The Art of Deception: Controlling the Human Element of Security (12 page)

MITNICK MESSAGE While not foolproof (no security is), whenever visiting a site that requests information you consider private, always ensure that the connection is authenticated and encrypted. And even more important, do not automatically click Yes in any dialog box that may indicate a security issue, such as an invalid, expired, or revoked digital certificate.

VARIATIONS ON THE VARIATION How many other ways are there to deceive computer users into going to a bogus Web site where they provide confidential information? I don't suppose anyone has a valid, accurate answer, but "lots and lots" will serve the purpose.

The Missing Link One trick pops up regularly: Sending out an email that offers a tempting reason to visit a site, and provides a link for going directly to it. Except that the link doesn't take you to the site you think you're going to, because the link actually only resembles a link for that site. Here's another exam- pie that has actually been used on the Internet, again involving misuse of the name PayPal:

www. PayPai. com

At a quick glance, this looks as if it says PayPal. Even if the victim notices, he may think it's just a slight defect in the text that makes the "I" of Pal look like an "i." And who would notice at a glance that:

www. PayPal. com

uses the number 1 instead of a lowercase letter L? There are enough people who accept misspellings and other misdirection to make this gambit continually popular with credit card bandits. When people go to the phony site, it looks like the site they expected to go to, and they blithely enter their credit card information. To set up one of these scares, an attacker only needs to register the phony domain name, send out his emails, and wait for suckers to show up, ready to be cheated.

In mid-2002, I received an email, apparently part of a mass mailing that was marked as being from "[email protected]." The message is shown in Figure 8.1. Figure 8.1. The link in this or any other email should be used with caution. -------------------------------------------------------------------------------------------------- ---------------- msg: Dear eBay User,

It has become very noticeable that another party has been corrupting your eBay account and has violated our User Agreement policy listed:

4. Bidding and Buying

You are obligated to complete the transaction with the seller if you purchase an item through one of our fixed price formats or are the highest bidder as described below. If you are the highest bidder at the end of an auction (meeting the applicable minimum bid or reserve requirements) and your bid is accepted by the seller, you are obligated to complete the transaction with the seller, or the transaction is prohibited by law or by this Agreement.

You received this notice from eBay because it has come to our attention that your current account has caused interruptions with other eBay members and eBay requires immediate verification for your account. Please verify your account or the account may become disabled. Click Here To Verify Your Account - http://error ebay.tripod.com

Designated trademarks and brands are the property of their respective owners, eBay and the eBay logo are trademarks of eBay Inc. -------------------------------------------------------------------------------------------------- -------------------

Victims who clicked on the link went to a Web page that looked very much like an eBay page. In fact, the page was well designed, with an authentic eBay logo, and "Browse," "Sell" and other navigation links that, if clicked, took the visitor to the actual eBay site. There was also a security logo in the bottom right corner. To deter the savvy victim, the designer had even used HTML encryption to mask where the user-provided information was being sent.

It was an excellent example of a malicious computer-based social engineering attack. Still, it was not without several flaws.

The email message was not well written; in particular, the paragraph beginning "You received this notice" is clumsy and inept (the people responsible for these hoaxes never hire a professional to edit their copy, and it always shows). Also, anybody who was paying close attention would have become suspicious about eBay asking for the visitor's PayPal information; there is no reason eBay would ask a customer for this private information involving a different company.

And anyone knowledgeable about the Internet would probably recognize that the hyperlink connects not to the eBay domain but to tripod.com, which is a free Web hosting service. This was a dead giveaway that the email was not legitimate. Still, I bet a lot of people entered their information, including a credit card number, onto this page.

NOTE Why are people allowed to register deceptive or inapproprate domain names?. Because under current law and on-line policy, anyone can register any site names that' not already in use. Companies try to fight this use of copycat addresses, but consider what they're up against. General Motors filed suit against a company that registered f**kgeneralmotors.com (but without the asterisks) and pointed the URL to General Motor's Web site. GM lost.

