The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [40]
He said, “If you read me the names, maybe I’ll recognize it.” So she did: “Barry, Joseph, and Gordon.”
“Joe. I’m pretty sure that was it,” he said. “And he was in ... which department?”
“Business Development.”
“Fine. Can you connect me, please?”
She put the call through. When Jones answered, the attacker said, “Mr. Jones? Hi, this is Tony in Payroll. We just put through your request to have your paycheck deposited directly to your credit union account.”
“WHAT???!!! You’ve got to be kidding. I didn’t make any request like that. I don’t even have an account at a credit union.”
“Oh, damn, I already put it through.”
Jones was more than a little upset at the idea that his paycheck might be going to someone else’s account, and he was beginning to think the guy on the other end of the phone must be a little slow. Before he could even reply, the attacker said, “I better see what happened. Payroll changes are entered by employee number. What’s your employee number?”
Jones gave the number. The caller said, “No, you’re right, the request wasn’t from you, then.” They get more stupid every year, Jones thought.
“Look, I’ll see it’s taken care of. I’ll put in a correction right now. So don’t worry—you’ll get your next paycheck okay,” the guy said reassuringly.
A Business Trip
Not long after, the system administrator in the company’s Austin, Texas, sales office received a phone call. “This is Joseph Jones,” the caller announced. “I’m in Business Development at corporate. I’ll be in town for the week, at the Driskill Hotel. I’d like to have you set me up with a temporary account so I can access my email without making a long distance call.”
“Let me get that name again, and give me your employee number,” the sys admin said. The false Jones gave the number and went on, “Do you have any high speed dial-up numbers?”
“Hold on, buddy. I gotta verify you in the database.” After a bit, he said, “Okay, Joe. Tell me, what’s your building number?” The attacker had done his homework and had the answer ready.
MITNICK MESSAGE
Don’t rely on network safeguards and firewalls to protect your information. Look to your most vulnerable spot. You’ll usually find that vulnerability lies in your people.
“Okay,” the sys admin told him, “you convinced me.”
It was as simple as that. The sys admin had verified the name Joseph Jones, the department, and the employee number, and “Joe” had given the right answer to the test question. “Your username’s going to be the same as your corporate one, jbjones,” the sys admin said, “and I’m giving you an initial password of ‘changeme.’”
Analyzing the Con
With a couple of phone calls and fifteen minutes of time, the attacker had gained access to the company’s wide area network. This was a company that, like many, had what I refer to as candy security, after a description first used by two Bell Labs researchers, Steven Bellovin and William Cheswick. They described such security as “a hard crunchy shell with a soft chewy center”—like an M&M candy. The outer shell, the firewall, Bellovin and Cheswick argued, is not sufficient protection, because once an intruder is able to circumvent it, the internal computer systems have soft, chewy security. Most of the time, they are inadequately protected.
This story fits the definition. With a dial-up number and an account, the attacker didn’t even have to bother trying to defeat an Internet firewall, and, once inside, he was easily able to compromise most of the systems on the internal network.
Through my sources, I understand a similar ruse was worked on one of the largest computer software manufacturers in the world. You would think the systems administrators in such a company would be trained to detect this type of ruse. But in my experience, nobody is completely safe if a social engineer is clever and persuasive enough.
LINGO
CANDY SECURITY A term coined by Bellovin and Cheswick of Bell Labs to describe a security scenario where the outer perimeter, such as a firewall, is strong, but the