Chapter 1 Entering the Premises

Why is it so easy for an outsider to assume the identity of a company employee and carry off an impersonation so convincingly that even people who are highly security conscious are taken in? Why is it so easy to dupe individuals who may be fully aware of security procedures, suspicious of people they don't personally know, and protective of their company's interests? Ponder these questions as you read the stories in this chapter.

THE EMBARRASSED SECURITY GUARD

Date/Time: Tuesday, October 17, 2:16 A.M.
Place: Skywatcher Aviation, Inc. manufacturing plant on the outskirts of Tucson, Arizona.

The Security Guard's Story

Hearing his leather heels click against the floor in the halls of the nearly deserted plant made Leroy Greene feel much better than spending the night hours of his watch in front of the video monitors in the security office. There he wasn't allowed to do anything but stare at the screens, not even read a magazine or his leather-bound Bible. You just had to sit there looking at the displays of still images where nothing ever moved. But walking the halls, he was at least stretching his legs, and when he remembered to throw his arms and shoulders into the walk, it got him a little exercise, too. Although it didn't really count very much as exercise for a man who had played right tackle on the All-City champion high school football team. Still, he thought, a job is a job.

He turned the southwest corner and started along the gallery overlooking the half-mile-long production floor. He glanced down and saw two people walking past the line of partly built copters. The pair stopped and seemed to be pointing things out to each other. A strange sight at this time of night. "Better check," he thought.

Leroy headed for a staircase that would bring him onto the production-line floor behind the pair, and they didn't sense his approach until he stepped alongside. "Morning. Can I see your security badges, please," he said. Leroy always tried to keep his voice soft at moments like this; he knew that the sheer size of him could seem threatening.

"Hi, Leroy," one of them said, reading the name off his badge. "I'm Tom Stilton, from the Marketing office at corporate in Phoenix. I'm in town for meetings and wanted to show my friend here how the world's greatest helicopters get built."

"Yes, sir. Your badge, please," Leroy said. He couldn't help noticing how young they seemed. The Marketing guy looked barely out of high school; the other one had hair down to his shoulders and looked about fifteen. The one with the haircut reached into his pocket for his badge, then started patting all his pockets. Leroy was suddenly beginning to have a bad feeling about this.

"Damn," the guy said. "Must've left it in the car. I can get it--just take me ten minutes to go out to the parking lot and back."

Leroy had his pad out by this time. "What'd you say your name was, sir?" he asked, and carefully wrote down the response. Then he asked them to go with him to the Security Office. On the elevator to the third floor, Tom chatted about having been with the company for only six months and hoped he wasn't going to get in any trouble for this.

In the Security monitoring room, the two others on the night shift with Leroy joined him in questioning the pair. Stilton gave his telephone number, said his boss was Judy Underwood and gave her telephone number, and the information all checked out on the computer. Leroy took the other two security people aside and they talked about what to do. Nobody wanted to get this wrong; all three agreed they had better call the guy's boss even though it would mean waking her in the middle of the night.

Leroy called Mrs. Underwood himself, explained who he was, and asked: did she have a Mr. Tom Stilton working for her? She sounded like she was still half-asleep. "Yes," she said.

"Well, we found him down on the production line at 2:30 in the morning with no ID badge."

Mrs. Underwood said, "Let me talk to him."

Stilton got on the phone and said, "Judy, I'm really sorry about these guys waking you up in the middle of the night. I hope you're not going to hold this against me." He listened and then said, "It was just that I had to be here in the morning anyway, for that meeting on the new press release. Anyway, did you get the email about the Thompson deal? We need to meet with Jim on Monday morning so we don't lose this. And I'm still having lunch with you on Tuesday, right?" He listened a bit more and said good-bye and hung up.

That caught Leroy by surprise; he had thought he'd get the phone back so the lady could tell him everything was okay. He wondered if maybe he should call her again and ask, but thought better of it. He had already bothered her once in the middle of the night; if he called a second time, maybe she might get annoyed and complain to his boss. "Why make waves?" he thought.

"Okay if I show my friend the rest of the production line?" Stilton asked Leroy. "You want to come along, keep an eye on us?"

"Go on," Leroy said. "Look around. Just don't forget your badge next time. And let Security know if you need to be on the plant floor after hours--it's the rule."

"I'll remember that, Leroy," Stilton said. And they left.

Hardly ten minutes had gone by before the phone rang in the Security Office. Mrs. Underwood was on the line. "Who was that guy?!" she wanted to know. She said she kept trying to ask questions but he just kept on talking about having lunch with her, and she doesn't know who the hell he is.

The security guys called the lobby and the guard at the gate to the parking lot. Both reported the two young men had left some minutes before.

Joe Harper's Story

Just to see what he could get away with, seventeen-year-old Joe Harper had been sneaking into buildings for more than a year, sometimes in the daytime, sometimes at night.
The son of a musician and a cocktail waitress, both working the night shift, Joe had too much time by himself. His story of that same incident sheds instructive light on how it all happened.

I have this friend Kenny who thinks he wants to be a helicopter pilot. He asked me, could I get him into the Skywatcher factory to see the production line where they make the choppers. He knows I've got into other places before. It's an adrenaline rush to see if you can slip into places you're not supposed to be.

But you don't just walk into a factory or office building. Got to think it through, do a lot of planning, and do a full reconnaissance on the target. Check the company's Web page for names and titles, reporting structure, and telephone numbers. Read press clippings and magazine articles. Meticulous research is my own brand of caution, so I could talk to anybody that challenged me, with as much knowledge as any employee.

So where to start? First I looked up on the Internet to see where the company had offices, and saw the corporate headquarters was in Phoenix. Perfect. I called and asked for Marketing; every company has a marketing department. A lady answered, and I said I was with Blue Pencil Graphics and we wanted to see if we could interest them in using our services, and who would I talk to. She said that would be Tom Stilton. I asked for his phone number and she said they didn't give out that information but she could put me through. The call rang into voice mail, and his message said, "This is Tom Stilton in Graphics, extension 3147, please leave a message." Sure--they don't give out extensions, but this guy leaves his right on his voice mail. So that was cool. Now I had a name and extension.

Another call, back to the same office. "Hi, I was looking for Tom Stilton. He's not in. I'd like to ask his boss a quick question." The boss was out, too, but by the time I was finished, I knew the boss's name. And she had nicely left her extension number on her voice mail, too.

I could probably get us past the lobby guard with no sweat, but I've driven by that plant and I thought I remembered a fence around the parking lot. A fence means a guard who checks you when you try to drive in. And at night, they might be writing down license numbers, too, so I'd have to buy an old license plate at a flea market. But first I'd have to get the phone number in the guard shack.

I waited a little so if I got the same operator when I dialed back in, she wouldn't recognize my voice. After a bit I called and said, "We've got a complaint that the phone at the Ridge Road guard shack has reported intermittent problems--are they still having trouble?" She said she didn't know but would connect me.

The guy answered, "Ridge Road gate, this is Ryan." I said, "Hi, Ryan, this is Ben. Were you having problems with your phones there?" He's just a low-paid security guard but I guess he had some training because he right away said, "Ben who--what's your last name?" I just kept right on as if I hadn't even heard him. "Somebody reported a problem earlier." I could hear him holding the phone away and calling out, "Hey, Bruce, Roger, was there a problem with this phone?" He came back on and said, "No, no problems we know about."

"How many phone lines do you have there?" He had forgotten about my name. "Two," he said.

"Which one are you on now?"

"3140." Gotcha!

"And they're both working okay?"

"Seems like."

"Okay," I said. "Listen, Tom, if you have any phone problems, just call us in Telecom any time. We're here to help."

My buddy and I decided to visit the plant the very next night. Late that afternoon I called the guard booth, using the name of the Marketing guy. I said, "Hi, this is Tom Stilton in Graphics. We're on a crash deadline and I have a couple of guys driving into town to help out. Probably won't be here till one or two in the morning. Will you still be on then?"

He was happy to say that, no, he got off at midnight. I said, "Well, just leave a note for the next guy, okay? When two guys show up and say they've come to see Tom Stilton, just wave 'em on in--okay?" Yes, he said, that was fine. He took down my name, department, and extension number and said he'd take care of it.

We drove up to the gate a little after two, I gave Tom Stilton's name, and a sleepy guard just pointed to the door we should go in and where I should park.

When we walked into the building, there was another guard station in the lobby, with the usual book for after-hours sign-ins. I told the guard I had a report that needed to be ready in the morning, and this friend of mine wanted to see the plant. "He's crazy about helicopters," I said. "Thinks he wants to learn to pilot one." He asked me for my badge. I reached into a pocket, then patted around and said I must have left it in the car; I'll go get it. I said, "It'll take about ten minutes." He said, "Never mind, it's okay, just sign in."

Walking down that production line--what a gas. Until that tree-trunk of a Leroy stopped us.

When things get tight, I just start sounding like I'm really steamed. Like I'm really who I claimed to be and it's annoying they don't believe me. When they started talking about maybe they should call the lady I said was my boss and went to get her home phone number from the computer, I stood there thinking, "Good time to just make a break for it." But there was that parking-lot gate--even if we got out of the building, they'd close the gate and we'd never make it out.

When Leroy called the lady who was Stilton's boss and then gave me the phone, the lady started shouting at me, "Who is this, who are you!" and I just kept on talking like we were having a nice conversation, and then hung up.

How long does it take to find somebody who can give you a company phone number in the middle of the night? I figured we had less than fifteen minutes to get out of there before that lady was ringing the security office and putting a bug in their ears. We got out of there as fast as we could without looking like we were in a hurry. Sure was glad when the guy at the gate just waved us through.

Analyzing the Con

It's worth noting that in the real incident this story is based on, the intruders actually were teenagers. The intrusion was a lark, just to see if they could get away with it. But if it was so easy for a pair of teenagers, it would have been even easier for adult thieves, industrial spies, or terrorists.

How did three experienced security officers allow a pair of intruders to just walk away? And not just any intruders, but a pair so young that any reasonable person should have been very suspicious?

Leroy was appropriately suspicious, at first. He was correct in taking them to the Security Office, and in questioning the guy who called himself Tom Stilton and checking the names and phone numbers he gave. He was certainly correct in making the phone call to the supervisor. But in the end he was taken in by the young man's air of confidence and indignation. It wasn't the behavior he would expect from a thief or intruder--only a real employee would have acted that way... or so he assumed. Leroy should have been trained to count on solid identification, not perceptions.

Why wasn't he more suspicious when the young man hung up the phone without handing it back, so that Leroy could hear the confirmation directly from Judy Underwood and receive her assurance that the kid had a reason for being in the plant so late at night?

Leroy was taken in by a ruse so bold that it should have been obvious. But consider the moment from his perspective: a high-school graduate, concerned for his job, uncertain whether he might get in trouble for bothering a company manager for the second time in the middle of the night. If you had been in his shoes, would you have made the follow-up call?
But of course, a second phone call wasn't the only possible action. What else could the security guard have done?

Even before placing the phone call, he could have asked both of the pair to show some kind of picture identification; they drove to the plant, so at least one of them should have had a driver's license. The fact that they had originally given phony names would then have been immediately obvious (a professional would have come equipped with fake ID, but these teenagers had not taken that precaution). In any case, Leroy should have examined their identification credentials and written down the information. If they both insisted they had no identification, he should then have walked them to the car to retrieve the company ID badge that "Tom Stilton" claimed he had left there.

MITNICK MESSAGE
Manipulative people usually have very attractive personalities. They are typically fast on their feet and quite articulate. Social engineers are also skilled at distracting people's thought processes so that they cooperate. To think that any one particular person is not vulnerable to this manipulation is to underestimate the skill and the killer instinct of the social engineer. A good social engineer, on the other hand, never underestimates his adversary.

Following the phone call, one of the security people should have stayed with the pair until they left the building, and then walked them to their car and written down the license-plate number. If he had been observant enough, he would have noted that the plate (the one that the attacker had purchased at a flea market) did not have a valid registration sticker--and that should have been reason enough to detain the pair for further investigation.

DUMPSTER DIVING

Dumpster diving is a term that describes pawing through a target's garbage in search of valuable information. The amount of information you can learn about a target is astounding.
Most people don't give much thought to what they're discarding at home: phone bills, credit card statements, medical prescription bottles, bank statements, work-related materials, and so much more. At work, employees must be made aware that people do look through trash to obtain information that may benefit them.

During my high school years, I used to go digging through the trash behind the local phone company buildings--often alone but occasionally with friends who shared an interest in learning more about the telephone company. Once you become a seasoned Dumpster diver, you learn a few tricks, such as how to make special efforts to avoid the bags from the restrooms, and the necessity of wearing gloves.

Dumpster diving isn't enjoyable, but the payoff was extraordinary--internal company telephone directories, computer manuals, employee lists, discarded printouts showing how to program switching equipment, and more--all there for the taking.

I'd schedule visits for nights when new manuals were being issued, because the trash containers would have plenty of old ones, thoughtlessly thrown away. And I'd go at other odd times as well, looking for any memos, letters, reports, and so forth, that might offer some interesting gems of information. On arriving I'd find some cardboard boxes, pull them out and set them aside. If anyone challenged me, which happened now and then, I'd say that a friend was moving and I was just looking for boxes to help him pack. The guard never noticed all the documents I had put in the boxes to take home. In some cases, he'd tell me to get lost, so I'd just move to another phone company central office.

I don't know what it's like today, but back then it was easy to tell which bags might contain something of interest. The floor sweepings and cafeteria garbage were loose in the large bags, while the office wastebaskets were all lined with white disposable trash bags, which the cleaning crew would lift out one by one and wrap a tie around.

One time, while searching with some friends, we came up with some sheets of paper torn up by hand. And not just torn up: someone had gone to the trouble of ripping the sheets into tiny pieces, all conveniently thrown out in a single trash bag. We took the bag to a local donut shop, dumped the pieces out on a table, and started assembling them one by one. We were all puzzle-doers, so this offered the stimulating challenge of a giant jigsaw puzzle, but it turned out to have more than a childish reward. When done, we had pieced together the entire account name and password list for one of the company's critical computer systems.

Were our Dumpster-diving exploits worth the risk and the effort? You bet they were. Even more than you would think, because the risk is zero. It was true then and still true today: As long as you're not trespassing, poring through someone else's trash is 100 percent legal.

Of course, phone phreaks and hackers aren't the only ones with their heads in trash cans. Police departments around the country paw through trash regularly, and a parade of people from Mafia dons to petty embezzlers have been convicted based in part on evidence gathered from their rubbish. Intelligence agencies, including our own, have resorted to this method for years.

It may be a tactic too low down for James Bond--movie-goers would much rather watch him outfoxing the villain and bedding a beauty than standing up to his knees in garbage. Real-life spies are less squeamish when something of value may be bagged among the banana peels and coffee grounds, the newspapers and grocery lists. Especially if gathering the information doesn't put them in harm's way.

Cash for Trash

Corporations play the Dumpster-diving game, too. Newspapers had a field day in June 2000, reporting that Oracle Corporation (whose CEO, Larry Ellison, is probably the nation's most outspoken foe of Microsoft) had hired an investigative firm that had been caught with their hands in the cookie jar.
It seems the investigators wanted trash from a Microsoft-supported lobbying outfit, ACT, but they didn't want to risk getting caught. According to press reports, the investigative firm sent in a woman who offered the janitors $60 to let her have the ACT trash. They turned her down. She was back the next night, upping the offer to $500 for the cleaners and $200 for the supervisor. The janitors turned her down and then turned her in.

Leading on-line journalist Declan McCullagh, taking a leaf from literature, titled his Wired News story on the episode, "'Twas Oracle That Spied on MS." Time magazine, nailing Oracle's Ellison, titled their article simply "Peeping Larry."

Analyzing the Con

Based on my own experience and the experience of Oracle, you might wonder why anybody would bother taking the risk of stealing someone's trash. The answer, I think, is that the risk is nil and the benefits can be substantial. Okay, maybe trying to bribe the janitors increases the chance of consequences, but for anyone who's willing to get a little dirty, bribes aren't necessary.

For a social engineer, Dumpster diving has its benefits. He can get enough information to guide his assault against the target company, including memos, meeting agendas, letters and the like that reveal names, departments, titles, phone numbers, and project assignments. Trash can yield company organizational charts, information about corporate structure, travel schedules, and so on. All those details might seem trivial to insiders, yet they may be highly valuable information to an attacker.

Mark Joseph Edwards, in his book Internet Security with Windows NT, talks about "entire reports discarded because of typos, passwords written on scraps of paper, 'While you were out' messages with phone numbers, whole file folders with documents still in them, diskettes and tapes that weren't erased or destroyed--all of which could help a would-be intruder." The writer goes on to ask, "And who are those people on your cleaning crew? You've decided that the cleaning crew won't [be permitted to] enter the computer room but don't forget the other trash cans. If federal agencies deem it necessary to do background checks on people who have access to their wastebaskets and shredders, you probably should as well."

MITNICK MESSAGE
Your trash may be your enemy's treasure. We don't give much consideration to the materials we discard in our personal lives, so why should we believe people have a different attitude in the workplace? It all comes down to educating the workforce about the danger (unscrupulous people digging for valuable information) and the vulnerability (sensitive information not being shredded or properly erased).

THE HUMILIATED BOSS

Nobody thought anything about it when Harlan Fortis came to work on Monday morning as usual at the County Highway Department, and said he'd left home in a hurry and forgotten his badge. The security guard had seen Harlan coming in and going out every weekday for the two years she had been working there. She had him sign for a temporary employee's badge, gave it to him, and he went on his way.

It wasn't until two days later that all hell started breaking loose. The story spread through the entire department like wildfire. Half the people who heard it said it couldn't be true. Of the rest, nobody seemed to know whether to laugh out loud or to feel sorry for the poor soul. After all, George Adamson was a kind and compassionate person, the best head of department they'd ever had. He didn't deserve to have this happen to him. Assuming that the story was true, of course.

The trouble had begun when George called Harlan into his office late one Friday and told him, as gently as he could, that come Monday Harlan would be reporting to a new job. With the Sanitation Department. To Harlan, this wasn't like being fired. It was worse; it was humiliating. He wasn't going to take it lying down.
That same evening he seated himself on his porch to watch the homeward-bound traffic. At last he spotted the neighborhood boy named David, who everyone called "The War Games Kid," going by on his moped on the way home from high school. He stopped David, gave him a Code Red Mountain Dew he had bought especially for the purpose, and offered him a deal: the latest video game player and six games in exchange for some computer help and a promise of keeping his mouth shut.

After Harlan explained the project--without giving any of the compromising specifics--David agreed. He described what he wanted Harlan to do. He was to buy a modem, go into the office, find somebody's computer where there was a spare phone jack nearby, and plug in the modem. Leave the modem under the desk where nobody would be likely to see it. Then came the risky part. Harlan had to sit down at the computer, install a remote-access software package, and get it running. Any moment the man who worked in the office might show up, or someone might walk by and see him in another person's office. He was so uptight that he could hardly read the instructions that the kid had written down for him. But he got it done, and slipped out of the building without being noticed.

Planting the Bomb

David stopped over after dinner that night. The two sat down at Harlan's computer and within a few minutes the boy had dialed into the modem, gained access, and reached George Adamson's machine. Not very difficult, since George never had time for precautionary things like changing passwords, and was forever asking this person or that to download or email a file for him. In time, everyone in the office knew his password.

A bit of hunting turned up the file called BudgetSlides2002.ppt, which the boy downloaded onto Harlan's computer. Harlan then told the kid to go on home, and come back in a couple of hours. When David returned, Harlan asked him to reconnect to the Highway Department computer system and put the same file back where they had found it, overwriting the earlier version. Harlan showed David the video game player, and promised that if things went well, he'd have it the next day.

Surprising George

You wouldn't think that something sounding as dull as budget hearings would be of much interest to anyone, but the meeting chamber of the County Council was packed, filled with reporters, representatives of special interest groups, members of the public, and even two television news crews.

George always felt much was at stake for him in these sessions. The County Council held the purse strings, and unless George could put on a convincing presentation, the Highways budget would be slashed. Then everyone would start complaining about potholes and stuck traffic lights and dangerous intersections, and blaming him, and life would be miserable for the whole coming year. But when he was introduced that evening, he stood up feeling confident. He had worked six weeks on this presentation and the PowerPoint visuals, which he had tried out on his wife, his top staff people, and some respected friends. Everyone agreed it was his best presentation ever.

The first three PowerPoint images played well. For a change, every Council member was paying attention. He was making his points effectively. And then all at once everything started going wrong. The fourth image was supposed to be a beautiful photo at sunset of the new highway extension opened last year. Instead it was something else, something very embarrassing. A photograph out of a magazine like Penthouse. He could hear the audience gasp as he hurriedly hit the button on his laptop to move to the next image. This one was worse. Not a thing was left to the imagination.

He was still trying to click to another image when someone in the audience pulled out the power plug to the projector, while the chairman banged loudly with his gavel and shouted above the din that the meeting was adjourned.

Analyzing the Con

Using a teenage hacker's expertise, a disgruntled employee managed to access the computer of the head of his department, download an important PowerPoint presentation, and replace some of the slides with images certain to cause grave embarrassment. Then he put the presentation back on the man's computer.

With the modem plugged into a jack and connected to one of the office computers, the young hacker was able to dial in from the outside. The kid had set up the remote access software in advance so that, once connected to the computer, he would have full access to every file stored on the entire system. Since the computer was connected to the organization's network and he already knew the boss's username and password, he could easily gain access to the boss's files. Including the time to scan in the magazine images, the entire effort had taken only a few hours. The resulting damage to a good man's reputation was beyond imagining.

MITNICK MESSAGE
The vast majority of employees who are transferred, fired, or let go in a downsizing are never a problem. Yet it only takes one to make a company realize too late what steps they could have taken to prevent disaster. Experience and statistics have clearly shown that the greatest threat to the enterprise is from insiders. It's the insiders who have intimate knowledge of where the valuable information resides, and where to hit the company to cause the most harm.

THE PROMOTION SEEKER

Late in the morning of a pleasant autumn day, Peter Milton walked into the lobby of the Denver regional offices of Honorable Auto Parts, a national parts wholesaler for the automobile aftermarket. He waited at the reception desk while the young lady signed in a visitor, gave driving directions to a caller, and dealt with the UPS man, all more or less at the same time.

"So how did you learn to do so many things at once?" Pete said when she had time to help him. She smiled, obviously pleased he had noticed. He was from Marketing in the Dallas office, he told her, and said that Mike Talbott from Atlanta field sales was going to be meeting him. "We have a client to visit together this afternoon," he explained. "I'll just wait here in the lobby."

"Marketing." She said the word almost wistfully, and Pete smiled at her, waiting to hear what was coming. "If I could go to college, that's what I'd take," she said. "I'd love to work in Marketing."

He smiled again. "Kaila," he said, reading her name off the sign on the counter, "we have a lady in the Dallas office who was a secretary. She got herself moved over to Marketing. That was three years ago, and now she's an assistant marketing manager, making twice what she was."

Kaila looked starry-eyed. He went on, "Can you use a computer?"

"Sure," she said.

"How would you like me to put your name in for a secretary's job in Marketing?"

She beamed. "For that I'd even move to Dallas."

"You're going to love Dallas," he said. "I can't promise an opening right away, but I'll see what I can do."

She thought that this nice man in the suit and tie and with the neatly trimmed, well-combed hair might make a big difference in her working life. Pete sat down across the lobby, opened his laptop, and started getting some work done.
After ten or fifteen minutes, he stepped back up to the counter. "Listen," he said, "it looks like Mike must've been held up. Is there a conference room where I could sit and check my emails while I'm waiting?" Kaila called the man who coordinated the conference room scheduling and arranged for Pete to use one that wasn't booked. Following a pattern picked up from Silicon Valley companies (Apple was probably the first to do this) some of the conference rooms were named after cartoon characters, others after restaurant chains or movie stars or comic book heroes. He was told to look for the Minnie Mouse room. She had him sign in, and gave him directions to find Minnie Mouse. He located the room, settled in, and connected his laptop to the Ethernet port. Do you get the picture yet? Right-the intruder had connected to the network behind the corporate firewall. Anthony's Story I guess you could call Anthony Lake a lazy businessman. Or maybe "bent" comes closer. Instead of working for other people, he had decided he wanted to go to work for himself; he wanted to open a store, where he could be at one place all day and not have to run all over the countryside. Only he wanted to have a business that he could be as sure as possible he could make money at. What kind of store? That didn't take long to figure out. He knew about repairing cars, so an auto parts store. And how do you build in a guarantee of success? The answer came to him in a flash: convince auto parts wholesaler Honorable Auto Parts to sell him all the merchandise he needed at their cost. Naturally they wouldn't do this willingly. But Anthony knew how to con people, his friend Mickey knew about breaking into other people's computers, and together they worked out a clever plan. That autumn day he convincingly passed himself off as an employee named Peter Milton, and he had conned his way inside the Honorable Auto Parts offices and had already plugged his laptop into their network. 
So far, so good, but that was only the first step. What he still had to do wouldn't be easy, especially since Anthony had set himself a fifteen-minute time limit; any longer and he figured that the risk of discovery would be too high.

MITNICK MESSAGE
Train your people not to judge a book solely by its cover; just because someone is well-dressed and well-groomed, he shouldn't be any more believable.

In an earlier phone call, pretexting as a support person from their computer supplier, he had put on a song-and-dance act. "Your company has purchased a two-year support plan and we're putting you in the database so we can know when a software program you're using has come out with a patch or a new updated version. So I need to have you tell me what applications you're using." The response gave him a list of programs, and an accountant friend identified the one called MAS 90 as the target--the program that would hold their list of vendors and the discount and payment terms for each.

With that key knowledge, he next used a software program to identify all the working hosts on the network, and it didn't take him long to locate the correct server used by the Accounting department. From the arsenal of hacker tools on his laptop, he launched one program and used it to identify all of the authorized users on the target server. With another, he then ran a list of commonly used passwords, such as "blank," and "password" itself. "Password" worked. No surprise there. People just lose all creativity when it comes to choosing passwords.

Only six minutes gone, and the game was half over. He was in. Another three minutes to very carefully add his new company, address, phone number, and contact name to the list of customers. And then for the crucial entry, the one that would make all the difference, the entry that said all items were to be sold to him at 1 percent over Honorable Auto Parts' cost. In slightly under ten minutes, he was done.
He stopped long enough to tell Kaila thanks, he was through checking his emails. And he had reached Mike Talbott, change of plans, he was on the way to a meeting at a client's office. And he wouldn't forget about recommending her for that job in Marketing, either.

Analyzing the Con

The intruder who called himself Peter Milton used two psychological subversion techniques, one planned, the other improvised on the spur of the moment.

He dressed like a management worker earning good money. Suit and tie, hair carefully styled; these seem like small details, but they make an impression. I discovered this myself, inadvertently. In a short time as a programmer at GTE California--a major telephone company no longer in existence--I discovered that if I came in one day without a badge, neatly dressed but casual--say, sports shirt, chinos, and Dockers--I'd be stopped and questioned. Where's your badge, who are you, where do you work? Another day I'd arrive, still without a badge but in a suit and tie, looking very corporate. I'd use a variation of the age-old piggybacking technique, blending in with a crowd of people as they walk into a building or a secure entrance. I would latch onto some people as they approached the main entrance, and walk in chatting with the crowd as if I were one of them. I walked past, and even if the guards noticed I was badge-less, they wouldn't bother me because I looked like management and I was with people who were wearing badges.

From this experience, I recognized how predictable the behavior of security guards is. Like the rest of us, they were making judgments based on appearances, a serious vulnerability that social engineers learn to take advantage of.

The attacker's second psychological weapon came into play when he noticed the unusual effort that the receptionist was making. Handling several things at once, she didn't get testy but managed to make everyone feel they had her full attention.
He took this as the mark of someone interested in getting ahead, in proving herself. And then when he claimed to work in the Marketing department, he watched to see her reaction, looking for clues to indicate if he was establishing a rapport with her. He was. To the attacker, this added up to someone he could manipulate through a promise of trying to help her move into a better job. (Of course, if she had said she wanted to go into the Accounting department, he would have claimed he had contacts for getting her a job there, instead.)

Intruders are also fond of another psychological weapon used in this story: building trust with a two-stage attack. He first used that chatty conversation about the job in Marketing, and he also used "name-dropping," giving the name of another employee, a real person, incidentally, just as the name he himself used was the name of a real employee.

He could have followed up the opening conversation right away with a request to get into a conference room. But instead he sat down for a while and pretended to work, supposedly waiting for his associate, another way of allaying any possible suspicions because an intruder wouldn't hang around. He didn't hang around for very long, though; social engineers know better than to stay at the scene of the crime any longer than necessary.

Just for the record: By the laws on the books at the time of this writing, Anthony had not committed a crime when he entered the lobby. He had not committed a crime when he used the name of a real employee. He had not committed a crime when he talked his way into the conference room. He had not committed a crime when he plugged into the company's network and searched for the target computer. Not until he actually broke into the computer system did he break the law.

MITNICK MESSAGE
Allowing a stranger into an area where he can plug a laptop into the corporate network increases the risk of a security incident.
It's perfectly reasonable for an employee, especially one from offsite, to want to check his or her email from a conference room, but unless the visitor is established as a trusted employee or the network is segmented to prevent unauthorized connections, this may be the weak link that allows company files to be compromised.

SNOOPING ON KEVIN

Many years ago when I was working in a small business, I began to notice that each time I walked into the office that I shared with the three other computer people who made up the IT department, this one particular guy (Joe, I'll call him here) would quickly toggle the display on his computer to a different window. I immediately recognized this as suspicious. When it happened two more times the same day, I was sure something was going on that I should know about. What was this guy up to that he didn't want me to see?

Joe's computer acted as a terminal to access the company's minicomputers, so I installed a monitoring program on the VAX minicomputer that allowed me to spy on what he was doing. The program acted as if a TV camera was looking over his shoulder, showing me exactly what he was seeing on his computer.

My desk was next to Joe's; I turned my monitor as best I could to partly mask his view, but he could have looked over at any moment and realized I was spying on him. Not a problem; he was too enthralled in what he was doing to notice. What I saw made my jaw drop. I watched, fascinated, as the bastard called up my payroll data. He was looking up my salary! I had only been there a few months at the time and I guessed Joe couldn't stand the idea that I might have been making more than he was.

A few minutes later I saw that he was downloading hacker tools used by less experienced hackers who don't know enough about programming to devise the tools for themselves. So Joe was clueless, and had no idea that one of America's most experienced hackers was sitting right next to him. I thought it was hilarious.
He already had the information about my pay, so it was too late to stop him. Besides, any employee with computer access at the IRS or the Social Security Administration can look your salary up. I sure didn't want to tip my hand by letting him know I'd found out what he was up to. My main goal at the time was maintaining a low profile, and a good social engineer doesn't advertise his abilities and knowledge. You always want people to underestimate you, not see you as a threat.

So I let it go, and laughed to myself that Joe thought he knew some secret about me, when it was the other way around: I had the upper hand by knowing what he had been up to.

In time I discovered that all three of my co-workers in the IT group amused themselves by looking up the take-home pay of this or that cute secretary or (for the one girl in the group) neat-looking guy they had spotted. And they were all finding out the salary and bonuses of anybody at the company they were curious about, including senior management.

Analyzing the Con

This story illustrates an interesting problem. The payroll files were accessible to the people who had the responsibility of maintaining the company's computer systems. So it all comes down to a personnel issue: deciding who can be trusted. In some cases, IT staff might find it irresistible to snoop around. And they have the ability to do so because they have privileges allowing them to bypass access controls on those files.

One safeguard would be to audit any access to particularly sensitive files, such as payroll. Of course, anyone with the requisite privileges could disable auditing or possibly remove any entries that would point back to them, but each additional step takes more effort to hide on the part of an unscrupulous employee.

PREVENTING THE CON

From pawing through your trash to duping a security guard or receptionist, social engineers can physically invade your corporate space.
But you'll be glad to hear that there are preventive measures you can take. Protection After Hours All employees who arrive for work without their badges should be required to stop at the lobby desk or security office to obtain a temporary badge for the day. The incident in the first story of this chapter could have come to a much different conclusion if the company security guards had had a specific set of steps to follow when encountering anyone without the required employee badge. For companies or areas within a company where security is not a high-level concern, it may not be important to insist that every person have a badge visible at all times. But in companies with sensitive areas, this should be a standard requirement, rigidly enforced. Employees must be trained and motivated to challenge people who do not display a badge, and higher-level employees must be taught to accept such challenges without causing embarrassment to the person who stops them. Company policy should advise employees of the penalties for those who consistently fail to wear their badges; penalties might include sending the employee home for the day without pay, or a notation in his personnel file. Some companies institute a series of progressively more stringent penalties that may include reporting the problem to the person's manager, then issuing a formal warning. In addition, where there is sensitive information to protect, the company should establish procedures for authorizing people who need to visit during non-business hours. One solution: require that arrangements be made through corporate security or some other designated group. This group would routinely verify the identity of any employee calling to arrange an off-hours visit by a call back to the person's supervisor or some other reasonably secure method. Treating Trash with Respect The Dumpster-diving story dug into the potential misuses of your corporate trash. 
The eight keys to wisdom regarding trash:

- Classify all sensitive information based on the degree of sensitivity.
- Establish company-wide procedures for discarding sensitive information.
- Insist that all sensitive information to be discarded first be shredded, and provide for a safe way for getting rid of important information on scraps of paper too small for shredding. Shredders must not be the low-end budget type, which turn out strips of paper that a determined attacker, given enough patience, can reassemble. Instead, they need to be the kind called cross-shredders, or those that render the output into useless pulp.
- Provide a way for rendering unusable or completely erasing computer media--floppy disks, Zip disks, CDs and DVDs used for storing files, removable tapes, old hard drives, and other computer media--before they are discarded. Remember that deleting files does not actually remove them; they can still be recovered, as Enron executives and many others have learned to their dismay. Merely dropping computer media in the trash is an invitation to your local friendly Dumpster diver. (See Chapter 16 for specific guidelines on disposal of media and devices.)
- Maintain an appropriate level of control over the selection of people on your cleaning crews, using background checks if appropriate.
- Remind employees periodically to think about the nature of the materials they are tossing into the trash.
- Lock trash Dumpsters.
- Use separate disposal containers for sensitive materials, and contract to have the materials disposed of by a bonded company that specializes in this work.

Saying Good-Bye to Employees

The point has been made earlier in these pages about the need for ironclad procedures when a departing employee has had access to sensitive information, passwords, dial-in numbers, and the like. Your security procedures need to provide a way to keep track of who has authorization to various systems.
It may be tough to keep a determined social engineer from slipping past your security barriers, but don't make it easy for an ex-employee.

Another step easily overlooked: When an employee who was authorized to retrieve backup tapes from storage leaves, a written policy must call for the storage company to be immediately notified to remove her name from its authorization list.

Chapter 16 of this book provides detailed information on this vital subject, but it will be helpful to list here some of the key security provisions that should be in place, as highlighted by this story:

- A complete and thorough checklist of steps to be taken upon the departure of an employee, with special provisions for workers who had access to sensitive data.
- A policy of terminating the employee's computer access immediately, preferably before the person has even left the building.
- A procedure to recover the person's ID badge, as well as any keys or electronic access devices.
- Provisions that require security guards to see photo ID before admitting any employee who does not have his or her security pass, and for checking the name against a list to verify that the person is still employed by the organization.

Some further steps will seem excessive or too expensive for some companies, but they are appropriate to others. Among these more stringent security measures are:

- Electronic ID badges combined with scanners at entrances; each employee swipes his badge through the scanner for an instantaneous electronic determination that the person is still a current employee and entitled to enter the building. (Note, however, that security guards must still be trained to be on the alert for piggybacking, an unauthorized person slipping by in the wake of a legitimate employee.)
- A requirement that all employees in the same workgroup as the person leaving (especially if the person is being fired) change their passwords. (Does this seem extreme?
Many years after my short time working at General Telephone, I learned that the Pacific Bell security people, when they heard General Telephone had hired me, "rolled on the ground with laughter." But to General Telephone's credit, when they realized they had a reputed hacker working for them after they laid me off, they then required that passwords be changed for everyone in the company!)

You don't want your facilities to feel like jails, but at the same time you need to defend against the guy who was fired yesterday but is back today intent on doing damage.

Don't Forget Anybody

Security policies tend to overlook the entry-level worker, people like receptionists who don't handle sensitive corporate information. We've seen elsewhere that receptionists are a handy target for attackers, and the story of the break-in at the auto parts company provides another example: A friendly person, dressed like a professional, who claims to be a company employee from another facility may not be what he appears. Receptionists need to be well-trained about politely asking for company ID when appropriate, and the training needs to be not just for the main receptionist but also for everyone who sits in as relief at the reception desk during lunchtime or coffee breaks.

For visitors from outside the company, the policy should require that a photo ID be shown and the information recorded. It isn't hard to get fake ID, but at least demanding ID makes pretexting one degree harder for the would-be attacker.

In some companies, it makes sense to follow a policy requiring that visitors be escorted from the lobby and from meeting to meeting. Procedures should require that the escort make clear when delivering the visitor to his first appointment that this person has entered the building as an employee or as a non-employee. Why is this important?
Because, as we've seen in earlier stories, an attacker will often pass himself off in one guise to the first person encountered, and as someone else to the next. It's too easy for an attacker to show up in the lobby, convince the receptionist that he has an appointment with, say, an engineer... then be escorted to the engineer's office where he claims to be a rep from a company that wants to sell some product to the company... and then, after the meeting with the engineer, he has free access to roam the building.

Before admitting an off-site employee to the premises, suitable procedures must be followed to verify that the person is truly an employee; receptionists and guards must be aware of methods used by attackers to pretext the identity of an employee in order to gain access to company buildings.

How about protecting against the attacker who cons his way inside the building and manages to plug his laptop into a network port behind the corporate firewall? Given today's technology, this is a challenge: conference rooms, training rooms, and similar areas should not leave network ports unsecured but should protect them with firewalls or routers. But better protection would come from the use of a secure method to authenticate any users who connect to the network.

Secure IT!

A word to the wise: In your own company, every worker in IT probably knows or can find out in moments how much you are earning, how much the CEO takes home, and who's using the corporate jet to go on skiing vacations. It's even possible in some companies for IT people or accounting people to increase their own salaries, make payments to a phony vendor, remove negative ratings from HR records, and so on. Sometimes it's only the fear of getting caught that keeps them honest... and then one day along comes somebody whose greed or native dishonesty makes him (or her) ignore the risk and take whatever he thinks he can get away with.

There are solutions, of course.
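The snooping story above and the "Secure IT!" warning both come down to one control: audit every access to payroll and similar files, and watch the audit trail itself for tampering. As an added illustration that is not from the book, here is a small Python checker run over a few constructed audit lines; the key=value log format, the /srv/payroll/ path and the hr_admin account are all assumptions made for the example.

```python
"""Spot snooping on sensitive files, and tampering with the audit trail,
in a key=value audit log (constructed example; see lead-in)."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit trail, invented for this example. Each line has a
# monotonically increasing seq number, so holes reveal deleted entries or a
# period when auditing was switched off.
SAMPLE_LOG = """\
seq=101 ts=2003-04-02T09:12:04 user=joe event=open path=/srv/payroll/salaries.dat result=success
seq=102 ts=2003-04-02T09:12:09 user=joe event=open path=/srv/payroll/bonuses.dat result=success
seq=103 ts=2003-04-02T09:15:44 user=hr_admin event=open path=/srv/payroll/salaries.dat result=success
seq=104 ts=2003-04-02T09:20:01 user=kevin event=open path=/srv/projects/notes.txt result=success
seq=105 ts=2003-04-02T09:31:17 user=ops event=open path=/srv/payroll/salaries.dat result=denied
seq=106 ts=2003-04-02T09:40:00 user=joe event=audit_config action=disable
seq=109 ts=2003-04-02T10:02:55 user=joe event=open path=/srv/payroll/salaries.dat result=success
"""

# Assumptions for the example: payroll data lives under this prefix and only
# the HR administrator account has a business reason to read it. IT staff
# may have the privilege to open it, but not the authorization.
SENSITIVE_PREFIXES = ("/srv/payroll/",)
AUTHORIZED_READERS = frozenset({"hr_admin"})


@dataclass
class Finding:
    seq: int
    user: str
    kind: str    # unauthorized_access | denied_access | audit_tamper | sequence_gap
    detail: str


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def analyze(log_text: str,
            sensitive_prefixes=SENSITIVE_PREFIXES,
            authorized=AUTHORIZED_READERS) -> list:
    """Return one Finding per suspicious event, in log order."""
    findings = []
    expected_seq = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if "seq" not in rec:
            continue
        seq = int(rec["seq"])
        user = rec.get("user", "?")

        # A hole in the sequence means entries were removed or logging was
        # off for a while: exactly the cover-up the text says to expect.
        if expected_seq is not None and seq != expected_seq:
            findings.append(Finding(seq, user, "sequence_gap",
                                    f"expected seq {expected_seq}, got {seq}"))
        expected_seq = seq + 1

        event = rec.get("event")
        if event == "audit_config":
            # Whoever turns auditing off is of interest regardless of why.
            findings.append(Finding(seq, user, "audit_tamper",
                                    f"auditing set to '{rec.get('action', '?')}'"))
            continue
        if event != "open":
            continue

        path = rec.get("path", "")
        if not any(path.startswith(p) for p in sensitive_prefixes):
            continue
        if user in authorized:
            continue
        # Record failed attempts too: a denied open still shows intent.
        kind = ("unauthorized_access" if rec.get("result") == "success"
                else "denied_access")
        findings.append(Finding(seq, user, kind, path))
    return findings


def summarize_by_user(findings) -> dict:
    """Count findings per account so a repeat snooper stands out."""
    return dict(Counter(f.user for f in findings))


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"seq={f.seq} {f.kind:<19} user={f.user:<9} {f.detail}")
    print(summarize_by_user(results))
```

On the constructed log the checker flags joe three times for reading payroll, once for switching auditing off, and once for the gap at seq 109, which is the kind of trail the text says makes the cover-up cost more effort than the snooping itself.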
Sensitive files can be protected by installing proper access controls so that only authorized people can open them. Some operating systems have audit controls that can be configured to maintain a log of certain events, such as each person who attempts to access a protected file, regardless of whether or not the attempt succeeds.

If your company has understood this issue and has implemented proper access controls and auditing that protects sensitive files, you're taking powerful steps in the right direction.

Chapter 2 Combining Technology and Social Engineering

A social engineer lives by his ability to manipulate people into doing things that help him achieve his goal, but success often also requires a large measure of knowledge and skill with computer systems and telephone systems.

HACKING BEHIND BARS

What are some of the most secure installations you can think of, protected against break-in, whether physical, telecommunications, or electronic in nature? Fort Knox? Sure. The White House? Absolutely. NORAD, the North American Air Defense installation buried deep under a mountain? Most definitely.

How about federal prisons and detention centers? They must be about as secure as any place in the country, right? People rarely escape, and when they do, they are normally caught in short order. You would think that a federal facility would be invulnerable to social engineering attacks. But you would be wrong; there is no such thing as foolproof security, anywhere.

A few years ago, a pair of grifters (professional swindlers) ran into a problem. It turned out they had lifted a large bundle of cash from a local judge. The pair had been in trouble with the law on and off through the years, but this time the federal authorities took an interest. They nabbed one of the grifters, Charles Gondorff, and tossed him into a correctional center near San Diego. The federal magistrate ordered him detained as a flight risk and a danger to the community.
His pal Johnny Hooker knew that Charlie was going to need a defense attorney. But where was the money going to come from? Like most grifters, their money had always gone for good clothes, fancy cars, and the ladies as fast as it came in. Johnny barely had enough to live on. The money for a good lawyer would have to come from running another scam. Johnny wasn't up to doing this on his own. Charlie Gondorff had always been the brains behind their cons. But Johnny didn't dare visit the detention center to ask Charlie what to do, not when the Feds knew there had been two men involved in the scam and were so eager to lay their hands on the other one. Especially since only family can visit, which meant he'd have to show fake identification and claim to be a family member. Trying to use fake ID in a federal prison didn't sound like a smart idea.

No, he'd have to get in touch with Gondorff some other way.

It wouldn't be easy. No inmate in any federal, state, or local facility is allowed to receive phone calls. A sign posted by every inmate telephone in a federal detention center says something like, "This notice is to advise the user that all conversations from this telephone are subject to monitoring, and the use of the telephone constitutes consent to the monitoring." Having government officials listen in on your phone calls while committing a crime has a way of extending your federally funded vacation plans.

Johnny knew, though, that certain phone calls were not monitored: calls between a prisoner and his attorney, protected by the Constitution as client-attorney communications, for example. In fact, the facility where Gondorff was being held had telephones connected directly to the federal Public Defender's Office. Pick up one of those phones, and a direct connection is made to the corresponding telephone in the PDO. The phone company calls this service Direct Connect.
The unsuspecting authorities assume the service is secure and invulnerable to tampering because outgoing calls can only go to the PDO, and incoming calls are blocked. Even if someone were somehow able to find out the phone number, the phones are programmed in the telephone company switch as deny terminate, which is a clumsy phone company term for service where incoming calls are not permitted.

Since any halfway decent grifter is well versed in the art of deception, Johnny figured there had to be a way around this problem. From the inside, Gondorff had already tried picking up one of the PDO phones and saying, "This is Tom, at the phone company repair center. We're running a test on this line and I need you to try dialing nine, and then zero-zero." The nine would have accessed an outside line, the zero-zero would then have reached a long-distance operator. It didn't work; the person answering the phone at the PDO was already hip to that trick.

Johnny was having better success. He readily found out that there were ten housing units in the detention center, each with a direct connect telephone line to the Public Defender's Office. Johnny encountered some obstacles, but like a social engineer, he was able to think his way around these annoying stumbling blocks. Which unit was Gondorff in? What was the telephone number to the direct connect services in that housing unit? And how would he initially get a message to Gondorff without it being intercepted by prison officials?

What may appear impossible to average folks, like obtaining the secret telephone numbers located in federal institutions, is very often no more than a few phone calls away for a con artist. After a couple of tossing-and-turning nights brainstorming a plan, Johnny woke up one morning with the whole thing laid out in his mind, in five steps.

First, he'd find out the phone numbers for those ten direct-connect telephones to the PDO.
He'd have all ten changed so that the phones would allow incoming calls. He'd find out which housing unit Gondorff was on. Then he'd find out which phone number went to that unit. Finally, he'd arrange with Gondorff when to expect his call, without the government suspecting a thing. Piece a' cake, he thought.

LINGO
DIRECT CONNECT: Phone company term for a phone line that goes directly to a specific number when picked up.
DENY TERMINATE: A phone company service option where switching equipment is set so that incoming calls cannot be received at a phone number.

Calling Ma Bell...

Johnny began by calling the phone company business office under the pretext of being from the General Services Administration, the agency responsible for purchasing goods and services for the federal government. He said he was working on an acquisition order for additional services and needed to know the billing information for any direct connect services currently in use, including the working telephone numbers and monthly cost at the San Diego detention center. The lady was happy to help.

Just to make sure, he tried dialing into one of those lines and was answered by the typical audichron recording, "This line has been disconnected or is no longer in service"—which he knew meant nothing of the kind but instead meant that the line was programmed to block incoming calls, just as he expected.

He knew from his extensive knowledge of phone company operations and procedures that he'd need to reach a department called the Recent Change Memory Authorization Center or RCMAC (I will always wonder who makes up these names!). He began by calling the phone company Business Office, said he was in Repair and needed to know the number for the RCMAC that handled the service area for the area code and prefix he gave, which was served out of the same central office for all ten telephone lines in the detention center.
It was a routine request, the kind provided for technicians out in the field in need of some assistance, and the clerk had no hesitation in giving him the number.

He called RCMAC, gave a phony name and again said he was in Repair. He had the lady who answered access one of the telephone numbers he had conned out of the business office a few calls earlier; when she had it up, Johnny asked, "Is the number set to deny termination?"

"Yes," she said.

"Well, that explains why the customer isn't able to receive calls!" Johnny said. "Listen, can you do me a favor? I need you to change the line class code or remove the deny terminate feature, okay?"

There was a pause as she checked another computer system to verify that a service order had been placed to authorize the change. She said, "That number is supposed to be restricted for outgoing calls only. There's no service order for a change."

"Right, it's a mistake. We were supposed to process the order yesterday but the regular account rep that handles this customer went home sick and forgot to have someone else take care of the order for her. So now of course the customer is up in arms about it."

After a momentary pause while the lady pondered this request, which would be out of the ordinary and against standard operating procedures, she said, "Okay." He could hear her typing, entering the change. And a few seconds later, it was done.

The ice had been broken, a kind of collusion established between them. Reading the woman's attitude and willingness to help, Johnny didn't hesitate to go for it all. He said, "Do you have a few minutes more to help me?"

"Yeah," she answered. "What do you need?"

"I've got several other lines that belong to the same customer, and all have the same problem. I'll read off the numbers, so you can make sure that they're not set for deny terminate, okay?" She said that was fine.

A few minutes later, all ten phone lines had been "fixed" to accept incoming calls.
Finding Gondorff

Next, find out what housing unit Gondorff was on. This is information that the people who run detention centers and prisons definitely don't want outsiders to know. Once again Johnny had to rely on his social engineering skills.

He placed a call to a federal prison in another city--he called Miami, but any one would have worked--and claimed he was calling from the detention center in New York. He asked to talk to somebody who worked with the Bureau's Sentry computer, the computer system that contains information on every prisoner being held in a Bureau of Prisons facility anywhere in the country.

When that person came on the phone, Johnny put on his Brooklyn accent. "Hi," he said. "This is Thomas at the FDC New York. Our connection to Sentry keeps going down, can you find the location of a prisoner for me, I think this prisoner may be at your institution," and gave Gondorff's name and his registration number.

"No, he's not here," the guy said after a couple of moments. "He's at the correctional center in San Diego."

Johnny pretended to be surprised. "San Diego! He was supposed to be transferred to Miami on the Marshal's airlift last week! Are we talking about the same guy--what's the guy's DOB?"

"12/3/60," the man read from his screen.

"Yeah, that's the same guy. What housing unit is he on?"

"He's on Ten North," the man said--blithely answering the question even though there isn't any conceivable reason why a prison employee in New York would need to know this.

Johnny now had the phones turned on for incoming calls, and knew which housing unit Gondorff was on. Next, find out which phone number connected to unit Ten North.

This one was a bit difficult. Johnny called one of the numbers. He knew the ringer of the phone would be turned off; no one would know it was ringing. So he sat there reading Fodor's Europe's Great Cities travel guide while listening to the constant ringing on speakerphone until finally somebody picked up.
The inmate on the other end would, of course, be trying to reach his court-appointed lawyer. Johnny was prepared with the expected response. "Public Defender's Office," he announced.

When the man asked for his attorney, Johnny said, "I'll see if he's available, what housing unit are you calling from?" He jotted down the man's answer, clicked onto hold, came back after half a minute and said, "He's in court, you'll have to call back later," and hung up.

He had spent the better part of a morning, but it could have been worse; his fourth attempt turned out to be from Ten North. So Johnny now knew the phone number to the PDO phone on Gondorff's housing unit.

Synchronize Your Watches

Now to get a message through to Gondorff on when to pick up the telephone line that connects inmates directly to the Public Defender's Office. This was easier than it might sound.

Johnny called the detention center using his official-sounding voice, identified himself as an employee, and asked to be transferred to Ten North. The call was put right through. When the correctional officer there picked up, Johnny conned him by using the insider's abbreviation for Receiving and Discharge, the unit that processes new inmates in, and departing ones out: "This is Tyson in R&D," he said. "I need to speak to inmate Gondorff. We have some property of his we have to ship and we need an address where he wants it sent. Could you call him to the phone for me?"

Johnny could hear the guard shouting across the day room. After an impatient several minutes, a familiar voice came on the line.

Johnny told him, "Don't say anything until I explain what this is." He explained the pretext so Johnny could sound like he was discussing where his property should be shipped. Johnny then said, "If you can get to the Public Defender phone at one this afternoon, don't respond. If you can't, then say a time that you can be there." Gondorff didn't reply. Johnny went on, "Good. Be there at one o'clock. I'll call you then.
Pick up the phone. If it starts to ring to the Public Defender's Office, flash the switch hook every twenty seconds. Keep trying till you hear me on the other end." At one o'clock, Gondorff picked up the phone, and Johnny was there waiting for him. They had a chatty, enjoyable, unhurried conversation, leading to a series of similar calls to plan the scam that would raise the money to pay Gondorff's legal fees--all free from government surveillance.
Analyzing the Con
This episode offers a prime example of how a social engineer can make the seemingly impossible happen by conning several people, each one doing something that, by itself, seems inconsequential. In reality, each action provides one small piece of the puzzle until the con is complete. The first phone company employee thought she was giving information to someone from the federal government's General Accounting Office. The next phone company employee knew she wasn't supposed to change the class of telephone service without a service order, but helped out the friendly man anyway. This made it possible to place calls through to all ten of the public defender phone lines in the detention center. For the man at the detention center in Miami, the request to help someone at another federal facility with a computer problem seemed perfectly reasonable. And even though there didn't seem any reason he would want to know the housing unit, why not answer the question? And the guard on Ten North who believed that the caller was really from within the same facility, calling on official business? It was a perfectly reasonable request, so he called the inmate Gondorff to the telephone. No big deal. A series of well-planned stories that added up to completing the sting.
THE SPEEDY DOWNLOAD Ten years after they had finished law school, Ned Racine saw his classmates living in nice homes with front lawns, belonging to country clubs, playing golf once or twice a week, while he was still handling penny-ante cases for the kind of people who never had enough money to pay his bill. Jealousy can be a nasty companion. Finally one day, Ned had had enough. The one good client he ever had was a small but very successful accounting firm that specialized in mergers and acquisitions. They hadn't used Ned for long, just long enough for him to realize they were involved in deals that, once they hit the newspapers, would affect the stock price of one or two publicly traded companies. Penny-ante, bulletin-board stocks, but in some ways that was even better--a small jump in price could represent a big percentage gain on an investment. If he could only tap into their files and find out what they were working on... He knew a man who knew a man who was wise about things not exactly in the mainstream. The man listened to the plan, got fired up and agreed to help. For a smaller fee than he usually charged, against a percentage of Ned's stock market killing, the man gave Ned instructions on what to do. He also gave him a handy little device to use, something brand-new on the market. For a few days in a row Ned kept watch on the parking lot of the small business park where the accounting company had its unpretentious, storefront-like offices. Most people left between 5:30 and 6. By 7, the lot was empty. The cleaning crew showed up around 7:30. Perfect. The next night at a few minutes before 8 o'clock, Ned parked across the street from the parking lot. As he expected, the lot was empty except for the truck from the janitorial services company. Ned put his ear to the door and heard the vacuum cleaner running. He knocked at the door very loudly, and stood there waiting in his suit and tie, holding his well-worn briefcase. No answer, but he was patient. 
He knocked again. A man from the cleaning crew finally appeared. "Hi," Ned shouted through the glass door, showing the business card of one of the partners that he had picked up some time earlier. "I locked my keys in my car and I need to get to my desk." The man unlocked the door, locked it again behind Ned, and then went down the corridor turning on lights so Ned could see where he was going. And why not--he was being kind to one of the people who helped put food on his table. Or so he had every reason to think. Ned sat down at the computer of one of the partners, and turned it on. While it was starting up, he installed the small device he had been given into the USB port of the computer, a gadget small enough to carry on a
key ring, yet able to hold more than 120 megabytes of data. He logged into the network with the username and password of the partner's secretary, which were conveniently written down on a Post-it note stuck to the display. In less than five minutes, Ned had downloaded every spreadsheet and document file stored on the workstation and from the partner's network directory and was on his way home.
MITNICK MESSAGE
Industrial spies and computer intruders will sometimes make a physical entry into the targeted business. Rather than using a crowbar to break in, the social engineer uses the art of deception to influence the person on the other side of the door to open up for him.
EASY MONEY
When I was first introduced to computers in high school, we had to connect over a modem to one central DEC PDP 11 minicomputer in downtown Los Angeles that all the high schools in L.A. shared. The operating system on that computer was called RSTS/E, and it was the operating system I first learned to work with. At that time, in 1981, DEC sponsored an annual conference for its product users, and one year I read that the conference was going to be held in L.A. A popular magazine for users of this operating system carried an announcement about a new security product, LOCK-11. The product was being promoted with a clever ad campaign that said something like, "It's 3:30 A.M. and Johnny down the street found your dial-in number, 555-0336, on his 336th try. He's in and you're out. Get LOCK-11." The product, the ad suggested, was hacker-proof. And it was going to be on display at the conference. I was eager to see the product for myself. A high school buddy and friend, Vinny, my hacking partner for several years who later became a federal informant against me, shared my interest in the new DEC product, and encouraged me to go to the conference with him.
Cash on the Line
We arrived to find a big buzz already going around the crowd at the trade show about LOCK-11.
It seemed that the developers were staking cash on the line in a bet that no one could break into their product. Sounded like a challenge I could not resist. We headed straight for the LOCK-11 booth and found it manned by three guys who were the developers of the product; I recognized them and they recognized me--even as a teen, I already had a reputation as a phreaker and hacker because of a big story the LA Times had run about my first juvenile brush with the authorities. The article reported that I had talked my way into a Pacific Telephone building in the middle of the night and walked out with computer manuals, right under the nose of their security guard. (It appears the Times wanted to run a sensationalist story and it served their purposes to publish my name; because I was still a juvenile, the article violated the custom if not the law of withholding the names of minors accused of wrongdoing.) When Vinny and I walked up, it created some interest on both sides. There was an interest on their side because they recognized me as the hacker they had read about and they were a bit shocked to see me. It created an interest on our side because each of the three developers was standing there with a $100 bill sticking out of his tradeshow badge. The prize money for anybody who could defeat their system would be the whole $300--which sounded like a lot of money to a pair of teenagers. We could hardly wait to get started. LOCK-11 was designed on an established principle that relied on two levels of security. A user had to have a valid ID and password, as usual, but in addition that ID and password would only work when entered from authorized terminals, an approach called terminal-based security. To defeat the system, a hacker would need not only to have knowledge of an account ID and password, but would also have to enter that information from the correct terminal.
The method was well established, and the inventors of LOCK-11 were convinced it would keep the bad guys out. We decided we were going to teach them a lesson, and earn three hundred bucks to boot. A guy I knew who was considered an RSTS/E guru had already beaten us to the booth. Years before he had been one of the guys who had challenged me to break into the DEC internal development computer, after which his associates had turned me in. Since those days he had become a respected programmer. We found out that he had tried to defeat the LOCK-11 security program not long before we arrived, but had been unable to. The incident had given the developers greater confidence that their product really was secure. The contest was a straightforward challenge: You break in, you win the bucks. A good publicity stunt... unless somebody was able to embarrass them and take the money. They were so sure of their product that they were even audacious enough to have a printout posted at the booth giving the account numbers and corresponding passwords to some accounts on the system. And not just regular user accounts, but all the privileged accounts. That was actually less daring than it sounds: In this type of set-up, I knew, each terminal is plugged into a port on the computer itself. It wasn't rocket science to figure out they had set up the five terminals in the conference hall so a visitor could log in only as a non-privileged user--that is, logins were possible only to accounts without system administrator privileges. It looked as if there were only two routes: either bypass the security software altogether--exactly what the LOCK-11 was designed to prevent; or somehow get around the software in a way that the developers hadn't imagined.
Taking Up the Challenge
Vinny and I walked away and talked about the challenge, and I came up with a plan. We wandered around innocently, keeping an eye on the booth from a distance.
At lunchtime, when the crowd thinned out, the three developers took advantage of the break and took off together to get something to eat, leaving behind a woman who might have been the wife or girlfriend of one of them. We sauntered back over and I distracted the woman, chatting her up about this and that, "How long have you been with the company?" "What other products does your company have on the market?" and so on. Meanwhile Vinny, out of her sight line, had gone to work, making use of a skill he and I had both developed. Besides the fascination of breaking into computers, and my own interest in magic, we had both been intrigued by learning how to open locks. As a young kid, I had scoured the shelves of an underground bookstore in the San Fernando Valley that had volumes on picking locks, getting out of handcuffs, creating fake identities--all kinds of things a kid was not supposed to know about. Vinny, like me, had practiced lock-picking until we were pretty good with any run-of-the-mill hardware-store lock. There had been a time when I got a kick out of pranks involving locks, like spotting somebody who was using two locks for extra protection, picking the locks, and putting them back in the opposite places, which would baffle and frustrate the owner when he tried to open each with the wrong key. In the exhibit hall, I continued to keep the young woman distracted while Vinny, squatting down at the back of the booth so he couldn't be seen, picked the lock on the cabinet that housed their PDP-11 minicomputer and the cable terminations. To call the cabinet locked was almost a joke. It was secured with what locksmiths refer to as a wafer lock, notoriously easy to pick, even for fairly clumsy, amateur lock-pickers like us. It took Vinny all of about a minute to open the lock. Inside the cabinet he found just what we had anticipated: the strip of ports for plugging in user terminals, and one port for what's called the console terminal.
This was the terminal used by the computer operator or system administrator to control all the computers. Vinny plugged the cable leading from the console port into one of the terminals on the show floor. That meant this one terminal was now recognized as a console terminal. I sat down at the recabled machine and logged in using a password the developers had so audaciously provided. Because the LOCK-11 software now identified that I was logging in from an authorized terminal, it granted me access, and I was connected with system administrator privileges. I patched the operating system by changing it so that from any of the terminals on the floor, I would be able to log in as a privileged user. Once my secret patch was installed, Vinny went back to work disconnecting the terminal cable and plugging it back in where it had been originally. Then he picked the lock once again, this time to fasten the cabinet door closed. I did a directory listing to find out what files were on the computer, looking for the LOCK-11 program and associated files and stumbled on something I found shocking: a directory that should not have been on this machine. The developers had been so overconfident, so certain their software was invincible, that they hadn't bothered to remove the source code of their new product. Moving to the adjacent hard-copy terminal, I started printing out portions of the source code onto the continuous sheets of the green-striped computer paper used in those days. Vinny had only just barely finished picking the lock closed and rejoined me when the guys returned from lunch. They found me sitting at the computer pounding the keys while the printer continued to churn away. "What'cha doing, Kevin?" one of them asked. "Oh, just printing out your source code," I said. They assumed I was joking, of course. Until they looked at the printer and saw that it really was the jealously guarded source code for their product.
They didn't believe it was possible that I was logged in as a privileged user. "Type a Control-T," one of the developers commanded. I did. The display that appeared on the screen confirmed my claim. The guy smacked his forehead, as Vinny said, "Three hundred dollars, please."
MITNICK MESSAGE
Here's another example of smart people underestimating the enemy. How about you--are you so certain about your company's security safeguards that you would bet $300 against an attacker breaking in? Sometimes the way around a technological security device is not the one you expect.
They paid up. Vinny and I walked around the tradeshow floor for the rest of the day with the hundred-dollar bills stuck into our conference badges. Everyone who saw the bills knew what they represented. Of course, Vinny and I hadn't defeated their software, and if the developer team had thought to set better rules for the contest, or had used a really secure lock, or had watched their equipment more carefully, they wouldn't have suffered the humiliation of that day--humiliation at the hands of a pair of teenagers. I found out later that the developer team had to stop by a bank to get some cash: those hundred-dollar bills represented all the spending money they had brought with them.
THE DICTIONARY AS AN ATTACK TOOL
When someone obtains your password, he's able to invade your system. In most circumstances, you never even know that anything bad has happened. A young attacker I'll call Ivan Peters had a target of retrieving the source code for a new electronic game. He had no trouble getting into the company's wide area network, because a hacker buddy of his had already compromised one of the company's Web servers. After finding an un-patched vulnerability in the Web server software, his buddy had just about fallen out of his chair when he realized the system had been set up as a dual-homed host, which meant he had an entry point into the internal network. But once Ivan was connected, he then faced a challenge that was like being inside the Louvre and hoping to find the Mona Lisa. Without a floor plan, you could wander for weeks. The company was global, with hundreds of offices and thousands of computer servers, and they didn't exactly provide an index of development systems or the services of a tour guide to steer him to the right one. Instead of using a technical approach to finding out what server he needed to target, Ivan used a social engineering approach. He placed phone calls based on methods similar to those described elsewhere in this book. First, calling IT technical support, he claimed to be a company employee having an interface issue on a product his group was designing, and asked for the phone number of the project leader for the gaming development team. Then he called the name he'd been given, posing as a guy from IT. "Later tonight," he said, "we're swapping out a router and need to make sure the people on your team don't lose connectivity to your server. So we need to know which servers your team uses." The network was being upgraded all the time. And giving the name of the server wouldn't hurt anything anyway, now would it? Since it was password-protected, just having the name couldn't help anybody break in.
So the guy gave the attacker the server name. Didn't even bother to call the man back to verify his story, or write down his name and phone number. He just gave the name of the servers, ATM5 and ATM6.
The Password Attack
At this point, Ivan switched to a technical approach to get the authentication information. The first step with most technical attacks on systems that provide remote access capability is to identify an account with a weak password, which provides an initial entry point into the system. When an attacker attempts to use hacking tools for remotely identifying passwords, the effort may require him to stay connected to the company's network for hours at a time. Clearly he does this at his peril: The longer he stays connected, the greater the risk of detection and getting caught. As a preliminary step, Ivan would do an enumeration, which reveals details about a target system. Once again the Internet conveniently provides software for the purpose (at http://ntsleuth.0catch.com; the character before "catch" is a zero). Ivan found several publicly available hacking tools on the Web that automated the enumeration process, avoiding the need to do it by hand, which would take longer and thus run a higher risk. Knowing that the organization mostly deployed Windows-based servers, he downloaded a copy of NBTEnum, a NetBIOS (basic input/output system) enumeration utility. He entered the IP (Internet protocol) address of the ATM5 server, and started running the program.
LINGO
ENUMERATION A process that reveals the services enabled on the target system, the operating system platform, and a list of account names of the users who have access to the system.
The enumeration tool was able to identify several accounts that existed on the server. Once the existing accounts had been identified, the same enumeration tool had the ability to launch a dictionary attack against the computer system.
A dictionary attack is something that many computer security folks and intruders are intimately familiar with, but that most other people will probably be shocked to learn is possible. Such an attack is aimed at uncovering the password of each user on the system by using commonly used words. We're all lazy about some things, but it never ceases to amaze me that when people choose their passwords, their creativity and imagination seem to disappear. Most of us want a password that gives us protection but that is at the same time easy to remember, which usually means something closely connected to us. Our initials, middle name, nickname, spouse's name, favorite song, movie, or brew, for example. The name of the street we live on or the town we live in, the kind of car we drive, the beachfront village we like to stay at in Hawaii, or that favorite stream with the best trout fishing around. Recognize the pattern here? These are mostly personal names, place names, or dictionary words. A dictionary attack runs through common words at a very rapid pace, trying each as a password on one or more user accounts. Ivan ran the dictionary attack in three phases. For the first, he used a simple list of some 800 of the most common passwords; the list includes secret, work, and password. Also the program permutated the dictionary words to try each word with an appended digit, or appending the number of the current month. The program tried each attempt against all of the user accounts that had been identified. No luck. For the next attempt, Ivan went to Google's search engine and typed, "wordlists dictionaries," and found thousands of sites with extensive wordlists and dictionaries for English and several foreign languages. He downloaded an entire electronic English dictionary. He then enhanced this by downloading a number of word lists that he found with Google. Ivan chose the site at www.outpost9.com/files/WordLists.html. 
This site allowed him to download (all of this for free) a selection of files including family names, given names, congressional names and words, actor's names, and words and names from the Bible. Another of the many sites offering word lists is actually provided through Oxford University, at ftp://ftp.ox.ac.uk/pub/wordlists. Other sites offer lists with the names of cartoon characters, words used in Shakespeare, in the Odyssey, Tolkien, and the Star Trek series, as well as in science and religion, and on and on. (One on-line company sells a list containing 4.4 million words and names for only $20.) The attack program can be set to test the anagrams of the dictionary words, as well--another favorite method that many computer users think increases their safety.
Faster Than You Think
Once Ivan had decided which wordlist to use, and started the attack, the software ran on autopilot. He was able to turn his attention to other things. And here's the incredible part: You would think such an attack would allow the hacker to take a Rip van Winkle snooze and the software would still have made little progress when he awoke. In fact, depending on the platform being attacked, the security configuration of the system, and network connectivity, every word in an English dictionary can, incredibly, be attempted in less than thirty minutes! While this attack was running, Ivan started another computer running a similar attack on the other server used by the development group, ATM6. Twenty minutes later, the attack software had done what most unsuspecting users like to think is impossible: It had broken a password, revealing that one of the users had chosen the password "Frodo," one of the Hobbits in the book The Lord of the Rings. With this password in hand, Ivan was able to connect to the ATM6 server using the user's account. There was good news and bad news for our attacker.
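The password rules Ivan's tool applied (a common-password list, then a dictionary, each word also tried with one appended digit or the current month number, optionally anagrams) can be turned around into a policy check that tells a defender whether a chosen password would have survived. The following is an added example, not code from the book or from any cracking tool; the word lists are tiny constructed stand-ins for the 800-entry list and the full dictionary, and the assumption that the month is tried both as "3" and "03" is mine.

```python
"""Would this password fall to the dictionary attack described above?

Added example, not code from the book or from any cracking tool.  The word
lists below are constructed stand-ins for the real 800-entry common-password
list and the English dictionary plus name lists that Ivan downloaded.
"""
from datetime import date
from typing import Iterator, Optional

COMMON_PASSWORDS = frozenset({"secret", "work", "password", "letmein", "welcome"})
DICTIONARY = frozenset({"frodo", "gamers", "helicopter", "trout", "hawaii",
                        "bilbo", "mustang", "summer"})
# Anagram test: a password is an anagram of a list word when its sorted
# letters match; indexing the sorted letters avoids generating permutations.
ANAGRAM_INDEX = {"".join(sorted(w)): w for w in COMMON_PASSWORDS | DICTIONARY}


def attack_candidates(word: str, month: int) -> Iterator[str]:
    """Variants the attack tries for one list word: the word itself, the word
    plus one digit, and the word plus the current month number (assumed here
    to be tried both as '3' and '03')."""
    yield word
    for digit in "0123456789":
        yield word + digit
    yield f"{word}{month}"
    yield f"{word}{month:02d}"


def cracked_by_page_attack(password: str, month: Optional[int] = None) -> Optional[str]:
    """Return which phase of the attack recovers `password`, or None.
    Matching is case-insensitive (an assumption: the lists are lower-case and
    the tool is taken to fold case, stricter than a literal comparison)."""
    month = month or date.today().month
    pw = password.lower()
    for phase, words in (("phase 1: common-password list", COMMON_PASSWORDS),
                         ("phase 2: dictionary and word lists", DICTIONARY)):
        for word in words:
            if pw in attack_candidates(word, month):
                return phase
    return None


def policy_check(password: str, month: Optional[int] = None) -> Optional[str]:
    """Defender-side check, stricter than the literal attack: also rejects a
    list word followed by any run of digits, and anagrams of list words."""
    reason = cracked_by_page_attack(password, month)
    if reason:
        return reason
    base = password.lower().rstrip("0123456789")
    if base in COMMON_PASSWORDS or base in DICTIONARY:
        return "list word with digits appended"
    original = ANAGRAM_INDEX.get("".join(sorted(base)))
    if original:
        return f"anagram of list word '{original}'"
    return None


if __name__ == "__main__":
    # Constructed candidates; "Frodo" is the password the story says was cracked.
    for candidate in ("Frodo", "password1", "trout03", "rofdo", "Tr0ut-Fishing!"):
        verdict = policy_check(candidate, month=11)
        print(f"{candidate!r:18} -> {verdict or 'not found by these rules'}")
```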
The good news was that the account he cracked had administrator privileges, which would be essential for the next step. The bad news was that the source code for the game was not anywhere to be found. It must be, after all, on the other machine, the ATM5, which he already knew was resistant to a dictionary attack. But Ivan wasn't giving up just yet; he still had a few more tricks to try. On some Windows and UNIX operating systems, password hashes (encrypted passwords) are openly available to anyone who has access to the computer they're stored on. The reasoning is that the encrypted passwords cannot be broken and therefore do not need to be protected. The theory is wrong. Using another tool called pwdump3, also available on the Internet, he was able to extract the password hashes from the ATM6 machine and download them. A typical file of password hashes looks like this: With the hashes now downloaded to his computer, Ivan used another tool that performed a different flavor of password attack known as brute force. This kind of attack tries every combination of alphanumeric characters and most special symbols.
Ivan used a software utility called L0phtcrack3 (pronounced loft-crack; available at www.atstake.com; another source for some excellent password recovery tools is www.elcomsoft.com). System administrators use L0phtcrack3 to audit weak passwords; attackers use it to crack passwords. The brute force feature in LC3 tries passwords with combinations of letters, numerals, and most symbols including !@#$%^&. It systematically tries every possible combination of most characters. (Note, however, that if nonprintable characters are used, LC3 will be unable to discover the password.) The program has a nearly unbelievable speed, which can reach to as high as 2.8 million attempts a second on a machine with a 1 GHz processor. Even with this speed, and if the system administrator has configured the Windows operating system properly (disabling the use of LANMAN hashes), breaking a password can still take an excessive amount of time.
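The LANMAN point above is something an administrator can check in the hash file itself before an attacker ever downloads it: the LM hash of an empty 7-character half is a fixed, well-known value, so a dump shows at a glance which accounts still store a LANMAN hash and which passwords are seven characters or fewer. The following audit of a pwdump-style file (user:rid:LM-hash:NT-hash:::) is an added example, not code from the book or from pwdump3 or L0phtcrack3; the sample dump is constructed and every hash value is a placeholder apart from the two well-known empty-password constants.

```python
"""Audit a pwdump-style hash file for LAN Manager exposure.

Added example, not code from the book or from pwdump3/L0phtcrack3.  Input
format assumed: one account per line, user:rid:LM_hash:NT_hash:::
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# LM hashing pads the password to 14 characters, splits it into two
# 7-character halves and DES-encrypts a fixed string with each half, so an
# empty half always produces this value.  Both halves empty means no LM hash
# is stored (LANMAN disabled or empty password); only the second half empty
# means the password is at most 7 characters long.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2
# NT hash (MD4 of the UTF-16LE password) of the empty string.
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"
HEX32 = re.compile(r"^[0-9A-F]{32}$")


@dataclass
class Finding:
    user: str
    rid: int
    lm_stored: bool       # a usable LM hash is present: LANMAN not disabled
    short_password: bool  # LM second half empty: password is 7 chars or fewer
    empty_password: bool  # NT hash is the hash of the empty string


def parse_line(line: str) -> Optional[Finding]:
    """Parse one dump line; return None for blank or comment lines.
    Some dump tools print a 'NO PASSWORD***' placeholder instead of the
    empty-hash constant, so anything that is not 32 hex digits is treated
    as 'no hash stored'."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError(f"malformed dump line: {line!r}")
    user, rid = fields[0], int(fields[1])
    lm, nt = fields[2].upper(), fields[3].upper()
    lm_valid = bool(HEX32.match(lm)) and lm != EMPTY_LM_HASH
    return Finding(
        user=user,
        rid=rid,
        lm_stored=lm_valid,
        short_password=lm_valid and lm.endswith(EMPTY_LM_HALF),
        empty_password=nt == EMPTY_NT_HASH,
    )


def audit(dump: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in dump.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return {
        "accounts": len(findings),
        "lm_stored": sum(f.lm_stored for f in findings),
        "short_password": sum(f.short_password for f in findings),
        "empty_password": sum(f.empty_password for f in findings),
    }


# Constructed sample, not real account data.  Hash values are placeholders
# except for the well-known empty-half LM value and the empty-string NT hash.
SAMPLE_DUMP = """\
# user:rid:lm_hash:nt_hash:::
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
alice:1001:0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
bob:1002:AAD3B435B51404EEAAD3B435B51404EE:FFEEDDCCBBAA99887766554433221100:::
carol:1003:NO PASSWORD*********************:0F1E2D3C4B5A69788796A5B4C3D2E1F0:::
guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
"""

if __name__ == "__main__":
    results = audit(SAMPLE_DUMP)
    for f in results:
        flags = [n for n in ("lm_stored", "short_password", "empty_password")
                 if getattr(f, n)]
        print(f"{f.user:14} rid={f.rid:<5} {' '.join(flags) or 'ok'}")
    print(summarize(results))
```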
LINGO
BRUTE FORCE ATTACK A password detection strategy that tries every possible combination of alphanumeric characters and special symbols.
For that reason the attacker often downloads the hashes and runs the attack on his or another machine, rather than staying on line on the target company's network and risking detection. For Ivan, the wait was not that long. Several hours later the program presented him with passwords for every one of the development team members. But these were the passwords for users on the ATM6 machine, and he already knew the game source code he was after was not on this server. What now? He still had not been able to get a password for an account on the ATM5 machine. Using his hacker mindset, understanding the poor security habits of typical users, he figured one of the team members might have chosen the same password for both machines. In fact, that's exactly what he found. One of the team members was using the password "gamers" on both ATM5 and ATM6. The door had swung wide open for Ivan to hunt around until he found the programs he was after. Once he located the source-code tree and gleefully downloaded it, he took one further step typical of system crackers: He changed the password of a dormant account that had administrator rights, just in case he wanted to get an updated version of the software at some time in the future.
Analyzing the Con
In this attack that called on both technical and people-based vulnerabilities, the attacker began with a pretext telephone call to obtain the location and host names of the development servers that held the proprietary information. He then used a software utility to identify valid account-user names for everyone who had an account on the development server.
Next he ran two successive password attacks, including a dictionary attack, which searches for commonly used passwords by trying all of the words in an English dictionary, sometimes augmented by several word lists containing names, places, and items of special interest. Because both commercial and public-domain hacking tools can be obtained by anyone for whatever purpose they have in mind, it's all the more important that you be vigilant in protecting enterprise computer systems and your network infrastructure. The magnitude of this threat cannot be overestimated. According to Computer World magazine, an analysis at New York-based Oppenheimer Funds led to a startling discovery. The firm's Vice President of Network Security and Disaster Recovery ran a password attack against the employees of his firm using one of the standard software packages. The magazine reported that within three minutes he managed to crack the passwords of 800 employees.
MITNICK MESSAGE
In the terminology of the game Monopoly, if you use a dictionary word for your password--Go directly to Jail. Do not pass Go, do not collect $200. You have to teach your employees how to choose passwords that truly protect your assets.
PREVENTING THE CON
Social engineering attacks may become even more destructive when the attacker adds a technology element. Preventing this kind of attack typically involves taking steps on both human and technical levels.
Just Say No
In the first story of the chapter, the telephone company RCMAC clerk should not have removed the deny terminate status from the ten phone lines when no service order existed authorizing the change. It's not enough for employees to know the security policies and procedures; employees must understand how important these policies are to the company in preventing damage. Security policies should discourage deviation from procedure through a system of rewards and consequences.
Naturally, the policies must be realistic, not calling on employees to carry out steps so burdensome that they are likely to be ignored. Also, a security awareness program needs to convince employees that, while it's important to complete job assignments in a timely manner, taking a shortcut that circumvents proper security procedures can be detrimental to the company and co-workers. The same caution should be present when providing information to a stranger on the telephone. No matter how persuasively the person presents himself, regardless of the person's status or seniority in the company, absolutely no information should be provided that is not designated as publicly available until the caller's identity has been positively verified. If this policy had been strictly observed, the social engineering scheme in this story would have failed and federal detainee Gondorff would never have been able to plan a new scam with his pal Johnny. This one point is so important that I reiterate it throughout this book: Verify, verify, verify. Any request not made in person should never be accepted without verifying the requestor's identity--period.
Cleaning Up
For any company that does not have security guards around the clock, the scheme wherein an attacker gains access to an office after hours presents a challenge. Cleaning people will ordinarily treat with respect anyone who appears to be with the company and appears legitimate. After all, this is someone who could get them in trouble or fired. For that reason, cleaning crews, whether internal or contracted from an outside agency, must be trained on physical security matters. Janitorial work doesn't exactly require a college education, or even the ability to speak English, and the usual training, if any, involves non-security related issues such as which kind of cleaning product to use for different tasks.
Generally these people don't get an instruction like, "If someone asks you to let them in after hours, you need to see their company ID card, and then call the cleaning company office, explain the situation, and wait for authorization." An organization needs to plan for a situation like the one in this chapter before it happens and train people accordingly. In my personal experience, I have found that most, if not all, private sector businesses are very lax in this area of physical security. You might try to approach the problem from the other end, putting the burden on your company's own employees. A company without 24-hour guard service should tell its employees that to get in after hours, they are to bring their own keys or electronic access cards, and must never put the cleaning people in the position of deciding who it is okay to admit. Then tell the janitorial company that their people must always be trained that no one is to be admitted to your premises by them at any time. This is a simple rule: Do not open the door for anyone. If appropriate, this could be put into writing as a condition of the contract with the cleaning company. Also, cleaning crews should be trained about piggybacking techniques (unauthorized persons following an authorized person into a secure entrance). They should also be trained not to allow another person to follow them into the building just because the person looks like they might be an employee. Follow up every now and then--say, three or four times a year--by staging a penetration test or vulnerability assessment. Have someone show up at the door when the cleaning crew is at work and try to talk her way into the building. Rather than using your own employees, you can hire a firm that specializes in this kind of penetration testing.
Pass It On: Protect Your Passwords

More and more, organizations are becoming vigilant about enforcing security policies through technical means, for example by configuring the operating system to enforce password policies and to limit the number of invalid login attempts that can be made before the account is locked out. In fact, Microsoft Windows business platforms generally have this feature built in. Still, because vendors recognize how easily annoyed customers are by features that require extra effort, the products are usually delivered with security features turned off. It's really about time that software manufacturers stopped delivering products with security features disabled by default when it should be the other way around. (I suspect they'll figure this out soon enough.)

Of course, corporate security policy should mandate that system administrators enforce security policy through technical means whenever possible, with the goal of not relying on fallible humans any more than necessary. It's a no-brainer that when you limit the number of successive invalid login attempts to a particular account, for example, you make an attacker's life significantly more difficult.

Every organization faces that uneasy balance between strong security and employee productivity, which leads some employees to ignore security policies, not accepting how essential these safeguards are for protecting the integrity of sensitive corporate information. If a company's policies leave some issues unaddressed, employees may take the path of least resistance and do whatever is most convenient and makes their job easier. Some employees may resist change and openly disregard good security habits. You may have encountered such an employee, who follows enforced rules about password length and complexity but then writes the password on a Post-it note and defiantly sticks it to his monitor.
A vital part of protecting your organization is the use of hard-to-discover passwords, combined with strong security settings in your technology. For a detailed discussion of recommended password policies, see Chapter 16.

Chapter 3
Attacks on the Entry-Level Employee

As many of the stories here demonstrate, the skilled social engineer often targets lower-level personnel in the organizational hierarchy. It can be easy to manipulate these people into revealing seemingly innocuous information that the attacker uses to advance one step closer to obtaining more sensitive company information.

An attacker targets entry-level employees because they are typically unaware of the value of specific company information or of the possible results of certain actions. Also, they tend to be easily influenced by some of the more common social engineering approaches: a caller who invokes authority; a person who seems friendly and likeable; a person who appears to know people in the company who are known to the victim; a request that the attacker claims is urgent; or the inference that the victim will gain some kind of favor or recognition. Here are some illustrations of the attack on the lower-level employee in action.

THE HELPFUL SECURITY GUARD

Swindlers hope to find a person who's greedy, because they are the ones most likely to fall for a con game. Social engineers, when targeting someone such as a member of a sanitation crew or a security guard, hope to find someone who is good-natured, friendly, and trusting of others. They are the ones most likely to be willing to help. That's just what the attacker had in mind in the following story.

Elliot's View

Date/time: 3:26 a.m. on a Tuesday morning in February 1998.
Location: Marchand Microsystems facility, Nashua, New Hampshire.

Elliot Staley knew he wasn't supposed to leave his station when he wasn't on his scheduled rounds.
But it was the middle of the night, for crying out loud, and he hadn't seen a single person since he had come on duty. And it was nearly time to make his rounds anyway. The poor guy on the telephone sounded like he really needed help. And it makes a person feel fine when they can do a little good for somebody.

Bill's Story

Bill Goodrock had a simple goal, one he had held on to, unaltered, since age twelve: to retire by age twenty-four, never touching a penny of his trust fund. To show his father, the almighty and unforgiving banker, that he could be a success on his own.

Only two years left, and it's by now perfectly clear he won't make his fortune in the next twenty-four months by being a brilliant businessman, and he won't do it by being a sharp investor. He once wondered about robbing banks with a gun, but that's just the stuff of fiction; the risk-benefit trade-off is so lousy. Instead he daydreams about doing a Rifkin--robbing a bank electronically.

The last time Bill was in Europe with the family, he opened a bank account in Monaco with 100 francs. It still has only 100 francs in it, but he has a plan that could help it reach seven digits in a hurry. Maybe even eight if he's lucky.

Bill's girlfriend Anne-Marie worked in M&A for a large Boston bank. One day while waiting at her offices until she got out of a late meeting, he gave in to curiosity and plugged his laptop into an Ethernet port in the conference room he was using. Yes!--he was on their internal network, connected inside the bank's network, behind the corporate firewall. That gave him an idea.

He pooled his talent with a classmate who knew a young woman named Julia, a brilliant computer science Ph.D. candidate doing an internship at Marchand Microsystems. Julia looked like a great source for essential insider information. They told her they were writing a script for a movie, and she actually believed them.
She thought it was fun making up a story with them and giving them all the details about how you could actually bring off the caper they had described. She thought the idea was brilliant, actually, and kept badgering them about giving her a screen credit, too. They warned her about how often screenplay ideas get stolen and made her swear she'd never tell anyone.

Suitably coached by Julia, Bill did the risky part himself and never doubted he could bring it off.

I called in the afternoon and managed to find out that the night supervisor of the security force was a man named Isaiah Adams. At 9:30 that night I called the building and talked to the guard on the lobby security desk. My story was all based on urgency, and I made myself sound a little panicky. "I'm having car trouble and I can't get to the facility," I said. "I have this emergency and I really need your help. I tried calling the guard supervisor, Isaiah, but he's not at home. Can you just do me this one-time favor? I'd really appreciate it."

The rooms in that big facility were each labeled with a mail-stop code, so I gave him the mail-stop of the computer lab and asked him if he knew where that was. He said yes, and agreed to go there for me. He said it would take him a few minutes to get to the room, and I said I'd call him in the lab, giving the excuse that I was using the only phone line available to me and I was using it to dial into the network to try to fix the problem.

He was already there and waiting by the time I called, and I told him where to find the console I was interested in, looking for one with a paper banner reading "elmer"--the host that Julia had said was used to build the release versions of the operating system that the company marketed. When he said he had found it, I knew for sure that Julia had been feeding us good information, and my heart skipped a beat. I had him hit the Enter key a couple of times, and he said it printed a pound sign.
Which told me the computer was logged in as root, the super-user account with all system privileges. He was a hunt-and-peck typist and got all in a sweat when I tried to talk him through entering my next command, which was more than a bit tricky:

echo 'fix:x:0:0::/:/bin/sh' >> /etc/passwd

Finally he got it right, and we had now provided an account with the name fix. And then I had him type

echo 'fix::10300:0:0' >> /etc/shadow

This established the encrypted password, which goes between the double colon. Putting nothing between those two colons meant the account would have a null password. So just those two commands were all it took to append the account fix to the password file, with a null password. Best of all, the account would have the same privileges as a super-user.

The next thing I had him do was to enter a recursive directory command that printed out a long list of file names. Then I had him feed the paper forward, tear it off, and take it with him back to his guard desk because "I may need you to read me something from it later on."

The beauty of this was that he had no idea he had created a new account. And I had him print out the directory listing of filenames because I needed to make sure the commands he typed earlier would leave the computer room with him. That way the system administrator or operator wouldn't spot anything the next morning that would alert them there had been a security breach.

I was now set up with an account, a password, and full privileges. A little before midnight I dialed in and followed the instructions Julia had carefully typed up "for the screenplay." In a blink I had access to one of the development systems that contained the master copy of the source code for the new version of the company's operating system software. I uploaded a patch that Julia had written, which she said modified a routine in one of the operating system's libraries.
That patch would, in effect, create a covert backdoor that would allow remote access into the system with a secret password.

NOTE

The type of backdoor used here does not change the operating system login program itself. Rather, a specific function contained within the dynamic library used by the login program is replaced to create the secret entry point. In typical attacks, computer intruders often replace or patch the login program itself, but sharp system administrators can detect the change by comparing it (or its checksum) to the version shipped on media such as a CD or obtained through other distribution methods. Only an administrator who extends the same comparison to the shared libraries the login program loads will catch the variant used here.

I carefully followed the instructions she had written down for me, first installing the patch, then taking steps that removed the fix account and wiped clean all audit logs so there would be no trace of my activities, effectively erasing my tracks. Soon the company would begin shipping the new operating system upgrade to their customers: financial institutions all over the world. And every copy they sent out would include the backdoor I had placed into the master distribution before it was sent out, allowing me to access any computer system of every bank and brokerage house that installed the upgrade.

LINGO

PATCH Traditionally, a piece of code that, when placed in an executable program, fixes a problem.

Of course, I wasn't quite home free--there would still be work to do. I'd still have to gain access to the internal network of each financial institution I wanted to "visit." Then I'd have to find out which of their computers was used for money transfers, and install surveillance software to learn the details of their operations and exactly how to transfer funds. All of that I could do long distance. From a computer located anywhere. Say, overlooking a sandy beach. Tahiti, here I come.

I called the guard back, thanked him for his help, and told him he could go ahead and toss the printout.
Analyzing the Con

The security guard had instructions about his duties, but even thorough, well-thought-out instructions can't anticipate every possible situation. Nobody had told him the harm that could be done by typing a few keystrokes on a computer for a person he thought was a company employee.

With the cooperation of the guard, it was relatively easy to gain access to a critical system that stored the distribution master, despite the fact that it was behind the locked door of a secure laboratory. The guard, of course, had keys to all locked doors.

Even a basically honest employee (or, in this case, the Ph.D. candidate and company intern, Julia) can sometimes be bribed or deceived into revealing information of crucial importance to a social engineering attack, such as where the target computer system is located and, the key to the success of this attack, when they were going to build the new release of the software for distribution. That's important, since a change of this kind made too early has a higher chance of being detected or being nullified if the operating system is rebuilt from a clean source.

Did you catch the detail of having the guard take the printout back to the lobby desk and later telling him to destroy it? This was an important step. When the computer operators came to work the next workday, the attacker didn't want them to find this damning evidence on the hard-copy terminal, or notice it in the trash. Giving the guard a plausible excuse to take the printout with him avoided that risk.

MITNICK MESSAGE

When the computer intruder cannot gain physical access to a computer system or network himself, he will try to manipulate another person to do it for him. In cases where physical access is necessary for the plan, using the victim as a proxy is even better than doing it himself, because the attacker assumes much less risk of detection and apprehension.
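Each of the three changes in this story leaves a footprint an administrator can look for, even after the audit logs are gone: the passwd line adds a second UID 0 account, the shadow line adds an account with an empty password field, and the library patch changes the bytes of a file that should be identical to the one on the distribution media. The script below is an added example for this edition, not code from the original text or from the company in the story. Every function takes file paths as arguments so it can be run against copies taken from a system under review; the manifest format is simply the output of cksum, and the passwd, shadow and "library" contents in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original text): post-hoc checks for the
# three changes made in the story. Every function takes file paths as
# arguments so it can run against copies taken from a system under review.

# Accounts whose UID field is 0 other than root.
# The appended line 'fix:x:0:0::/:/bin/sh' puts 0 in field three.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty, i.e. a null password.
# The appended line 'fix::10300:0:0' leaves field two blank.
null_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Record cksum lines ("<crc> <bytes> <path>") for a set of files into a
# manifest. This is what you would take from clean media, before deployment.
record_manifest() {
    manifest=$1; shift
    cksum "$@" > "$manifest"
}

# Compare one file against the manifest; prints OK, MODIFIED or UNLISTED.
check_manifest() {
    manifest=$1; path=$2
    recorded=$(awk -v p="$path" '$3 == p { print $1 ":" $2 }' "$manifest")
    if [ -z "$recorded" ]; then
        echo UNLISTED
        return
    fi
    current=$(cksum "$path" | awk '{ print $1 ":" $2 }')
    if [ "$recorded" = "$current" ]; then echo OK; else echo MODIFIED; fi
}

# Demonstration on constructed files (run with: sh checks.sh demo).
demo() {
    t=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:/sbin/nologin\nfix:x:0:0::/:/bin/sh\n' > "$t/passwd"
    printf 'root:$6$constructed:10300:0:99999:7:::\nbin:*:10300:0:99999:7:::\nfix::10300:0:0\n' > "$t/shadow"
    printf 'pretend this is libc\n' > "$t/libc.so"
    record_manifest "$t/manifest" "$t/libc.so"
    printf 'patched login routine\n' >> "$t/libc.so"    # stands in for the covert backdoor
    echo "extra UID 0 accounts: $(extra_uid0_accounts "$t/passwd")"
    echo "null-password accounts: $(null_password_accounts "$t/shadow")"
    echo "libc.so against manifest: $(check_manifest "$t/manifest" "$t/libc.so")"
    rm -rf "$t"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as sh checks.sh demo to see the three findings against the constructed files; on a real system pass /etc/passwd and /etc/shadow (reading the latter requires root) and a manifest recorded from the shipped libraries. The manifest is the piece the attacker in the story could not erase along with the audit logs, provided it was recorded before the release build and kept off the machine.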
THE EMERGENCY PATCH

You would think a tech support guy would understand the dangers of giving access to the computer network to an outsider. But when that outsider is a clever social engineer masquerading as a helpful software vendor, the results might not be what you expect.

A Helpful Call

The caller wanted to know "Who's in charge of computers there?" and the telephone operator put him through to the tech support guy, Paul Ahearn.

The caller identified himself as "Edward, with SeerWare, your database vendor. Apparently a bunch of our customers didn't get the email about our emergency update, so we're calling a few for a quality control check to see whether there was a problem installing the patch. Have you installed the update yet?"

Paul said he was pretty sure he hadn't seen anything like that.

Edward said, "Well, it could cause intermittent catastrophic loss of data, so we recommend you get it installed as soon as possible." Yes, that was something he certainly wanted to do, Paul said.

"Okay," the caller responded. "We can send you a tape or CD with the patch, and I want to tell you, it's really critical--two companies already lost several days of data. So you really should get this installed as soon as it arrives, before it happens to your company."

"Can't I download it from your Web site?" Paul wanted to know.

"It should be available soon--the tech team has been putting out all these fires. If you want, we can have our customer support center install it for you, remotely. We can either dial up or use Telnet to connect to the system, if you can support that."

"We don't allow Telnet, especially from the Internet--it's not secure," Paul answered. "If you can use SSH, that'd be okay," he said, naming a protocol that provides encrypted remote login and file transfer.

"Yeah. We have SSH. So what's the IP address?"

Paul gave him the IP address, and when Edward asked, "and what username and password can I use," Paul gave him those, as well.
Analyzing the Con

Of course that phone call might really have come from the database manufacturer. But then the story wouldn't belong in this book.

The social engineer here influenced the victim by creating a sense of fear that critical data might be lost, and offered an immediate solution that would resolve the problem. Also, when a social engineer targets someone who knows the value of the information, he needs to come up with very convincing and persuasive arguments for giving remote access. Sometimes he needs to add the element of urgency so the victim is distracted by the need to rush, and complies before he has had a chance to give much thought to the request.

THE NEW GIRL

What kind of information in your company's files might an attacker want to gain access to? Sometimes it can be something you didn't think you needed to protect at all.

Sarah's Call

"Human Resources, this is Sarah."
"Hi, Sarah. This is George, in the parking garage. You know the access card you use to get into the parking garage and elevators? Well, we had a problem and we need to reprogram the cards for all the new hires from the last fifteen days."
"So you need their names?"
"And their phone numbers."
"I can check our new hire list and call you back. What's your phone number?"
"I'm at 73... Uh, I'm going on break, how about if I call you back in a half-hour?"
"Oh. Okay."

When he called back, she said:

"Oh, yes. Well, there's just two. Anna Myrtle, in Finance, she's a secretary. And that new VP, Mr. Underwood."
"And the phone numbers?"
"Right. Okay, Mr. Underwood is 6973. Anna Myrtle is 2127."
"Hey, you've been a big help. Thanks."

Anna's Call

"Finance, Anna speaking."
"I'm glad I found somebody working late. Listen, this is Ron Vittaro, I'm publisher of the business division. I don't think we've been introduced. Welcome to the company."
"Oh, thank you."
"Anna, I'm in Los Angeles and I've got a crisis. I need to take about ten minutes of your time."
"Of course. What do you need?"
"Go up to my office. Do you know where my office is?"
"No."
"Okay, it's the corner office on the fifteenth floor, room 1502. I'll call you there in a few minutes. When you get to the office, you'll need to press the forward button on the phone so my call won't go directly to my voice mail."
"Okay, I'm on my way now."

Ten minutes later she was in his office, had cancelled his call forwarding, and was waiting when the phone rang. He told her to sit down at the computer and launch Internet Explorer. When it was running he told her to type in an address: www.geocities.com/ron-insen/manuscript.doc.exe.

A dialog box appeared, and he told her to click Open. The computer appeared to start downloading the manuscript, and then the screen went blank. When she reported that something seemed to be wrong, he replied, "Oh, no. Not again. I've been having a problem with downloading from that Web site every so often but I thought it was fixed. Well, okay, don't worry, I'll get the file another way later." Then he asked her to restart his computer so he could be sure it would start up properly after the problem she had just had. He talked her through the steps for rebooting.

When the computer was running again properly, he thanked her warmly and hung up, and Anna went back to the Finance department to finish the job she had been working on.

Kurt Dillon's Story

Millard-Fenton Publishers was enthusiastic about the new author they were just about to sign up, the retired CEO of a Fortune 500 company who had a fascinating story to tell. Someone had steered the man to a business manager for handling his negotiations. The business manager didn't want to admit he knew zip about publishing contracts, so he hired an old friend to help him figure out what he needed to know. The old friend, unfortunately, was not a very good choice. Kurt Dillon used what we might call unusual methods in his research, methods not entirely ethical.
Kurt signed up for a free site on Geocities, in the name of Ron Vittaro, and loaded a spyware program onto the new site. He changed the name of the program to manuscript.doc.exe, so the name would appear to be a Word document and not raise suspicion. In fact, this worked even better than Kurt had anticipated, because the real Vittaro had never changed a default setting in his Windows operating system called "Hide file extensions for known file types." Because of that setting the file was actually displayed with the name manuscript.doc.

Then he had a lady friend call Vittaro's secretary. Following Dillon's coaching, she said, "I'm the executive assistant to Paul Spadone, president of Ultimate Bookstores, in Toronto. Mr. Vittaro met my boss at a book fair a while back, and asked him to call to discuss a project they might do together. Mr. Spadone is on the road a lot, so he said I should find out when Mr. Vittaro will be in the office."

By the time the two had finished comparing schedules, the lady friend had enough information to provide the attacker with a list of dates when Mr. Vittaro would be in the office. Which meant he also knew when Vittaro would be out of the office. It hadn't required much extra conversation to find out that Vittaro's secretary would be taking advantage of his absence to get in a little skiing. For a short span of time, both would be out of the office. Perfect.

LINGO

SPYWARE Specialized software used to covertly monitor a target's computer activities. One form is used to track the sites visited by Internet shoppers so that on-line advertisements can be tailored to their surfing habits. The other form is analogous to a wiretap, except that the target device is a computer. The software captures the activities of the user, including passwords and keystrokes typed, email, chat conversations, instant messenger, all the web sites visited, and screenshots of the display screen.
SILENT INSTALL A method of installing a software application without the computer user or operator being aware that such an action is taking place.

The first day they were supposed to be gone he placed a pretext urgent call just to make sure, and was told by a receptionist that "Mr. Vittaro is not in the office and neither is his secretary. Neither of them is expected any time today or tomorrow or the next day."

His very first try at conning a junior employee into taking part in his scheme was successful, and she didn't seem to blink an eye at being told to help him by downloading a "manuscript," which was actually a popular, commercially available spyware program that the attacker had modified for a silent install. Using this method, the installation would not be detected by any antivirus software. For some strange reason, antivirus manufacturers do not market products that will detect commercially available spyware.

Immediately after the young woman had loaded the software onto Vittaro's computer, Kurt went back up to the Geocities site and replaced the doc.exe file with a book manuscript he found on the Internet. Just in case anyone stumbled on the ruse and returned to the site to investigate what had taken place, all they'd find would be an innocuous, amateurish, unpublishable book manuscript.

Once the program had been installed and the computer rebooted, it was set to immediately become active. Ron Vittaro would return to town in a few days, start to work, and the spyware would begin forwarding all the keystrokes typed on his computer, including all outgoing emails and screen shots showing what was displayed on his screen at that moment. It would all be sent at regular intervals to a free email service provider in Ukraine.
Within a few days after Vittaro's return, Kurt was plowing through the log files piling up in his Ukrainian mailbox, and before long had located confidential emails that indicated just how far Millard-Fenton Publishers was willing to go in making a deal with the author. Armed with that knowledge, it was easy for the author's agent to negotiate much better terms than originally offered, without ever running the risk of losing the deal altogether. Which, of course, meant a bigger commission for the agent.

Analyzing the Con

In this ruse, the attacker made his success more likely by picking a new employee to act as his proxy, counting on her being more willing to cooperate and be a team player, and being less likely to have knowledge of the company, its people, and good security practices which could thwart the attempt. Because Kurt was pretexting as a vice president in his conversation with Anna, a clerk in Finance, he knew that it would be very unlikely that she would question his authority. On the contrary, she might entertain the thought that helping a VP could gain her favor.

And the process he walked Anna through that had the effect of installing the spyware appeared innocuous on its face. Anna had no idea that her seemingly innocent actions had set an attacker up to gain valuable information that could be used against the interests of the company.

And why did he choose to forward the captured data to an email account in Ukraine? For several reasons, a far-off destination makes tracing or taking action against an attacker much less likely. These types of crimes are generally considered low priority in countries like this, where the police tend to hold the view that committing a crime over the Internet isn't a noteworthy offense. For that reason, using email drops in countries that are unlikely to cooperate with U.S. law enforcement is an attractive strategy.
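The file-extension trick that made manuscript.doc.exe appear as manuscript.doc can be made concrete. The script below is an added example written for this edition, not code from the original text or from any product it mentions, and the two lists of "executable" and "document" extensions are assumptions chosen for illustration. displayed_name shows what a file manager that hides the final extension of a known type renders for a given name, and is_disguised_executable flags any name whose hidden real extension is executable while the part the user still sees ends in a document extension, which is exactly the combination Kurt relied on. Plain setup.exe and a genuine manuscript.doc are not flagged.

```shell
#!/bin/sh
# Added example (not from the original text). Shows how a file manager that
# hides the final extension of "known" types renders a double-extension name,
# and flags names built to exploit that. The extension lists are assumptions.

EXEC_EXTS="exe scr com pif bat cmd"   # assumed set of executable extensions
DOC_EXTS="doc docx pdf txt xls ppt"   # assumed set of document extensions

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# True when $2 is one of the space-separated words in $1.
in_list() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# The name as displayed with its final extension hidden:
# manuscript.doc.exe -> manuscript.doc, setup.exe -> setup.
displayed_name() {
    case $1 in
        *.*) printf '%s\n' "${1%.*}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# True when the real (hidden) extension is executable and what the user
# still sees ends in a document extension.
is_disguised_executable() {
    name=$1
    case $name in *.*) ;; *) return 1 ;; esac          # no extension at all
    real=$(lower "${name##*.}")
    in_list "$EXEC_EXTS" "$real" || return 1
    shown=$(displayed_name "$name")
    case $shown in *.*) ;; *) return 1 ;; esac         # no second extension
    in_list "$DOC_EXTS" "$(lower "${shown##*.}")"
}

# List disguised names in a directory, one per line.
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        if is_disguised_executable "$base"; then
            printf '%s\n' "$base"
        fi
    done
}

# Demonstration on constructed names (run with: sh ext_check.sh demo).
demo() {
    for n in manuscript.doc.exe Report.PDF.EXE manuscript.doc setup.exe notes.txt.bak; do
        if is_disguised_executable "$n"; then verdict=DISGUISED; else verdict=ok; fi
        printf '%-22s shown as %-18s %s\n' "$n" "$(displayed_name "$n")" "$verdict"
    done
}

case "${1:-}" in demo) demo ;; esac
```

scan_dir is the form you would point at a download folder or a mail quarantine. The check is a stopgap: the real fix for the scenario in the story is to turn the hiding setting off so that the user sees the same name the operating system acts on.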
PREVENTING THE CON

A social engineer will always prefer to target an employee who is unlikely to recognize that there is something suspicious about his requests. It makes his job not only easier, but also less risky, as the stories in this chapter illustrate.

MITNICK MESSAGE

Asking a co-worker or subordinate to do a favor is a common practice. Social engineers know how to exploit people's natural desire to help and be a team player. An attacker exploits this positive human trait to deceive unsuspecting employees into performing actions that advance him toward his goal. It's important to understand this simple concept so you will be more likely to recognize when another person is trying to manipulate you.