The Art of Deception: Controlling the Human Element of Security (21 page)

And the guard on Ten North who believed that the caller was really from within the same facility, calling on official business? It was a perfectly reasonable request, so he called the inmate Gondorff to the telephone. No big deal.

A series of well-planned stories that added up to completing the sting.

THE SPEEDY DOWNLOAD Ten years after they had finished law school, Ned Racine saw his classmates living in nice homes with front lawns, belonging to country clubs, playing golf once or twice a week, while he was still handling penny-ante cases for the kind of people who never had enough money to pay his bill. Jealousy can be a nasty companion. Finally one day, Ned had had enough.

The one good client he ever had was a small but very successful accounting firm that specialized in mergers and acquisitions. They hadn't used Ned for long, just long enough for him to realize they were involved in deals that, once they hit the newspapers, would affect the stock price of one or two publicly traded companies. Penny-ante, bulletin-board stocks, but in some ways that was even better--a small jump in price could represent a big percentage gain on an investment. If he could only tap into their files and find out what they were working on...

He knew a man who knew a man who was wise about things not exactly in the mainstream. The man listened to the plan, got fired up and agreed to help. For a smaller fee than he usually charged, against a percentage of Ned's stock market killing, the man gave Ned instructions on what to do. He also gave him a handy little device to use, something brand-new on the market.

For a few days in a row Ned kept watch on the parking lot of the small business park where the accounting company had its unpretentious, storefront-like offices. Most people left between 5:30 and 6. By 7, the lot was empty. The cleaning crew showed up around 7:30. Perfect.

The next night at a few minutes before 8 o'clock, Ned parked across the street from the parking lot. As he expected, the lot was empty except for the truck from the janitorial services company. Ned put his ear to the door and heard the vacuum cleaner running. He knocked at the door very loudly, and stood there waiting in his suit and tie, holding his well-worn briefcase. No answer, but he was patient. He knocked again. A man from the cleaning crew finally appeared. "Hi," Ned shouted through the glass door, showing the business card of one of the partners that he had picked up some time earlier. "I locked my keys in my car and I need to get to my desk."

The man unlocked the door, locked it again behind Ned, and then went down the corridor turning on lights so Ned could see where he was going. And why not--he was being kind to one of the people who helped put food on his table. Or so he had every reason to think.

MITNICK MESSAGE Industrial spies and computer intruders will sometimes make a physical entry into the targeted business. Rather than using a crowbar to break in, the social engineer uses the art of deception to influence the person on the other side of the door to open up for him.

Ned sat down at the computer of one of the partners, and turned it on. While it was starting up, he installed the small device he had been given into the USB port of the computer, a gadget small enough to carry on a key ring, yet able to hold more than 120 megabytes of data. He logged into the network with the username and password of the partner's secretary, which were conveniently written down on a Post-it note stuck to the display. In less than five minutes, Ned had downloaded every spreadsheet and document file stored on the workstation and from the partner's network directory and was on his way home.

EASY MONEY When I was first introduced to computers in high school, we had to connect over a modem to one central DEC PDP 11 minicomputer in downtown Los Angeles that all the high schools in L.A. shared. The operating system on that computer was called RSTS/E, and it was the operating system I first learned to work with.

At that time, in 1981, DEC sponsored an annual conference for its product users, and one year I read that the conference was going to be held in L.A. A popular magazine for users of this operating system carried an announcement about a new security product, LOCK-11. The product was being promoted with a clever ad campaign that said something like, "It's 3:30 ,.M. and Johnny down the street found your dial-in number, 555-0336, on his 336th try. He's in and you're out. Get LOCK-11." The product, the ad suggested, was hacker-proof. And it was going to be on display at the conference.

I was eager to see the product for myself. A high school buddy and friend, Vinny, my hacking partner for several years who later became a federal informant against me, shared my interest in the new DEC product, and encouraged me to go to the conference with him.

Cash on the Line We arrived to find a big buzz already going around the crowd at the trade show about LOCK-11. It seemed that the developers were staking cash on the line in a bet that no one could break into their product. Sounded like a challenge I could not resist.

We headed straight for the LOCK-11 booth and found it manned by three guys who were the developers of the product; I recognized them and they recognized me--even as a teen, I already had a reputation as a phreaker and hacker because of a big story the LA Times had run about my first juvenile brush with the authorities. The article reported that I had talked my way into a Pacific Telephone building in the middle of the night and walked out with computer manuals, right under the nose of their security guard. (It appears the Times wanted to run a sensationalist story and it served their purposes to publish my name; because I was still a juvenile, the article violated the custom if not the law of withholding the names of minors accused of wrongdoing.)

When Vinny and I walked up, ir created some interest on both sides. There was an interest on their side because they recognized me as the hacker they had read about and they were a bit shocked to see me. It created an interest on our side because each of the three developers was standing there with a $100 bill sticking out of his tradeshow badge. The prize money for anybody who could defeat their system would be the whole $300--which sounded like a lot of money to a pair of teenagers. We could hardly wait to get started. LOCK-11 was designed on an established principle that relied on two levels of security. A user had to have a valid ID and password, as usual, but in addition that ID and password would only work when entered from authorized terminals, an approach called terminal-based security. To defeat the system, a hacker would need not only to have knowledge of an account ID and password, but would also have to enter that information from the correct terminal. The method was well established, and the inventors of LOCK-11 were convinced it would keep the bad guys out. We decided we were going to teach them a lesson, and earn three hundred bucks to boot.

A guy I knew who was considered an RSTS/E guru had already beaten us to the booth. Years before he had been one of the guys who had challenged me to break into the DEC internal development computer, after which his associates had turned me in. Since those days he had become a respected programmer. We found out that he had tried to defeat the LOCK-11 security program not long before we arrived, but had been unable to. The incident had given the developers greater confidence that their product really was secure.

