The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [55]
Making it too easy for outsiders to talk their way into your facilities endangers your company’s sensitive information. In today’s climate, with the threat of terrorist attacks hanging over our society, it’s more than just information that could be at risk.
“DO IT NOW”
Not everyone who uses social engineering tactics is a polished social engineer. Anybody with an insider’s knowledge of a particular company can turn dangerous. The risk is even greater for any company that holds in its files and databases any personal information about its employees, which, of course, most companies do.
When workers are not educated or trained to recognize social engineering attacks, determined people like the jilted lady in the following story can do things that most honest people would think impossible.
Doug’s Story
Things hadn’t been going all that well with Linda anyway, and I knew as soon as I met Erin that she was the one for me. Linda is, like, a little bit ... well, sort of not exactly unstable but she can sort of go off the deep end when she gets upset.
I told her as gentle as I could that she had to move out, and I helped her pack and even let her take a couple of the Queensryche CDs that were really mine. As soon as she was gone I went to the hardware store for a new Medico lock to put on the front door and put it on that same night. The next morning I called the phone company and had them change my phone number, and made it unpublished.
That left me free to pursue Erin.
Linda’s Story
I was ready to leave, anyway, I just hadn’t decided when. But nobody likes to feel rejected. So it was just a question of, what could I do to let him know what a jerk he was?
It didn’t take long to figure out. There had to be another girl, otherwise he wouldn’t of sent me packing in such a hurry. So I’d just wait a bit and then start calling him late in the evening. You know, around the time they would least want to be called.
I waited till the next weekend and called around 11 o’clock on Saturday night. Only he had changed his phone number. And the new number was unlisted. That just shows what kind of SOB the guy was.
It wasn’t that big of a setback. I started rummaging through the papers I had managed to take home just before I left my job at the phone company. And there it was—I had saved a repair ticket from once when there was a problem with the telephone line at Doug’s, and the printout listed the cable and pair for his phone. See, you can change your phone number all you want, but you still have the same pair of copper wires running from your house to the telephone company switching office, called the Central Office, or CO. The set of copper wires from every house and apartment is identified by these numbers, called the cable and pair. And if you know how the phone company does things, which I do, knowing the target’s cable and pair is all you need to find out the phone number.
I had a list giving all the COs in the city, with their addresses and phone numbers. I looked up the number for the CO in the neighborhood where I used to live with Doug the jerk, and called, but naturally nobody was there. Where’s the switchman when you really need him? Took me all of about twenty seconds to come up with a plan. I started calling around to the other COs and finally located a guy. But he was miles away and he was probably sitting there with his feet up. I knew he wouldn’t want to do what I needed. I was ready with my plan.
“This is Linda, Repair Center,” I said. “We have an emergency. Service for a paramedic unit has gone down. We have a field tech trying to restore service but he can’t find the problem. We need you to drive over to the Webster CO immediately and see if we have