Be Alert As individual users of the Internet, we all need to be alert, making a conscious decision about when it's okay to enter personal information, passwords, account numbers, PINs, and the like.

How many people do you know who could tell you whether a particular Internet page they're looking at meets the requirements of a secure page? How many employees in your company know what to look for?

Everyone who uses the Internet should know about the little symbol that often appears somewhere on a Web page and looks like a drawing of a padlock. They should know that when the hasp is closed, the site has been certified as being secure. When the hasp is open or the lock icon is missing, the Web site is not authenticated as genuine, and any information transmitted is in the clear--that is, unencrypted.

However, an attacker who manages to compromise administrative privileges on a company computer may be able to modify or patch the operating system code to change the user's perception of what is really happening. For example, the programming instructions in the browser software that indicate a Web site's digital certificate is invalid can be modified to bypass the check. Or the system could be modified with something called a root kit, installing one or more back doors at the operating system level, which are harder to detect. A secure connection authenticates the site as genuine, and encrypts the information being communicated, so an attacker cannot make use of any data that is intercepted. Can you trust any Web site, even one that uses a secure connection? No, because the site owner may not be vigilant about applying all the necessary security patches, or forcing users or administrators to respect good password practices. So you can't assume that any supposedly secure site is invulnerable to attack.

LINGO BACK DOOR A covert entry point that provides a secret way into a user's computer that is unkown to the user. Also used by programmers while developing a software program so that they can go into the program to fix problems

Secure HTTP (hypertext transfer protocol) or SSL (secure sockets layer) provides an automatic mechanism that uses digital certificates not only to encrypt information being sent to the distant site, but also to provide authentication (an assurance that you are communicating with the genuine Web site). However, this protection mechanism does not work for users who fail to pay attention to whether the site name displayed in the address bar is in fact the correct address of the site they're trying to access.

Another security issue, mostly ignored, appears as a warning message that says something like "This site is not secure or the security certificate has expired. Do you want to go to the site anyway?" Many Internet users don't understand the message, and when it appears, they simply click Okay or Yes and go on with their work, unaware that they may be on quicksand. Be warned: On a Web site that does not use a secure protocol, you should never enter any confidential information such as your address or phone number, credit card or bank account numbers, or anything else you want to keep private.

Thomas Jefferson said maintaining our freedom required "eternal vigilance." Maintaining privacy and security in a society that uses information as currency requires no less.

Becoming Virus Savvy A special note about virus software: It is essential for the corporate intranet, but also essential for every employee who uses a computer. Beyond just having anti virus software installed on their machines, users obviously need to have the software turned on (which many people don't like because it inevitably slows down some computer functions).

With anti virus software there's another important procedure to keep in mind, as well: Keeping the virus definitions up to date. Unless your company is set up to distribute software or updates over the network to every user, each individual user must carry the responsibility of downloading the latest set of virus definitions on his own. My personal recommendation is to have everyone set the virus software preferences so that new virus definitions are automatically updated every day.

LINGO SECURE SOCKETS LAYER A protocol developed by Netscape that provides authentication of both client and server in a secure communication on the internet.

Simply put, you're vulnerable unless the virus definitions are updated regularly. And even so, you're still not completely safe from viruses or worms that the anti virus software companies don't yet know about or haven't yet published a detection pattern file for.

All employees with remote access privileges from their laptops or home computers need to have updated virus software and a personal firewall on those machines at a minimum. A sophisticated attacker will look at the big picture to seek out the weakest link, and that's where he'll attack. Reminding people with remote computers regularly about the need for personal firewalls and updated, active virus software is a corporate responsibility, because you can't expect that individual workers, managers, sales people, and others remote from an IT department will remember the dangers of leaving their computers unprotected.

Beyond these steps, I strongly recommend use of the less common, but no less important, software packages that guard against Trojan Horse attacks, so-called anti-Trojan software. At the time of this writing, two of the better-known programs are The Cleaner (www.moosoft.com), and Trojan Defense Sweep (www.diamondcs.com.au).

