The Art of Deception

Chapter 6

TROJAN HORSE: A program containing malicious or harmful code, designed to damage the victim's computer or files, or obtain information from the victim's computer or network. Some Trojans are designed to hide within the computer's operating system and spy on every keystroke or action, or accept instruction over a network connection to perform some function, all without the victim being aware of its presence.

And that wasn't all. He could go back at any time to search through the email messages and private memos of the company's executives, running a text search for words that might reveal any interesting tidbits of information.

Late on the night that he conned his target into installing the Trojan Horse software, Bobby threw the cell phone into a Dumpster. Of course he was careful to clear the memory first and pull the battery out before he tossed it - the last thing he wanted was for somebody to call the cell phone's number by mistake and have the phone start ringing!

Analyzing the Con

The attacker spins a web to convince the target he has a problem that, in fact, doesn't really exist - or, as in this case, a problem that hasn't happened yet, but that the attacker knows will happen because he's going to cause it. He then presents himself as the person who can provide the solution.

The setup in this kind of attack is particularly juicy for the attacker: Because of the seed planted in advance, when the target discovers he has a problem, he himself makes the phone call to plead for help. The attacker just sits and waits for the phone to ring, a tactic fondly known in the trade as reverse social engineering. An attacker who can make the target call him gains instant credibility: If I place a call to someone I think is on the help desk, I'm not going to start asking him to prove his identity. That's when the attacker has it made.

LINGO.

REMOTE COMMAND SHELL: A non-graphical interface that accepts text-based commands to perform certain functions or run programs. An attacker who exploits technical vulnerabilities or is able to install a Trojan Horse program on the victim's computer may be able to obtain remote access to a command shell.

REVERSE SOCIAL ENGINEERING: A social engineering attack in which the attacker sets up a situation where the victim encounters a problem and contacts the attacker for help. Another form of reverse social engineering turns the tables on the attacker. The target recognizes the attack, and uses psychological principles of influence to draw out as much information as possible from the attacker so that the business can safeguard targeted assets.

MITNICK MESSAGE.

If a stranger does you a favor, then asks you for a favor, don't reciprocate without thinking carefully about what he's asking for.

In a con like this one, the social engineer tries to pick a target who is likely to have limited knowledge of computers. The more he knows, the more likely that he'll get suspicious, or just plain figure out that he's being manipulated. What I sometimes call the computer-challenged worker, who is less knowledgeable about technology and procedures, is more likely to comply. He's all the more likely to fall for a ruse like "Just download this little program," because he has no idea of the potential damage a software program can inflict. What's more, there's a much smaller chance he'll understand the value of the information on the computer network that he's placing at risk.

A LITTLE HELP FOR THE NEW GAL.

New employees are a ripe target for attackers. They don't know many people yet, and they don't know the procedures or the dos and don'ts of the company. And, in the name of making a good first impression, they're eager to show how cooperative and quick to respond they can be.

Helpful Andrea

"Human Resources, Andrea Calhoun."

"Andrea, hi, this is Alex, with Corporate Security."

"Yes?"

"How're you doing today?"

"Okay. What can I help you with?"

"Listen, we're developing a security seminar for new employees and we need to round up some people to try it out on. I want to get the name and phone number of all the new hires in the past month. Can you help me with that?"

"I won't be able to get to it 'til this afternoon. Is that okay?"

"What's your extension?"

"Sure, okay, it's 52 . . . oh, uh, but I'll be in meetings most of today. I'll call you when I'm back in my office, probably after four."

When Alex called about 4:30, Andrea had the list ready, and read him the names and extensions.

A Message for Rosemary

Rosemary Morgan was delighted with her new job. She had never worked for a magazine before and was finding the people much friendlier than she expected, a surprise because of the never-ending pressure most of the staff was always under to get yet another issue finished by the monthly deadline. The call she received one Thursday morning reconfirmed that impression of friendliness.

"Is that Rosemary Morgan?"

"Yes."

"Hi, Rosemary. This is Bill Jorday, with the Information Security group."

"Yes?"

"Has anyone from our department discussed best security practices with you?"

"I don't think so."

"Well, let's see. For starters, we don't allow anybody to install software brought in from outside the company. That's because we don't want any liability for unlicensed use of software. And to avoid any problems with software that might have a worm or a virus."

"Okay."

"Are you aware of our email policies?"

"No."

"What's your current email address?"

"[email protected]"

"Do you sign in under the username Rosemary?"

"No, it's R underscore Morgan."

