The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [46]
Once logged into the temporary account, Danny was able to connect over the network to the Secure Communications Group’s computer systems. After an hour of on-line searching for a technical vulnerability that would give him access to a main development server, he hit the jackpot. Apparently the system or network administrator wasn’t vigilant in keeping up with the latest news on security bugs in the operating system that allowed remote access. But Danny was.
Within a short time he had located the source code files that he was after and was transferring them remotely to an e-commerce site that offered free storage space. On this site, even if the files were ever discovered, they would never be traced back to him.
He had one final step before signing off: the methodical process of erasing his tracks. He finished before the Jay Leno show had gone off the air for the night. Danny figured this had been one very good weekend’s work. And he had never had to put himself personally at risk. It was an intoxicating thrill, even better than snowboarding or skydiving.
Danny got drunk that night, not on scotch, gin, beer, or sake, but on his sense of power and accomplishment as he pored through the files he had stolen, closing in on the elusive, extremely secret radio software.
Analyzing the Con
As in the previous story, this ruse only worked because one company employee was all too willing to accept at face value that a caller was really the employee he claimed to be. That eagerness to help out a coworker with a problem is, on the one hand, part of what greases the wheels of industry, and part of what makes the employees of some companies more pleasant to work with than employees of others. But on the other hand, this helpfulness can be a major vulnerability that a social engineer will attempt to exploit.
One bit of manipulation Danny used was delicious: When he made the request that someone get his Secure ID from his desk, he kept saying he wanted somebody to “fetch” it for him. Fetch is a command you give your dog. Nobody wants to be told to fetch something. With that one word, Danny made it all the more certain the request would be refused and some other solution accepted instead, which was exactly what he wanted.
The Computer Center operator, Kowalski, was taken in by Danny dropping the names of people Kowalski happened to know. But why would Kowalski’s manager—an IT manager, no less—allow some stranger access to the company’s internal network? Simply because the call for help can be a powerful, persuasive tool in the social engineer’s arsenal.
Mitnick Message
This story goes to show that time-based tokens and similar forms of authentication are not a defense against the wily social engineer. The only defense is a conscientious employee who follows security policies and understands how others can maliciously influence his behavior.
Could something like that ever happen in your company? Has it already?
PREVENTING THE CON
It seems to be an often-repeated element in these stories that an attacker arranges to dial in to a computer network from outside the company, without the person who helps him taking sufficient measures to verify that the caller is really an employee and entitled to the access. Why do I return to this theme so often? Because it truly is a factor in so many social engineering attacks. For the social engineer, it’s the easiest way to reach his goal. Why should an attacker spend hours trying to break in, when he can do it instead with a simple phone call?
One of the most powerful methods for the social engineer to carry out this kind of attack is the simple ploy of pretending to need help—an approach frequently used by attackers. You don’t want to stop your employees from being helpful