Online Book Reader


The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [117]

the law firm, would have certainly been notified of the breach. And the attackers would have lost an advantage: Professionals always like to leave an opening for future access, should the need arise.

Following a standard practice of industrial spies to keep something in the back pocket for future use, just in case, they also made a copy of the file containing the authorization list onto a floppy disk. None of them had any idea how it might ever prove useful, but it’s just one of those “We’re here, we might just as well” things that every now and then turns out to be valuable.

The next day, one of the same men called the storage company, used the name they had added to the authorization list, and gave the corresponding password. He asked for all the Jenkins and Petry tapes dated within the last month, and said that a messenger service would come by to pick up the package. By midafternoon, Andreeson had the tapes. His people restored all the data to their own computer system, ready to search at leisure. Andreeson was very pleased that the law firm, like most other businesses, didn’t bother encrypting their backup data.

The tapes were delivered back to the storage company the next day and no one was the wiser.

Analyzing the Con

Because of lax physical security, the bad guys were easily able to pick the lock of the storage company, gain access to the computer, and modify the database containing the list of people authorized to have access to the storage unit. Adding a name to the list allowed the imposters to obtain the computer backup tapes they were after, without having to break into the firm’s storage unit. Because most businesses don’t encrypt backup data, the information was theirs for the taking.

This incident provides one more example of how a vendor company that does not exercise reasonable security precautions can make it easy for an attacker to compromise their customer’s information assets.

Mitnick Message

Valuable information must be protected no matter what form it takes or where it is located. An organization’s customer list has the same value whether in hard-copy form or an electronic file at your office or in a storage box. Social engineers always prefer the easiest to circumvent, least defended point of attack. A company’s offsite backup storage facility is seen as having less risk of detection or getting caught. Every organization that stores any valuable, sensitive, or critical data with third parties should encrypt their data to protect its confidentiality.

THE NEW BUSINESS PARTNER

Social engineers have a big advantage over con men and grifters, and the advantage is distance. A grifter can only cheat you by being in your presence, allowing you to give a good description of him afterward or even call the cops if you catch on to the ruse early enough.

Social engineers ordinarily avoid that risk like the plague. Sometimes, though, the risk is necessary, and justified by the potential reward.

Jessica’s Story

Jessica Andover was feeling very good about getting a job with a hot-shot robotics company. Sure, it was only a start-up and they couldn’t pay very much, but it was small, the people were friendly, and there was the excitement of knowing her stock options just might turn out to make her rich. Okay, maybe not a millionaire like the company founders would be, but rich enough.

Which was how it happened that Rick Daggot got a glowing smile when he walked into the lobby that Tuesday morning in August. In his expensive-looking suit (Armani) and his heavy gold wrist-watch (a Rolex President), with his immaculate haircut, he had that same manly, self-confident air that had driven all the girls crazy when Jessica was in high school.

“Hi,” he said. “I’m Rick Daggot and I’m here for my meeting with Larry.”

Jessica’s smile faded. “Larry?” she said. “Larry’s on vacation all week.”

“I have an appointment with him at one o’clock. I just flew in from Louisville to meet with him,” Rick said, as he drew out his Palm, turned it on, and showed her.

She looked at it and gave a small