"Right. We like to make all our new employees aware that it can be dangerous to open any email attachment you aren't expecting. Lots of viruses and worms get sent around and they come in emails that seem to be from people you know. So if you get an email with an attachment you weren't expecting you should always check to be sure the person listed as sender really did send you the message. You understand?"

"Yes, I've heard about that."

"Good. And our policy is that you change your password every ninety days. When did you last change your password?"

"I've only been here three weeks; I'm still using the one I first set."

"Okay, that's fine. You can wait the rest of the ninety days. But we need to be sure people are using passwords that aren't too easy to guess. Are you using a password that consists of both letters and numbers?"

"No."

"We need to fix that. What password are you using now?"

"It's my daughter's name - Annette."

"That's really not a secure password. You should never choose a password that's based on family information. Well, let's see . . . you could do the same thing I do. It's okay to use what you're using now as the first part of the password, but then each time you change it, add a number for the current month."

"So if I did that now, for March, would I use three, or oh-three?"

"That"s up to you. Which would you be more comfortable with?"

"I guess Annette-three."

"Fine. Do you want me to walk you through how to make the change?"

"No, I know how."

"Good. And one more thing we need to talk about. You have anti-virus software on your computer and it's important to keep it up to date. You should never disable the automatic update even if your computer slows down every once in a while. Okay?"

"Sure."

"Very good. And do you have our phone number over here, so you can call us if you have any computer problems?"

She didn't. He gave her the number, she wrote it down carefully, and went back to work, once again, pleased at how well taken care of she felt.

Analyzing the Con

This story reinforces an underlying theme you'll find throughout this book: The most common information that a social engineer wants from an employee, regardless of his ultimate goal, is the target's authentication credentials. With an account name and password in hand from a single employee in the right area of the company, the attacker has what he needs to get inside and locate whatever information he's after. Having this information is like finding the keys to the kingdom; with them in hand, he can move freely around the corporate landscape and find the treasure he seeks.

MITNICK MESSAGE.

Before new employees are allowed access to any company computer systems, they must be trained to follow good security practices, especially policies about never disclosing their passwords.

NOT AS SAFE AS YOU THINK.

"The company that doesn't make an effort to protect its sensitive information is just plain negligent." A lot of people would agree with that statement. And the world would be a better place if life were so obvious and so simple. The truth is that even those companies that do make an effort to protect confidential information may be at serious risk.

Here's a story that illustrates once again how companies fool themselves every day into thinking their security practices, designed by experienced, competent professionals, cannot be circumvented.

Steve Cramer's Story

It wasn't a big lawn, not one of those expensively seeded spreads. It garnered no envy. And it certainly wasn't big enough to give him an excuse for buying a sit-down mower, which was fine because he wouldn't have used one anyway. Steve enjoyed cutting the grass with a hand-mower because it took longer, and the chore provided a convenient excuse to focus on his own thoughts instead of listening to Anna telling him stories about the people at the bank where she worked or explaining errands for him to do. He hated those honey-do lists that had become an integral part of his weekends. It flashed through his mind that 12-year-old Pete was damn smart to join the swimming team. Now he'd have to be at practice or a meet every Saturday so he wouldn't get stuck with Saturday chores.

Some people might think Steve's job designing new devices for GeminiMed Medical Products was boring; Steve knew he was saving lives. Steve thought of himself as being in a creative line of work. Artist, music composer, engineer - in Steve's view they all faced the same kind of challenge he did: They created something that no one had ever done before. And his latest, an intriguingly clever new type of heart stent, would be his proudest achievement yet.

It was almost 11:30 on this particular Saturday, and Steve was annoyed because he had almost finished cutting the grass and hadn't made any real progress in figuring out how to reduce the power requirement on the heart stent, the last remaining hurdle. A perfect problem to mull over while mowing, but no solution had come.

Anna appeared at the door, her hair covered in the red paisley cowboy scarf she always wore when dusting. "Phone call," she shouted to him. "Somebody from work."

"Who?" Steve shouted back.

"Ralph something. I think."

Ralph? Steve couldn't remember anybody at GeminiMed named Ralph who might be calling on a weekend. But Anna probably had the name wrong.

"Steve, this is Ramon Perez in Tech Support." Ramon - how in the world did Anna get from a Hispanic name to Ralph, Steve wondered.

"This is just a courtesy call," Ramon was saying. "Three of the servers are down, we think maybe a worm, and we have to wipe the drives and restore from backup. We should be able to have your files up and running by Wednesday or Thursday. If we're lucky."

