Then someone at the state Telecom Department did the same thing, accepting Eric's claim that he was with an equipment manufacturer, and providing the stranger with a phone number for dialing into the telephone switch serving the DMV.
Eric was able to get into the switch in large measure because of weak security practices on the part of the switch manufacturer in using the same account name on all their switches. That carelessness made it a walk in the park for the social engineer to guess the password, knowing once again that switch technicians, just like almost everybody else, choose passwords that will be a cinch for them to remember.
With access to the switch, he set up call forwarding from one of the DMV phone lines for law enforcement to his own cell phone.
And then, the capper and most blatant part, he conned one law enforcement officer after another into revealing not only their requestor codes but their own personal identifying information, giving Eric the ability to impersonate them.
While there was certainly technical knowledge required to pull off this stunt, it could not have worked without the help of a series of people who had no clue that they were talking to an imposter.
This story was another illustration of the phenomenon of why people don't ask "Why me?" Why would the Teletype officer give this information to some sheriff's deputy he didn't know--or, in this case, a stranger passing himself off as a sheriff's deputy--instead of suggesting he get the information from a fellow deputy or his own sergeant? Again, the only answer I can offer is that people rarely ask this question. It doesn't occur to them to ask? They don't want to sound challenging and unhelpful? Maybe. Any further explanation would just be guesswork. But social engineers don't care why; they only care that this little fact makes it easy to get information that otherwise might be a challenge to obtain.
MITNICK MESSAGE
If you have a telephone switch at your company facilities, what would the person in charge do if he received a call from the vendor, asking for the dial-in number?
And by the way, has that person ever changed the default password for the switch? Is that password an easy-to-guess word found in any dictionary?
PREVENTING THE CON
A security code, properly used, adds a valuable layer of protection. A security code improperly used can be worse than none at all because it gives the illusion of security where it doesn't really exist. What good are codes if your employees don't keep them secret?
Any company with a need for verbal security codes needs to spell out clearly for its employees when and how the codes are used. Properly trained, the character in the first story in this chapter would not have had to rely on his instincts, easily overcome, when asked to give a security code to a stranger. He sensed that he should not be asked for this information under the circumstances, but lacking a clear security policy--and good common sense--he readily gave in.
Security procedures should also set up steps to follow when an employee fields an inappropriate request for a security code. All employees should be trained to immediately report any request for authentication credentials, such as a daily code or password, made under suspicious circumstances. They should also report when an attempt to verify the identity of a requestor doesn't check out.
At the very least, the employee should record the caller's name, phone number, and office or department, and then hang up. Before calling back he should verify that the organization really does have an employee of that name, and that the call back phone number matches the phone number in the on-line or hard-copy company directory. Most of the time, this simple tactic will be all that's needed to verify that the caller is who he says he is.
Verifying becomes a bit trickier when the company has a published phone directory instead of an on-line version. People get hired; people leave; people change departments, job positions, and phone numbers. The hard-copy directory is already out of date the day after it's published, even before being distributed. Even online directories can't always be relied on, because social engineers know how to modify them. If an employee can't verify the phone number from an independent source, she should be instructed to verify by some other means, such as contacting the employee's manager.
Part 3
Intruder Alert
Chapter 10
Entering the Premises
Why is it so easy for an outsider to assume the identity of a company employee and carry off an impersonation so convincingly that even people who are highly security conscious are taken in? Why is it so easy to dupe individuals who may be fully aware of security procedures, suspicious of people they don't personally know, and protective of their company's interests?
Ponder these questions as you read the stories in this chapter.
THE EMBARRASSED SECURITY GUARD
Date/Time: Tuesday, October 17, 2:16 A.M.
Place: Skywatcher Aviation, Inc. manufacturing plant on the outskirts of Tucson, Arizona.
The Security Guard's Story
Hearing his leather heels click against the floor in the halls of the nearly deserted plant made Leroy Greene feel much better than spending the night hours of his watch in front of the video monitors in the security office. There he wasn't allowed to do anything but stare at the screens, not even read a magazine or his leather-bound Bible. You just had to sit there looking at the displays of still images where nothing ever moved.
