The Art of Deception: Controlling the Human Element of Security
Authors: Kevin D. Mitnick, William L. Simon, Steve Wozniak
One of the most powerful methods for the social engineer to carry out this kind of attack is the simple ploy of pretending to need help - an approach frequently used by attackers. You don't want to stop your employees from being helpful to co-workers or customers, so you need to arm them with specific verification procedures to use with anybody making a request for computer access or confidential information. That way they can be helpful to those who deserve to be helped, but at the same time protect the organization's information assets and computer systems.
Company security procedures need to spell out in detail what kind of verification mechanisms should be used in various circumstances. Chapter 17 provides a detailed list of procedures, but here are some guidelines to consider:
One good way to verify the identity of a person making a request is to call the phone number listed in the company directory for that person. If the person making the request is actually an attacker, the verification call will either let you speak to the real person on the phone while the imposter is on hold, or you will reach the employee's voice mail so that you can listen to the sound of his voice, and compare it to the speech of the attacker. If employee numbers are used in your company for verifying identity, then those numbers have to be treated as sensitive information, carefully guarded and not given out to strangers. The same goes for all other kinds of internal identifiers, such as internal telephone numbers, departmental billing identifiers, and even email addresses.
Corporate training should call everyone's attention to the common practice of accepting unknown people as legitimate employees on the grounds that they sound authoritative or knowledgeable. Just because somebody knows a company practice or uses internal terminology is no reason to assume that his identity doesn't need to be verified in other ways.
Security officers and system administrators must not narrow their focus so that they are only alert to how security-conscious everyone else is being. They also need to make sure they themselves are following the same rules, procedures, and practices.
Passwords and the like must, of course, never be shared, but the restriction against sharing is even more important with time-based tokens and other secure forms of authentication. It should be a matter of common sense that sharing any of these items violates the whole point of the company's having installed the systems. Sharing means there can be no accountability. If a security incident takes place or something goes wrong, you won't be able to determine who the responsible party is.
As I reiterate throughout this book, employees need to be familiar with social engineering strategies and methods to thoughtfully analyze requests they receive. Consider using role-playing as a standard part of security training, so that employees can come to a better understanding of how the social engineer works.
There's an old saying that you never get something for nothing. Still, the ploy of offering something for free continues to be a big draw for both legitimate ("But wait--there's more! Call right now and we'll throw in a set of knives and a popcorn popper!") and not-so-legitimate ("Buy one acre of swampland in Florida and get a second acre free!") businesses.
And most of us are so eager to get something free that we may be distracted from thinking clearly about the offer or the promise being made.
We know the familiar warning, "buyer beware," but it's time to heed another warning: Beware of come-on email attachments and free software. The savvy attacker will use nearly any means to break into the corporate network, including appealing to our natural desire to get a free gift. Here are a few examples.
WOULDN'T YOU LIKE A FREE (BLANK)?
Just as viruses have been a curse to mankind and medical practitioners since the beginning of time, so the aptly named computer virus represents a similar curse to users of technology. The computer viruses that get most of the attention and end up in the spotlight, not coincidentally, do the most damage. These are the product of computer vandals.
Computer nerds turned malicious, computer vandals strive to show off how clever they are. Sometimes their acts are like a rite of initiation, meant to impress older and more experienced hackers. These people are motivated to create a worm or virus intended to inflict damage. If their work destroys files, trashes entire hard drives, and emails itself to thousands of unsuspecting people, vandals puff with pride at their accomplishment. If the virus causes enough chaos that newspapers write about it and the network news broadcasts warn against it, so much the better.
Much has been written about vandals and their viruses; books, software programs, and entire companies have been created to offer protection, and we won't deal here with the defenses against their technical attacks. Our interest at the moment is less in the destructive acts of the vandal than in the more targeted efforts of his distant cousin, the social engineer.
It Came in the Email
You probably receive unsolicited emails every day that carry advertising messages or offer a free something-or-other that you neither need nor want. You know the kind. They promise investment advice, discounts on computers, televisions, cameras, vitamins, or travel, offers for credit cards you don't need, a device that will let you receive pay television channels free, ways to improve your health or your sex life, and on and on.
But every once in a while an offer pops up in your electronic mailbox for something that catches your eye. Maybe it's a free game, an offer of photos of your favorite star, a free calendar program, or inexpensive shareware that will protect your computer against viruses. Whatever the offer, the email directs you to download the file with the goodies that the message has convinced you to try.
Or maybe you receive a message with a subject line that reads "Don, I miss you," or "Anna, why haven't you written me," or "Hi, Tim, here's the sexy photo I promised you." This couldn't be junk advertising mail, you think, because it has your own name on it and sounds so personal. So you open the attachment to see the photo or read the message.
All of these actions--downloading software you learned about from an advertising email, clicking on a link that takes you to a site you haven't heard of before, opening an attachment from someone you don't really know--are invitations to trouble. Sure, most of the time what you get is exactly what you expected, or at worst something disappointing or offensive, but harmless. But sometimes what you get is the handiwork of a vandal.
Sending malicious code to your computer is only a small part of the attack. The attacker needs to persuade you to download the attachment for the attack to succeed.
NOTE One type of program known in the computer underground as a RAT, or Remote Access Trojan, gives the attacker full access to your computer, just as if he were sitting at your keyboard.
The most damaging forms of malicious code - worms with names like Love Letter, SirCam, and Anna Kournikova, to name a few - have all relied on social engineering techniques of deception and taking advantage of our desire to get something for nothing in order to be spread. The worm arrives as an attachment to an email that offers something tempting, such as confidential information, free pornography, or - a very clever ruse - a message saying that the attachment is the receipt for some expensive item you supposedly ordered. This last ploy leads you to open the attachment for fear your credit card has been charged for an item you didn't order. It's astounding how many people fall for these tricks; even after being told and told again about the dangers of opening email attachments, awareness of the danger fades over time, leaving each of us vulnerable.
Spotting Malicious Software
Another kind of malware - short for malicious software - puts a program onto your computer that operates without your knowledge or consent, or performs a task without your awareness. Malware may look innocent enough, may even be a Word document or PowerPoint presentation, or any program that has macro functionality, but it will secretly install an unauthorized program. For example, malware may be a version of the Trojan Horse talked about in Chapter 6. Once this software is installed on your machine, it can feed every keystroke you type back to the attacker, including all your passwords and credit card numbers.
There are two other types of malicious software you may find shocking. One can feed the attacker every word you speak within range of your computer microphone, even when you think the microphone is turned off. Worse, if you have a Web cam attached to your computer, an attacker using a variation of this technique may be able to capture everything that takes place in front of your terminal, even when you think the camera is off, day or night.
LINGO MALWARE Slang for malicious software, a computer program, such as a virus, worm, or Trojan Horse, that performs damaging tasks.
MITNICK MESSAGE Beware of geeks bearing gifts, otherwise your company might endure the same fate as the city of Troy. When in doubt, to avoid an infection, use protection.
A hacker with a malicious sense of humor might try to plant a little program designed to be wickedly annoying on your computer. For example, it might make your CD drive tray keep popping open, or the file you're working on keep minimizing. Or it might cause an audio file to play a scream at full volume in the middle of the night. None of these is much fun when you're trying to get sleep or get work done, but at least they don't do any lasting damage.
MESSAGE FROM A FRIEND
The scenarios can get even worse, despite your precautions. Imagine: You've decided not to take any chances. You will no longer download any files except from secure sites that you know and trust, such as SecurityFocus.com or Amazon.com. You no longer click on links in email from unknown sources. You no longer open attachments in any email that you were not expecting. And you check your browser page to make sure there is a secure site symbol on every site you visit for e-commerce transactions or to exchange confidential information.
And then one day you get an email from a friend or business associate that carries an attachment. Couldn't be anything malicious if it comes from someone you know well, right? Especially since you would know who to blame if your computer data were damaged.
You open the attachment, and... BOOM! You just got hit with a worm or Trojan Horse. Why would someone you know do this to you? Because some things are not as they appear. You've read about this: the worm that gets onto someone's computer, and then emails itself to everyone in that person's address book. Each of those people gets an email from someone he knows and trusts, and each of those trusted emails contains the worm, which propagates itself like the ripples from a stone thrown into a still pond.
The reason this technique is so effective is that it follows the theory of killing two birds with one stone: The ability to propagate to other unsuspecting victims, and the appearance that it originated from a trusted person.
MITNICK MESSAGE Man has invented many wonderful things that have changed the world and our way of life. But for every good use of technology, whether a computer, telephone, or the Internet, someone will always find a way to abuse it for his or her own purposes.
It's a sad fact of life in the current state of technology that you may get an email from someone close to you and still have to wonder if it's safe to open.
VARIATIONS ON A THEME
In this era of the Internet, there is a kind of fraud that involves misdirecting you to a Web site that is not what you expected. This happens regularly, and it takes a variety of forms. This example, which is based on an actual scam perpetrated on the Internet, is representative.
Merry Christmas. . .
A retired insurance salesman named Edgar received an email one day from PayPal, a company that offers a fast and convenient way of making online payments. This kind of service is especially handy when a person in one part of the country (or the world, for that matter) is buying an item from an individual he doesn't know. PayPal charges the purchaser's credit card and transfers the money directly to the seller's account. As a collector of antique glass jars, Edgar did a lot of business through the on-line auction company eBay. He used PayPal often, sometimes several times a week. So Edgar was interested when he received an email in the holiday season of 2001 that seemed to be from PayPal, offering him a reward for updating his PayPal account. The message read:
Season's Greetings Valued PayPal Customer; As the New Year approaches and as we all get ready to move a year ahead, PayPal would like to give you a $5 credit to your account! All you have to do to claim your $5 gift from us is update your information on our secure Pay Pal site by January 1st, 2002. A year brings a lot of changes, by updating your information with us you will allow for us to continue providing you and our valued customer service with excellent service and in the meantime, keep our records straight!
To update your information now and to receive $5 in your PayPal account instantly, click this link:
http://www.paypal-secure.com/cgi-bin
Thank you for using PayPal.com and helping us grow to be the largest of our kind! Sincerely wishing you a very "Merry Christmas and Happy New Year," PayPal Team
A Note about E-commerce Web Sites
You probably know people who are reluctant to buy goods on line, even from brand-name companies such as Amazon and eBay, or the Web sites of Old Navy, Target, or Nike. In a way, they're right to be suspicious. If your browser uses today's standard of 128-bit encryption, the information you send to any secure site goes out from your computer encrypted. This data could be unencrypted with a lot of effort, but probably is not breakable in a reasonable amount of time, except perhaps by the National Security Agency (and the NSA, so far as we know, has not shown any interest in stealing credit card numbers of American citizens or trying to find out who is ordering sexy videotapes or kinky underwear).
These encrypted files could actually be broken by anyone with the time and resources. But really, what fool would go to all that effort to steal one credit card number when many e-commerce companies make the mistake of storing all their customer financial information unencrypted in their databases? Worse, a number of e-commerce companies that use a particular SQL database software badly compound the problem: They have never changed the default system administrator password for the program. When they took the software out of the box, the password was "null," and it's still "null" today. So the contents of the database are available to anyone on the Internet who decides to try to connect to the database server. These sites are under attack all the time and information does get stolen, without anyone being the wiser.
On the other hand, the same people who won't buy on the Internet because they're afraid of having their credit card information stolen have no problem buying with that same credit card in a brick-and-mortar store, or paying for lunch, dinner, or drinks with the card even in a back-street bar or restaurant they wouldn't take their mother to. Credit card receipts get stolen from these places all the time, or fished out of trash bins in the back alley. And any unscrupulous clerk or waiter can jot down your name and card info, or use a gadget readily available on the Internet, a card-swiping device that stores data from any credit card passed through it, for later retrieval.
There are some hazards to shopping on line, but it's probably as safe as shopping in a bricks-and-mortar store. And the credit card companies offer you the same protection when using your card on line--if any fraudulent charges get made to the account, you're only responsible for the first $50. So in my opinion, fear of shopping online is just another misplaced worry.
Edgar didn't notice any of the several tell-tale signs that something was wrong with this email (for example, the semicolon after the greeting line, and the garbled text about "our valued customer service with excellent service"). He clicked on the link, entered the information requested - name, address, phone number, and credit card information - and sat back to wait for the five-dollar credit to show up on his next credit-card bill. What showed up instead was a list of charges for items he never purchased.
Analyzing the Con
Edgar had been taken in by a commonplace Internet scam. It's a scam that comes in a variety of forms. One of them (detailed in Chapter 9) involves a decoy login screen created by the attacker that looks identical to the real thing. The difference is that the phony screen doesn't give access to the computer system that the user is trying to reach, but instead feeds his username and password to the hacker.
Edgar had been taken in by a scam in which the crooks had registered a Web site with the name "paypal-secure.com," which sounds as if it should have been a secure page on the legitimate PayPal site, but it isn't. When he entered information on that site, the attackers got just what they wanted.
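The check a mail gateway or a cautious reader can apply to a link like the one in Edgar's email, written as an added example that is not from the book: it extracts the registrable domain of the link's host and treats any host that merely contains a trusted brand name (paypal-secure.com, paypal.com.something.example, or the brand hidden in the user-info part before an @) as a look-alike rather than the genuine site. The allow-list TRUSTED_DOMAINS and the sample links are constructed for this example, and the "last two labels" rule for the registrable domain is a simplification that is adequate for .com but not for suffixes like .co.uk.

```python
"""Look-alike domain check for links in e-mail (added example, not from the book)."""
from urllib.parse import urlsplit

# Assumed allow-list of genuine registrable domains (constructed for this example).
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two DNS labels of a hostname.
    Real deployments should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike', or 'unknown' for a URL.

    'lookalike' means a trusted brand name appears somewhere in the host
    or in the user-info before '@', but the registrable domain that the
    browser would actually connect to is not on the allow-list."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    # urlsplit separates user-info from the host, so a link such as
    # https://paypal.com@evil.example/ has username "paypal.com" and
    # hostname "evil.example"; both parts are inspected for the brand.
    userinfo = (parts.username or "").lower()
    if any(b in host or b in userinfo for b in brands):
        return "lookalike"
    return "unknown"


# Constructed sample links, the first being the one from the scam e-mail.
SAMPLE_LINKS = [
    "http://www.paypal-secure.com/cgi-bin",
    "https://www.paypal.com/us/home",
    "http://paypal.com.update-account.example/login",
    "https://paypal.com@evil.example/",
    "https://news.example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):9s} {link}")
```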