
Social Engineering - Christopher Hadnagy [159]

engineering history is not so different. Throughout the history of business, people have been there to scam and steal. People have devoted their lives to helping secure against those bad forces.

Discussing the aspects of professional social engineer attacks is often difficult because they were either done illegally or cannot be openly discussed due to client contracts. Fortunately, Kevin Mitnick—world famous social engineer and computer security expert—has published many of his stories for our reading pleasure. I have taken some of these stories from his book The Art of Deception.

In this chapter I pick two of Mitnick’s most famous stories from his books and give a brief recap of what Kevin did, analyzing what aspects of social engineering he used and discussing what everyone can learn from it.

After dissecting those two accounts I do the same with two of my own accounts that demonstrate the ease with which you can obtain information and how easily you can use the information to compromise an entire company. Finally, I will disclose two “top-secret” stories whose sources I can’t even mention, but as you will see, you will learn a lot from these accounts. What I am aiming to accomplish is to show you how dangerous even little bits of information can be, and how devastating they can be in the hands of a skilled social engineer. At the same time, you will see where a social engineer can learn from past successes and failures to enhance their own skill set.

Let’s get started with the first case study.

Mitnick Case Study 1: Hacking the DMV


Kevin Mitnick is widely known as one of the world’s most notorious social engineers. He has performed some of the boldest and most famous exploits in the world—and the exploit examined here is especially so.

A driver’s license can often come in handy for obtaining information on people. Having the target’s driver’s license number can allow a social engineer to gain all sorts of personal information. However, no free services exist that allow a person to gain access to this personal information. A social engineer or private investigator must go to some lengths to be able to obtain and then use this information on a target.

Kevin Mitnick, in his book The Art of Deception, has a story he called “The Reverse Sting.” The following sections provide some background information and analysis of this account.

The Target

In one of Mitnick’s greatest stories, he discusses how “Eric” wanted to use the non-public Department of Motor Vehicles (DMV) and police systems to obtain people’s driver’s license numbers. He regularly needed to obtain license information on targets. Eric had a method of obtaining this information but feared repeated social engineering calls would render calling the DMV useless or alert the police to his ways.

He needed a different method to access the DMV’s network, and with some knowledge of how the DMV works he knew just how to do it. His target was twofold—not only the DMV but also the police would assist him (of course, without knowing it) in accomplishing his goal of obtaining this information.

The Story

Eric knew that the DMV could give privileged information to insurance agencies, private investigators (PIs), and certain other groups. Each industry has access to only certain types of data.

An insurance company is privy to different information than a PI, whereas a law enforcement agent can get it all. Eric’s goal was to get all the information.

Obtaining an Unpublished DMV Phone Number

Eric took a few steps that really proved his excellent social engineering skills. First he called telephone information and asked for the phone number for DMV headquarters. Of course, the number he was given was for the public and what he wanted was something that would get him deeper.

He then called the local sheriff’s office and asked for Teletype, which is the office where communications are sent to and received by other law enforcement agencies. When he reached the Teletype department, he asked the person for the number that law enforcement would use when calling
