
The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [19]

he sneaked the key question in among the rest.

The answer was music to his ears: No, they weren’t tied into the NCIC, they only checked against the state’s Criminal Information Index (CII).

Mitnick Message

Savvy information swindlers have no qualms about ringing up federal, state, or local government officials to learn about the procedures of law enforcement. With such information in hand, the social engineer may be able to circumvent your company’s standard security checks.

That was all Frank needed to know. He didn’t have any record in that state, so he submitted his application, was hired for the job, and nobody ever showed up at his desk one day with the greeting, “These gentlemen are from the FBI and they’d like to have a little talk with you.”

ON THE DOORSTEP

In spite of the myth of the paperless office, companies continue to print out reams of paper every day. Information in print at your company may be vulnerable, even if you use security precautions and stamp it confidential.

Here’s one story that shows you how social engineers might obtain your most secret documents.

Loop-Around Deception

Every year the phone company publishes a volume called the Test Number Directory (or at least they used to, and because I am still on supervised release, I’m not going to ask if they still do). This document was highly prized by phone phreaks because it was packed with a list of all the closely guarded phone numbers used by company craftsmen, technicians, and others for things like trunk testing or checking numbers that always ring busy.

One of these test numbers, known in the lingo as a loop-around, was particularly useful. Phone phreaks used it as a way to find other phone phreaks to chat with, at no cost to them. Phone phreaks also used it as a way to create a callback number to give to, say, a bank. A social engineer would tell somebody at the bank the phone number to call to reach him at his office. When the bank called back to the test number (loop-around), the phone phreak would be able to receive the call, yet he had the protection of having used a phone number that could not be traced back to him.

A Test Number Directory provided a lot of neat information that could be used by any information-hungry phone phreak. So when the new directories were published each year, they were coveted by a lot of kids whose hobby was exploring the telephone network.

Mitnick Message

Security training with respect to company policy designed to protect information assets needs to be for everyone in the company, not just any employee who has electronic or physical access to the company’s IT assets.

Stevie’s Scam

Naturally phone companies don’t make these books easy to get hold of, so phone phreaks have to be creative to get one. How can they do this? An eager kid with a mind bent on acquiring the directory might enact a scenario like this.

Late one day, a mild evening in the southern California autumn, a guy I’ll call Stevie phones a small telephone company central office, which is the building from which phone lines run to all the homes and businesses in the established service area.

When the switchman on duty answers the call, Stevie announces that he’s from the division of the phone company that publishes and distributes printed materials. “We have your new Test Number Directory,” he says. “But for security reasons, we can’t deliver your copy until we pick up the old one. And the delivery guy is running late. If you wanna leave your copy just outside your door, he can swing by, pick up yours, drop the new one, and be on his way.”

The unsuspecting switchman seems to think that sounds reasonable. He does exactly as asked, putting out on the doorstep of the building his copy of the directory, its cover clearly marked in big red letters with the warning, “COMPANY CONFIDENTIAL—WHEN NO LONGER NEEDED, THIS DOCUMENT MUST BE SHREDDED.”

Stevie drives by and looks around carefully to spot any cops or phone company security people who might be lurking behind trees or watching for him from parked
