Online Book Reader


The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [42]

attacks. Every computer system in the world has at least one human that uses it. So, if the attacker is able to manipulate people who use the systems, the obscurity of the system is irrelevant.

There was no need to verify or identify oneself, no need to give an employee number, no need for a password that was changed daily. If you knew the number to call and you sounded authentic, then you must be entitled to the information.

That was not a very solid assumption on the part of the telephone company. Their only effort at security was to change the phone number on a periodic basis, at least once a year. Even so, the current number at any particular moment was very widely known among phone phreaks, who delighted in taking advantage of this convenient source of information, and in sharing the how-to-do-it with their fellow phreaks. The CNA Bureau trick was one of the first things I learned when I was introduced to the hobby of phone phreaking as a teenager.

Throughout the world of business and government, speakeasy security is still prevalent. It’s likely that any semiskilled intruder can pass himself off as an authorized person just by putting together enough information about your company’s departments, people, and lingo. Sometimes less than that: Sometimes an internal phone number is all it takes.

THE CARELESS COMPUTER MANAGER

Though many employees in organizations are negligent, unconcerned, or unaware of security dangers, you’d expect someone with the title of manager in the computer center of a Fortune 500 corporation to be thoroughly knowledgeable about best security practices, right?

You would not expect a computer center manager—someone who is part of his company’s Information Technology department—to fall victim to a simplistic and obvious social engineering con game. Especially not if the social engineer is hardly more than a kid, barely out of his teens. But sometimes your expectations can be wrong.

Tuning In

Years ago it was an amusing pastime for many people to keep a radio tuned to the local police or fire department frequencies, listening in on the occasional highly charged conversations about a bank robbery in progress, an office building on fire, or a high-speed chase as the event unfolded. The radio frequencies used by law enforcement agencies and fire departments used to be available in books at the corner bookstore; today they’re provided in listings on the Web, and from a book you can buy at Radio Shack—frequencies for local, county, state, and, in some cases, even federal agencies.

Of course, it wasn’t just the curious who were listening in. Crooks robbing a store in the middle of the night could tune in to hear if a police car was being dispatched to the location. Drug dealers could keep a check on activities of the local Drug Enforcement Agency agents. An arsonist could enhance his sick pleasure by lighting a blaze and then listening to all the radio traffic while firemen struggled to put it out.

Over recent years developments in computer technology have made it possible to encrypt voice messages. As engineers found ways to cram more and more computing power onto a single microchip, they began to build small, encrypted radios for law enforcement that kept the bad guys and the curious from listening in.

Danny the Eavesdropper

A scanner enthusiast and skilled hacker we’ll call Danny decided to see if he couldn’t find a way to get his hands on the super-secret encryption software—the source code—from one of the top manufacturers of secure radio systems. He was hoping a study of the code would enable him to learn how to eavesdrop on law enforcement, and possibly also use the technology so that even the most powerful government agencies would find it difficult to monitor his conversations with his friends.

The Dannys of the shadowy world of hackers belong to a special category that falls somewhere in between the merely-curious-but-entirely-benign and the dangerous. Dannys have the knowledge of the expert, combined with the mischievous hacker’s desire to break into systems
