The Art of Deception: Controlling the Human Element of Security (27 page)

The verification process requires a balancing act that each Company must define for itself: Security versus productivity. What priority is going to be assigned to enforcing security measures? Will employees be resistant to following security procedures, and even circumvent them in order to complete their job responsibilities? Do employees understand why security is important to the company and themselves? These questions need to be answered to develop a security policy based on corporate culture and business needs. Most people inevitably see anything that interferes with getting their work done as an annoyance, and may circumvent any security measures that appear to be a waste of time. Motivating employees to make security part of their everyday responsibilities through education and awareness is key.

Although caller ID service should never be used as a means of authentication for voice calls from outside the company, another method called automatic number identification (ANI) can. This service is provided when a company subscribes to toll-flee services where the company pays for the incoming calls and is reliable for identification. Unlike caller ID, the telephone company switch does not use any information that is sent from a customer when providing the calling number. The number transmitted by ANI is the billing number assigned to the calling party.

Note that several modem manufacturers have added a caller ID feature into their products, protecting the corporate network by allowing remote-access calls only from a list ofpreauthorized telephone numbers. Caller ID modems are an acceptable means of authentication in a low-security environment but, as should be clear by now, spoofing caller ID is a relatively easy technique for computer intruders, and so should not be relied on for proving the caller's identity or location in a high-security setting.

To address the case of identity theft, as in the story about deceiving an administrator to create a voice mailbox on the corporate phone system, make it a policy that all phone service, all voice mailboxes, and all entries to the corporate directory, both in print and on line, must be requested in writing, on a form provided for the purpose. The employee's manager should sign the request, and the voice mail administrator should verify the signature.

Corporate security policy should require that new computer accounts or increases in access rights be granted only after positive verification of the person making the request, such as a callback to the system manager or administrator, or his or her designee, at the phone number listed in the print or on-line company directory. If the company uses secure email where employees can digitally sign messages, this alternative verification method may also be acceptable.

Remember that every employee, regardless of whether he has access to company computer systems, may be duped by a social engineer. Everyone must be included in security awareness training. Administrative assistants, receptionists, telephone operators, and security guards must be made familiar with the types of social engineering attack most likely to be directed against them so that they will be better prepared to defend against those attacks.

The threat of information attacks against government, corporations, and university systems is well established. Almost every day, the media reports a new computer virus, denial of service attack, or theft of credit card information from an e-commerce Web site.

We read about cases of industrial espionage such as Borland accusing Symantec of stealing trade secrets, Cadence Design Systems filing a suit charging the theft of source code by a competitor. Many business people read these stories and think it could never happen at their company. It's happening every day.

VARIATION ON A SCHEME The ruse described in the following tale has probably been pulled off many times, even though it sounds like something taken out of a Hollywood movie like The Insider, or from the pages of a John Grisham novel.

Class Action Imagine that a massive class-action lawsuit is raging against a major pharmaceutical company, Pharmomedic. The suit claims that they knew one of their very popular drugs had a devastating side effect, but one that would not be evident until a patient had been on the medication for years. The suit alleges that they had results from a number of research studies that revealed this danger, but suppressed the evidence and never turned it over to the FDA as required.

William ("Billy") Chaney, the attorney of record on the masthead of the New York law firm that filed the class-action suit, has depositions from two Pharmomedic doctors supporting the claim. But both are retired, neither has any files or documentation, and neither would make a strong, convincing witness. Billy knows he's on shaky ground. Unless he can get a copy of one of those reports, or some internal memo or communication between company executives, his whole case will fall apart.

So he hires a firm he's used before: Andreeson and Sons, private investigators. Billy doesn't know how Pete and his people get the stuff they do, and he doesn't want to know. All he knows is that Pete Andreeson is one good investigator.

To Andreeson, an assignment like this is what he calls a black bag job. The first rule is that the law firms and companies that hire him never learn how he gets his information so that they always have complete, plausible deniability. If anybody is going to have his feet shoved into boiling water, it's going to be Pete, and for what he collects in fees on the big jobs, he figures it's worth the risk. Besides, he gets such personal satisfaction from outsmarting smart people.

If the documents that Chaney wants him to find actually existed and haven't been destroyed, they'll be somewhere in the files of Pharmomedic. But finding them in the massive files of a large corporation would be a huge task. On the other hand, suppose they've turned copies over to their law firm, Jenkins and Petry? If the defense attorneys knew those documents existed and didn't turn them over as part of the discovery process, then they have violated the legal profession's canon of ethics, and violated the law, as well. In Pete's book, that makes any attack fair game.

