The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [30]

but obvious question of why they wanted the information. In this case he could only think of two reasons. Maybe they represented some outfit that was interested in buying the target company, Starboard Shipbuilding, and wanted to know what kind of financial shape they were really in—especially all the stuff the target might want to keep hidden from a potential buyer. Or maybe they represented investors who thought there was something fishy about the way the money was being handled and wanted to find out whether some of the executives had a case of hands-in-the-cookie-jar.

And maybe his client also didn’t want to tell him the real reason because, if Bobby knew how valuable the information was, he’d probably want more money for doing the job.

There are a lot of ways to crack into a company’s most secret files. Bobby spent a few days mulling over the choices and doing a little checking around before he decided on a plan. He settled on one that called for an approach he especially liked, where the target is set up so that he asks the attacker for help.

For starters, Bobby picked up a $39.95 prepaid cell phone at a convenience store. He placed a call to the man he had chosen as his target, passed himself off as being from the company help desk, and set things up so the man would call Bobby’s cell phone any time he found a problem with his network connection.

He left a pause of two days so as not to be too obvious, and then made a call to the network operations center (NOC) at the company. He claimed he was trouble-shooting a problem for Tom, the target, and asked to have Tom’s network connection disabled. Bobby knew this was the trickiest part of the whole escapade—in many companies, the help desk people work closely with the NOC; in fact, he knew the help desk is often part of the IT organization. But the indifferent NOC guy he spoke with treated the call as routine, didn’t ask for the name of the help desk person who was supposedly working on the networking problem, and agreed to disable the target’s network port. When done, Tom would be totally isolated from the company’s intranet, unable to retrieve files from the server, exchange files with his coworkers, download his email, or even send a page of data to the printer. In today’s world, that’s like living in a cave.

As Bobby expected, it wasn’t long before his cell phone rang. Of course he made himself sound eager to help this poor “fellow employee” in distress. Then he called the NOC and had the man’s network connection turned back on. Finally, he called the man and manipulated him once again, this time making him feel guilty for saying no after Bobby had done him a favor. Tom agreed to the request that he download a piece of software to his computer.

Of course, what he agreed to wasn’t exactly what it seemed. The software that Tom was told would keep his network connection from going down was really a Trojan Horse, a software application that did for Tom’s computer what the original deception did for the Trojans: It brought the enemy inside the camp. Tom reported that nothing happened when he double-clicked on the software icon; the fact was that, by design, he couldn’t see anything happening, even though the small application was installing a secret program that would allow the infiltrator covert access to Tom’s computer.

With the software running, Bobby was provided with complete control over Tom’s computer, an arrangement known as a remote command shell. When Bobby accessed Tom’s computer, he could look for the accounting files that might be of interest and copy them. Then, at his leisure, he’d examine them for the information that would give his clients what they were looking for.

lingo

TROJAN HORSE: A program containing malicious or harmful code, designed to damage the victim’s computer or files, or obtain information from the victim’s computer or network. Some Trojans are designed to hide within the computer’s operating system and spy on every keystroke or action, or accept instructions over a network connection to perform some function, all without
