The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick
Ask yourself: How sure am I that I would never fall for a story like Rick’s? If you’re sure you wouldn’t, ask yourself whether anyone has ever put anything over on you. If the answer to this second question is yes, it’s probably the correct answer to the first question, as well.
LEAPFROG
A challenge: The following story does not involve industrial espionage. As you read it, see if you can understand why I decided to put it in this chapter!
Harry Tardy was back living at home, and he was bitter. The Marine Corps had seemed like a great escape until he washed out of boot camp. Now he had returned to the hometown he hated, was taking computer courses at the local community college, and looking for a way to strike out at the world.
Finally he hit upon a plan. Over beers with a guy in one of his classes, he’d been complaining about their instructor, a sarcastic know-it-all, and together they cooked up a wicked scheme to burn the guy: They’d grab the source code for a popular personal digital assistant (PDA) and have it sent to the instructor’s computer, and make sure to leave a trail so the company would think the instructor was the bad guy.
The new friend, Karl Alexander, said he “knew a few tricks” and would tell Harry how to bring this off. And get away with it.
Doing Their Homework
A little initial research showed Harry that the product had been engineered at the Development Center located at the PDA manufacturer’s headquarters overseas. But there was also an R&D facility in the United States. That was good, Karl pointed out, because for the attempt to work there had to be some company facility in the United States that also needed access to the source code.
At that point Harry was ready to call the overseas Development Center. Here’s where a plea for sympathy came in, the “Oh, dear, I’m in trouble, I need help, please, please, help me.” Naturally the plea was a little more subtle than that. Karl wrote out a script, but Harry sounded completely phony trying to read it. In the end, he practiced with Karl so he could say what he needed to in a conversational tone.
What Harry finally said, with Karl sitting by his side, went something like this:
“I’m calling from R&D Minneapolis. Our server had a worm that infected the whole department. We had to install the operating system again and then when we went to restore from backup, none of the backups was any good. Guess who was supposed to be checking the integrity of the backups? Yours truly. So I’m getting yelled at by my boss, and management is up in arms that we’ve lost the data. Look, I need to have the latest revision of the source-code tree as quick as you can. I need you to gzip the source code and send it to me.”
At this point Karl scribbled him a note, and Harry told the man on the other end of the phone that he just wanted him to transfer the file internally, to Minneapolis R&D. This was highly important: When the man on the other end of the phone was clear that he was just being asked to send the file to another part of the company, his mind was at ease—what could be wrong with that?
LINGO
GZIP: To archive files in a single compressed file using a Linux GNU utility.
He agreed to gzip and send it. Step by step, with Karl at his elbow, Harry talked the man there through getting started on the procedure for compressing the huge source code into a single, compact file. He also gave him a file name to use on the compressed file, “newdata,” explaining that this name would avoid any confusion with their old, corrupted files.
Karl had to explain the next step twice before Harry got it, but it was central to the little game of leapfrog Karl had dreamed up. Harry was to call R&D Minneapolis and tell somebody there “I want to send a file to you, and then I want you to send it somewhere else for me”—of course all dressed up with reasons that would make it all sound