The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [124]
Karl then talked Harry through the steps of removing the FTP server from the instructor’s machine, and erasing the audit trail so there would be no evidence of what they had done—only the stolen file, left where it could be located easily.
As a final step, they posted a section of the source code on Usenet directly from the instructor’s computer. Only a section, so they wouldn’t do any great damage to the company, but leaving clear tracks directly back to the instructor. He would have some difficult explaining to do.
Analyzing the Con
Although it took the combination of a number of elements to make this escapade work, it could not have succeeded without some skillful play-acting of an appeal for sympathy and help: I’m getting yelled at by my boss, and management is up in arms, and so on. That, combined with a pointed explanation of how the man on the other end of the phone could help solve the problem, proved to be a powerfully convincing con. It worked here, and has worked many other times.
The second crucial element: The man who understood the value of the file was asked to send it to an address within the company.
And the third piece of the puzzle: The computer operator could see that the file had been transferred to him from within the company. That could only mean—or so it seemed—that the man who sent it to him could himself have sent it on to the final destination if only his external network connection had been working. What could possibly be wrong with helping him out by sending it for him?
But what about having the compressed file assigned a different name? Seemingly a small item, but an important one. The attacker couldn’t afford taking a chance of the file arriving with a name identifying it as source code, or a name related to the product. A request to send a file with a name like that outside the company might have set off alarm bells. Having the file relabeled with an innocuous name was crucial. As worked out by the attackers, the second young man had no qualms about sending the file outside the company; a file with a name like newdata, giving no clue as to the true nature of the information, would hardly make him suspicious.
Finally, did you figure out what this story is doing in a chapter on industrial espionage? If not, here’s the answer: What these two students did as a malicious prank could just as easily have been done by a professional industrial spy, perhaps in the pay of a competitor, or perhaps in the pay of a foreign government. Either way, the damage could have been devastating to the company, severely eroding the sales of their new product once the competitive product reached the market.
mitnick message
The underlying rule that every employee should have firmly planted in his or her brain: Except with management approval, don’t transfer files to people you don’t personally know, even if the destination appears to be within your company’s internal network.
How easily could the same type of attack be carried out against your company?
PREVENTING THE CON
Industrial espionage, which has long been a challenge to businesses, has now become the bread and butter of traditional spies who have focused their efforts on obtaining company secrets for a price, now that the Cold War has ended. Foreign governments and corporations are now using freelance industrial spies to steal information. Domestic companies also hire information brokers who cross the line in their efforts to obtain competitive intelligence. In many cases these are former military spies turned industrial information brokers who have the prerequisite knowledge and experience to easily exploit organizations, especially those that have failed to deploy safeguards to protect their information and educate their people.
Safety Off-Site
What could have helped the company that ran into problems with their off-site storage facility? The danger here could have been avoided