Finally, what is probably the most important security message of all for companies that do not scan for dangerous emails at the corporate gateway: Since we all tend to be forgetful or negligent about things that seem peripheral to getting our jobs done, employees need to be reminded over and over again, in different ways, about not opening email attachments unless they are certain that the source is a person or organization they can trust. And management also needs to remind employees that they must use active virus software and anti-Trojan software that provides invaluable protection against the seemingly trustworthy email that may contain a destructive payload.

As discussed in Chapter 15, a social engineer uses the psychology of influence to lead his target to comply with his request. Skilled social engineers are very adept at developing a ruse that stimulates emotions, such as fear, excitement, or guilt. They do this by using psychological triggers--automatic mechanisms that lead people to respond to requests without in-depth analysis of all the available information.

We all want to avoid difficult situations for ourselves and others. Based on this positive impulse, the attacker can play on a person's sympathy, make his victim feel guilty, or use intimidation as a weapon.

Here are some graduate-school lessons in popular tactics that play on the emotions.

A VISIT TO THE STUDIO Have you ever noticed how some people can walk up to the guard at the door of, say, a hotel ballroom where some meeting, private party, or book-launching function is under way, and just walk past that person without being asked for his ticket or pass?

In much the same way, a social engineer can talk his way into places that you would not have thought possible - as the following story about the movie industry makes clear.

The Phone Call "Ron Hillyard's office, this is Dorothy." "Dorothy, hi. My name is Kyle Bellamy. I've just come on board to work in Animation Development on Brian Glassman's staff. You folks sure do things different over here." "I guess. I never worked on any other movie lot so I don't really know. What can

I do for you?" "To tell you the truth, I'm feeling sort of stupid. I've got a writer coming over this afternoon for a pitch session and I don't know who I'm supposed to talk to about getting him onto the lot. The people over here in Brian's office are really nice but I hate to keep bothering them, how do I do this, how do I do that. It's like I just started junior high and can't find my way to the bathroom. You know what I mean?" Dorothy laughed. "You want to talk to Security. Dial 7, and then 6138. If you get Lauren, tell her Dorothy said she should take good care of you." "Thanks, Dorothy. And if I can't find the men's room, I may call you back!"

They chuckled together over the idea, and hung up.

David Harold's Story I love the movies and when I moved to Los Angeles, I thought I'd get to meet all kinds of people in the movie business and they'd take me along to parties and have me over to lunch at the studios. Well, I was there for a year, I was turning twenty-six years old, and the closest I got was going on the Universal Studios tour with all the nice people from Phoenix and Cleveland. So finally it got to the point where I figured, if they won't invite me in, I'll invite myself. Which is what I did.

I bought a copy of the Los Angeles Times and read the entertainment column for a couple of days, and wrote down the names of some producers at different studios. I decided I'd try hitting on one of the big studios first. So I called the switchboard and asked for the office of this producer I had read about in the paper. The secretary that answered sounded like the motherly type, so I figured I had gotten lucky; if it was some young girl who was just there hoping she'd be discovered, she probably wouldn't have given me the time of day.

But this Dorothy, she sounded like somebody that would take in a stray kitten, somebody who'd feel sorry for the new kid that was feeling a little overwhelmed on the new job. And I sure got just the right touch with her. It's not every day you try to trick somebody and they give you even more than you asked for. Out of pity, she not only gave me the name of one of the people in Security, but said I should tell the lady that Dorothy wanted her to help me.

Of course I had planned to use Dorothy's name anyway. This made it even better. Lauren opened right up and never even bothered to look up the name I gave to see if it was really in the employee database.

When I drove up to the gate that afternoon, they not only had my name on the visitor's list, they even had a parking space for me. I had a late lunch at the commissary, and wandered the lot until the end of the day. I even sneaked into a couple of sound stages and watched them shooting movies. Didn't leave till 7 o'clock. It was one of my most exciting days ever. Analyzing the Con Everybody was a new employee once. We all have memories of what that first day was like, especially when we were young and inexperienced. So when a new employee asks for help, he can expect that many people-- especially entry-level people--will remember their own new-kid on-the- block feelings and go out of their way to lend a hand. The social engineer knows this, and he understands that he can use it to play on the sympathies of his victims.

