The Art of Deception: Controlling the Human Element of Security (3 page)

The same problem exists within government, business, and educational institutions throughout the world. Despite the efforts of security professionals, information everywhere remains vulnerable and will continue to be seen as a ripe target by attackers with social engineering skills, until the weakest link in the security chain, the human link, has been strengthened.

Now more than ever we must learn to stop wishful thinking and become more aware of the techniques that are being used by those who attempt to attack the confidentiality, integrity, and availability of our computer systems and networks. We've come to accept the need for defensive driving; it's time to accept and learn the practice of defensive computing.

The threat of a break-in that violates your privacy, your mind, or your company's information systems may not seem real until it happens. To avoid such a costly dose of reality, we all need to become aware, educated, vigilant, and aggressively protective of our information assets, our own personal information, and our nation's critical infrastructures. And we must implement those precautions today.

TERRORISTS AND DECEPTION Of course, deception isn't an exclusive tool of the social engineer. Physical terrorism makes the biggest news, and we have come to realize as never before that the world is a dangerous place. Civilization is, after all, just a thin veneer.

The attacks on New York and Washington, D.C., in September 2001 infused sadness and fear into the hearts of every one of us - not just Americans, but well- meaning people of all nations. We're now alerted to the fact that there are obsessive terrorists located around the globe, well - trained and waiting to launch further attacks against us.

The recently intensified effort by our government has increased the levels of our security consciousness. We need to stay alert, on guard against all forms of terrorism. We need to understand how terrorists treacherously create false identities, assume roles as students and neighbors, and melt into the crowd. They mask their true beliefs while they plot against us - practicing tricks of deception similar to those you will read about in these pages.

And while, to the best of my knowledge, terrorists have not yet used social engineering ruses to infiltrate corporations, water-treatment plants, electrical generation facilities, or other vital components of our national infrastructure, the potential is there. It's just too easy. The security awareness and security policies that I hope will be put into place and enforced by corporate senior management because of this book will come none too soon.

ABOUT THIS BOOK Corporate security is a question of balance. Too little security leaves your company vulnerable, but an overemphasis on security gets in the way of attending to business, inhibiting the company's growth and prosperity. The challenge is to achieve a balance between security and productivity.

Other books on corporate security focus on hardware and software technology, and do not adequately cover the most serious threat of all: human deception. The purpose of this book, in contrast, is to help you understand how you, your co- workers, and others in your company are being manipulated, and the barriers you can erect to stop being victims. The book focuses mainly on the non-technical methods that hostile intruders use to steal information, compromise the integrity of information that is believed to be safe but isn't., or destroy company work product.

My task is made more difficult by a simple truth: Every reader will have been manipulated by the grand experts of all time in social engineering - their parents. They found ways to get you - "for your own good" - to do what they thought best. Parents become great storytellers in the same way that social engineers skillfully develop very plausible stories, reasons, and justifications for achieving their goals. Yes, we were all molded by our parents: benevolent (and sometimes not so benevolent) social engineers.

Conditioned by that training, we have become vulnerable to manipulation. We would live a difficult life if we had to be always on our guard, mistrustful of others, concerned that we might become the dupe of someone trying to take advantage of us. In a perfect world we would implicitly trust others, confident that the people we encounter are going to be honest and trustworthy. But we do not live in a perfect world, and so we have to exercise a standard of vigilance to repel the deceptive efforts of our adversaries.

The main portions of this book, Parts 2 and 3, are made up of stories that show you social engineers in action. In these sections you'll read about:

� What phone phreaks discovered years ago: A slick method for getting an

unlisted phone number from the telephone company. � Several different methods used by attackers to convince even alert, suspicious

employees to reveal their computer usernames and passwords. � How an Operations Center manager cooperated in allowing an attacker to

steal his company's most secret product information. � The methods of an attacker who deceived a lady into downloading software

that spies on every keystroke she makes and emails the details to him. � How private investigators get information about your company, and about you

personally, that I can practically guarantee will send a chill up your spine.

