The Art of Deception: Controlling the Human Element of Security (6 page)

It never occurred to Janie that somebody might actually lie about some thing like this, that the caller might not really be from the billing department at all. Of course, the blame doesn't lie at Janie's feet. She wasn't well versed in the rule about making sure you know who you're talking to before discussing information in a customer's file. Nobody had ever told her about the danger of a phone call like the one from Art. It wasn't in the company policy, it wasn't part of her training, and her supervisor had never mentioned it.

PREVENTING THE CON A point to include in your security training: Just because a caller or visitor knows the names of some people in the company, or knows some of the corporate lingo or procedures, doesn't mean he is who he claims to be. And it definitely doesn't establish him as anybody authorized to be given internal information, or access to your computer system or network.

Security training needs to emphasize: When in doubt, verify, verify, verify.

In earlier times, access to information within a company was a mark of rank and privilege. Workers stoked the furnaces, ran the machines, typed the letters, and filed the reports. The foreman or boss told them what to do, when, and how. It was the foreman or boss who knew how many widgets each worker should be producing on a shift, how many and in what colors and sizes the factory needed to turn out this week, next week, and by the end of the month.

Workers handled machines and tools and materials, and bosses handled information. Workers needed only the information specific to their specific jobs.

The picture is a little different today, isn't it? Many factory workers use some form of computer or computer-driven machine. For a large part of the workforce, critical information is pushed down to the users' desktops so that they can fulfill their responsibility to get their work done. In today's environment, almost everything employees do involves the handling of information. That's why a company's security policy needs to be distributed enterprise-wide, regardless of position. Everybody must understand that it's not just the bosses and executives who have the information that an attacker might be after. Today, workers at every level, even those who don't use a computer, are liable to be targeted. The newly hired rep in the customer service group may be just the weak link that a social engineer breaks to achieve his objective. Security training and corporate security policies need to strengthen that link.

Some of these stories might lead you to think that I believe everyone in business is a complete idiot, ready, even eager, to give away every secret in his or her possession. The social engineer knows isn't true. Why are social engineering attacks so successful? It isn't because people are stupid or lack common sense. But we, as human beings are all vulnerable to being deceived because people can misplace their trust if manipulated in certain ways.

The social engineer anticipates suspicion and resistance, and he's always prepared to turn distrust into trust. A good social engineer plans his attack like a chess game, anticipating the questions his target might ask so he can be ready with the proper answers.

One of his common techniques involves building a sense of trust on the part of his victims. How does a con man make you trust him? Trust me, he can.

TRUST: THE KEY TO DECEPTION The more a social engineer can make his contact seem like business as usual, the more he allays suspicion. When people don't have a reason to be suspicious, it's easy for a social engineer to gain their trust.

Once he's got your trust, the drawbridge is lowered and the castle door thrown open so he can enter and take whatever information he wants.

NOTE You may notice I refer to social engineers, phone phreaks, and con-game operators as 'he" through most of these stories. This is not chauvinism; it simply reflects the truth that most practitioners in these fields are male. But though there aren't many women social engineers, the number is growing. There are enough female social engineers out there that you shouldn't let your guard down just because you hear a women's voice. In fact, female social engineers have a distinct advantage because they can use their sexuality to obtain cooperation. You'll find a small number of the so-called gentler sex represented in these pages

The First Call: Andrea Lopez Andrea Lopez answered the phone at the video rental store where she worked, and in a moment was smiling: It's always a pleasure when a customer takes the trouble to say he's happy about the service. This caller said he had had a very good experience dealing with the store, and he wanted to send the manager a letter about it. He asked for the manager's name and the mailing address, and she told him it was Tommy Allison, and gave him the address. As he was about to hang up, he had another idea and said, "I might want to write to your company headquarters, too. What's your store number?" She gave him that information, as well. He said thanks, added something pleasant about how helpful she had been, and said goodbye.

"A call like that," she thought, "always seems to make the shift go by faster. How nice it would be if people did that more often."

The Second Call: Ginny "Thanks for calling Studio Video. This is Ginny, how can I help you?" "Hi, Ginny," the caller said enthusiastically, sounding as if he talked to Ginny every week or so. "It's Tommy Allison, manager at Forest Park, Store 863. We have a customer in here who wants to rent Rocky 5 and we're all out of copies. Can you check on what you've got?" She came back on the line after a few moments and said, "Yeah, we've got three copies." "Okay, I'll see if he wants to drive over there. Listen, thanks. If you ever need any help from our store, just call and ask for Tommy. I'll be glad to do whatever I can for you."

