The Art of Deception

Chapter 8, he had created a login simulator--a decoy sign-in screen--looking just like the one she was accustomed to seeing when going onto the system for student records. "It"s not working," she told him. "It keeps saying "Login incorrect.

The end of the story: The affidavit and warrant showed that the police had well-doc.u.mented evidence of Arturo"s movie-copying activities. That was what he needed to know. By midnight, he had crossed the state line. Arturo was on the way to a new life, somewhere else with a new ident.i.ty, ready to get started again on his campaign.

a.n.a.lyzing the Con The people who work in any district attorney"s office, anywhere, are in constant contact with law enforcement officers--answering questions, making arrangements, taking messages. Anybody gutsy enough to call and claim to be a police officer, sheriff"s deputy, or whatever will likely be taken at his word.

Unless it"s obvious that he doesn"t know the terminology, or if he"s nervous and stumbles over his words, or in some other way doesn"t sound authentic, he may not even be asked a single question to verify his claim. That"s exactly what happened here, with two different workers.

MITNICK MESSAGE.

The truth of the matter is that no one is immune to being duped by a good social engineer. Because of the pace of normal life, we don"t always take the time for thoughtful decisions, even on matters that are important to us. Complicated situations, lack of time, emotional state, or mental fatigue can easily distract us.

So we take a mental shortcut, making our decisions without a.n.a.lyzing the information carefully and completely, a mental process known as automatic responding. This is even true for federal, state, and local law enforcement officials. We"re all human.

Obtaining a needed charge code was handled with a single phone call. Then Arturo played the sympathy card with the story about "a meeting with the Secret Service in fifteen minutes, I"ve been absent-minded and left the file at home." She naturally felt sorry for him, and went out of her way to help.

Then by using not one but two copy stores, Arturo made himself extra safe when he went to pick up the fax. A variation on this that makes the fax even more difficult to trace: Instead of having the doc.u.ment sent to another copy store, the attacker can give what appears to be a fax number, but is really an address at a free Internet service that will receive a fax for you and automatically forward it to your email address. That way it can be downloaded directly to the attacker"s computer, and he never has to show his face anyplace where someone might later be able to identify him. And the email address and electronic fax number can be abandoned as soon as the mission has been accomplished.

TURNING THE TABLES.

A young man I"ll call Michael Parker was one of those people who figured out a bit late that the better-paying jobs mostly go to people with college degrees. He had a chance to attend a local college on a partial scholarship plus education loans, but it meant working nights and weekends to pay his rent, food, gas, and car insurance. Michael, who always liked to find shortcuts, thought maybe there was another way, one that paid off faster and with less effort. Because he had been learning about computers from the time he got to play with one at age ten and became fascinated with finding out how they worked, he decided to see if he could "create" his own accelerated bachelor"s degree in computer science.

Graduating--Without Honors He could have broken into the computer systems of the state university, found the record of someone who had graduated with a nice B+ or A-average, copied the record, put his own name on it, and added it to the records of that year"s graduating cla.s.s. Thinking this through, feeling somehow uneasy about the idea, he realized there must be other records of a student having been on campus-- tuition payment records, the housing office, and who knows what else. Creating just the record of courses and grades would leave too many loopholes.

Plotting further, feeling his way, it came to him that he could reach his goal by seeing if the school had a graduate with the same name as his, who had earned a computer science degree any time during an appropriate span of years. If so, he could just put down the other Michael Parker"s social security number on employment application forms; any company that checked the name and social security number with the university would be told that, yes, he did have the claimed degree. (It wouldn"t be obvious to most people but was obvious to him that he could put one social security number on the job application and then, if hired, put his own real number on the new-employee forms. Most companies would never think to check whether a new hire had used a different number earlier in the hiring process.) Logging In to Trouble How to find a Michael Parker in the university"s records? He went about it like this: Going to the main library on the university campus, he sat down at a computer terminal, got up on the Internet, and accessed the university"s Web site. He then called the Registrar"s office. With the person who answered, he went through one of the by-now-familiar social engineering routines: "I"m calling from the Computer Center, we"re making some changes to the network configuration and we want to make sure we don"t disrupt your access. Which server do you connect to?"

"What do you mean, server, he was asked.

"What computer do you connect to when you need to look up student academic information.

The answer, admin.rnu.edu, gave him the name of the computer where student records were stored. This was the first piece of the puzzle: He now knew his target machine.

LINGO.

DUMB TERMINAL A terminal that doesn"t contain its own microprocessor. A terminal that doesn"t contain its own microprocessor.