You might think as you read some of the stories in Parts 2 and 3 that they're not possible, that no one could really succeed in getting away with the lies, dirty tricks, and schemes de, scribed in these pages. The reality is that in every case, these stories depict events that can and do happen; many of them are happening every day somewhere on the planet, maybe even to your business as you read this book.

The material in this book will be a real eye-opener when it comes to protecting your business, but also personally deflecting the advances of a social engineer to protect the integrity of information in your private life.

In Part 4 of this book I switch gears. My goal here is to help you create the necessary business policies and awareness training to minimize the chances of your employees ever being duped by a social engineer. Understanding the strategies, methods, and tactics of the social engineer will help prepare you to deploy reasonable controls to safeguard your IT assets, without undermining your company's productivity.

In short, I've written this book to raise your awareness about the serious threat posed by social engineering, and to help you make sure that your company and its employees are less likely to be exploited in this way.

Or perhaps I should say, far less likely to be exploited ever again.

What do most people think is the real threat from social engineers? What should you do to be on your guard?

If the goal is to capture some highly valuable prize--say, a vital component of the company's intellectual capital - then perhaps what's needed is, figuratively, just a stronger vault and more heavily armed guards. Right?

But in reality penetrating a company's security often starts with the bad guy obtaining some piece of information or some document that seems so innocent, so everyday and unimportant, that most people in the organization wouldn't see any reason why the item should be protected and restricted

HIDDEN VALUE OF INFORMATION Much of the seemingly innocuous information in a company's possession is prized by a social engineering attacker because it can play a vital role in his effort to dress himself in a cloak of believability.

Throughout these pages, I'm going to show you how social engineers do what they do by letting you "witness" the attacks for yourself--sometimes presenting the action from the viewpoint of the people being victimized, allowing you to put yourself in their shoes and gauge how you yourself (or maybe one of your employees or co-workers) might have responded. In many cases you'll also experience the same events from the perspective of the social engineer.

The first story looks at a vulnerability in the financial industry.

CREDITCHEX For a long time, the British put up with a very stuffy banking system. As an ordinary, upstanding citizen, you couldn't walk in off the street and open a bank account. No, the bank wouldn't consider accepting you as a customer unless some person already well established as a customer provided you with a letter of recommendation.

Quite a difference, of course, in the seemingly egalitarian banking world of today. And our modern ease of doing business is nowhere more in evidence than in friendly, democratic America, where almost anyone can walk into a bank and easily open a checking account, right? Well, not exactly. The truth is that banks understandably have a natural reluctance to open. an account for somebody who just might have a history of writing bad checks--that would be about as welcome as a rap sheet of bank robbery or embezzlement charges. So it's standard practice at many banks to get a quick thumbs-up or thumbs-down on a prospective new customer.

One of the major companies that banks contract with for this information is an outfit we'll call CreditChex. They provide a valuable service to their clients, but like many companies, can also unknowingly provide a handy service to knowing social engineers.

The First Call: Kim Andrews "National Bank, this is Kim. Did you want to open an account today?" "Hi, Kim. I have a question for you. Do you guys use CreditChex?" "Yes." "When you phone in to CreditChex, what do you call the number you give them-- is it a 'Merchant ID'?"

A pause; she was weighing the question, wondering what this was about and whether she should answer.

The caller quickly continued without missing a beat:

"Because, Kim, I'm working on a book. It deals with private investigations." "Yes," she said, answering the question with new confidence, pleased to be

helping a writer. "So it's called a Merchant ID, right?" "Uh huh."

"Okay, great. Because I wanted to male sure I had the lingo right. For the book.

Thanks for your help. Good-bye, Kim."

The Second Call: Chris Talbert "National Bank, New Accounts, this is Chris." "Hi, Chris. This is Alex," the caller said. "I'm a customer service rep with CreditChex. We're doing a survey to improve our services. Can you spare me a couple of minutes?"