"Absolutely unacceptable," Steve said firmly, trying not to let his frustration take over. How could these people be so stupid? Did they really think he could manage without access to his files all weekend and most of next week? "No way. I'm going to sit down at my home terminal in just about two hours and I will need access to my files. Am I making this clear?"

"Yeah, well, everybody I've called so far wants to be at the top of the list. I gave up my weekend to come in and work on this and it's no fun having everybody I talk to get pissed at me."

"I'm on a tight deadline, the company is counting on this; I've got to get work done this afternoon. What part of this do you not understand?"

"I've still got a lot of people to call before I can even get started," Ramon said. "How about we say you'll have your files by Tuesday?"

"Not Tuesday, not Monday, today. NOW!" Steve said, wondering who he was going to call if he couldn't get his point through this guy's thick skull.

"Okay, okay," Ramon said, and Steve could hear him breathe a sigh of annoyance. "Let me see what I can do to get you going. You use the RM22 server, right?"

"RM22 and the GM16. Both."

"Right. Okay, I can cut some corners, save some time--I'll need your username and password."

Uh oh, Steve thought. What's going on here? Why would he need my password?

Why would IT, of all people, ask for it?

"What did you say your last name was? And who's your supervisor?"

"Ramon Perez. Look, I tell you what, when you were hired, there was a form you had to fill out to get your user account, and you had to put down a password. I could look that up and show you we've got it on file here. Okay?"

Steve mulled that over for a few moments, then agreed. He hung on with growing impatience while Ramon went to retrieve documents from a file cabinet. Finally back on the phone, Steve could hear him shuffling through a stack of papers.

"Ah, here it is," Ramon said at last. "You put down the password 'Janice.'" Janice, Steve thought. It was his mother's name, and he had indeed sometimes used it as a password. He might very well have put that down for his password when filling out his new-hire papers.

"Yes, that's right," he acknowledged.

"Okay, we're wasting time here. You know I'm for real, you want me to use the shortcut and get your files back in a hurry, you're gonna have to help me out here."

"My ID is s, d, underscore, cramer--c-r-a-m-e-r. The password is 'pelican1.'"

"I'll get right on it," Ramon said, sounding helpful at last. "Give me a couple of hours."

Steve finished the lawn, had lunch, and by the time he got to his computer found that his files had indeed been restored. He was pleased with himself for handling that uncooperative IT guy so forcefully, and hoped Anna had heard how assertive he was. Would be good to give the guy or his boss an attaboy, but he knew it was one of those things he'd never get around to doing.

Craig Cogburne's Story

Craig Cogburne had been a salesman for a high-tech company, and done well at it. After a time he began to realize he had a skill for reading a customer, understanding where the person was resistant and recognizing some weakness or vulnerability that made it easy to close the sale. He began to think about other ways to use this talent, and the path eventually led him into a far more lucrative field: corporate espionage.

This one was a hot assignment. Didn't look to take me very long and worth enough to pay for a trip to Hawaii. Or maybe Tahiti.

The guy that hired me, he didn't tell me the client, of course, but it figured to be some company that wanted to catch up with the competition in one quick, big, easy leap. All I'd have to do is get the designs and product specs for a new gadget called a heart stent, whatever that was. The company was called GeminiMed. Never heard of it, but it was a Fortune 500 outfit with offices in half a dozen locations - which makes the job easier than a smaller company where there's a fair chance the guy you're talking to knows the guy you're claiming to be and knows you're not him. This, like pilots say about a midair collision, can ruin your whole day.

My client sent me a fax, a bit from some doctor's magazine that said GeminiMed was working on a stent with a radical new design and it would be called the STH-100. For crying out loud, some reporter has already done a big piece of the legwork for me. I had one thing I needed even before I got started, the new product name.

First problem: Get names of people in the company who worked on the STH-100 or might need to see the designs. So I called the switchboard operator and said, "I promised one of the people in your engineering group I'd get in touch with him and I don't remember his last name, but his first name started with an S." And she said, "We have a Scott Archer and a Sam Davidson." I took a long shot. "Which one works in the STH-100 group?" She didn't know, so I just picked Scott Archer at random, and she rang his phone.

When he answered, I said, "Hey, this is Mike, in the mail room. We've got a FedEx here that's for the Heart Stent STH-100 project team. Any idea who that should go to?" He gave me the name of the project leader, Jerry Mendel. I even got him to look up the phone number for me.

I called. Mendel wasn't there but his voice mail message said he'd be on vacation till the thirteenth, which meant he had another week left for skiing or whatever, and anybody who needed something in the meantime should call Michelle on 9137. Very helpful, these people. Very helpful.