But walking the halls, he was at least stretching his legs, and when he remembered to throw his arms and shoulders into the walk, it got him a little exercise, too. Although it didn't really count very much as exercise for a man who had played right tackle on the All-City champion high school football team. Still, he thought, a job is a job.
He turned the southwest corner and started along the gallery overlooking the half-mile-long production floor. He glanced down and saw two people walking past the line of partly built copters. The pair stopped and seemed to be pointing things out to each other. A strange sight at this time of night. "Better check," he thought.
Leroy headed for a staircase that would bring him onto the production-line floor behind the pair, and they didn't sense his approach until he stepped alongside.
"Morning. Can I see your security badges, please," he said. Leroy always tried to keep his voice soft at moments like this; he knew that the sheer size of him could seem threatening.
"Hi, Leroy," one of them said, reading the name off his badge. "I'm Tom Stilton, from the Marketing office at corporate in Phoenix. I'm in town for meetings and wanted to show my friend here how the world's greatest helicopters get built."
"Yes, sir. Your badge, please," Leroy said. He couldn't help noticing how young they seemed. The Marketing guy looked barely out of high school; the other one had hair down to his shoulders and looked about fifteen.
The one with the haircut reached into his pocket for his badge, then started patting all his pockets. Leroy was suddenly beginning to have a bad feeling about this. "Damn," the guy said. "Must've left it in the car. I can get it--just take me ten minutes to go out to the parking lot and back."
Leroy had his pad out by this time. "What'd you say your name was, sir?" he asked, and carefully wrote down the response. Then he asked them to go with him to the Security Office. On the elevator to the third floor, Tom chatted about having been with the company for only six months and hoped he wasn't going to get in any trouble for this.
In the Security monitoring room, the two others on the night shift with Leroy joined him in questioning the pair. Stilton gave his telephone number, and said his boss was Judy Underwood and gave her telephone number, and the information all checked out on the computer. Leroy took the other two security people aside and they talked about what to do. Nobody wanted to get this wrong; all three agreed they better call the guy's boss even though it would mean waking her in the middle of the night.
Leroy called Mrs. Underwood himself, explained who he was and did she have a Mr. Tom Stilton working for her? She sounded like she was still half-asleep.
"Yes," she said.
"Well, we found him down on the production line at 2:30 in the morning with no ID badge."
Mrs. Underwood said, "Let me talk to him."
Stilton got on the phone and said, "Judy, I'm really sorry about these guys waking you up in the middle of the night. I hope you're not going to hold this against me."
He listened and then said, "It was just that I had to be here in the morning anyway, for that meeting on the new press release. Anyway, did you get the email about the Thompson deal? We need to meet with Jim on Monday morning so we don't lose this. And I'm still having lunch with you on Tuesday, right?"
He listened a bit more and said good-bye and hung up.
That caught Leroy by surprise; he had thought he'd get the phone back so the lady could tell him everything was okay. He wondered if maybe he should call her again and ask, but thought better of it. He had already bothered her once in the middle of the night; if he called a second time, maybe she might get annoyed and complain to his boss. "Why make waves?" he thought.
"Okay if I show my friend the rest of the production line?" Stilton asked Leroy. "You want to come along, keep an eye on us?"
"Go on," Leroy said. "Look around. Just don't forget your badge next time. And let Security know if you need to be on the plant floor after hours--it's the rule."
"I'll remember that, Leroy," Stilton said. And they left.
Hardly ten minutes had gone by before the phone rang in the Security Office.
Mrs. Underwood was on the line. "Who was that guy?!" she wanted to know. She said she kept trying to ask questions but he just kept on talking about having lunch with her and she doesn't know who the hell he is.
The security guys called the lobby and the guard at the gate to the parking lot.
Both reported the two young men had left some minutes before.
