The Art of Deception

I hung up and called Michelle, got her on the phone and said, "This is Bill Thomas. Jerry told me I should call you when I had the spec ready that he wanted the guys on his team to review. You're working on the heart stent, right?"

She said they were.

Now we were getting to the sweaty part of the scam. If she started sounding suspicious, I was ready to play the card about how I was just trying to do a favor Jerry had asked me for. I said, "Which system are you on?"

"System?"

"Which computer servers does your group use?"

"Oh," she said, "RM22. And some of the group also use GM16." Good. I needed that, and it was a piece of information I could get from her without making her suspicious. Which softened her up for the next bit, done as casually as I could manage. "Jerry said you could give me a list of email addresses for people on the development team," I said, and held my breath.

"Sure. The distribution list is too long to read off, can I email it to you?"

Oops. Any email address that didn't end in GeminiMed.com would be a huge red flag. "How about you fax it to me?" I said.

She had no problem with doing that.

"Our fax machine is on the blink. I'll have to get the number of another one. Call you back in a bit," I said, and hung up.

Now, you might think I was saddled with a sticky problem here, but it's just another routine trick of the trade. I waited a while so my voice wouldn't sound familiar to the receptionist, then called her and said, "Hi, it's Bill Thomas, our fax machine isn't working up here, can I have a fax sent to your machine?" She said sure, and gave me the number.

Then I just walk in and pick up the fax, right? Of course not. First rule: Never visit the premises unless you absolutely have to. They have a hard time identifying you if you're just a voice on the telephone. And if they can't identify you, they can't arrest you. It's hard to put handcuffs around a voice. So I called the receptionist back after a little while and asked her, did my fax come? "Yes," she said.

"Look," I told her, "I've got to get that to a consultant we're using. Could you send it out for me?" She agreed. And why not--how could any receptionist be expected to recognize sensitive data? While she sent the fax out to the "consultant," I had my exercise for the day walking over to a stationery store near me, the one with the sign out front "Faxes Sent/Rcvd." My fax was supposed to arrive before I did, and as expected, it was there waiting for me when I walked in.

Six pages at $1.75. For a $10 bill and change, I had the group's entire list of names and email addresses.

Getting Inside

Okay, so I had by now talked to three or four different people in only a few hours and was already one giant step closer to getting inside the company's computers.

But I'd need a couple more pieces before I was home.

Number one was the phone number for dialing into the Engineering server from outside. I called GeminiMed again and asked the switchboard operator for the IT Department, and asked the guy who answered for somebody who could give me some computer help. He transferred me, and I put on an act of being confused and kind of stupid about anything technical. "I'm at home, just bought a new laptop, and I need to set it up so I can dial in from outside."

The procedure was obvious but I patiently let him talk me through it until he got to the dial-in phone number. He gave me the number like it was just another routine piece of information. Then I made him wait while I tried it. Perfect.

So now I had passed the hurdle of connecting to the network. I dialed in and found they were set up with a terminal server that would let a caller connect to any computer on their internal network. After a bunch of tries I stumbled across somebody's computer that had a guest account with no password required. Some operating systems, when first installed, direct the user to set up an ID and password, but also provide a guest account. The user is supposed to set his or her own password for the guest account or disable it, but most people don't know about this, or just don't bother. This system was probably just set up and the owner hadn't bothered to disable the guest account.

LINGO.

PASSWORD HASH: A string of gibberish that results from processing a password through a one-way encryption process. The process is supposedly irreversible; that is, it's believed that it is not possible to reconstruct the password from the hash.

Thanks to the guest account, I now had access to one computer, which turned out to be running an older version of the UNIX operating system. Under UNIX, the operating system maintains a password file which contains the encrypted passwords of everybody authorized to access that computer. The password file contains the one-way hash (that is, a form of encryption that is irreversible) of every user's password. With a one-way hash an actual password such as, say, "justdoit" would be represented by a hash in encrypted form; in this case the hash would be converted by UNIX to thirteen alphanumeric characters.

When Billy Bob down the hall wants to transfer some files to a computer, he's required to identify himself by providing a username and password. The system program that checks his authorization encrypts the password he enters, and then compares the result to the encrypted password (the hash) contained in the password file; if the two match, he's given access.

Because the passwords in the file were encrypted, the file itself was made available to any user on the theory that there's no known way to decrypt the passwords. That's a laugh - I downloaded the file, ran a dictionary attack on it (see Chapter 12 for more about this method) and found that one of the engineers on the development team, a guy named Steven Cramer, currently had an account on the computer with the password "Janice." Just on the chance, I tried entering his account with that password on one of the development servers; if it had worked, it would have saved me some time and a little risk. It didn't.
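The one-way hash check described above, and the guest account with no password that got the narrator onto the machine, as an added Python example that is not from the book: a small password store that hashes with a salted PBKDF2 and verifies a login the way the UNIX check does (hash what was typed, compare to the stored hash), rejects dictionary and vendor-default passwords such as "Janice" or "changeme" before they are ever stored, and audits a passwd-style account file for entries with an empty password field. The wordlist, the three-field account format, and the account names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for a dictionary/default-password list (assumption, not
# data from the book); a real check would load a large wordlist.
WEAK_WORDS = {"janice", "justdoit", "changeme", "password", "guest", "welcome"}
MIN_LENGTH = 12
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """One-way hash for storage: PBKDF2-HMAC-SHA256 with a random per-user salt.

    Only 'algorithm$iterations$salt$digest' is stored, never the plaintext;
    the salt means two users with the same password get different hashes.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(candidate, stored):
    """Login check: hash what the user typed the same way and compare digests."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), base64.b64decode(salt_b64), int(iterations)
    )
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(recomputed, base64.b64decode(digest_b64))


def policy_problems(password):
    """Reasons a new password must be rejected before it is ever hashed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in WEAK_WORDS:
        problems.append("dictionary word or vendor default")
    return problems


def audit_accounts(account_file):
    """Flag accounts whose password field lets anyone log in with no password.

    Input is a constructed 'name:hashfield:uid' format modelled on the UNIX
    password file; '!' or '*' in the hash field marks a locked account.
    """
    findings = []
    for line in account_file.strip().splitlines():
        name, field, _uid = line.split(":")
        if field == "":
            findings.append((name, "empty password field: login with no password"))
    return findings


# Constructed sample file: a locked root, a user with a proper hash, and a
# freshly installed 'guest' account whose password was never set.
SAMPLE_ACCOUNTS = "\n".join([
    "root:!:0",
    "scramer:%s:1001" % hash_password("a-long-unguessable-phrase"),
    "guest::1002",
])

if __name__ == "__main__":
    print(policy_problems("Janice"))          # both rules fail
    print(audit_accounts(SAMPLE_ACCOUNTS))    # flags the guest account
```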

That meant I"d have to trick the guy into telling me his username and pa.s.sword.

For that, I"d wait until the weekend. 70 You already know the rest. On Sat.u.r.day I called Cramer and walked him through a ruse about a worm and the servers having to be restored from backup to overcome his suspicions.

What about the story I told him, the one about listing a pa.s.sword when he filled out his employee papers? I was counting on him not remembering that had never happened. A new employee fills out so many forms that, years later, who would remember? And anyway, if I had struck out with him, I still had that long list of other names.

With his username and pa.s.sword, I got into the server, fished around for a little while, and then located the design files for the STH-100. I wasn"t exactly sure which ones were key, so I just transferred all the files to a dead drop, a free FTP site in China, where they could be stored without anybody getting suspicious. Let the client sort through the junk and find what he wants.

LINGO.

DEAD DROP: A place for leaving information where it is unlikely to be found by others. In the world of traditional spies, this might be behind a loose stone in a wall; in the world of the computer hacker, it's commonly an Internet site in a remote country.

Analyzing the Con

For the man we're calling Craig Cogburne, or anyone like him equally skilled in the larcenous-but-not-always-illegal arts of social engineering, the challenge presented here was almost routine. His goal was to locate and download files stored on a secure corporate computer, protected by a firewall and all the usual security technologies.

Most of his work was as easy as catching rainwater in a barrel. He began by posing as somebody from the mail room and furnished an added sense of urgency by claiming there was a FedEx package waiting to be delivered. This deception produced the name of the team leader for the heart-stent engineering group, who was on vacation, but - convenient for any social engineer trying to steal information - he had helpfully left the name and phone number of his assistant. Calling her, Craig defused any suspicions by claiming that he was responding to a request from the team leader. With the team leader out of town, Michelle had no way to verify his claim. She accepted it as the truth and had no problem providing a list of people in the group - for Craig, a necessary and highly prized set of information.

She didn't even get suspicious when Craig wanted the list sent by fax instead of by email, ordinarily more convenient on both ends. Why was she so gullible?

Like many employees, she didn't want her boss to return to town and find she had stonewalled a caller who was just trying to do something the boss had asked him for. Besides, the caller said that the boss had not just authorized the request, but asked for his assistance. Once again, here's an example of someone displaying the strong desire to be a team player, which makes most people susceptible to deception.

Craig avoided the risk of physically entering the building simply by having the fax sent to the receptionist, knowing she was likely to be helpful. Receptionists are, after all, usually chosen for their charming personalities and their ability to make a good impression. Doing small favors like receiving a fax and sending it on comes with the receptionist's territory, a fact that Craig was able to take advantage of. What she was sending out happened to be information that might have raised alarm bells with anyone knowing the value of the information - but how could a receptionist be expected to know which information is benign and which sensitive?

Using a different style of manipulation, Craig acted confused and naive to convince the guy in computer operations to provide him with the dial-up access number to the company's terminal server, the hardware used as a connection point to other computer systems within the internal network.

MITNICK MESSAGE.

Everybody"s first priority at work is to get the job done. Under that pressure, security practices often take second place and are overlooked or ignored. Social engineers rely on this when practicing their craft.

Craig was able to connect easily by trying a default pa.s.sword that had never been changed, one of the glaring, wide-open gaps that exist throughout many internal networks that rely on firewall security. In fact, the default pa.s.swords for many operating systems, routers, and other types of products, including PBXs, are made available on line. Any social engineer, hacker, or industrial spy, as well as the just plain curious, can find the list at "s absolutely incredible how easy the Internet makes life for those who know where to look. And now you know, too.) Cogburne then actually managed to convince a cautious, suspicious man ("What did you say your last name was? Who"s your supervisor?") to divulge his username and pa.s.sword so that he could access servers used by the heart-stent development team. This was like leaving Craig with an open door to browse the company"s most closely guarded secrets and download the plans for the new product.

What if Steve Cramer had continued to be suspicious about Craig"s call? It was unlikely he would do anything about reporting his suspicions until he showed up at work on Monday morning, which would have been too late to prevent the attack.

One key to the last part of the ruse: Craig at first made himself sound lackadaisical and uninterested in Steve"s concerns, then changed his tune and sounded as if he was trying to help so Steve could get his work done. Most of the time, if the victim believes you"re trying to help him or do him some kind of favor, he will part with confidential information that he would have otherwise protected carefully.

PREVENTING THE CON.

One of the most powerful tricks of the social engineer involves turning the tables.

That"s what you"ve seen in this chapter. The social engineer creates the problem, and then magically solves the problem, deceiving the victim into providing access to the company"s most guarded secrets. Would your employees fall for this type of ruse? Have you bothered to draft and distribute specific security rules that could help to prevent it?

Educate, Educate, and Educate...

There"s an old story about a visitor to New York who stops a man on the street and asks, "How do I get to Carnegie Hall?" The man answers, "Practice, practice, practice." Everyone is so vulnerable to social engineering attacks that a company"s only effective defense is to educate and train your people, giving them the practice they need to spot a social engineer. And then keep reminding people on a consistent basis of what they learned in the training, but are all too apt to forget.

Everyone in the organization must be trained to exercise an appropriate degree of suspicion and caution when contacted by someone he or she doesn"t personally know, especially when that someone is asking for any sort of access to a computer or network. It"s human nature to want to trust others, but as the j.a.panese say, business is war. Your business cannot afford to let down its guard.

Corporate security policy must clearly define appropriate and inappropriate behavior.

Security is not one-size-fits-all. Business personnel usually have disparate roles and responsibilities and each position has associated vulnerabilities. There should be a base level of training that everyone in the company is required to complete, and then people must also be trained according to their job profile to adhere to certain procedures that will reduce the chance that they will become part of the problem. People who work with sensitive information or are placed in positions of trust should be given additional specialized training.

Keeping Sensitive Information Safe

When people are approached by a stranger offering to help, as seen in the stories in this chapter, they have to fall back on corporate security policy that is tailored as appropriate to the business needs, size, and culture of your company.

NOTE.

Personally, I don"t believe any business should allow any exchange of pa.s.swords.

Its much easier to establish a hard rule that forbids personnel from ever sharing or exchanging confidential pa.s.swords. Its safer, too. But each business has to a.s.sess its own culture and security concerns in making this choice Never cooperate with a stranger who asks you to look up information, enter unfamiliar commands into a computer, make changes to software settings or - the most potentially disastrous of all - open an email attachment or download unchecked software. Any software program - even one that appears to do nothing at all - may not be as innocent as it appears to be.

There are certain procedures that, no matter how good our training, we tend to grow careless about over time. Then we forget about that training at crunch time, just when we need it. You would think that not giving out your account name and pa.s.sword is something that just about everybody knows (or should know) and hardly needs to be told: it"s simple common sense. But in fact, every employee needs to be reminded frequently that giving out the account name and pa.s.sword to their office computer, their home computer, or even the postage machine in the mail room is equivalent to giving out the PIN number for their ATM card.

There is occasionally - very occasionally - a quite valid circ.u.mstance when it"s necessary, perhaps even important, to give someone else confidential information. For that reason, it"s not appropriate to make an absolute rule about "never." Still, your security policies and procedures do need to be very specific about circ.u.mstances under which an employee may give out his or her pa.s.sword and - most importantly--who is authorized to ask for the information.

Consider the Source In most organizations, the rule should be that any information that can possibly cause harm to the company or to a. fellow employee may be given only to someone who is known on a face-to-face basis, or whose voice is so familiar that you recognize it without question.

In high-security situations, the only requests that should be granted are ones delivered in person or with a strong form of authentication--for example, two separate items such as a shared secret and a time-based token.

Data classification procedures must designate that no information be provided from a part of the organization involved with sensitive work to anyone not personally known or vouched for in some manner.

NOTE.

Incredibly, even looking up the name and phone number of the caller in the company's employee database and calling him back is not an absolute guarantee; social engineers know ways of planting names in a corporate database or redirecting telephone calls.

So how do you handle a legitimate-sounding request for information from another company employee, such as the list of names and email addresses of people in your group? In fact, how do you raise awareness so that an item like this, which is clearly less valuable than, say, a spec sheet for a product under development, is recognized as something for internal use only? One major part of the solution: Designate employees in each department who will handle all requests for information to be sent outside the group. An advanced security-training program must then be provided to make these designated employees aware of the special verification procedures they should follow.

Forget Nobody

Anyone can quickly rattle off the identity of organizations within her company that need a high degree of protection against malicious attacks. But we often overlook other places that are less obvious, yet highly vulnerable. In one of these stories, the request for a fax to be sent to a phone number within the company seemed innocent and secure enough, yet the attacker took advantage of this security loophole. The lesson here: Everybody from secretaries and administrative assistants to company executives and high-level managers needs to have special security training so that they can be alert to these types of tricks.

And don't forget to guard the front door: Receptionists, too, are often prime targets for social engineers and must also be made aware of the deceptive techniques used by some visitors and callers.

Corporate security should establish a single point of contact as a kind of central clearinghouse for employees who think they may have been the target of a social engineering ruse. Having a single place to report security incidents will provide an effective early-warning system that will make it clear when a coordinated attack is under way, so that any damage can be controlled immediately.

Chapter 6.

"Can You Help Me?"

You"ve seen how social engineers trick people by offering to help.Another favorite approach turns the tables: The social engineer manipulates by pretending he needs the other person to help him. We can all sympathize with people in a tight spot, and the approach proves effective over and over again in allowing a social engineer to reach his goal.

THE OUT-OF TOWNER.

A story in Chapter 3 showed how an attacker can talk a victim into revealing his employee number. This one uses a different approach for achieving the same result, and then shows how the attacker can make use of that Keeping Up with the Joneses Keeping Up with the Joneses In Silicon Valley there is a certain global company that shall be nameless. The scattered sales offices and other field installations around the worldare all connected to that company"s headquarters over a WAN, a wide area network. The intruder, a smart, feisty guy named Brian Atterby, knew it was almost always easier to break into a network at one of the remote sites where security is practically guaranteed to be more lax than at headquarters.

The intruder phoned the Chicago office and asked to speak with Mr Jones. intruder phoned the Chicago office and asked to speak with Mr Jones.

The receptionist asked if he knew Mr. Jones"s first name; he answered, "I had it here, I"m looking for it. How many Joneses do you have?" She said, "Three. Which department would he be in?"

He said, "If you read me the names, maybe I"ll recognize it." So she did: "Barry, Joseph, and Gordon."

"Joe. I"m pretty sure that was it," he said. "And he was in .. which department?"

"Business Development."

"Fine. Can you connect me, please?"

She put the call through. When Jones answered, the attacker said, "Mr. Jones? Hi, this is Tony in Payroll. We just put through your request to have your paycheck deposited directly to your credit union account."

"WHAT???!!! You've got to be kidding. I didn't make any request like that. I don't even have an account at a credit union."

"Oh, damn, I already put it through."

Jones was more than a little upset at the idea that his paycheck might be going to someone else's account, and he was beginning to think the guy on the other end of the phone must be a little slow. Before he could even reply, the attacker said, "I better see what happened. Payroll changes are entered by employee number. What's your employee number?"

Jones gave the number. The caller said, "No, you're right, the request wasn't from you, then." They get more stupid every year, Jones thought.

"Look, I'll see it's taken care of. I'll put in a correction right now. So don't worry - you'll get your next paycheck okay," the guy said reassuringly.

A Business Trip

Not long after, the system administrator in the company's Austin, Texas, sales office received a phone call. "This is Joseph Jones," the caller announced. "I'm in Business Development at corporate. I'll be in town for the week, at the Driskill Hotel. I'd like to have you set me up with a temporary account so I can access my email without making a long distance call."

"Let me get that name again, and give me your employee number," the sys admin said. The false Jones gave the number and went on, "Do you have any high speed dial-up numbers?"

"Hold on, buddy. I gotta verify you in the database." After a bit, he said, "Okay, Joe. Tell me, what's your building number?" The attacker had done his homework and had the answer ready.

MITNICK MESSAGE.

Don"t rely on network safeguards and firewalls to protect your information. Look to your most vulnerable spot. You"ll usually find that vulnerability lies in your people.

"Okay," the sys admin told him, "you convinced me."

It was as simple as that. The sys admin had verified the name Joseph Jones, the department, and the employee number, and "Joe" had given the right answer to the test question. "Your username's going to be the same as your corporate one, jbjones," the sys admin said, "and I'm giving you an initial password of 'changeme.'"

Analyzing the Con

With a couple of phone calls and fifteen minutes of time, the attacker had gained access to the company's wide area network. This was a company that, like many, had what I refer to as candy security, after a description first used by two Bell Labs researchers, Steve Bellovin and Steven Cheswick. They described such security as "a hard crunchy shell with a soft chewy center" - like an M&M candy.

The outer shell, the firewall, Bellovin and Cheswick argued, is not sufficient protection, because once an intruder is able to circumvent it, the internal computer systems have soft, chewy security. Most of the time, they are inadequately protected.