The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [123]
“The guy at the R&D Center is the linchpin,” Karl explained. “He’s got to think he’s just doing a favor for a fellow employee here in the U.S., getting a file from you and then just forwarding it for you.”
Harry finally understood. He called the R&D Center, where he asked the receptionist to connect him to the Computer Center, where he asked to speak to a computer operator. A guy came on the line who sounded as young as Harry himself. Harry greeted him, explained he was calling from the Chicago fabricating division of the company and that he had this file he’d been trying to send to one of their partners working on a project with them, but, he said, “We’ve got this router problem and can’t reach their network. I’d like to transfer the file to you, and after you receive it, I’ll phone you so I can walk you through transferring it to the partner’s computer.”
So far, so good. Harry then asked the young man whether his computer center had an anonymous FTP account, a setup that allows anyone to transfer files in and out of a directory where no password is required. Yes, an anonymous FTP was available, and he gave Harry the internal Internet Protocol (IP) address for reaching it.
lingo
ANONYMOUS FTP A program that provides access to a remote computer even though you don’t have an account by using the File Transfer protocol (FTP). Although anonymous FTP can be accessed without a password, generally user-access rights to certain folders are restricted.
With that information in hand, Harry called back the Development Center overseas. By now the compressed file was ready, and Harry gave the instructions for transferring the file to the anonymous FTP site. In less than five minutes, the compressed source-code file was sent to the kid at the R&D Center.
Setting Up the Victim
Halfway to the goal. Now Harry and Karl had to wait to make sure the file had arrived before proceeding. During the wait, they walked across the room to the instructor’s desk and took care of two other necessary steps. They first set up an anonymous FTP server on his machine, which would serve as a destination for the file in the last leg of their scheme.
The second step provided a solution for an otherwise tricky problem. Clearly they couldn’t tell their man at the R&D Center to send the file to an address such as, say, warren@rms.ca.edu. The “.edu” domain would be a dead giveaway, since any half-awake computer guy would recognize it as the address of a school, immediately blowing the whole operation. To avoid this, they went into Windows on the instructor’s computer and looked up the machine’s IP address, which they would give as the address for sending the file.
By then it was time to call back the computer operator at the R&D Center. Harry got him on the phone and said, “I just transferred the file that I talked to you about. Can you check that you received it?” Yes, it had arrived. Harry then asked him to try forwarding it, and gave him the IP address. He stayed on the phone while the young man made the connection and started transmitting the file, and they watched with big grins from across the room as the light on the hard drive of the instructor’s computer blinked and blinked—busy receiving the download.
Harry exchanged a couple of remarks with the guy about how maybe one day computers and peripherals would be more reliable, thanked him and said good-bye.
The two copied the file from the instructor’s machine onto a pair of Zip disks, one for each of them, just so they could look at it later, like stealing a painting from a museum that you can enjoy yourself but don’t dare show to your