The Art of Deception: Controlling the Human Element of Security (24 page)

"Oh. Okay." When he called back, she said:

"Oh, yes. Well, there's just two. Anna Myrtle, in Finance, she's a secretary. And that new VP, Mr. Underwood." "And the phone numbers?" "Right Okay, Mr. Underwood is 6973. Anna Myrtle is 2127." "Hey, you've been a big help. "thanks."

Anna's Call "Finance, Anna speaking."

"I'm glad I found somebody working late. Listen, this is Ron Vittaro, I'm publisher of the business division. I don't think we've been introduced. Welcome to the company."

"Oh, thank you." "Anna, I'm in Los Angeles and I've got a crisis. I need to take about ten minutes of your time."

"Of course. What do you need?"

"Go up to my office. Do you know where my office is?

"No."

"Okay, it's the corner office on the fifteenth floor--room 1502. I'll call you there in a few minutes. When you get to the office, you'll need to press the forward button on the phone so my call won't go directly to my voice mail."

"Okay, I'm on my way now."

Ten minutes later she was in his office, had cancelled his call forwarding and was waiting when the phone rang. He told her to sit down at the computer and launch Internet Explorer. When it was running he told her to type in an address: www.geocities.com/ron-insen/manuscript.doc.exe.

A dialog box appeared, and he told her to click Open. The computer appeared to start downloading the manuscript, and then the screen went blank. When she reported that something seemed to be wrong, he replied, "Oh, no. Not again. I've been having a problem with downloading from that Web site every so often but I thought it was fixed. Well, okay, don't worry, I'll get the file another way later." Then he asked her to restart his computer so he could be sure it would start up properly after the problem she had just had. He talked her through the steps for rebooting.

When the computer was running again properly, he thanked her warmly and hung up, and Anna went back to the Finance department to finish the job she had been working on.

Kurt Dillon's Story Millard-Fenton Publishers was enthusiastic about the new author they were just about to sign up, the retired CEO of a Fortune 500 company who had a fascinating story to tell. Someone had steered the man to a business manager for handling his negotiations. The business manager didn't want to admit he knew zip about publishing contracts, so he hired an old friend to help him figure out what he needed to know. The old friend, unfortunately, was not a very good choice. Kurt Dillon used what we might call unusual methods in his research, methods not entirely ethical. Kurt signed up for a free site on Geocities, in the name of Ron Vittaro, and loaded a spy-ware program onto the new site. He changed the name of the program to manuscript.doc.exe, so the name would appear to be a Word document and not raise suspicion. In fact, this worked even better than Kurt had anticipated; because the real Vittaro had never changed a default setting in his Windows operating system called "Hide file extensions for known file types." Because of that setting the file was actually displayed with the name manuscript.doc.

Then he had a lady friend call Vittaro's secretary. Following Dillon's coaching, she said, "I'm the executive assistant to Paul Spadone, president of Ultimate Bookstores, in Toronto. Mr. Vittaro met my boss at a book fair a while back, and asked him to call to discuss a project they might do together. Mr. Spadone is on the road a lot, so he said I should find out when Mr. Vittaro will be in the office."

By the time the two had finished comparing schedules, the lady friend had enough information to provide the attacker with a list of dates when Mr. Vittaro would be in the office. Which meant he also knew when Vittaro would be out of the office. It hadn't required much extra conversation to find out that Vittaro's secretary would be taking advantage of his absence to get in a little skiing. For a short span of time, both would be out of the office. Perfect.

LINGO SPYWARE Specialized software used to covertly monitor a targets computer activities. One form used to track the sites visited by internet shoppers so that on- line advertisements can be tailored to their surfing habits. The other form is analogous to a wiretap, except that the target device is a computer. The software captures the activities of the user, including passwords and keystrokes typed, email, chat conversations, instant messenger, all the web sites visited, and screenshots of the display screen.

LINGO SILENT INSTALL A method of installing a software application without the computer user or operator being aware that such a action is taking place.

The first day they were supposed to be gone he placed a pretext urgent call just to make sure, and was told by a receptionist that "Mr. Vittaro is not in the office and neither is his secretary. Neither of them is expected any time today or tomorrow or the next day."

His very first try at conning a junior employee into taking part in his scheme was successful, and she didn't seem to blink an eye at being told to help him by downloading a "manuscript," which was actually a popular, commercially available spyware program that the attacker had modified for a silent install. Using this method, the installation would not be detected by any antivirus software. For some strange reason, antivirus manufacturers do not market products that will detect commercially available spyware.

Immediately after the young woman had loaded the software onto Vittaro's computer, Kurt went back up to the Geocities site and replaced the doc.exe file with a book manuscript he found on the Internet. Just in case anyone stumbled on the ruse and returned to the site to investigate what had taken place, all they'd find would be an innocuous, amateurish, un-publishable book manuscript.

Once the program had been installed and the computer rebooted, it was set to immediately become active. Ron Vittaro would return to town in a few days, start to work, and the spyware would begin forwarding all the keystrokes typed on his computer, including all outgoing emails and screen shots showing what was displayed on his screen at that moment. It would all be sent at regular intervals to a free email service provider in the Ukraine.

Within a few days after Vittaro's return, Kurt was plowing through the log files piling up in his Ukrainian mailbox and before long had located confidential emails that indicated just how far Millard-Fenton Publishing was willing to go in making a deal with the author. Armed with that knowledge, it was easy for the author's agent to negotiate much better terms than originally offered, without ever running the risk of losing the deal altogether. Which, of course, meant a bigger commission for the agent.