LINGO TERMINAL-BASED SECURITY Security based in part on the identification of the particular computer terminal being used; this method of security was especially popular with IBM mainframe computers.

The contest was a straightforward challenge: You break in, you win the bucks. A good publicity stunt.., unless somebody was able to embarrass them and take the money. They were so sure of their product that they were even audacious enough to have a printout posted at the booth giving the account numbers and corresponding passwords to some accounts on the system. And not just regular user accounts, but all the privileged accounts.

That was actually less daring than it sounds: In this type of set-up, I knew, each terminal is plugged into a port on the computer itself. It wasn't rocket science to figure out they had set up the five terminals in the conference hall so a visitor could log in only as a non-privileged user--that is, logins were possible only to accounts without system administrator privileges. It looked as if there were only two routes: either bypass the security software altogether--exactly what the LOCK-11 was designed to prevent; or somehow get around the software in a way that the developers hadn't imagined.

Taking Up the Challenge Vinny and I walked away and talked about the challenge, and I came up with a plan. We wandered around innocently, keeping an eye on the booth from a distance. At lunchtime, when the crowd thinned out, the three developers took advantage of the break and took off together to get something to eat, leaving behind a woman who might have been the wife or girlfriend of one of them. We sauntered back over and I distracted the woman, chatting her up about this and that, "How long have you been with the company? "What other products does your company have on the market?" and so on.

Meanwhile Vinny, out of her sight line, had gone to work, making use of a skill he and I had both developed. Besides the fascination of breaking into computers, and my own interest in magic, we had both been intrigued by learning how to open locks. As a young kid, I had scoured the shelves of an underground bookstore in the San Fernando Valley that had volumes on picking locks, getting out of handcuffs, creating fake identities--all kinds of things a kid was not supposed to know about.

Vinny, like me, had practiced lock-picking until we were pretty good with any run-of-the-mill hardware-store lock. There had been a time when I got a kick out of pranks involving locks, like spotting somebody who was using two locks for extra protection, picking the locks, and put-ring them back in the opposite places, which would baffle and frustrate the owner when he tried to open each with the wrong key.

In the exhibit hall, I continued to keep the young woman distracted while Vinny, squatting down at the back of the booth so he couldn't beseen, picked the lock on the cabinet that housed their PDP-11 minicomputer and the cable terminations. To call the cabinet locked was almost a joke. It was secured with what locksmiths refer to as a wafer lock, notoriously easy to pick, even for fairly clumsy, amateur lock-pickers like us.

It took Vinny all of about a minute to open the lock. Inside the cabinet he found just what we had anticipated: the strip of ports for plugging in user terminals, and one port for what's called the console terminal. This was the terminal used by the computer operator or system administrator to control all the computers. Vinny plugged the cable leading from the console port into one of the terminals on the show floor.

That meant this one terminal was now recognized as a console terminal. I sat down at the recabled machine and logged in using a password the developers had so audaciously provided. Because the LOCK-11 software now identified that I was logging in from an authorized terminal, it granted me access, and I was connected with system administrator privileges. I patched the operating system by changing it so that from any of the terminals on the floor, I would be able to log in as a privileged user. Once my secret patch was installed, Vinny went back to work disconnecting the terminal cable plugging it back in where it had been originally. Then he picked the lock once again, this time to fasten the cabinet door closed.

I did a directory listing to find out what files were on the computer, looking for the LocK-11 program and associated files and stumbled on something I found shocking: a directory that should not have been on this machine. The developers had been so overconfident, so certain their software was invincible, that they hadn't bothered to remove the source code of their new product. Moving to the adjacent hard-copy terminal, I started printing out portions of the source code onto the continuous sheets of the green-striped computer paper used in those days.

Vinny had only just barely finished picking the lock closed and rejoined me when the guys returned from lunch. They found me sitting at the computer pounding the keys while the printer continued to churn away. "What'cha doing, Kevin?" one of them asked.

"Oh, just printing out your source code," I said. They assumed I was joking, of course. Until they looked at the printer and saw that it really u, as the jealously guarded source code for their product.

They didn't believe it was possible that I was logged in as a privileged user. "Type a Control-T," one of the developers commanded. I did. The display that appeared on the screen confirmed my claim. The guy smacked his forehead, as Vinny said, "Three hundred dollars, please."

MITNICK MESSAGE Here's another example of smart people underestimating the enemy. How about you--are you so certain about your company's security safeguards that you would bet $300 against an attacker breaking in? Sometimes the way around a technological security device is not the one you expect.

They paid up. Vinny and I walked around the tradeshow floor for the rest of the day with the hundred-dollar bills stuck into our conference badges. Everyone who saw the bills knew what they represented.

Of course, Vinny and I hadn't defeated their software, and if the developer team had thought to set better rules for the contest, or had used a really secure lock, or had watched their equipment more carefully, they wouldn't have suffered the humiliation of that day--humiliation at the hands of a pair of teenagers. I found out later that the developer team had to stop by a bank to get some cash: those hundred-dollar bills represented all the spending money they had brought with them.

THE DICTIONARY AS AN ATTACK TOOL When someone obtains your password, he's able to invade your system. In most circumstances, you never even know that anything bad has happened. A young attacker I'll call Ivan Peters had a target of retrieving the source code for a new electronic game. He had no trouble getting into the company's wide area network, because a hacker buddy of his had already compromised one of the company's Web servers. After finding an un-patched vulnerability in the Web server software, his buddy had just about fallen out of his chair when he realized the system had been set up as a dual-homed host, which meant he had an entry point into the internal network. .