Three or four times over the next couple of weeks, Ginny got calls from Tommy for help with one thing or another. They were seemingly legitimate requests, and he was always very friendly without sounding like he was trying to come on to her. He was a little chatty along the way, as well - "Did you hear about the big fire in Oak Park? Bunch of streets closed over there," and the like. The calls were a little break from the routine of the day, and Ginny was always glad to hear from him.

One day Tommy called sounding stressed. He asked, "Have you guys been having trouble with your computers?"

"No," Ginny answered. "Why?" "Some guy crashed his car into a telephone pole, and the phone company repairman says a whole part of the city will lose their phones and Internet connection till they get this fixed." "Oh, no. Was the man hurt?" "They took him away in an ambulance. Anyway, I could use a little help. I've got a customer of yours here who wants to rent Godfather II and doesn't have his card with him. Could you verify his information for me?" "Yeah, sure." Tommy gave the customer's name and address, and Ginny found him in the computer. She gave Tommy the account number. "Any late returns or balance owed?" Tommy asked. "Nothing showing." "Okay, great. I'll sign him up by hand for an account here and put it in our database later on when the computers come back up again. And he wants to put this charge on the Visa card he uses at your store, and he doesn't have it with him. What's the card number and expiration date?"

She gave it to him, along with the expiration date. Tommy said, "Hey, thanks for the help. Talk to you soon," and hung up.

Doyle Lonnegan's Story Lonnegan is not a young man you would want to find waiting when you open your front door. A one-time collection man for bad gambling debts, he still does an occasional favor, if it doesn't put him out very much. In this case, he was offered a sizable bundle of cash for little more than making some phone calls to a video store. Sounds easy enough. It's just that none of his "customers" knew how to run this con; they needed somebody with Lonnegan's talent and know- how.

People don't write checks to cover their bets when they're unlucky or stupid at the poker table. Everybody knows that. Why did these friends of mine keep on playing with a cheat that didn't have green out on the table? Don't ask. Maybe they're a little light in the IQ department. But they're friends of mine--what can you do? This guy didn't have the money, so they took a check. I ask you! Should of drove him to an ATM machine, is what they should of done. But no, a check. For $3,230. Naturally, it bounced. What would you expect? So then they call me; can I help? I don't close doors on people's knuckles any more. Besides, there are better ways nowadays. I told them, 30 percent commission, I'd see what I could do. So they give me his name and address, and I go up on the computer to see what's the closest video store to him. I wasn't in a big hurry. Four phone calls to cozy up to the store manager, and then, bingo, I've got the cheat's Visa card number. Another friend of mine owns a topless bar. For fifty bucks, he put the guy's poker money through as a Visa charge from the bar. Let the cheat explain that to his wife. You think he might try to tell Visa it's not his charge? Think again. He knows we know who he is. And if we could get his Visa number, he'll figure we could get a lot more besides. No worries on that score. Analyzing the Con Tommy's initial calls to Ginny were simply to build up trust. When time came for the actual attack, she let her guard down and accepted Tommy for who he claimed to be, the manager at another store in the chain.

And why wouldn't she accept him--she already knew him. She'd only met him over the telephone, of course, but they had established a business friendship that is the basis for trust. Once she had accepted him as an authority figure, a manager in the same company, the trust had been established and the rest was a walk in the park.

MITNICK MESSAGE The sting technique of building trust is one of the most effective social engineering tactics. You have to think whether you really know the person you're talking to. In some rare instances, the person might not be who he claims to be. Accordingly, we all have to learn to observe, think, and question authority.

VARIATION ON A THEME: CARD CAPTURE Building a sense of trust doesn't necessarily demand a series of phone calls with the victim, as suggested by the previous story. I recall one incident I witnessed where five minutes was all it took.

Surprise, Dad I once sat at a table in a restaurant with Henry and his father. In the course of conversation, Henry scolded his father for giving out his credit card number as if it were his phone number. "Sure, you have to give your card number when you buy something," he said. "But giving it to a store that files your number in their records - that's real dumb."

The only place I do that is at Studio Video," Mr. Conklin said, naming the same chain of video stores. "But I go over my Visa bill every month. If they started running up charges, I'd know it. Sure," said Henry, "but once they have your number, it's so easy for somebody to steal it "

You mean a crooked employee." No, anybody - not just an employee." You're talking through your hat," Mr. Conklin said. I can call up right now and get them to tell me your Visa number," Henry shot back. No, you can't, "his father said. "I can do it in five minutes, right here in front of you without ever leaving

the table." Mr. Conklin looked tight around the eyes, the look of somebody feeling sure of himself, but not wanting to show it. "I say you don't know that you're talking about," he barked, taking out his wallet and slapping fifty dollar bill down on the table. "If you can do what you say, that's yours. "I don't want your money, Dad," Henry said. He pulled out his cell phone, asked his father which branch he used, and called Directory Assistance for the phone number, as well as the number of the store in nearby Sherman Oaks.