Dumb terminals can only accept simple commands and display text characters and numbers.

He typed that URL into the computer and got no response--as expected, there was a firewall blocking access. So he ran a program to see if he could connect to any of the services running on that computer, and found an open port with a Telnet service running, which allows one computer to connect remotely to another computer and access it as if directly connected using a dumb terminal. All he would need to gain access would be the standard user ID and pa.s.sword.

He made another call to the registrar"s office, this time listening carefully to make sure he was talking to a different person. He got a lady, and again he claimed to be from the university"s Computer Center. They were installing a new production system for administrative records, he told her. As a favor, he"d like her to connect to the new system, still in test mode, to see if she could access student academic records okay. He gave her the IP address to connect to, and talked her through the process.

In fact, the IP address took her to the computer Michael was sitting at in the campus library. Using the same process described in Chapter 8, he had created a login simulator--a decoy sign-in screen--looking just like the one she was accustomed to seeing when going onto the system for student records. "It"s not working," she told him. "It keeps saying "Login incorrect.

By now the login simulator had fed the keystrokes of her account name and pa.s.sword to Michael"s terminal; mission accomplished. He told her, "Oh, some of the accounts haven"t been brought over yet to this machine. Let me set up your account, and I"ll call you back." Careful about tying up loose ends, as any proficient social engineer needs to be, he would make a point of phoning later to say that the test system wasn"t working right yet, and if it was okay with her, they"d call back to her or one of the other folks there when they had figured out what was causing the problem.

The Helpful Registrar Now Michael knew what computer system he needed to access, and he had a user"s ID and pa.s.sword. But what commands would he need in order to search the files for information on a computer science graduate with the right name and graduation date? The student database would be a proprietary one, created on campus to meet the specific requirements of the university and the Registrar"s office, and would have a unique way of accessing information in the database. order to search the files for information on a computer science graduate with the right name and graduation date? The student database would be a proprietary one, created on campus to meet the specific requirements of the university and the Registrar"s office, and would have a unique way of accessing information in the database.

First step in clearing this last hurdle: Find out who could guide him through the mysteries of searching the student database. He called the Registrar"s office again, this time reaching a different person. He was from the office of the Dean of Engineering, he told the lady, and he asked, "Who are we supposed to call for help when we"re having problems accessing the student academic rues.

Minutes later he was on the phone with the college"s database administrator, pulling the sympathy act: "I"m Mark Sellers, in the registrar"s office. You feel like taking pity on a new guy? Sorry to be calling you but they"re all in a meeting this afternoon and there"s no one around to help me. I need to retrieve a list of all graduates with a computer science degree, between 1990 and 2000. They need it by the end of the day and if I don"t have it, I may not have this job for long. You willing to help out a guy in trouble?" Helping people out was part of what this database administrator did, so he was extra patient as he talked Michael step by step through the process.

By the time they hung up, Michael had downloaded the entire list of computer science graduates for those years. Within a few minutes he had run a search, located two Michael Parkers, chosen one of them, and obtained the guy"s social security number as well as other pertinent information stored in the database.

He had just become "Michael Parker, B.S. in Computer Science, graduated with honors, 1998." In this case, the "B.S." was uniquely appropriate.

a.n.a.lyzing the Con This attack used one ruse I haven"t talked about before: The attacker asking the organization"s database administrator to walk him through the steps of carrying out a computer process he didn"t know how to do. A powerful and effective turning of the tables, this is the equivalent of asking the owner of a store to help you carry a box containing items you"ve just stolen from his shelves out to your car.

MITNICK MESSAGE.

Computer users are sometimes clueless about the threats and vulnerabilities a.s.sociated with social engineering that exist in our world of technology. They have access to information, yet lack the detailed knowledge of what might prove to be a security threat. A social engineer will target an employee who has little understanding of how valuable the information being sought is, so the target is more likely to grant the stranger"s request.

PREVENTING THE CON.

Sympathy, guilt, and intimidation are three very popular psychological triggers used by the social engineer, and these stories have demonstrated the tactics in action. But what can you and your company do to avoid these types of attacks?

Protecting Data Some stories in this chapter emphasize the danger of sending a file to someone you don"t know, even when that person is (or appears to be) an employee, and the file is being sent internally, to an email address or tax machine within the company.

Company security policy needs to be very specific about the safeguards for surrendering valued data to anyone not personally known to the sender. Exacting procedures need to be established for transferring files with sensitive information.

