The Art of Deception Part 5

The social engineer in this story took advantage of that by finding out the details of a promotion, identifying himself as a company employee, and asking for a favor from another branch. This happens between branches of retail stores and between departments in a company, people are physically separated and deal with fellow employees they have never actually met day in and day out.

HACKING INTO THE FEDS.

People often don't stop to think about what materials their organization is making available on the Web. For my weekly show on KFI Talk Radio in Los Angeles, the producer did a search on line and found a copy of an instruction manual for accessing-the database of the National Crime Information Center. Later he found the actual NCIC manual itself on line, a sensitive doc.u.ment that gives all the instructions for retrieving information from the FBI's national crime database.

The manual is a handbook for law enforcement agencies that gives the formatting and codes for retrieving information on criminals and crimes from the national database. Agencies all over the country can search the same database for information to help solve crimes in their own jurisdiction. The manual contains the codes used in the database for designating everything from different kinds of tattoos, to different boat hulls, to denominations of stolen money and bonds.

Anybody with access to the manual can look up the syntax and the commands to extract information from the national database. Then, following instructions from the procedures guide, with a little nerve, anyone can extract information from the database. The manual also gives phone numbers to call for support in using the system. You may have similar manuals in your company offering product codes or codes for retrieving sensitive information.

The FBI almost certainly has never discovered that their sensitive manual and procedural instructions are available to anyone on line, and I don't think they'd be very happy about it if they knew. One copy was posted by a government department in Oregon, the other by a law enforcement agency in Texas. Why? In each case, somebody probably thought the information was of no value and posting it couldn't do any harm. Maybe somebody posted it on their intranet just as a convenience to their own employees, never realizing that it made the information available to everyone on the Internet who has access to a good search engine such as Google - including the just-plain-curious, the wannabe cop, the hacker, and the organized crime boss.

Tapping into the System The principle of using such information to dupe someone in the government or a business setting is the same: Because a social engineer knows how to access specific databases or applications, or knows the names of a company's computer servers, or the like, he gains credibility. Credibility leads to trust. Once a social engineer has such codes, getting the information he needs is an easy process. In this example, he might begin by calling a clerk in a local state police Teletype office, and asking a question about one of the codes in the manual - for example, the offense code. He might say something like, "When I do an OFF inquiry in the NCIC, I'm getting a "System is down' error. Are you getting the same thing when you do an OFF? Would you try it for me?" Or maybe he'd say he was trying to look up a wpf - police talk for a wanted person's file. talk for a wanted person's file.

The Teletype clerk on the other end of the phone would pick up the cue that the caller was familiar with the operating procedures and the commands to query the NCIC database. Who else other than someone trained in using NCIC would know these procedures?

After the clerk has confirmed that her system is working okay, the conversation might go something like this: "I could use a little help." "What're you looking for?"

"I need you to do an OFF command on Reardon, Martin. DOB 10118/66." 10118/66."

"What's the sosh?" (Law enforcement people sometimes refer to the social security number as the sosh.) "700-14-7435.".

After looking for the listing, she might come back with something like, "He's got a 2602."

The attacker would only have to look at the NCIC on line to find the meaning of the number: The man has a case of swindling on his record.

a.n.a.lyzing the Con An accomplished social engineer wouldn't stop for a minute to ponder ways of breaking into the NCIC database. Why should he, when a simple call to his local police department, and some smooth talking so he sounds convincingly like an insider, is all it takes to get the information he wants? And the next time, he just calls a different police agency and uses the same pretext.

LINGO.

SOSH: Law enforcement slang for a social security number You might wonder, isn't it risky to call a police department, a sheriff's station, or a highway patrol office? Doesn't the attacker run a huge risk?

The answer is no . . . and for a specific reason. People in law enforce-ment, like people in the military, have ingrained in them from the first day in the academy a respect for rank. As long as the social engineer is posing as a sergeant or lieutenant--a higher rank than the person he's talking to - the victim will be governed by that well-learned lesson that says you don't question people who are in a position of authority over you. Rank, in other words, has its privileges, in particular the privilege of not being challenged by people of lower rank.

But don't think law enforcement and the military are the only places where this respect for rank can be exploited by the social engineer. Social engineers often use authority or rank in the corporate hierarchy as a weapon in their attacks on businesses - as a number of the stories in these pages demonstrate.

PREVENTING THE CON.

What are some steps your organization can take to reduce the likelihood that social engineers will take advantage of your employees' natural instinct to trust people? Here are some suggestions.

Protect Your Customers In this electronic age many companies that sell to the consumer keep credit cards on file. There are reasons for this: It saves the customer the nuisance of having to provide the credit card information each time he visits the store or the Web site to make a purchase. However, the practice should be discouraged.

If you must keep credit card numbers on file, that process needs to be accompanied by security provisions that go beyond encryption or using access control. Employees need to be trained to recognize social engineering scams like the ones in this chapter. That fellow employee you've never met in person but who has become a telephone friend may not be who he or she claims to be. He may not have the "need to know" to access sensitive customer information, because he may not actually work for the company at all.