She was glad to, and the caller went on:

"Okay - what are the hours your branch is open for business?" She answered, and continued answering his string of questions. "How many employees at your branch use our service?" "How often do you call us with an inquiry?" "Which of our 800-numbers have we assigned you for calling us?" "Have our representatives always been courteous?" "How's our response time?" "How long have you been with the bank?" "What Merchant ID are you currently using?" "Have you ever found any inaccuracies with the information we've provided

you?" "If you had any suggestions for improving our service, what would they be?"

And:

"Would you be willing to fill out periodic questionnaires if we send them to your

branch?"

She agreed, they chatted a bit, the caller rang off, and Chris went back to work.

The Third Call: Henry McKinsey "CreditChex, this is Henry McKinsey, how can I help you?"

The caller said he was from National Bank. He gave the proper Merchant ID and then gave the name and social security number of the person he was looking for information on. Henry asked for the birth date, and the caller gave that, too.

After a few moments, Henry read the listing from his computer screen.

"Wells Fargo reported NSF in 1998, one time, amount of $2,066." NSF � non sufficient funds - is the familiar banking lingo for checks that have been written when there isn't enough money in the account to cover them. "Any activities since then?" "No activities." "Have there been any other inquiries?" "Let's see. Okay, two of them, both last month. Third United Credit Union of Chicago." He stumbled over the next name, Schenectady Mutual Investments, and had to spell it. "That's in New York State," he added.

Private Investigator at Work All three of those calls were made by the same person: a private investigator we'll call Oscar Grace. Grace had a new client, one of his first. A cop until a few months before, he found that some of this new work came naturally, but some offered a challenge to his resources and inventiveness. This one came down firmly in the challenge category. The hardboiled private eyes of fiction - the Sam Spades and the Philip Marlowes - spend long night time hours sitting in cars waiting to catch a cheating spouse. Real-life PIs do the same. They also do a less written about, but no less important kind of snooping for warring spouses, a method that leans more heavily on social engineering skills than on fighting off the boredom of night time vigils.

Grace's new client was a lady who looked as if she had a pretty comfortable budget for clothes and jewelry. She walked into his office one day and took a seat in the leather chair, the only one that didn't have papers piled on it. She settled her large Gucci handbag on his desk with the logo turned to face him and announced she was planning to tell her husband that she wanted a divorce, but admitted to "just a very little problem."

It seemed her hubby was one step ahead. He had already pulled the cash out of their savings account and an even larger sum from their brokerage account. She wanted to know where their assets had been squirreled away, and her divorce lawyer wasn't any help at all. Grace surmised the lawyer was one of those uptown, high-rise counselors who wouldn't get his hands dirty on something messy like where did the money go.

Could Grace help?

He assured her it would be a breeze, quoted a fee, expenses billed at cost, and collected a check for the first payment.

Then he faced his problem. What do you do if you've never handled a piece of work like this before and don't quite know how to go about tracking down a money trail? You move forward by baby steps. Here, accord- mg to our source, is Grace's story.

I knew about CreditChex and how banks used the outfit - my ex-wife used to work at a bank. But I didn't know the lingo and procedures, and trying to ask my ex- would be a waste of time.

Step one: Get the terminology straight and figure out how to make the request so it sounds like I know what I'm talking about. At the bank I called, the first young lady, Kim, was suspicious when I asked about how they identify themselves when they phone CreditChex. She hesitated; she didn't know whether to tell me. Was I put off by that? Not a bit. In fact, the hesitation gave me an important clue, a sign that I had to supply a reason she'd find believable. When I worked the con on her about doing research for a book, it relieved her suspicions. You say you're an author or a movie writer, and everybody opens up. She had other knowledge that would have helped - things like what reformation CreditChex requires to identify the person you're calling about, what information you can ask for, and the big one, what was Kim's bank Merchant ID number. I was ready to ask those questions, but her hesitation sent up the red flag. She bought the book research story, but she already had a few niggling suspicions. If she'd been more willing right way, I would have asked her to reveal more details about their procedures.

LINGO MARK: The victim of a con. BURN THE SOURCE: An attacker is said to have burned the source when he allows a victim to recognize that an attack has taken place. Once the victim becomes aware and notifies other employees or management of the attempt, it becomes extremely difficult to exploit the same source in future attacks.