Telling the story later, Leroy always finished by saying, "Lordy, did the boss chew me up one side and down the other. I'm lucky I still have a job."
Joe Harper's Story
Just to see what he could get away with, seventeen-year-old Joe Harper had been sneaking into buildings for more than a year, sometimes in the daytime, sometimes at night. The son of a musician and a cocktail waitress, both working the night shift, Joe had too much time by himself. His story of that same incident sheds instructive light on how it all happened.
I have this friend Kenny who thinks he wants to be a helicopter pilot. He asked me, could I get him into the Skywatcher factory to see the production line where they make the choppers. He knows I've got into other places before. It's an adrenaline rush to see if you can slip into places you're not supposed to be.
But you don't just walk into a factory or office building. Got to think it through, do a lot of planning, and do a full reconnaissance on the target. Check the company's Web page for names and titles, reporting structure, and telephone numbers. Read press clippings and magazine articles. Meticulous research is my own brand of caution, so I could talk to anybody that challenged me, with as much knowledge as any employee.
So where to start? First I looked up on the Internet to see where the company had offices, and saw the corporate headquarters was in Phoenix. Perfect. I called and asked for Marketing; every company has a marketing department. A lady answered, and I said I was with Blue Pencil Graphics and we wanted to see if we could interest them in using our services and who would I talk to. She said that would be Tom Stilton. I asked for his phone number and she said they didn't give out that information but she could put me through. The call rang into voice mail, and his message said, "This is Tom Stilton in Graphics, extension 3147, please leave a message." Sure--they don't give out extensions, but this guy leaves his right on his voice mail. So that was cool. Now I had a name and extension.
Another call, back to the same office. "Hi, I was looking for Tom Stilton. He's not in. I'd like to ask his boss a quick question." The boss was out, too, but by the time I was finished, I knew the boss's name. And she had nicely left her extension number on her voice mail, too.
I could probably get us past the lobby guard with no sweat, but I've driven by that plant and I thought I remembered a fence around the parking lot. A fence means a guard who checks you when you try to drive in. And at night, they might be writing down license numbers, too, so I'd have to buy an old license plate at a flea market.
But first I'd have to get the phone number in the guard shack. I waited a little so if I got the same operator when I dialed back in, she wouldn't recognize my voice.
After a bit I called and said, "We've got a complaint that the phone at the Ridge Road guard shack has reported intermittent problems--are they still having trouble?" She said she didn't know but would connect me.
The guy answered, "Ridge Road gate, this is Ryan." I said, "Hi, Ryan, this is Ben. Were you having problems with your phones there?" He's just a low-paid security guard but I guess he had some training because he right away said, "Ben who-- what's your last name?" I just kept right on as if I hadn't even heard him.
"Somebody reported a problem earlier."
I could hear him holding the phone away and calling out, "Hey, Bruce, Roger, was there a problem with this phone?" He came back on and said, "No, no problems we know about."
"How many phone lines do you have there?"
He had forgotten about my name. "Two," he said. "Which one are you on now?"
"3140."
Gotcha! "And they"re both working okay?"
"Seems like."
"Okay," I said. "Listen, Tom, if you have any phone problems, just call us in Telecom any time. We're here to help."
My buddy and I decided to visit the plant the very next night. Late that afternoon I called the guard booth, using the name of the Marketing guy. I said, "Hi, this is Tom Stilton in Graphics. We're on a crash deadline and I have a couple of guys driving into town to help out. Probably won't be here till one or two in the morning. Will you still be on then?"
He was happy to say that, no, he got off at midnight.
I said, "Well, just leave a note for the next guy, okay? When two guys show up and say they've come to see Tom Stilton, just wave 'em on in--okay?"
Yes, he said, that was fine. He took down my name, department, and extension number and said he'd take care of it.
We drove up to the gate a little after two, I gave Tom Stilton's name, and a sleepy guard just pointed to the door we should go in and where I should park.
