Social Engineering - Christopher Hadnagy [56]

and the like.

Typically—say in the case of a phone company—pretexters call up and falsely represent themselves as the customer; since companies rarely require passwords, a pretexter may need no more than a home address, account number, and heartfelt plea to get the details of an account. According to the Federal Trade Commission’s Web site, pretexters sell the information to individuals who can range from otherwise legitimate private investigators, financial lenders, potential litigants, and suspicious spouses to those who might attempt to steal assets or fraudulently obtain credit. Pretexting, the FTC site states, “is against the law.” The FTC and several state attorneys general have brought enforcement actions against pretexters for allegedly violating federal and state laws on fraud, misrepresentation, and unfair competition. One of HP’s directors is Larry Babbio, the president of Verizon, which has filed various actions against pretexters.

(If you’re interested in exploring it, the Telephone Records and Privacy Protection Act of 2006 can be found at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_bills&docid=f:h4709enr.txt.pdf.)

The end result was that criminal charges were brought not only against Dunn, but against the consultants she hired. You may wonder, “How is that possible considering they were hired and contracted to perform these tests?”

Take a look at what avenues they used and what information they obtained to help answer this question. The consultants obtained the names, addresses, Social Security numbers, telephone call logs, telephone billing records, and other information of the HP board members and reporters. They actually used the Social Security number to establish an online account for one reporter and then obtain records of his personal calls.

Page 32 of a confidential document from Hewlett-Packard to its lawyer and internal legal staff (www.social-engineer.org/resources/book/20061004hewlett6.pdf) lists a communication from Tom Perkins to the HP board members that offers a little more insight about what pretexts were used. A few tactics used were:

They represented themselves as the carrier company to obtain the records of calls illegally.

The identities of the ones being investigated were used and spoofed to obtain their personal call records.

Online accounts with carriers were generated using illegally obtained names, Social Security numbers, and other information to access their call records.

On September 11, 2006, the United States House of Representatives Committee on Energy and Commerce sent Ms. Dunn a letter (see a copy of this letter at www.social-engineer.org/resources/book/20061004hewlett6.pdf) requesting the information she had obtained. They listed in their requests the obtained information as the following:

All published and non-published telephone numbers

Credit card bills

Customer name and address info

Utility bills

Pager numbers

Cell numbers

Social Security numbers

Credit reports

Post office box information

Bank account information

Asset information

Other consumer information

All of this information was obtained through a very gray area of professional social engineering: was what they did ethical and moral, even though they were hired to do it? Many professional social engineers would not go to these lengths. The lesson to be learned from this very important case is that as a professional social engineer you might mimic the methodologies and the thinking of malicious social engineers, but you should never stoop completely to their level. The problem for these consultants was that they were authorized to pretext, social engineer, and audit Hewlett-Packard. They were not authorized to social engineer AT&T, Verizon, utility companies, and so on. When employing pretexting you must have it outlined and planned so you know which legal lines you might get near and which lines you must not cross.

HP’s story lends itself to a discussion about policy, contracts, and outlining what you will be offering if you are a social engineer auditor,
