
The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [102]

idea he had created a new account. And I had him print out the directory listing of filenames because I needed to make sure the commands he typed earlier would leave the computer room with him. That way the system administrator or operator wouldn’t spot anything the next morning that would alert them there had been a security breach.

I was now set up with an account, a password, and full privileges. A little before midnight I dialed in and followed the instructions Julia had carefully typed up “for the screenplay.” In a blink I had access to one of the development systems that contained the master copy of the source code for the new version of the company’s operating system software.

I uploaded a patch that Julia had written, which she said modified a routine in one of the operating system’s libraries. That patch would, in effect, create a covert backdoor that would allow remote access into the system with a secret password.

note

The type of backdoor used here does not change the operating system login program itself. Rather, a specific function contained within the dynamic library used by the login program is replaced to create the secret entry point. In typical attacks, computer intruders often replace or patch the login program itself, but sharp system administrators can detect the change by comparing it to the version shipped on media such as CD, or by other distribution methods.
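As an added illustration of the comparison this note describes (not code from the book), the Python sketch below checks files against digests recorded from trusted distribution media. It shows that a baseline covering only the login program reports nothing when the change is in a library the program loads. The file names bin/login and lib/libauth.so and their contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Digest every file under root; run this against the trusted copy."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_files(root: Path, manifest: dict) -> list:
    """Return manifest entries that are missing or whose digest differs."""
    findings = []
    for rel_path, expected in sorted(manifest.items()):
        target = root / rel_path
        if not target.is_file() or sha256_file(target) != expected:
            findings.append(rel_path)
    return findings


def demo():
    """Constructed scenario: a library changes after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        # Hypothetical file names and contents, standing in for shipped files.
        (root / "bin" / "login").write_bytes(b"login program as shipped")
        (root / "lib" / "libauth.so").write_bytes(b"auth library as shipped")
        full_baseline = build_manifest(root)
        login_only = {"bin/login": full_baseline["bin/login"]}
        # Simulate the library being altered while the login program is not.
        (root / "lib" / "libauth.so").write_bytes(b"auth library, altered")
        return changed_files(root, login_only), changed_files(root, full_baseline)


if __name__ == "__main__":
    narrow, full = demo()
    print("login-only baseline flags:", narrow)
    print("full baseline flags:", full)
```

The manifest has to be stored, and the check run, from a system the intruder could not have modified.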

I carefully followed the instructions she had written down for me, first installing the patch, then taking steps that removed the fix account and wiped clean all audit logs so there would be no trace of my activities, effectively erasing my tracks.

Soon the company would begin shipping the new operating system upgrade to their customers: financial institutions all over the world. And every copy they sent out would include the backdoor I had placed into the master distribution before it was sent out, allowing me to access any computer system of every bank and brokerage house that installed the upgrade.

lingo

PATCH Traditionally a piece of code that, when placed in an executable program, fixes a problem.

Of course, I wasn’t quite home free—there would still be work to do. I’d still have to gain access to the internal network of each financial institution I wanted to “visit.” Then I’d have to find out which of their computers was used for money transfers, and install surveillance software to learn the details of their operations and exactly how to transfer funds.

All of that I could do long distance. From a computer located anywhere. Say, overlooking a sandy beach. Tahiti, here I come.

I called the guard back, thanked him for his help, and told him he could go ahead and toss the printout.

Analyzing the Con

The security guard had instructions about his duties, but even thorough, well-thought-out instructions can’t anticipate every possible situation. Nobody had told him the harm that could be done by typing a few keystrokes on a computer for a person he thought was a company employee.

With the cooperation of the guard, it was relatively easy to gain access to a critical system that stored the distribution master, despite the fact that it was behind the locked door of a secure laboratory. The guard, of course, had keys to all locked doors.

Even a basically honest employee (or, in this case, the Ph.D. candidate and company intern, Julia) can sometimes be bribed or deceived into revealing information of crucial importance to a social engineering attack, such as where the target computer system is located and—the key to the success of this attack—when they were going to build the new release of the software for distribution. That’s important, since a change of this kind made too early has a higher chance of being detected or being nullified if the operating system is rebuilt from a clean source.

Did you catch the detail of having the guard take the printout back to the lobby desk and later destroying it? This was an important step. When the computer operators came to work the next workday, the attacker didn’t want
