The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [121]
For infiltrating the company, the man who called himself Rick Daggot knew he had to project an image of confidence and competence, backed by a thorough knowledge of the company’s product and industry.
Not much difficulty laying his hands on the information he needed in advance. He devised an easy ruse to find out when the CEO would be away. A small challenge, but still not very tough, was finding out enough details about the project that he could sound “on the inside” about what they were doing. Often this information is known to various company suppliers, as well as investors, venture capitalists they’ve approached about raising money, their banker, and their law firm. The attacker has to take care, though: Finding someone who will part with insider knowledge can be tricky, but trying two or three sources to turn up someone who can be squeezed for information runs the risk that people will catch on to the game. That way lies danger. The Rick Daggots of the world need to pick carefully and tread each information path only once.
The lunch was another sticky proposition. First there was the problem of arranging things so he’d have a few minutes alone with each person, out of earshot of the others. He told Jessica 12:30 but booked the table for 1 P.M., at an upscale, expense-account type of restaurant. He hoped that would mean they’d have to have drinks at the bar, which is exactly what happened. A perfect opportunity to move around and chat with each individual.
Still, there were so many ways that a misstep—a wrong answer or a careless remark—could reveal Rick to be an imposter. Only a supremely confident and wily industrial spy would dare take a chance of exposing himself that way. But years of working the streets as a confidence man had built Rick’s abilities and given him the confidence that, even if he made a slip, he’d be able to cover it up well enough to quiet any suspicions. This was the most challenging, most dangerous time of the entire operation, and the elation he felt at bringing off a sting like this made him realize why he didn’t have to drive fast cars or skydive or cheat on his wife—he got plenty of excitement just doing his job. How many people, he wondered, could say as much?
Mitnick Message
While most social engineering attacks occur over the telephone or email, don’t assume that a bold attacker will never appear in person at your business. In most cases, the imposter uses some form of social engineering to gain access to a building after counterfeiting an employee badge using a commonly available software program such as Photoshop.
What about the business cards with the phone company test line? The television show The Rockford Files, which was a series about a private investigator, illustrated a clever and somewhat humorous technique. Rockford (played by actor James Garner) had a portable business card printing machine in his car, which he used to print out a card appropriate to whatever the occasion called for. These days, a social engineer can get business cards printed in an hour at any copy store, or print them on a laser printer.
Note
John Le Carré, author of The Spy Who Came in from the Cold, A Perfect Spy, and many other remarkable books, grew up as the son of a polished, engaging lifelong con man. Le Carré was struck as a kid to discover that, successful as his father was in deceiving others, he was also gullible, a victim more than once to another con man or woman. Which just goes to show that everyone is at risk of being taken in by a social engineer, even another social engineer.
What leads a group of smart men and women to accept an imposter? We size up a situation by both instinct and intellect. If the story adds up—that’s the intellect part—and a con man manages to project