He then called the Sherman Oaks store. Using pretty much the same approach described in the previous story, he quickly got the manager's name and the store number.

Then he called the store where his father had an account. He pulled the old impersonate-the-manager trick, using the manager's name as his own and giving the store number he had just obtained. Then he used the same ruse: "Are your computers working okay? Ours have been up and down." He listened to her reply and then said, "Well, look, I've got one of your customers here who wants to rent a video, but our computers are down right now. I need you to look up the customer account and make sure he's a customer at your branch." Henry gave him his father's name. Then, using only a slight variation in technique, he made the request to read off the account information: address, phone number, and date the account was opened. And then he said, "Hey, listen, I'm holding up a long line of customers here. What's the credit card number and expiration date?" Henry held the cell phone to his ear with one hand while he wrote on a paper napkin with the other. As he finished the call, he slid the napkin in front of his father, who stared at it with his mouth hanging open. The to poor guy looked totally shocked, as if his whole system of trust had just gone down the drain.

Analyzing the Con Think of your own attitude when somebody you don't know asks you for something. If a shabby stranger comes to your door, you're not likely to let him in; if a stranger comes to your door nicely dressed, shoes shined, hair perfect, with polite manner and a smile, you're likely to be much less suspicious. Maybe he's really Jason from the Friday the 13th movies, but you're willing to start out trusting that person as long as he looks normal and doesn't have a carving knife in his hand. What's less obvious is that we judge people on the telephone the same way. Does this person sound like he's trying to sell me something? Is he friendly and outgoing or do I sense some kind of hostility or pressure? Does he or she have the speech of an educated person? We judge these things and perhaps a dozen others unconsciously, in a flash, often in the first few moments of the conversation.

MITNICK MESSAGE It's human nature to think that it's unlikely you're being deceived in any particular transaction, at least until you have some reason to believe otherwise. We weigh the risks and then, most of the time, give people the benefit of the doubt. That's the natural behavior of civilized people.., at least civilized people who have never been conned or manipulated or cheated out of a large amount of money. As children our parents taught us not to trust strangers. Maybe we should all heed this age-old principle in today's workplace.

At work, people make requests of us all the time. Do you have an email address for this guy? Where's the latest version of the customer list? Who's the subcontractor on this part of the project? Please send me the latest project update. I need the new version of the source code.

And guess what: Sometimes people who make those requests are people your don't personally know, folks who work for some other part of the company, or claim they do. But if the information they give checks out, and they appear to be in the know ("Marianne said . . ."; "It's on the K-16 server..."; "... revision 26 of the new product plans"), we extend our circle of trust to include them, and blithely give them what they're asking for.

Sure, we may stumble a little, asking ourselves "Why does somebody in the Dallas plant need to see the new product plans?" or "Could it hurt anything to give out the name of the server it's on?" So we ask another question or two. If the answers appear reasonable and the person's manner is reassuring, we let down our guard, return to our natural inclination to trust our fellow man or woman, and do (within reason) whatever it is we're being asked to do.

And don't think for a moment that the attacker will only target people 'ho use company computer systems. What about the guy in the mail room? "Will you do me a quick favor? Drop this into the intra company mail pouch?" Does the mail room clerk know it contains a floppy disk with a special little program for the CEO's secretary? Now that attacker gets his own personal copy of the CEO's email. Wow! Could that really happen at your company? The answer is, absolutely.

THE ONE-CENT CELL PHONE Many people look around until the); find a better deal; social engineers don't look for a better deal, they find a way to make a deal better. For example, sometimes a company launches a marketing campaign that's so you can hardly bear to pass it up, while the social engineer looks at the offer and wonders how he can sweeten the deal.

Not long ago, a nationwide wireless company had a major promotion underway offering a brand-new phone for one cent when you signed up for one of their calling plans.

As lots of people have discovered too late, there are a good many questions a prudent shopper should ask before signing up for a cell phone calling plan whether the service is analog, digital, or a combination; the number of anytime minutes you can use in a month; whether roaming charges are included.., and on, and on. Especially important to understand up front is the contract term of commitment--how many months or years will you have to commit to?