When we walked into the building, there was another guard station in the lobby, with the usual book for after-hours sign-ins. I told the guard I had a report that needed to be ready in the morning, and this friend of mine wanted to see the plant. "He's crazy about helicopters," I said. "Thinks he wants to learn to pilot one." He asked me for my badge. I reached into a pocket, then patted around and said I must have left it in the car; I'll go get it. I said, "It'll take about ten minutes."
He said, "Never mind, it's okay, just sign in."
Walking down that production line--what a gas. Until that tree-trunk of a Leroy stopped us.
In the security office, I figured somebody who didn't really belong would look nervous and frightened. When things get tight, I just start sounding like I'm really steamed. Like I'm really who I claimed to be and it's annoying they don't believe me.
When they started talking about maybe they should call the lady I said was my boss and went to get her home phone number from the computer, I stood there thinking, "Good time to just make a break for it." But there was that parking-lot gate--even if we got out of the building, they'd close the gate and we'd never make it out.
When Leroy called the lady who was Stilton's boss and then gave me the phone, the lady started shouting at me "Who is this, who are you!" and I just kept on talking like we were having a nice conversation, and then hung up.
How long does it take to find somebody who can give you a company phone number in the middle of the night? I figured we had less than fifteen minutes to get out of there before that lady was ringing the security office and putting a bug in their ears.
We got out of there as fast as we could without looking like we were in a hurry.
Sure was glad when the guy at the gate just waved us through.
Analyzing the Con
It's worth noting that in the real incident this story is based on, the intruders actually were teenagers. The intrusion was a lark, just to see if they could get away with it. But if it was so easy for a pair of teenagers, it would have been even easier for adult thieves, industrial spies, or terrorists.
How did three experienced security officers allow a pair of intruders to just walk away? And not just any intruders, but a pair so young that any reasonable person should have been very suspicious?
Leroy was appropriately suspicious, at first. He was correct in taking them to the Security Office, and in questioning the guy who called himself Tom Stilton and checking the names and phone numbers he gave. He was certainly correct in making the phone call to the supervisor.
But in the end he was taken in by the young man's air of confidence and indignation. It wasn't the behavior he would expect from a thief or intruder--only a real employee would have acted that way... or so he assumed. Leroy should have been trained to count on solid identification, not perceptions.
Why wasn't he more suspicious when the young man hung up the phone without handing it back so Leroy could hear the confirmation directly from Judy Underwood and receive her assurance that the kid had a reason for being in the plant so late at night?
Leroy was taken in by a ruse so bold that it should have been obvious. But consider the moment from his perspective: a high-school graduate, concerned for his job, uncertain whether he might get in trouble for bothering a company manager for the second time in the middle of the night. If you had been in his shoes, would you have made the follow-up call?
But of course, a second phone call wasn't the only possible action. What else could the security guard have done?
Even before placing the phone call, he could have asked both of the pair to show some kind of picture identification; they drove to the plant, so at least one of them should have a driver's license. The fact that they had originally given phony names would have been immediately obvious (a professional would have come equipped with fake ID, but these teenagers had not taken that precaution). In any case, Leroy should have examined their identification credentials and written down the information. If they both insisted they had no identification, he should then have walked them to the car to retrieve the company ID badge that "Tom Stilton" claimed he had left there.
MITNICK MESSAGE
Manipulative people usually have very attractive personalities. They are typically fast on their feet and quite articulate. Social engineers are also skilled at distracting people's thought processes so that they cooperate. To think that any one particular person is not vulnerable to this manipulation is to underestimate the skill and the killer instinct of the social engineer.
A good social engineer, on the other hand, never underestimates his adversary.
Following the phone call, one of the security people should have stayed with the pair until they left the building. And then walked them to their car and written down the license-plate number. If he had been observant enough, he would have noted that the plate (the one that the attacker had purchased at a flea market) did not have a valid registration sticker - and that should have been reason enough to detain the pair for further investigation.
DUMPSTER DIVING
Dumpster diving is a term that describes pawing through a target's garbage in search of valuable information. The amount of information you can learn about a target is astounding.