
The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [103]

them to find this damning evidence on the hard-copy terminal, or notice it in the trash. Giving the guard a plausible excuse to take the printout with him avoided that risk.

Mitnick Message

When the computer intruder cannot gain physical access to a computer system or network himself, he will try to manipulate another person to do it for him. In cases where physical access is necessary for the plan, using the victim as a proxy is even better than doing it himself, because the attacker assumes much less risk of detection and apprehension.

THE EMERGENCY PATCH

You would think a tech support guy would understand the dangers of giving access to the computer network to an outsider. But when that outsider is a clever social engineer masquerading as a helpful software vendor, the results might not be what you expect.

A Helpful Call

The caller wanted to know “Who’s in charge of computers there?” and the telephone operator put him through to the tech support guy, Paul Ahearn.

The caller identified himself as “Edward, with SeerWare, your database vendor. Apparently a bunch of our customers didn’t get the email about our emergency update, so we’re calling a few for a quality control check to see whether there was a problem installing the patch. Have you installed the update yet?”

Paul said he was pretty sure he hadn’t seen anything like that.

Edward said, “Well, it could cause intermittent catastrophic loss of data, so we recommend you get it installed as soon as possible.” Yes, that was something he certainly wanted to do, Paul said. “Okay,” the caller responded. “We can send you a tape or CD with the patch, and I want to tell you, it’s really critical—two companies already lost several days of data. So you really should get this installed as soon as it arrives, before it happens to your company.”

“Can’t I download it from your Web site?” Paul wanted to know.

“It should be available soon—the tech team has been putting out all these fires. If you want, we can have our customer support center install it for you, remotely. We can either dial up or use Telnet to connect to the system, if you can support that.”

“We don’t allow Telnet, especially from the Internet—it’s not secure,” Paul answered. “If you can use SSH, that’d be okay,” he said, naming a product that provides secure file transfers.

“Yeah. We have SSH. So what’s the IP address?”

Paul gave him the IP address, and when Andrew asked, “and what username and password can I use,” Paul gave him those, as well.

Analyzing the Con

Of course that phone call might really have come from the database manufacturer. But then the story wouldn’t belong in this book.

The social engineer here influenced the victim by creating a sense of fear that critical data might be lost, and offered an immediate solution that would resolve the problem.

Also, when a social engineer targets someone who knows the value of the information, he needs to come up with very convincing and persuasive arguments for giving remote access. Sometimes he needs to add the element of urgency so the victim is distracted by the need to rush, and complies before he has had a chance to give much thought to the request.

THE NEW GIRL

What kind of information in your company’s files might an attacker want to gain access to? Sometimes it can be something you didn’t think you needed to protect at all.

Sarah’s Call

“Human Resources, this is Sarah.”

“Hi, Sarah. This is George, in the parking garage. You know the access card you use to get into the parking garage and elevators? Well, we had a problem and we need to reprogram the cards for all the new hires from the last fifteen days.”

“So you need their names?”

“And their phone numbers.”

“I can check our new hire list and call you back. What’s your phone number?”

“I’m at 73 ... Uh, I’m going on break, how about if I call you back in a half-hour?”

“Oh. Okay.”

When he called back, she said:

“Oh, yes. Well, there’s just two. Anna Myrtle, in Finance, she’s a secretary. And that new VP, Mr. Underwood.”

“And the