Pete's Attack Pete gets a couple of his people started on research and within days he knows what company Jenkins and Petty uses for storing their offsite backups. And he knows that the storage company maintains a list of the names of people whom the law firm has authorized to pick up tapes from storage. He also knows that each of these people has his or her own password. Pete sends two of his people out on a black bag job.

The men tackle the lock using a lock pick gun ordered on the Web at www.southord.com. Within several minutes they slip into the offices of the storage firm around 3 a.m. one night and boot up a PC. They smile when they see the Windows 98 logo because it means this will be a piece of cake. Windows 98 does not require any form of authentication. After abit of searching, they locate a Microsoft Access database with the names of people authorized by each of the storage company customers to pick up tapes. They add a phony name to the authorization list for Jenkins and Petry, a name matching one on a phony driver's license one of the men has already obtained. Could they have broken into the locked storage area and tried to locate the tapes their client wanted? Sure--but then all the company's customers, including the law firm, would have certainly been notified of the breach. And the attackers would have lost an advantage: Professionals always like to leave an opening for future access, should the need arise.

Following a standard practice of industrial spies to keep something in the back pocket for future use, just in case, they also made a copy of the file containing the authorization list onto a floppy disk. None of them had any idea how it might ever prove useful, but it's just one of those "We're here, we might just as well" things that every now and then turns out to be valuable. The next day, one of the same men called the storage company, used the name they had added to the authorization list, and gave the corresponding password. He asked for all the Jenkins and Petry tapes dated within the last month, and said that a messenger service would come by to pick up the package. By mid-afternoon, Andreeson had the tapes. His people restored all the data to their own computer system, ready to search at leisure. Andreeson was very pleased that the law firm, like most other businesses, didn't bother encrypting their backup data.

The tapes were delivered back to the storage company the next day and no one was the wiser.

MITNICK MESSAGE Valuable information must be protected no matter what form it takes or where it is located. An organization's customer list has the same value whether in hardcopy form or an electronic file at your office or in a storage box. Social engineers always prefer the easiest to circumvent, least defended point of attack. A company's offsite backup storage facility is seen as having less risk of detection or getting caught. Every organization that stores any valuable, sensitive, or critical data with third parties should encrypt their data to protect its confidentiality.

Analyzing the Con Because of lax physical security, the bad guys were easily able to pick the lock of the storage company, gain access to the computer, and modify the database containing the list of people authorized to have access to the storage unit. Adding a name to the list allowed the imposters to obtain the computer backup tapes they were after, without having to break into the firm's storage unit. Because most businesses don't encrypt backup data, the information was theirs for the taking.

This incident provides one more example of how a vendor company that does not exercise reasonable security precautions can make it easy for an attacker to compromise their customer's information assets.

THE NEW BUSINESS PARTNER Social engineers have a big advantage over con men and grifters, and the advantage is distance. A grifter can only cheat you by being in your presence, allowing you to give a good description of him afterward or even call the cops if you catch on to the ruse early enough.

Social engineers ordinarily avoid that risk like the plague. Sometimes, though, the risk is necessary, and justified by the potential reward. Jessica's Story Jessica Andover was feeling very good about getting a job with a hotshot robotics company. Sure, it was only a start-up and they couldn't pay very much, but it was small, the people were friendly, and there was the excitement of knowing her stock options just might turn out to make her rich. Okay, maybe not a millionaire like the company founders would be, but rich enough.

Which was how it happened that Rick Daggot got a glowing smile when he walked into the lobby that Tuesday morning in August. In his expensive- looking suit (Armani) and his heavy gold wrist-watch (a Rolex President), with his immaculate haircut, he had that same manly, self-confident air that had driven all the girls crazy when Jessica was in high school.

"Hi," he said. "I'm Rick Daggot and I'm here for my meeting with Larry."

Jessica's smile faded. "Larry?" she said. "Larry's on vacation all week." "I have an appointment with him at one o'clock. I just flew in from Louisville to meet with him," Rick said, as he drew out his Palm, turned it on, and showed her.

She looked at it and gave a small shake of her head. "The 20th," she said. "That's next week." He took the palmtop back and stared at it. "Oh, no!" he groaned. "I can't believe what a stupid mistake I made."

"Can I book a return flight for you, at least?" she asked, feeling sorry for him.

While she made the phone call, Rick confided that he and Larry had arranged to set up a strategic marketing alliance. Rick's company was producing products for the manufacturing and assembly line, items that would perfectly complement their new product, the C2Alpha. Rick's products and the C2Alpha together would make a strong solution that would open up important industrial markets for both companies.