MITNICK MESSAGE.

Everyone should be aware of the social engineer's modus operandi: Gather as much information about the target as possible, and use that information to gain trust as an insider. Then go for the jugular!

Trust Wisely It's not just the people who have access to clearly sensitive information - the software engineers, the folks in R&D, and so on - who need to be on the defensive against intrusions. Almost everyone in your organization needs training to protect the enterprise from industrial spies and information thieves.

Laying the groundwork for this should begin with a survey of enterprise- wide information a.s.sets, looking separately at each sensitive, critical, or valuable a.s.set, and asking what methods an attacker might use to compromise those a.s.sets through the use of social engineering tactics. Appropriate training for people who have trusted access to such information should be designed around the answers to these questions.

When anyone you don't know personally requests some information or material, or asks you to perform any task on your computer, have your employees ask themselves some. questions. If I gave this information to my worst enemy, could it be used to injure me or my company? Do I completely understand the potential effect of the commands I am being asked to enter into my computer?

We don't want to go through life being suspicious of every new person we encounter. Yet the more trusting we are, the more likely that the next social engineer to arrive in town will be able to deceive us into giving up our company's proprietary information.

What Belongs on Your Intranet?

Parts of your intranet may be open to the outside world, other parts restricted to employees. How careful is your company in making sure sensitive information isn't posted where it's accessible to audiences you meant to protect it from? When is the last time anyone in your organization checked to see if any sensitive information on your company's intranet had inadvertently been made available through the public-access areas of your Web site?

If your company has implemented proxy servers as intermediaries to protect the enterprise from electronic security threats, have those servers been checked recently to be sure they're configured properly?

In fact, has anyone ever ever checked the security of your intranet? checked the security of your intranet?

Chapter 5.

"Let Me Help You"

We're all grateful when we're plagued by a problem and somebody with the knowledge, skill, and willingness comes along offering to lend us a hand. The social engineer understands that, and knows how to take advantage of it.

He also knows how to cause cause a problem for you.., then make you grateful when he resolves the problem.., and finally play on your grat.i.tude to extract some information or a small favor from you that will leave your company (or maybe you, individually) very much worse off for the encounter. And you may never even know you've lost something of value. Here are some typical ways that social engineers step forward to "help." a problem for you.., then make you grateful when he resolves the problem.., and finally play on your grat.i.tude to extract some information or a small favor from you that will leave your company (or maybe you, individually) very much worse off for the encounter. And you may never even know you've lost something of value. Here are some typical ways that social engineers step forward to "help."

THE NETWORK OUTAGE.

Day/Time: Monday, February 12, 3:25 p.m.

Place: Offices of Starboard s.h.i.+pbuilding Offices of Starboard s.h.i.+pbuilding The First Call: Tom Delay "Tom DeLay, Bookkeeping."

"Hey, Tom, this is Eddie Martin from the Help Desk. We're trying to troubleshoot a computer networking problem. Do you know if anyone in your group has been having trouble staying on line?"

"Uh, not that I know of."

"And you're not having any problems yourself."

"No, seems fine."

"Okay, that's good. Listen, we're calling people who might be affected 'cause itLs important you let us know right away if you lose your network connection."

"That doesn't sound good. You think it might happen?"

"We hope not, but you'll call if it does, right?"

"You better believe it."

"Listen, sounds like having your network connection go down would be a problem for you..."

"You bet bet it would." it would."

"... so while we're we're working on this, let me give you my cell phone number. Then you can reach me directly if you need to." working on this, let me give you my cell phone number. Then you can reach me directly if you need to."

"That'd be great. Go ahead."

"It's 555 867 5309."

"555 867 5309. Got it. Hey, thanks. What was your name again?"

"It's Eddie. Listen, one other thing--I need to check which port your computer is connected to. Take a look on your computer and see if there's a sticker somewhere that says something like 'Port Number'."

"Hang on No, don't see anything like that."

"Okay, then in the back of the computer, can you recognize the network cable."

"Yeah."

"Trace it back to where it's plugged in. See if there's a label on the jack it's plugged into."

"Hold on a second. Yeah, wait a minute - I have to squat down here so I can get close enough to read it. Okay - it says Port 6 dash 47."

"Good - that's what we had you down as, just making sure."

The Second Call: The IT Guy Two days later, a call came through to the same company's Network Operations Center.

"Hi, this is Bob; I'm in Tom DeLay's office in Bookkeeping. We're trying to troubleshoot a cabling problem. I need you to disable Port 6-47."

The IT guy said it would be done in just a few minutes, and to let them know when he was ready to have it enabled.

The Third Call: Getting Help from the Enemy About an hour later, the guy who called himself Eddie Martin was shopping at Circuit City when his cell phone rang. He checked the caller ID, saw the call was from the s.h.i.+pbuilding company, and hurried to a quiet spot before answering.

"Help Desk, Eddie."

"Oh, hey, Eddie. You've got an echo, where are you?"

