The Art of Deception: Controlling the Human Element of Security (14 page)


Authors: Kevin D. Mitnick,William L. Simon,Steve Wozniak


But his refusal to help didn't seem to surprise her. She said she didn't think it was something he could do anyway. That was like a challenge, because of course he was sure he could. And that was how he came to agree. Alice had been offered a contract for some consulting work for a marketing company, but the contract terms didn't seem very good. Before she went back to ask for a better deal, she wanted to know what terms other consultants had on their contracts.

This is how Peter tells the story.

I wouldn't tell Alice but I got off on people wanting me to do something they didn't think I could, when I knew it would be easy. Well, not easy, exactly, not this time. It would take a bit of doing. But that was okay.

I could show her what smart was really all about.

A little after 7:30 Monday morning, I called the marketing company's offices and got the receptionist, said that I was with the company that handled their pension plans and I needed to talk to somebody in Accounting. Had she noticed if any of the Accounting people had come in yet? She said, "I think I saw Mary come in a few minutes ago, I'll try her for you."

When Mary picked up the phone, I told her my little story about computer problems, which was designed to give her the jitters so she'd be glad to cooperate. As soon as I had talked her through changing her password, I then quickly logged onto the system with the same temporary password I had asked her to use, test123.

Here's where the mastery comes in--I installed a small program that allowed me to access the company's computer system whenever I wanted, using a secret password of my own. After I hung up with Mary, my first step was to erase the audit trail so no one would even know I had been on his or her system. It was easy. After elevating my system privileges, I was able to download a free program called clearlogs that I found on a security-related Web site at www.ntsecurity.nu. Time for the real job. I ran a search for any documents with the word "contract" in the filename, and downloaded the files. Then I searched some more and came on the mother lode--the directory containing all the consultant payment reports. So I put together all the contract files and a list of payments.

Alice could pore through the contracts and see how much they were paying other consultants. Let her do the donkeywork of poring through all those files. I had done what she asked me to. From the disks I put the data onto, I printed out some of the files so I could show her the evidence. I made her meet me and buy dinner. You should have seen her face when she thumbed through the stack of papers. "No way," she said. "No way."

I didn't bring the disks with me. They were the bait. I said she'd have to come over to get them, hoping maybe she'd want to show her gratitude for the favor I just did her.

MITNICK MESSAGE

It's amazing how easy it is for a social engineer to get people to do things based on how he structures the request. The premise is to trigger an automatic response based on psychological principles, and rely on the mental shortcuts people take when they perceive the caller as an ally.

Analyzing the Con

Peter's phone call to the marketing company represented the most basic form of social engineering--a simple attempt that needed little preparation, worked on the first attempt, and took only a few minutes to bring off.

Even better, Mary, the victim, had no reason to think that any sort of trick or ruse had been played on her, no reason to file a report or raise a ruckus.

The scheme worked through Peter's use of three social engineering tactics. First he got Mary's initial cooperation by generating fear--making her think that her computer might not be usable. Then he took the time to have her open two of her applications so she could be sure they were working okay, strengthening the rapport between the two of them, a sense of being allies. Finally, he got her further cooperation for the essential part of his task by playing on her gratitude for the help he had provided in making sure her computer was okay.

By telling her she shouldn't ever reveal her password, should not reveal it even to him, Peter did a thorough but subtle job of convincing her that he was concerned about the security of her company's files. This boosted her confidence that he must be legitimate because he was protecting her and the company.

THE POLICE RAID

Picture this scene: The government has been trying to lay a trap for a man named Arturo Sanchez, who has been distributing movies free over the Internet. The Hollywood studios say he's violating their copyrights, he says he's just trying to nudge them to recognize an inevitable market so they'll start doing something about making new movies available for download. He points out (correctly) that this could be a huge source of revenue for the studios that they seem to be completely ignoring.

Search Warrant, Please

Coming home late one night, he checks the windows of his apartment from across the street and notices the lights are off, even though he always leaves one on when he goes out.

He pounds and bangs on a neighbor's door until he wakes the man up, and learns that there was indeed a police raid in the building. But they made the neighbors stay downstairs, and he still isn't sure what apartment they went into. He only knows they left carrying some heavy things, only they were wrapped up and he couldn't tell what they were. And they didn't take anybody away in handcuffs.

Arturo checks his apartment. The bad news is that there's a paper from the police requiring that he call immediately and set up an appointment for an interview within three days. The worse news is that his computers are missing.

Arturo vanishes into the night, going to stay with a friend. But the uncertainty gnaws at him. How much do the police know? Have they caught up with him at last, but left him a chance to flee? Or is this about something else entirely, something he can clear up without having to leave town?

Before you read on, stop and think for a moment: Can you imagine any way you could find out what the police know about you? Assuming you don't have any political contacts or friends in the police department or the prosecutor's office, do you imagine there's any way that you, as an ordinary citizen, could get this information? Or that even someone with social engineering skills could?

Scamming the Police

Arturo satisfied his need to know like this: To start with, he got the phone number for a nearby copy store, called them, and asked for their fax number. Then he called the district attorney's office, and asked for Records. When he was connected with the records office, he introduced himself as an investigator with Lake County, and said he needed to speak with the clerk who files the active search warrants.

"I do," the lady said. "Oh, great," he answered. "Because we raided a suspect last night and I'm trying to locate the affidavit."

"We file them by address," she told him.

He gave his address, and she sounded almost excited. "Oh, yeah," she bubbled, "I know about that one. 'The Copyright Caper.'"

"That's the one," he said. "I'm looking for the affidavit and copy of the warrant."

"Oh, I have it right here."