Analyzing the Con In this ruse, the attacker made his success more likely by picking a new employee to act as his proxy, counting on her being more willing to cooperate and be a team player, and being less likely to have knowledge of the company, its people, and good security practices which could thwart the attempt.

Because Kurt was pretexting as a vice president in his conversation with Anna, a clerk in Finance, he knew that it would be very unlikely that she would question his authority. On the contrary, she might entertain the thought that helping a VP could gain her favor.

And the process he walked Anna through that had the effect of installing the spyware appeared innocuous on its face. Anna had no idea that her seemingly innocent actions had set an attacker up to gain valuable information that could be used against the interests of the company. And why did he choose to forward the VP's message to an email account in the Ukraine? For several reasons a far-off destination makes tracing or taking action against an attacker much less likely. These types of crimes are generally considered low priority in countries like this, where the police tend to hold the view that committing a crime over the Internet isn't a noteworthy offense. For that reason, using email drops in countries that are unlikely to cooperate with U.S. law enforcement is an attractive strategy.

PREVENTING THE CON A social engineer will always prefer to target an employee who is unlikely to recognize that there is something suspicious about his requests. It makes his job not only easier, but also less risky--as the stories in this chapter illustrate.

MITNICK MESSAGE Asking a co-worker or subordinate to do a favor is a common practice. Social engineers know how to exploit people's natural desire to help and be a team player. An attacker exploits this positive human trait to deceive unsuspecting employees into performing actions that advance him toward his goal. It's important to understand this simple concept so you will be more likely to recognize when another person is trying to manipulate you.

Deceiving the Unwary I've emphasized earlier the need to train employees thoroughly enough that they will never allow themselves to be talked into carrying out the instructions of a stranger. All employees also need to understand the danger of carrying out a request to take any action on another person's computer. Company policy should prohibit this except when specifically approved by a manager. Allowable situations include:

When the request is made by a person well known to you, with the request made either face-to-face, or over the telephone when you unmistakably recognize the voice of the caller.

When you positively verify the identity of the requestor through approved procedures.

When the action is authorized by a supervisor or other person in authority who is personally familiar with the requestor.

Employees must be trained not to assist people they do not personally know, even if the person making the request claims to be an executive. Once security policies concerning verification have been put in place, management must support employees in adhering to these policies, even when it means that an employee challenges a member of the executive staff who is asking the employee to circumvent a security policy.

Every company also needs to have policies and procedures that guide employees in responding to requests to take any action with computers or computer-related equipment. In the story about the publishing company, the social engineer targeted a new employee who had not been trained on information security policies and procedures. To prevent this type of attack, every existing and new employee must be told to follow a simple rule: Do not use any computer system to perform an action requested by a stranger. Period.

Remember that any employee who has physical or electronic access to a computer or an item of computer-related equipment is vulnerable to being manipulated into taking some malicious action on behalf of an attacker.

Employees, and especially IT personnel, need to understand that allowing an outsider to gain access to their computer networks is like giving your bank account number to a telemarketer or giving your telephone calling card number to a stranger in jail. Employees must give thoughtful attention to whether carrying out a request can lead to disclosure of sensitive information or the compromising of the corporate computer system.

IT people must also be on their guard against unknown callers posing as vendors. In general, a company should consider having specific people designated as the contacts for each technology vendor, with a policy in place that other employees will not respond to vendor requests for information about or changes to any telephone or computer equipment. That way, the designated people become familiar with the vendor personnel who call or visit, and are less likely to be deceived by an imposter. If a vendor calls even when the company does not have a support contract, that should also raise suspicions.

Everyone in the organization needs to be made aware of information security threats and vulnerabilities. Note that security guards and the like need to be given not just security training, but training in information security, as well. Because security guards frequently have physical access to the entire facility, they must be able to recognize the types of social engineering attacks that may be used against them.

Beware Spyware Commercial spyware was once used mostly by parents to monitor what their children were doing on the Internet, and by employers, supposedly to determine which employees were goofing off by surfing the Internet. A more serious use was to detect potential theft of information assets or industrial espionage. Developers market their spyware by offering it as a tool to protect the children, when in fact their true market is people who want to spy on someone. Nowadays, the sale of spyware is driven to a great extent by people's desire to know if their spouse or significant other is cheating on them.

Shortly before I began writing the spyware story in this book, the person who receives email for me (because I'm not allowed to use the Internet) found a spam email message advertising a group of spyware products. One of the items offered was described like this:

FAVORITE! MUST HAVE:

This powerful monitoring and spy program secretly captures all keystrokes and the time and title of all active windows to a text file, while running hidden in the background. Logs can be encrypted and automatically sent to a specified email address, or just recorded on the hard drive. Access to the program is password protected and it can be hidden from the CTRL+ALT+DEL menu. Use it to monitor typed URLs, chat sessions, emails and many other things (even passwords).

Install without detection on ANY PC and email yourself the logs!

Antivirus Gap? Antivirus software doesn't detect commercial spyware, thereby treating the software as not malicious even though the intent is to spy on other people. So the computer equivalent of wiretapping goes unnoticed, creating the risk that each of us might be under illegal surveillance at any time. Of course, the antivirus software manufacturers may argue that spyware can be used for legitimate purposes, and therefore should not be treated as malicious. But the developers of certain tools once used by the hacking community, which are now being freely distributed or sold as security-related software, are nonetheless treated as malicious code. There's a double standard here, and I'm left wondering why.

Another item offered in the same email promised to capture screen shots of the user's computer, just like having a video camera looking over his shoulder. Some of these software products do not even require physical access to the victim's computer. Just install and configure the application remotely, and you have an instant computer wiretap! The FBI must love technology.