, pasted it onto her new version, and daubed Wite-Out around the edges. She made a copy of the result, and then made a copy of the copy. You could barely see the edges around the signature. She sent the fax from the machine near Mr. Cartright's office.

Three days later, she stayed after hours and waited till everyone left. She walked into Johannson's office, and tried logging onto the network with his username and the password, marty63. It worked.

In minutes she had located the product specification files for the Cobra 273, and downloaded them to a Zip disk.

The disk was safely in her purse as she walked in the cool night-time breeze to the parking lot. It would be on its way to the reporter that night.

Analyzing the Con A disgruntled employee, a search through the files, a quick cut-paste-and-Wite-Out operation, a little creative copying, and a fax. And, voila!--she has access to confidential marketing and product specifications.

And a few days later, a trade magazine journalist has a big scoop with the specs and marketing plans of a hot new product that will be in the hands of magazine subscribers throughout the industry months in advance of the product's release. Competitor companies will have several months' head start on developing equivalent products and having their ad campaigns ready to undermine the Cobra 273.

Naturally the magazine will never say where they got the scoop.

PREVENTING THE CON When asked for any valuable, sensitive, or critical information that could be of benefit to a competitor or anyone else, employees must be aware that using caller ID as a means of verifying the identity of an outside caller is not acceptable. Some other means of verification must be used, such as checking with the person's supervisor that the request was appropriate and that the user has authorization to receive the information.