When Jessica had finished making his reservation on a late afternoon flight, Rick said, "Well, at least I could talk to Steve if he's available." But Steve, the company's VP and cofounder, was also out of the office.

Rick, being very friendly to Jessica and flirting just a little, then suggested that, as long as he was there and his flight home wasn't till late afternoon, he'd like to take some of the key people to lunch. And he added, "Including you, of course--is there somebody who can fill in for you at lunchtime. Flushed at the idea of being included, Jessica asked, "Who do you want to come?" He tapped his palmtop again and named a few people--two engineers from R&D, the new sales and marketing man, and the finance guy assigned to the project. Rick suggested she tell them about his relationship with the company, and that he'd like to introduce himself to them. He named the best restaurant in the area, a place where Jessica had always wanted to go, and said he'd book the table himself, for 12:30, and would call back later in the morning to make sure everything was all set.

When they gathered at the restaurant--the four of them plus Jessica their table wasn't ready yet, so they settled at the bar, and Rick made it clear that drinks and lunch were on him. Rick was a man with style and class, the kind of person who makes you feel comfortable from the very first, the same way you feel with someone you've known for years. He always seemed to know just the right thing to say, had a lively remark or something funny whenever the conversation lagged, and made you feel good just being around him.

He shared just enough details about his own company's products that they could envision the joint marketing solution he seemed so animated about. He named several Fortune 500 companies that his firm was already selling to, until everyone at the table began to picture their product becoming a success from the day the first units rolled out of the factory.

Then Rick walked over to Brian, one of the engineers. While the others chatted among themselves, Rick shared some ideas privately with Brian, and drew him out about the unique features of the C2Alpha and what set it apart from anything the competition had. He found out about a couple of features the company was downplaying that Brian was proud of and thought really "neat."

Rick worked his way along the line, chatting quietly with each. The marketing guy was happy for a chance to talk about the roll-out date and marketing plans. And the bean counter pulled an envelope from his pocket and wrote down details of the material and manufacturing costs, price point and expected margin, and what kind of deal he was trying to work out with each of the vendors, which he listed by name.

By the time their table was ready, Rick had exchanged ideas with everybody and had won admirers all along the line. By the end of the meal, they each shook hands with Rick in turn and thanked him. Rick swapped business cards with each and mentioned in passing to Brian, the engineer, that he wanted to have a longer discussion as soon as Larry returned. The following day Brian picked up his telephone to find that the caller was Rick, who said he had just finished speaking with Larry. I'll be coming back in on Monday to work out some of the specifics with him," Rick said, "and he wants me to be up to speed on your product. He said you should email the latest designs and specs to him. He'll pick out the parts he wants me to have and forward them on to me."

The engineer said that would be fine. Good, Rick answered. He went on, "Larry wanted you to know he's having a problem retrieving his email. Instead of sending the stuff to his regular account, he arranged with the hotel's business center to set up a Yahoo mail account for him. He says you should send the files to [email protected]."

The following Monday morning, when Larry walked into the office looking tanned and relaxed, Jessica was primed and eager to gush over Rick. "What a great guy. He took a bunch of us to lunch, even me." Larry looked confused. "Rick? Who the hell is Rick?"

"What're you talking about?--your new business partner." "What!!!???"

"And everybody was so impressed with what good questions he asked." "I don't know any Rick ..."

"What's the matter with you? Is this a joke, Larry--you're just fooling with me, right?"

"Get the executive team into the conference room. Like now. No matter what they're doing. And everybody who was at that lunch. Including you."

They sat around the table in a somber mood, hardly speaking. Larry walked in, sat down and said, "I do not know anybody named Rick. I do not have a new business partner I've been keeping secret from all of you. Which I would have thought was obvious. If there's a practical ,joker in our midst, I want him to speak up now."

Not a sound. The room seemed to be growing darker moment by moment.

Finally Brian spoke. "Why didn't you say something when I sent you that email with the product specs and source code?"

"What email! ?"

Brian stiffened. "Oh... shit!" Cliff, the other engineer, chimed in. "He gave us all business cards. We just need to call him and see what the bell's going on."

Brian pulled out his palmtop, called up an entry, and scooted the device across the table to Larry. Still hoping against hope, they all watched as if entranced while Larry dialed. After a moment, he stabbed the speakerphone button and everyone heard a busy signal. After trying the number several times over a period of twenty minutes, a frustrated Larry dialed the operator to ask for an emergency interruption.