We make it too easy for outsiders to con their way into our company plants and offices. Even with guards at entrances and sign-in procedures for anyone who isn't an employee, any one of several variations on the ruse used in this story will allow an intruder to obtain a visitor's badge and walk right in. And if your company requires that visitors be escorted? That's a good rule, but it's only effective if your employees are truly conscientious about stopping anyone with or without a visitor's badge who is on his own, and questioning him. And then, if the answers aren't satisfactory, your employees have to be willing to contact security.

Making it too easy for outsiders to talk their way into your facilities endangers your company's sensitive information. In today's climate, with the threat of terrorist attacks hanging over our society, it's more than just information that could be at risk.

"DO IT NOW" Not everyone who uses social engineering tactics is a polished social engineer. Anybody with an insider's knowledge of a particular company can turn dangerous. The risk is even greater for any company that holds in its files and databases any personal information about its employees, which, of course, most companies do.

When workers are not educated or trained to recognize social engineering attacks, determined people like the jilted lady in the following story can do things that most honest people would think impossible.

Doug's Story Things hadn't been going all that well with Linda anyway, and I knew as soon as I met Erin that she was the one for me. Linda is, like, a little bit... well, sort of not exactly unstable but she can sort of go off the deep end when she gets upset. I told her as gentle as I could that she had to move out, and I helped her pack and even let her take a couple of the Queensryche CDs that were really mine. As soon as she was gone I went to the hardware store for a new Medico lock to put on the front door and put it on that same night. The next morning I called the phone company and had them change my phone number, and made it unpublished. That left me free to pursue Erin.

Linda's Story I was ready to leave, anyway, I just hadn't decided when. But nobody likes to feel rejected. So it was just a question of, what could I do to let him know what a jerk he was?

It didn't take long to figure out. There had to be another girl, otherwise he wouldn't of sent me packing in such a hurry. So I'd just wait a bit and then start calling him late in the evening. You know, around the time they would least want to be called.

I waited till the next weekend and called around 11 o'clock on Saturday night. Only he had changed his phone number. And the new number was unlisted. That just shows what kind of SOB the guy was.

It wasn't that big of a setback. I started rummaging through the papers I had managed to take home just before I left my job at the phone company. And there it was--I had saved a repair ticket from once when there was a problem with the telephone line at Doug's, and the printout listed the cable and pair for his phone. See, you can change your phone number all you want, but you still have the same pair of copper wires running from your house to the telephone company switching office, called the Central Office, or CO. The set of copper wires from every house and apartment is identified by these numbers, called the cable and pair. And if you know how the phone company does things, which I do, knowing the target's cable and pair is all you need to find out the phone number. I had a list giving all the COs in the city, with their addresses and phone numbers. I looked up the number for the CO in the neighborhood where I used to live with Doug the jerk, and called, but naturally nobody was there. Where's the switchman when you really need him? Took me all of about twenty seconds to come up with a plan. I started calling around to the other COs and finally located a guy. But he was miles away and he was probably sitting there with his feet up. I knew he wouldn't want to do what I needed. I was ready with my plan. "This is Linda, Repair Center," I said. "We have an emergency. Service for a paramedic unit has gone down. We have a field tech trying to restore service but he can't find the problem. We need you to drive over to the Webster CO immediately and see if we have dial tone leaving the central office."

And then I told him, 'I'll call you when you get there," because of course I couldn't have him calling the Repair Center and asking for me. I knew he wouldn't want to leave the comfort of the central office to bundle up and go scrape ice off his windshield and drive through the slush late at night. But it was an emergency, so he couldn't exactly say he was too busy. When I reached him forty-five minutes later at the Webster CO, I told him to check cable 29 pair 2481, and he walked over to the flame and checked and said, Yes, there was dial tone. Which of course I already knew.

