The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [17]

employees that seem innocuous, but could lead to information that is sensitive. Though you’d never give out the access codes for your ATM card, would you tell somebody what server you use to develop company software products? Could that information be used by a person pretending to be somebody who has legitimate access to the corporate network?

• Sometimes just knowing inside terminology can make the social engineer appear authoritative and knowledgeable. The attacker often relies on this common misconception to dupe his or her victims into compliance. For example, a Merchant ID is an identifier that people in the New Accounts department of a bank casually use every day. But such an identifier is exactly the same as a password. If each and every employee understands the nature of this identifier—that it is used to positively authenticate a requestor—they might treat it with more respect.

• No companies—well, very few, at least—give out the direct-dial phone numbers of their CEO or board chairman. Most companies, though, have no concern about giving out phone numbers to most departments and workgroups in the organization—especially to someone who is, or appears to be, an employee. A possible countermeasure: Implement a policy that prohibits giving internal phone numbers of employees, contractors, consultants, and temps to outsiders. More importantly, develop a step-by-step procedure to positively identify whether a caller asking for phone numbers is really an employee.

Mitnick Message

As the old adage goes—even real paranoids probably have enemies. We must assume that every business has its enemies, too—attackers that target the network infrastructure to compromise business secrets. Don’t end up being a statistic on computer crime—it’s high time to shore up the necessary defenses by implementing proper controls through well-thought-out security policies and procedures.

• Accounting codes for workgroups and departments, as well as copies of the corporate directory (whether hard copy, data file, or electronic phone book on the intranet) are frequent targets of social engineers. Every company needs a written, well-publicized policy on disclosure of this type of information. The safeguards should include maintaining an audit log that records instances when sensitive information is disclosed to people outside of the company.

• Information such as an employee number, by itself, should not be used as any sort of authentication. Every employee must be trained to verify not just the identity of a requestor, but also the requestor’s need to know.

• In your security training, consider teaching employees this approach: Whenever asked a question or asked for a favor by a stranger, learn first to politely decline until the request can be verified. Then—before giving in to the natural desire to be Mr. or Ms. Helpful—follow company policies and procedures with respect to verification and disclosure of nonpublic information. This style may go against our natural tendency to help others, but a little healthy paranoia may be necessary to avoid being the social engineer’s next dupe.

As the stories in this chapter have shown, seemingly innocuous information can be the key to your company’s most prized secrets.

Chapter 3

The Direct Attack: Just Asking for It

Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.

But I always find it striking that a skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.

AN MLAC QUICKIE

Want to know someone’s unlisted phone number? A social engineer can tell you half a dozen ways (and you’ll find some of them described in other stories in these pages), but probably the simplest scenario is one that uses a single phone call, like this one.

Number, Please

The attacker dialed the private phone company number for the MLAC, the Mechanized