When the request is from someone not personally known, there must be clear steps to take for verification, with different levels of authentication depending on the sensitivity of the information.

Here are some techniques to consider: Establish the need to know (which may require obtaining authorization from the designated information owner).

Keep a personal or departmental log of these transactions.

Maintain a list of people who have been specially trained in the procedures and who are trusted to authorize sending out sensitive information. Require that only these people be allowed to send information to anyone outside the workgroup.

If a request for the data is made in writing (email, fax, or mail) take additional security steps to verify that the request actually came from the person it appears to have come from.

About Pa.s.swords All employees who are able to access any sensitive information--and today that means virtually every worker who uses a computer--need to understand that simple acts like changing your pa.s.sword, even for a few moments, can lead to a major security breach.

Security training needs to cover the topic of pa.s.swords, and that has to focus in part on when and how to change your pa.s.sword, what const.i.tutes an acceptable pa.s.sword, and the hazards of letting anyone else become involved in the process.

The training especially needs to convey to all employees that they should be suspicious of any request that involves their pa.s.swords.

On the surface this appears to be a simple message to get across to employees. It"s not, because to appreciate this idea requires that employees grasp how a simple act like changing a pa.s.sword can lead to a security compromise. You can tell a child "Look both ways before crossing the street," but until the child understands why that"s important, you"re relying on blind obedience. And rules requiring blind obedience are typically ignored or forgotten.

NOTE.

Pa.s.swords are such a central focus of social engineering attacks that we devote a separate section to the topic in Chapter 16, where you will find specific recommended policies on managing pa.s.swords.

A Central Reporting Point Your security policy should provide a person or group designated as a central point for reporting suspicious activities that appear to be attempts to infiltrate your organization. All employees need to know who to call any time they suspect an attempt at electronic or physical intrusion. The phone number of the place to make these reports should always be close at hand so employees don"t have to dig for it if they become suspicious that an attack is taking place.

Protect Your Network Employees need to understand that the name of a computer server or network is not trivial information, but rather it can give an attacker essential knowledge that helps him gain trust or find the location of the information he desires.

In particular, people such as database administrators who work with software belong to that category of those with technology expertise, and they need to operate under special and very restrictive rules about verifying the ident.i.ty of people who call them for information or advice.

People who regularly provide any. kind of computer help need to be well trained in what kinds of requests should be red flags, suggesting that the caller may be attempting a social engineering attack.

It"s worth noting, though, that from the perspective of the database administrator in the last story in this chapter, the caller met the criteria for being legitimate: He was calling from on campus, and he was obviously on a site that required an account name and pa.s.sword. This just makes clear once again the importance of having standardized procedures for verifying the ident.i.ty of anybody requesting information, especially in a case like this where the caller was asking for help in obtaining access to confidential records.

All of this advice goes double for colleges and universities. It"s not news that computer hacking is a favorite pastime for many college students, and it should also be no surprise that student records--and sometimes faculty records, as well-- are a tempting target. This abuse is so rampant that some corporations actually consider campuses a hostile environment, and create firewall rules that block access from educational inst.i.tutions with addresses that end in .edu.

The long and short of it is that all student and personnel records of any kind should be seen as prime targets of attack, and should be well protected as sensitive information.

Training Tips Most social engineering attacks are ridiculously easy to defend against... for anyone who knows what to be on the lookout for.

From the corporate perspective, there is a fundamental need for good training.

But there is also a need for something else: a variety of ways to remind people of what they"ve learned.

Use splash screens that appear when the user"s computer is turned on, with a different security message each day. The message should be designed so that it does not disappear automatically, but requires the user to click on some kind of acknowledgement that he/she has read it.

Another approach I recommend is to start a series of security reminders. Frequent reminder messages are important; an awareness program needs to be ongoing and never-ending. In delivering content, the reminders should not be worded the same in every instance. Studies have shown that these messages are more effectively received when they vary in wording or when used in different examples. should not be worded the same in every instance. Studies have shown that these messages are more effectively received when they vary in wording or when used in different examples.

One excellent approach is to use short blurbs in the company newsletter. This should not be a full column on the subject, although a security column would certainly be valuable. Instead, design a two- or three-column-wide insert, something like a small display ad in your local newspaper. In each issue of the newsletter, present a new security reminder in this short, attention-catching way.

Chapter 9.

The Reverse Sting The sting, mentioned elsewhere in this book (and in my opinion probably the best movie that s ever been made about a con operation), lays out its tricky plot in fascinating detail. The sting operation in the movie is an exact depiction of how top grifters run "the wire," one of the three types of major swindles referred to as "big cons." If you want to know how a team of professionals pulls off a scam raking in a great deal of money in a single evening, there"s no better textbook.