"Great," he said. "Listen, I'm out in the field and I have a meeting with the Secret Service on this case in fifteen minutes. I've been so absentminded lately, I left the file at home, and I'll never make it there and back in time. Could I get copies from you?"

"Sure, no problem. I'll make copies; you can come right over and pick them up."

"Great," he said. "That's great. But listen, I'm on the other side of town. Is it possible you could fax them to me?"

That created a small problem, but not insurmountable. "We don't have a fax up here in Records," she said. "But they have one downstairs in the Clerk's office they might let me use."

He said, "Let me call the Clerk's office and set it up."

The lady in the Clerk's office said she'd be glad to take care of it but wanted to know "Who's going to pay for it?" She needed an accounting code.

"I'll get the code and call you back," he told her. He then called the DA's office, again identified himself as a police officer and simply asked the receptionist, "What's the accounting code for the DA's office?" Without hesitation, she told him. Calling back to the Clerk's office to provide the accounting number gave him the excuse for manipulating the lady a little further: He talked her into walking upstairs to get the copies of the papers to be faxed.

NOTE

How does a social engineer know the details of so many operations--police departments, prosecutors' offices, phone company practices, the organization of specific companies that are in fields useful in his attacks, such as telecommunications and computers? Because it's his business to find out. This knowledge is a social engineer's stock in trade, because information can aid him in his efforts to deceive.

Covering His Tracks

Arturo still had another couple of steps to take. There was always a possibility that someone would smell something fishy, and he might arrive at the copy store to find a couple of detectives, casually dressed and trying to look busy until somebody showed up asking for that particular fax. He waited a while, and then called the Clerk's office back to verify that the lady had sent the fax. Fine so far.

He called another copy store in the same chain across town and used the ruse about how he was "pleased with your handling of a job and want to write the manager a letter of congratulations, what's her name?" With that essential piece of information, he called the first copy store again and said he wanted to talk to the manager. When the man picked up the phone, Arturo said, "Hi, this is Edward at store 628 in Hartfield. My manager, Anna, told me to call you. We've got a customer who's all upset--somebody gave him the fax number of the wrong store. He's here waiting for an important fax, only the number he was given is for your store." The manager promised to have one of his people locate the fax and send it on to the Hartfield store immediately.

Arturo was already waiting at the second store when the fax arrived there. Once he had it in hand, he called back to the Clerk's office to tell the lady thanks, and "It's not necessary to bring those copies back upstairs, you can just throw them away now." Then he called the manager at the first store and told him, too, to throw away their copy of the fax. This way there wouldn't be any record of what had taken place, just in case somebody later came around asking questions. Social engineers know you can never be too careful.

Arranged this way, Arturo didn't even have to pay charges at the first copy store for receiving the fax and for sending it out again to the second store. And if it turned out that the police did show up at the first store, Arturo would already have his fax and be long gone by the time they could arrange to get people to the second location.

The end of the story: The affidavit and warrant showed that the police had well-documented evidence of Arturo's movie-copying activities. That was what he needed to know. By midnight, he had crossed the state line. Arturo was on the way to a new life, somewhere else with a new identity, ready to get started again on his campaign.

Analyzing the Con

The people who work in any district attorney's office, anywhere, are in constant contact with law enforcement officers--answering questions, making arrangements, taking messages. Anybody gutsy enough to call and claim to be a police officer, sheriff's deputy, or whatever will likely be taken at his word. Unless it's obvious that he doesn't know the terminology, or if he's nervous and stumbles over his words, or in some other way doesn't sound authentic, he may not even be asked a single question to verify his claim. That's exactly what happened here, with two different workers.

MITNICK MESSAGE

The truth of the matter is that no one is immune to being duped by a good social engineer. Because of the pace of normal life, we don't always take the time for thoughtful decisions, even on matters that are important to us. Complicated situations, lack of time, emotional state, or mental fatigue can easily distract us. So we take a mental shortcut, making our decisions without analyzing the information carefully and completely, a mental process known as automatic responding. This is even true for federal, state, and local law enforcement officials. We're all human.

Obtaining a needed charge code was handled with a single phone call. Then Arturo played the sympathy card with the story about "a meeting with the Secret Service in fifteen minutes, I've been absent-minded and left the file at home." She naturally felt sorry for him, and went out of her way to help.

Then by using not one but two copy stores, Arturo made himself extra safe when he went to pick up the fax. A variation on this that makes the fax even more difficult to trace: Instead of having the document sent to another copy store, the attacker can give what appears to be a fax number, but is really an address at a free Internet service that will receive a fax for you and automatically forward it to your email address. That way it can be downloaded directly to the attacker's computer, and he never has to show his face anyplace where someone might later be able to identify him. And the email address and electronic fax number can be abandoned as soon as the mission has been accomplished.

TURNING THE TABLES

A young man I'll call Michael Parker was one of those people who figured out a bit late that the better-paying jobs mostly go to people with college degrees. He had a chance to attend a local college on a partial scholarship plus education loans, but it meant working nights and weekends to pay his rent, food, gas, and car insurance. Michael, who always liked to find shortcuts, thought maybe there was another way, one that paid off faster and with less effort. Because he had been learning about computers from the time he got to play with one at age ten and became fascinated with finding out how they worked, he decided to see if he could "create" his own accelerated bachelor's degree in computer science.

Graduating--Without Honors

He could have broken into the computer systems of the state university, found the record of someone who had graduated with a nice B+ or A-average, copied the record, put his own name on it, and added it to the records of that year's graduating class. Thinking this through, feeling somehow uneasy about the idea, he realized there must be other records of a student having been on campus--tuition payment records, the housing office, and who knows what else. Creating just the record of courses and grades would leave too many loopholes.