"I'm, uh, in a cabling closet. Who's this?

"It's Tom DeLay. Boy, am I glad I got ahold of you. Maybe you remember you called me the other day? My network connection just went down like you said it might, and I'm a little panicky here."

"Yeah, we've got a bunch of people down right now. We should have it taken care of by the end of the day. That okay?"

"NO! d.a.m.n, I'll get way behind if I'm down that long. What's the best you can do for me?"

"How pressed are you?"

"I could do some other things for right now. Any chance you could take care of it in half an hour?"

"HALF AN HOUR! You don't want much. Well, look, I'll drop what I'm doing and see if I can tackle it for you."

"Hey, I really appreciate that, Eddie."

The Fourth Call: Gotcha!

Forty-five minutes later...

"Tom? It's Eddie. Go ahead and try your network connection."

After a couple of moments: "Oh, good, it's working. That's just great."

"Good, glad I could take care of it for you."

"Yeah, thanks a lot."

"Listen, if you want to make sure your connection doesn't go down again, there's some software you oughta be running. Just take a couple of minutes."

"Now's not the best time."

"I understand... It could save us both big headaches the next time this network problem happens."

"Well . . . if it's only a few minutes."

"Here's what you do..."

Eddie then took Tom through the steps of downloading a small application from a Web site. After the program had downloaded, Eddie told Tom to double-click on it. He tried, but reported: "It's not working. It's not doing anything."

"Oh, what a pain. Something must be wrong with the program. Let's just get rid of it, we can try again another time." And he talked Tom through the steps of deleting the program so it couldn't be recovered.

Total elapsed time, twelve minutes.

The Attacker's Story Bobby Wallace always thought it was laughable when he picked up a good a.s.signment like this one and his client p.u.s.s.yfooted around the unasked but obvious question of why they wanted the information. In this case he could only think of two reasons. Maybe they represented some outfit that was interested in buying the target company, Starboard s.h.i.+pbuilding, and wanted to know what kind of financial shape they were really in - especially all the stuff the target might want to keep hidden from a potential buyer. Or maybe they represented investors who thought there was something fishy about the way the money was being handled and wanted to find out whether some of the executives had a case of hands-in-the cookie-jar.

And maybe his client also didn't want to tell him the real reason because, if Bobby knew how valuable the information was, he'd probably want more money for doing the job.

There are a lot of ways to crack into a company's most secret files. Bobby spent a few days mulling over the choices and doing a little checking around before he decided on a plan. He settled on one that called for an approach he especially liked, where the target is set up so that he asks the attacker for help.

For starters, Bobby picked up a $39.95 cell phone at a convenience store. He placed a call to the man he had chosen as his target, pa.s.sed himself off as being from the company help desk, and set things up so the man would call Bobby's cell phone any time he found a problem with his network connection.

He left a pause of two days so as not to be too obvious, and then made a call to the network operations center (NOC) at the company. He claimed he was troubleshooting a problem for Tom, the target, and asked to have Tom's network connection disabled. Bobby knew this was the trickiest part of the whole escapade - in many companies, the help desk people work closely with the NOC; in fact, he knew the help desk is often part of the IT organization. But the indifferent NOC guy he spoke with treated the call as routine, didn't ask for the name of the help desk person who was supposedly working on the networking problem, and agreed to disable the target's network port. When done, Tom would be totally isolated from the company's intranet, unable to retrieve files from the server, exchange files with his co-workers, download his email, or even send a page of data to the printer. In today's world, that's like living in a cave.

As Bobby expected, it wasn't long before his cell phone rang. Of course he made himself sound eager to help this poor "fellow employee" in distress. Then he called the NOC and had the man's network connection turned back on. Finally, he called the man and manipulated him once again, this time making him feel guilty for saying no after Bobby had done him a favor. Tom agreed to the request that he download a piece of software to his computer.

Of course, what he agreed to wasn't exactly what it seemed. The software that Tom was told would keep his network connection from going down, was really a Trojan Horse, a software application that did for Tom's computer what the original deception did for the Trojans: It brought the enemy inside the camp. Tom reported that nothing happened when he double-clicked on the software icon; the fact was that, by design, he couldn't see anything happening, even though the small application was installing a secret program that would allow the infiltrator covert access to Tom's computer. a software application that did for Tom's computer what the original deception did for the Trojans: It brought the enemy inside the camp. Tom reported that nothing happened when he double-clicked on the software icon; the fact was that, by design, he couldn't see anything happening, even though the small application was installing a secret program that would allow the infiltrator covert access to Tom's computer.

With the software running, Bobby was provided with complete control over Tom's computer, an arrangement known as a remote command sh.e.l.l . . When Bobby accessed Tom's computer, he could look for the accounting files that might be of interest and copy them. Then, at his leisure, he'd examine them for the information that would give his clients what they were looking for. When Bobby accessed Tom's computer, he could look for the accounting files that might be of interest and copy them. Then, at his leisure, he'd examine them for the information that would give his clients what they were looking for.

LINGO.