But traditional cons, whatever their particular gimmick, run according to a pattern. Sometimes a ruse is worked in the opposite direction, which is called a reverse sting. This is an intriguing twist in which the attacker sets up the situation so that the victim calls on the attacker for help, or a co worker has made a request, which the attacker is responding to.

How does this work? You"re about to find out.

LINGO.

REVERSE STING A con in which the person being attacked asks the attacker for help A con in which the person being attacked asks the attacker for help THE ART OF FRIENDLY PERSUASION.

When the average person conjures up the picture of a computer hacker, what usually comes to mind is the uncomplimentary image of a lonely, introverted nerd whose best friend is his computer and who has difficulty carrying on a conversation, except by instant messaging. The social engineer, who often has hacker skills, also has people skills at the opposite end of the spectrum--well-developed abilities to use and manipulate people that allow him to talk his way into getting information in ways you would never have believed possible. of the spectrum--well-developed abilities to use and manipulate people that allow him to talk his way into getting information in ways you would never have believed possible.

Angela"s Caller Place: Valley branch, Industrial Federal Bank.

Time: 11:27 A.M.

Angela Wisnowski answered a phone call from a man who said he was just about to receive a sizeable inheritance and he wanted information on the different types of savings accounts, certificates of deposit, and whatever other investments she might be able to suggest that would be safe, but earn decent interest. She explained there were quite a number of choices and asked if he"d like to come in and sit down with her to discuss them. He was leaving on a trip as soon as the money arrived, he said, and had a lot of arrangements to make. So she began suggesting some of the possibilities and giving him details of the interest rates, what happens if you sell a CD early, and so on, while trying to pin down his investment goals.

She seemed to be making progress when he said, "Oh, sorry, I"ve got to take this other call. What time can I finish this conversation with you so I can make some decisions? When do you leave for lunch?" She told him 12:30 and he said he"d try to call back before then or the following day.

Louis"s Caller Major banks use internal security codes that change every day. When somebody from one branch needs information from another branch, he proves he"s ent.i.tled to the information by demonstrating he knows the day"s code. For an added degree of security and flexibility, some major banks issue multiple codes each day. At a West Coast outfit I"ll call Industrial Federal Bank, each employee finds a list of five codes for the day, identified as A through E, on his or her computer each morning.

Place: Same.

Time: 12:48 ".M., same day.

Louis Halpburn didn"t think anything of it when a call came in that afternoon, a call like others he handled regularly several times a week.

"h.e.l.lo," the caller said. "This is Neil Webster. I"m calling from branch 3182 in Boston. Angela Wisnowski, please."

"She"s at lunch. Can I help?"

"Well, she left a message asking us to fax some information on one of our customers."

The caller sounded like he had been having a bad day.

"The person who normally handles those requests is out sick," he said. "I"ve got a stack of these to do, it"s almost 4 o"clock here and I"m supposed to be out of this place to go to a doctor"s appointment in half an hour."

The manipulation--giving all the reasons why the other person should feel sorry for him--was part of softening up the mark. He went on, "Whoever took her phone message, the fax number is unreadable. It"s 213-something. What"s the rest?"

Louis gave the fax number, and the caller said, "Okay, thanks.

Before I can fax this, I need to ask you for Code B."

"But you called me," he said with just enough chill so the man from Boston would get the message.

This is good, the caller thought. It"s so cool when people don"t fall over at the first gentle shove. If the, don"t resist a little, the job is too easy and I could start getting lazy.

To Louis, he said, "I"ve got a branch manager that"s just turned paranoid about getting verification before we send anything out, is all. But listen, if you don"t need us to fax the information, it"s okay. No need to verify."

"Look," Louis said, "Angela will be back in half an hour or so. I can have her call you back."

"I"ll just tell her I couldn"t send the information today because you wouldn"t identify this as a legitimate request by giving me the code. If I"m not out sick tomorrow, I"ll call her back then."

"The message says "Urgent." Never mind, without verification my hands are tied.

You"ll tell her I tried to send it but you wouldn"t give the code, okay?"

Louis gave up under the pressure. An audible sigh of annoyance came winging its way down the phone line.

"Well," he said, "wait a minute; I have to go to my computer. Which code did you want?"

"B," the caller said.

He put the call on hold and then in a bit picked up the line again. "It"s 3184."

"That"s not the right code."

"Yes it is--B is 3184."