So then I said, "Okay, I need you to do an LV," which means line verification, which is asking him to identify the phone number. He does this by dialing a special number that reads back the number he called from. He doesn't know anything about if it's an unlisted number or that it's justbeen changed, so he did what I asked and I heard the number being announced over his lineman's test set. Beautiful. The whole thing had worked like a charm.

I told him, "Well, the problem must be out in the field," like I knew the ,,umber all along. I thanked him and told him we'd keep working on it, and said good night.

MITNICK MESSAGE Once a social engineer knows how things work inside the targeted company, it becomes easy to use that knowledge to develop rapport with legitimate employees. Companies need to prepare for social engineering attacks from current or former employees who may have an axe to grind. Background checks may be helpful to weed out prospects who may have a propensity toward this type of behavior. But in most cases, these people will be extremely difficult to detect. The only reasonable safeguard in these cases is to enforce and audit procedures for verifying identity, including the person's employment status, prior to disclosing any information to anyone not personally known to still be with the company.

So much for that Doug and trying to hide from me behind an unlisted number. The fun was about to begin.

Analyzing the Con The young lady in this story was able to get the information she wanted to carry out her revenge because she had inside knowledge: the phone numbers, procedures, and lingo of the telephone company. With it she was not only able to find out a new, unlisted phone number, but was able to do it in the middle of a wintry night, sending a telephone switchman chasing across town for her. "MR. BIGG WANTS THIS" A popular and highly effective form of intimidation--popular in large measure because it's so simple--relies on influencing human behavior by using authority.

Just the name of the assistant in the CEO's office can be valuable. Private investigators and even head-hunters do this all the time. They'll call the switchboard operator and say they want to be connected to the CEO's office. When the secretary or executive assistant answers, they'll say they have a document or package for the CEO, or if they send an email attachment, would she print it out? Or else they'll ask, what's the fax number? And by the way, what's your name?

Then they call the next person, and say, "Jeannie in Mr. Bigg's office told me to call you so you can help me with something."

The technique is called name-dropping, and it's usually used as a method to quickly establish rapport by influencing the target to believe that the attacker is connected with somebody in authority. A target is more likely to do a favor for someone who knows somebody he knows.

If the attacker has his eyes set on highly sensitive information, he may use this kind of approach to stir up useful emotions in the victim, such as fear of getting into trouble with his superiors. Here's an example.

Scott's Story "Scott Abrams."

"Scott, this is Christopher Dalbridge. I just got off the phone with Mr. Biggley, and he's more than a little unhappy. He says he sent a note ten days ago that you people were to get copies of all your market penetration research over to us for analysis. We never got a thing."

"Market penetration research? Nobody said anything to me about it. What department are you in?" "We're a consulting firm he hired, and we're already behind schedule." "Listen, I'm just on my way to a meeting. Let me get your phone number

and . . ."

The attacker now sounded just short of truly frustrated: "Is that what you want me to tell Mr. Biggley?! Listen, he expects our analysis by tomorrow morning and we have to work on it tonight. Now, do you want me to tell him we couldn't do it 'cause we couldn't get the report from you, or do you want to tell him that yourself?."

An angry CEO can ruin your week. The target is likely to decide that maybe this is something he better take care of before he goes into that meeting. Once again, the social engineer has pressed the right button to get the response he wanted.

Analyzing the Con The ruse of intimidation by referencing authority works especially well if the other person is at a fairly low level in the company. The use of an important person's name not only overcomes normal reluctance or suspicion, but often makes the person eager to please; the natural instinct of wanting to be helpful is multiplied when you think that the person you're helping is important or influential.

The social engineer knows, though, that it's best when running this particular deceit to use the name of someone at a higher level than the person's own boss. And this gambit is tricky to use within a small organization: The attacker doesn't want his victim making a chance comment to the VP of marketing. "I sent out the product marketing plan you had that guy call me about," can too easily produce a response of "What marketing plan? What guy?" And that could lead to the discovery that the company has been victimized.