You have to go on gut instinct, listen closely to what the mark is saying and how she's saying it. This lady sounded smart enough for alarm bells to start going off if I asked too many unusual questions. And even though she didn't know who I was or what number I was calling from, still in this business you never want anybody putting out the word to be on the look out for someone calling to get information about the business. That's because you don't want to burn the source - you may want to call same office back another time.

I'm always on the watch for little signs that give me a read on how cooperative a person is, on a scale that runs from "You sound like a nice person and I believe everything you're saying" to "Call the cops, alert the National Guard, this guy's up to no good."

I read Kim as a little bit on edge, so I just called somebody at a different branch. On my second call with Chris, the survey trick played like a charm. The tactic here is to slip the important questions in among inconsequential ones that are used to create a sense of believability. Before I dropped the question about the Merchant ID number with CreditChex, I ran a little last-minute test by asking her a personal question about how long she'd been with the bank.

A personal question is like a land mine - some people step right over it and never notice; for other people, it blows up and sends them scurrying for safety. So if I ask a personal question and she answers the question and the tone of her voice doesn't change, that means she probably isn't skeptical about the nature of the request. I can safely ask the sought after question without arousing her suspicions, and she'll probably give me the answer I'm looking for. One more thing a good PI knows: Never end the conversation after getting the key information. Another two or three questions, a little chat, and then it's okay to say good-bye. Later, if the victim remembers anything about what you asked, it will probably be the last couple of questions. The rest will usually be forgotten.

So Chris gave me their Merchant ID number, and the phone number they call to make requests. I would have been happier if I had gotten to ask some questions about how much information you can get from CreditChex. But it was better not to push my luck.

It was like having a blank check on CreditChex. I could now call and get information whenever I wanted. I didn't even have to pay for the service. As it turned out, the CreditChex rep was happy to share exactly the information I wanted: two places my client's husband had recently applied to open an account. So where were the assets his soon-to-be ex-wife was looking for? Where else but at the banking institutions the guy at CreditChex listed?

Analyzing the Con This entire ruse was based on one of the fundamental tactics of social engineering: gaining access to information that a company employee treats as innocuous, when it isn't.

The first bank clerk confirmed the terminology to describe the identifying number used when calling CreditChex: the Merchant ID. The second provided the phone number for calling CreditChex, and the most vital piece of information, the bank's Merchant ID number. All this information appeared to the clerk to be innocuous. After all, the bank clerk thought she was talking to someone from CreditChex -so what could be the harm in disclosing the number?

All of this laid the groundwork for the third call. Grace had everything he needed to phone CreditChex, pass himself off as a rep from one of their customer banks, National, and simply ask for the information he was after.

With as much skill at stealing information as a good swindler has at stealing your money, Grace had well-honed talents for reading people. He knew the common tactic of burying the key questions among innocent ones. He knew a personal question would test the second clerk's willingness to cooperate, before innocently asking for the Merchant ID number.

The first clerk's error in confirming the terminology for the CreditChex ID number would be almost impossible to protect against. The information is so widely known within the banking industry that it appears to be unimportant - the very model of the innocuous. But the second clerk, Chris, should not have been so willing to answer questions without positively verifying that the caller was really who he claimed to be. She should, at the very least, have taken his name and number and called back; that way, if any questions arose later, she may have kept a record of what phone number the person had used. In this case, making a call like that would have made it much more difficult for the attacker to masquerade as a representative from CreditChex.

MITNICK MESSAGE A Merchant ID in this situation is analogous to a password. If bank personnel treated it like an ATM PIN, they might appreciate the sensitive nature of the information. Is there an internal code or number in your organization that people aren't treating with enough care?

Better still would have been a call to CreditChex using a nun bank already had on record - not a number provided by the caller � to verify that the person really worked there, and that the company was really doing a customer survey. Given the practicalities of the real world and the time pressures that most people work under today, though, this kind of verification phone call is a lot to expect, except when an employee is suspicious that some kind of attack is being made.