The verification process requires a balancing act that each company must define for itself: security versus productivity. What priority is going to be assigned to enforcing security measures? Will employees be resistant to following security procedures, and even circumvent them in order to complete their job responsibilities? Do employees understand why security is important to the company and themselves? These questions need to be answered to develop a security policy based on corporate culture and business needs.
Most people inevitably see anything that interferes with getting their work done as an annoyance, and may circumvent any security measures that appear to be a waste of time. Motivating employees to make security part of their everyday responsibilities through education and awareness is key.
Although caller ID service should never be used as a means of authentication for voice calls from outside the company, another method called automatic number identification (ANI) can. This service is provided when a company subscribes to toll-free services where the company pays for the incoming calls, and it is reliable for identification. Unlike caller ID, the telephone company switch does not use any information that is sent from a customer when providing the calling number.
The number transmitted by ANI is the billing number assigned to the calling party.
Note that several modem manufacturers have added a caller ID feature into their products, protecting the corporate network by allowing remote-access calls only from a list of preauthorized telephone numbers. Caller ID modems are an acceptable means of authentication in a low-security environment but, as should be clear by now, spoofing caller ID is a relatively easy technique for computer intruders, and so should not be relied on for proving the caller's identity or location in a high-security setting.
To address the case of identity theft, as in the story about deceiving an administrator to create a voice mailbox on the corporate phone system, make it a policy that all phone service, all voice mailboxes, and all entries to the corporate directory, both in print and on line, must be requested in writing, on a form provided for the purpose. The employee's manager should sign the request, and the voice mail administrator should verify the signature.
Corporate security policy should require that new computer accounts or increases in access rights be granted only after positive verification of the person making the request, such as a callback to the system manager or administrator, or his or her designee, at the phone number listed in the print or on-line company directory. If the company uses secure email where employees can digitally sign messages, this alternative verification method may also be acceptable.
Remember that every employee, regardless of whether he has access to company computer systems, may be duped by a social engineer. Everyone must be included in security awareness training. Administrative assistants, receptionists, telephone operators, and security guards must be made familiar with the types of social engineering attack most likely to be directed against them so that they will be better prepared to defend against those attacks.
Chapter 14.
Industrial Espionage
The threat of information attacks against government, corporations, and university systems is well established. Almost every day, the media reports a new computer virus, denial of service attack, or theft of credit card information from an e-commerce Web site.
We read about cases of industrial espionage such as Borland accusing Symantec of stealing trade secrets, and Cadence Design Systems filing a suit charging the theft of source code by a competitor. Many business people read these stories and think it could never happen at their company.
It's happening every day.
VARIATION ON A SCHEME.
The ruse described in the following tale has probably been pulled off many times, even though it sounds like something taken out of a Hollywood movie like The Insider, or from the pages of a John Grisham novel.
Class Action
Imagine that a massive class-action lawsuit is raging against a major pharmaceutical company, Pharmomedic. The suit claims that they knew one of their very popular drugs had a devastating side effect, but one that would not be evident until a patient had been on the medication for years. The suit alleges that they had results from a number of research studies that revealed this danger, but suppressed the evidence and never turned it over to the FDA as required.
William ("Billy") Chaney, the attorney of record on the masthead of the New York law firm that filed the class-action suit, has depositions from two Pharmomedic doctors supporting the claim. But both are retired, neither has any files or documentation, and neither would make a strong, convincing witness.
Billy knows he's on shaky ground. Unless he can get a copy of one of those reports, or some internal memo or communication between company executives, his whole case will fall apart.
So he hires a firm he's used before: Andreeson and Sons, private investigators.
Billy doesn't know how Pete and his people get the stuff they do, and he doesn't want to know. All he knows is that Pete Andreeson is one good investigator.
To Andreeson, an assignment like this is what he calls a black bag job. The first rule is that the law firms and companies that hire him never learn how he gets his information, so that they always have complete, plausible deniability. If anybody is going to have his feet shoved into boiling water, it's going to be Pete, and for what he collects in fees on the big jobs, he figures it's worth the risk. Besides, he gets such personal satisfaction from outsmarting smart people.
If the documents that Chaney wants him to find actually existed and haven't been destroyed, they'll be somewhere in the files of Pharmomedic. But finding them in the massive files of a large corporation would be a huge task. On the other hand, suppose they've turned copies over to their law firm, Jenkins and Petry? If the defense attorneys knew those documents existed and didn't turn them over as part of the discovery process, then they have violated the legal profession's canon of ethics, and violated the law, as well. In Pete's book, that makes any attack fair game.
Pete's Attack
Pete gets a couple of his people started on research, and within days he knows what company Jenkins and Petry uses for storing their offsite backups. And he knows that the storage company maintains a list of the names of people whom the law firm has authorized to pick up tapes from storage. He also knows that each of these people has his or her own password. Pete sends two of his people out on a black bag job.
The men tackle the lock using a lock pick gun ordered on the Web at www.southord.com. Within several minutes they slip into the offices of the storage firm around 3 a.m. one night and boot up a PC. They smile when they see the Windows 98 logo because it means this will be a piece of cake. Windows 98 does not require any form of authentication. After a bit of searching, they locate a Microsoft Access database with the names of people authorized by each of the storage company customers to pick up tapes. They add a phony name to the authorization list for Jenkins and Petry, a name matching one on a phony driver's license one of the men has already obtained. Could they have broken into the locked storage area and tried to locate the tapes their client wanted? Sure--but then all the company's customers, including the law firm, would certainly have been notified of the breach. And the attackers would have lost an advantage: professionals always like to leave an opening for future access, should the need arise.
Following a standard practice of industrial spies to keep something in the back pocket for future use, just in case, they also made a copy of the file containing the authorization list onto a floppy disk. None of them had any idea how it might ever prove useful, but it's just one of those "We're here, we might just as well" things that every now and then turns out to be valuable.
The next day, one of the same men called the storage company, used the name they had added to the authorization list, and gave the corresponding password. He asked for all the Jenkins and Petry tapes dated within the last month, and said that a messenger service would come by to pick up the package. By mid-afternoon, Andreeson had the tapes. His people restored all the data to their own computer system, ready to search at leisure. Andreeson was very pleased that the law firm, like most other businesses, didn't bother encrypting their backup data.
The tapes were delivered back to the storage company the next day and no one was the wiser.
MITNICK MESSAGE.
Valuable information must be protected no matter what form it takes or where it is located. An organization's customer list has the same value whether in hardcopy form or an electronic file, at your office or in a storage box. Social engineers always prefer the easiest to circumvent, least defended point of attack.
A company's offsite backup storage facility is seen as having less risk of detection or getting caught. Every organization that stores any valuable, sensitive, or critical data with third parties should encrypt their data to protect its confidentiality.
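The message above recommends encrypting data before it is handed to a third party such as an offsite tape vault. The Go program below is an added example, not code from the book or from any firm it describes, of what that advice looks like in practice: a backup payload is sealed with AES-256-GCM before it leaves the data owner, so the storage company (or anyone who talks their way into a tape) holds only ciphertext, a restore with the wrong key fails, and any modification of the blob is detected on restore. The sample payload is a constructed stand-in, and the key handling is simplified for illustration; in a real deployment the key lives in the owner's key management system and never travels with the tape.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleBackup is a constructed stand-in for the contents of a backup tape.
// It is not a real record from the story or from any firm.
var sampleBackup = []byte(
	"client: Jenkins and Petry\nfile: memo-0042.txt\nbody: privileged (constructed sample)\n")

// NewKey returns a fresh 256-bit AES key. In practice the data owner generates
// and stores this key (for example in an HSM or KMS), never alongside the tape.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// That blob is what gets written to the offsite medium.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce per backup; GCM must never reuse a nonce under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup reverses EncryptBackup. It fails if the key is wrong or if any
// byte of the blob was altered, because GCM authenticates the ciphertext.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("backup blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// MediumExposes reports whether a recognizable fragment of the original data can
// be read straight off the medium, i.e. whether whoever holds the tape gets content for free.
func MediumExposes(medium []byte, fragment string) bool {
	return bytes.Contains(medium, []byte(fragment))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptBackup(key, sampleBackup)
	if err != nil {
		panic(err)
	}
	fmt.Println("unencrypted tape exposes client name:", MediumExposes(sampleBackup, "Jenkins and Petry"))
	fmt.Println("encrypted tape exposes client name:  ", MediumExposes(blob, "Jenkins and Petry"))

	restored, err := DecryptBackup(key, blob)
	fmt.Println("restore with correct key ok:", err == nil && bytes.Equal(restored, sampleBackup))

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = DecryptBackup(key, tampered)
	fmt.Println("tampered tape rejected:", err != nil)
}
```

The point of the authenticated mode is that a tape handed to an unknown courier, as in the story, yields neither the contents nor a chance to alter them unnoticed; the only thing the vault needs to protect is availability, and the only thing the owner needs to protect is the key.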
Analyzing the Con
Because of lax physical security, the bad guys were easily able to pick the lock of the storage company, gain access to the computer, and modify the database containing the list of people authorized to have access to the storage unit. Adding a name to the list allowed the imposters to obtain the computer backup tapes they were after, without having to break into the firm's storage unit.
Because most businesses don't encrypt backup data, the information was theirs for the taking.
This incident provides one more example of how a vendor company that does not exercise reasonable security precautions can make it easy for an attacker to compromise their customers' information assets.
THE NEW BUSINESS PARTNER.
Social engineers have a big advantage over con men and grifters, and the advantage is distance. A grifter can only cheat you by being in your presence, allowing you to give a good description of him afterward or even call the cops if you catch on to the ruse early enough.
Social engineers ordinarily avoid that risk like the plague. Sometimes, though, the risk is necessary, and justified by the potential reward.
Jessica's Story
Jessica Andover was feeling very good about getting a job with a hotshot robotics company. Sure, it was only a start-up and they couldn't pay very much, but it was small, the people were friendly, and there was the excitement of knowing her stock options just might turn out to make her rich. Okay, maybe not a millionaire like the company founders would be, but rich enough.
Which was how it happened that Rick Daggot got a glowing smile when he walked into the lobby that Tuesday morning in August. In his expensive-looking suit (Armani) and his heavy gold wrist-watch (a Rolex President), with his immaculate haircut, he had that same manly, self-confident air that had driven all the girls crazy when Jessica was in high school.
"Hi," he said. "I'm Rick Daggot and I'm here for my meeting with Larry."
Jessica's smile faded. "Larry?" she said. "Larry's on vacation all week." "I have an appointment with him at one o'clock. I just flew in from Louisville to meet with him," Rick said, as he drew out his Palm, turned it on, and showed her.
She looked at it and gave a small shake of her head. "The 20th," she said. "That's next week." He took the palmtop back and stared at it. "Oh, no!" he groaned. "I can't believe what a stupid mistake I made."
"Can I book a return flight for you, at least?" she asked, feeling sorry for him.
While she made the phone call, Rick confided that he and Larry had arranged to set up a strategic marketing alliance. Rick's company was producing products for the manufacturing and assembly line, items that would perfectly complement their new product, the C2Alpha. Rick's products and the C2Alpha together would make a strong solution that would open up important industrial markets for both companies.
When Jessica had finished making his reservation on a late afternoon flight, Rick said, "Well, at least I could talk to Steve if he's available." But Steve, the company's VP and cofounder, was also out of the office.
Rick, being very friendly to Jessica and flirting just a little, then suggested that, as long as he was there and his flight home wasn't till late afternoon, he'd like to take some of the key people to lunch. And he added, "Including you, of course--is there somebody who can fill in for you at lunchtime?"
Flushed at the idea of being included, Jessica asked, "Who do you want to come?" He tapped his palmtop again and named a few people--two engineers from R&D, the new sales and marketing man, and the finance guy assigned to the project. Rick suggested she tell them about his relationship with the company, and that he'd like to introduce himself to them. He named the best restaurant in the area, a place where Jessica had always wanted to go, and said he'd book the table himself, for 12:30, and would call back later in the morning to make sure everything was all set.
When they gathered at the restaurant--the four of them plus Jessica--their table wasn't ready yet, so they settled at the bar, and Rick made it clear that drinks and lunch were on him. Rick was a man with style and class, the kind of person who makes you feel comfortable from the very first, the same way you feel with someone you've known for years. He always seemed to know just the right thing to say, had a lively remark or something funny whenever the conversation lagged, and made you feel good just being around him.
He shared just enough details about his own company's products that they could envision the joint marketing solution he seemed so animated about. He named several Fortune 500 companies that his firm was already selling to, until everyone at the table began to picture their product becoming a success from the day the first units rolled out of the factory.
Then Rick walked over to Brian, one of the engineers. While the others chatted among themselves, Rick shared some ideas privately with Brian, and drew him out about the unique features of the C2Alpha and what set it apart from anything the competition had. He found out about a couple of features the company was downplaying that Brian was proud of and thought really "neat."
Rick worked his way along the line, chatting quietly with each. The marketing guy was happy for a chance to talk about the roll-out date and marketing plans.
And the bean counter pulled an envelope from his pocket and wrote down details of the material and manufacturing costs, price point and expected margin, and what kind of deal he was trying to work out with each of the vendors, which he listed by name.
By the time their table was ready, Rick had exchanged ideas with everybody and had won admirers all along the line. By the end of the meal, they each shook hands with Rick in turn and thanked him. Rick swapped business cards with each and mentioned in passing to Brian, the engineer, that he wanted to have a longer discussion as soon as Larry returned.
The following day Brian picked up his telephone to find that the caller was Rick, who said he had just finished speaking with Larry. "I'll be coming back in on Monday to work out some of the specifics with him," Rick said, "and he wants me to be up to speed on your product. He said you should email the latest designs and specs to him. He'll pick out the parts he wants me to have and forward them on to me."
The engineer said that would be fine. Good, Rick answered. He went on, "Larry wanted you to know he's having a problem retrieving his email. Instead of sending the stuff to his regular account, he arranged with the hotel's business center to set up a Yahoo mail account for him. He says you should send the files to [email protected]"
The following Monday morning, when Larry walked into the office looking tanned and relaxed, Jessica was primed and eager to gush over Rick. "What a great guy. He took a bunch of us to lunch, even me." Larry looked confused.
"Rick? Who the hell is Rick?"
"What're you talking about?--your new business partner." "What!!!???"
"And everybody was so impressed with what good questions he asked." "I don't know any Rick ..."
"What's the matter with you? Is this a joke, Larry--you're just fooling with me, right?"
"Get the executive team into the conference room. Like now. No matter what they're doing. And everybody who was at that lunch. Including you."
They sat around the table in a somber mood, hardly speaking. Larry walked in, sat down and said, "I do not know anybody named Rick. I do not have a new business partner I've been keeping secret from all of you. Which I would have thought was obvious. If there's a practical joker in our midst, I want him to speak up now."
Not a sound. The room seemed to be growing darker moment by moment.
Finally Brian spoke. "Why didn't you say something when I sent you that email with the product specs and source code?"
"What email!?"
Brian stiffened. "Oh... shit!"
Cliff, the other engineer, chimed in. "He gave us all business cards. We just need to call him and see what the hell's going on."
Brian pulled out his palmtop, called up an entry, and scooted the device across the table to Larry. Still hoping against hope, they all watched as if entranced while Larry dialed. After a moment, he stabbed the speakerphone button and everyone heard a busy signal. After trying the number several times over a period of twenty minutes, a frustrated Larry dialed the operator to ask for an emergency interruption.
A few moments later, the operator came back on the line. She said in a challenging tone, "Sir, where did you get this number?" Larry told her it was on the business card of a man he needed to contact urgently. The operator said, "I'm sorry. That's a phone company test number. It always rings busy."
Larry started making a list of what information had been shared with Rick. The picture was not pretty.
Two police detectives came and took a report. After listening to the story, they pointed out that no state crime had been committed; there was nothing they could do. They advised Larry to contact the FBI because they have jurisdiction over any crimes involving interstate commerce. When Rick Daggot asked the engineer to forward the test results by misrepresenting himself, he may have committed a federal crime, but Rick would have to speak with the FBI to find out.
Three months later Larry was in his kitchen reading the morning paper over breakfast, and almost spilled his coffee. The thing he had been dreading since he had first heard about Rick had come true, his worst nightmare. There it was in black and white, on the front page of the business section: a company he'd never heard of was announcing the release of a new product that sounded exactly like the C2Alpha his company had been developing for the past two years.
Through deceit, these people had beaten him to market. His dream was destroyed.
The millions of dollars invested in research and development wasted. And he probably couldn"t prove a single thing against them.
Sammy Sanford's Story
Smart enough to be earning a big salary at a legitimate job, but crooked enough to prefer making a living as a con man, Sammy Sanford had done very well for himself. In time he came to the attention of a spy who had been forced into early retirement because of a drinking problem; bitter and revengeful, the man had found a way of selling the talents that the government had made him an expert in.
Always on the lookout for people he could use, he had spotted Sammy the first time they met. Sammy had found it easy, and very profitable, to shift his focus from lifting people"s money to lifting company secrets.
Most people wouldn't have the guts to do what I do. Try to cheat people over the telephone or over the Internet and nobody ever gets to see you. But any good con man, the old-fashioned, face-to-face kind (and there are plenty of them still around, more than you would think) can look you in the eye, tell you a whopper, and get you to believe it. I've known a prosecutor or two who think that's criminal. I think it's a talent.
But you can't go walking in blind, you have to size things up first. A street con, you can take a man's temperature with a little friendly conversation and a couple of carefully worded suggestions. Get the right responses and Bingo!--you've bagged a pigeon.
A company job is more like what we call a big con. You've got setup to do. Find out what their buttons are, find out what they want. What they need. Plan an attack. Be patient, do your homework. Figure out the role you're going to play and learn your lines. And don't walk in the door until you're ready.
I spent better than three weeks getting up to speed for this one. The client gave me a two-day session in what I should say "my" company did and how to describe why it was going to be such a good joint marketing alliance.
Then I got lucky. I called the company and said I was from a venture capital firm and we were interested in setting up a meeting and I was juggling schedules to find a time when all of our partners would be available sometime in the next couple of months, and was there any time slot I should avoid, any period when Larry wasn't going to be in town? And she said, Yes, he hadn't had any time off in the two years since they started the company but his wife was dragging him away on a golf vacation the first week in August.
That was only two weeks away. I could wait.
Meanwhile an industry magazine gave me the name of the firm's PR company. I said I liked the amount of space they were getting for their robotics company client and I wanted to talk to whoever was handling that account about handling my company. It turned out to be an energetic young lady who liked the idea she might be able to bring in a new account. Over a pricey lunch with one more drink than she really wanted, she did her best to convince me they were oh, so good at understanding a client's problems and finding the right PR solutions. I played hard to convince. I needed some details. With a little prodding, by the time the plates were being cleared she had told me more about the new product and the company's problems than I could have hoped for.
The thing went like clockwork. The story about being so embarrassed that the meeting was next week but I might as well meet the team as long as I'm here, the receptionist swallowed whole. She even felt sorry for me into the bargain. The lunch set me back all of $150. With tip. And I had what I needed. Phone numbers, job titles, and one very key guy who believed I was who I said I was.
Brian had me fooled, I admit. He seemed like the kind of guy who'd just email me anything I asked for. But he sounded like he was holding back a little when I brought up the subject. It pays to expect the unexpected. That email account in Larry's name, I had it in my back pocket just in case. The Yahoo security people are probably still sitting there waiting for somebody to use the account again so they can trace him. They'll have a long wait. The fat lady has sung. I'm off on another project.
Analyzing the Con
Anyone who works a face-to-face con has to cloak himself in a look that will make him acceptable to the mark. He'll put himself together one way to appear at the race track, another to appear at a local watering hole, still another for an upscale bar at a fancy hotel.
It's the same way with industrial espionage. An attack may call for a suit and tie and an expensive briefcase if the spy is posing as an executive of an established firm, a consultant, or a sales rep. On another job, trying to pass as a software engineer, a technical person, or someone from the mail room, the clothes, the uniform--the whole look would be different.
For infiltrating the company, the man who called himself Rick Daggot knew he had to project an image of confidence and competence, backed by a thorough knowledge of the company's product and industry.
Not much difficulty laying his hands on the information he needed in advance.
He devised an easy ruse to find out when the CEO would be away. A small challenge, but still not very tough, was finding out enough details about the project that he could sound "on the inside" about what they were doing. Often this information is known to various company suppliers, as well as investors, venture capitalists they've approached about raising money, their banker, and their law firm. The attacker has to take care, though: finding someone who will part with insider knowledge can be tricky, but trying two or three sources to turn up someone who can be squeezed for information runs the risk that people will catch on to the game. That way lies danger. The Rick Daggots of the world need to pick carefully and tread each information path only once.
The lunch was another sticky proposition. First there was the problem of arranging things so he'd have a few minutes alone with each person, out of earshot of the others. He told Jessica 12:30 but booked the table for 1 P.M., at an upscale, expense-account type of restaurant. He hoped that would mean they'd have to have drinks at the bar, which is exactly what happened. A perfect opportunity to move around and chat with each individual.
Still, there were so many ways that a misstep--a wrong answer or a careless remark--could reveal Rick to be an imposter. Only a supremely confident and wily industrial spy would dare take a chance of exposing himself that way. But years of working the streets as a confidence man had built Rick's abilities and given him the confidence that, even if he made a slip, he'd be able to cover it up well enough to quiet any suspicions. This was the most challenging, most dangerous time of the entire operation, and the elation he felt at bringing off a sting like this made him realize why he didn't have to drive fast cars or skydive or cheat on his wife--he got plenty of excitement just doing his job. How many people, he wondered, could say as much?
MITNICK MESSAGE.
While most social engineering attacks occur over the telephone or email, don't assume that a bold attacker will never appear in person at your business. In most cases, the imposter uses some form of social engineering to gain access to a building after counterfeiting an employee badge using a commonly available software program such as Photoshop.
What about the business cards with the phone company test line? The television show The Rockford Files, which was a series about a private investigator, illustrated a clever and somewhat humorous technique. Rockford (played by actor James Garner) had a portable business card printing machine in his car, which he used to print out a card appropriate to whatever the occasion called for. These days, a social engineer can get business cards printed in an hour at any copy store, or print them on a laser printer.
NOTE.