The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [57]

penetration research? Nobody said anything to me about it. What department are you in?”

“We’re a consulting firm he hired, and we’re already behind schedule.”

“Listen, I’m just on my way to a meeting. Let me get your phone number and ...”

The attacker now sounded just short of truly frustrated: “Is that what you want me to tell Mr. Biggley?! Listen, he expects our analysis by tomorrow morning and we have to work on it tonight. Now, do you want me to tell him we couldn’t do it ‘cause we couldn’t get the report from you, or do you want to tell him that yourself?”

An angry CEO can ruin your week. The target is likely to decide that this is something he had better take care of before he goes into that meeting. Once again, the social engineer has pressed the right button to get the response he wanted.

Analyzing the Con

The ruse of intimidation by referencing authority works especially well if the other person is at a fairly low level in the company. The use of an important person’s name not only overcomes normal reluctance or suspicion, but often makes the person eager to please; the natural instinct of wanting to be helpful is multiplied when you think that the person you’re helping is important or influential.

The social engineer knows, though, that it’s best when running this particular deceit to use the name of someone at a higher level than the person’s own boss. And this gambit is tricky to use within a small organization: The attacker doesn’t want his victim making a chance comment to the VP of marketing. “I sent out the product marketing plan you had that guy call me about,” can too easily produce a response of “What marketing plan? What guy?” And that could lead to the discovery that the company has been victimized.

MITNICK MESSAGE

Intimidation can create a fear of punishment, influencing people to cooperate. Intimidation can also raise the fear of embarrassment or of being disqualified from that new promotion.

People must be trained that it’s not only acceptable but expected to challenge authority when security is at stake. Information security training should include teaching people how to challenge authority in customer-friendly ways, without damaging relationships. Moreover, this expectation must be supported from the top down. If an employee is not going to be backed up for challenging people regardless of their status, the normal reaction is to stop challenging—just the opposite of what you want.

WHAT THE SOCIAL SECURITY ADMINISTRATION KNOWS ABOUT YOU

We like to think that government agencies with files on us keep the information safely locked away from people without an authentic need to know. The reality is that even the federal government isn’t as immune to penetration as we would like to imagine.

May Linn’s Phone Call

Place: A regional office of the Social Security Administration

Time: 10:18 A.M., Thursday morning

“Mod Three. This is May Linn Wang.”

The voice on the other end of the phone sounded apologetic, almost timid.

“Ms. Wang, this is Arthur Arondale, in the Office of the Inspector General. Can I call you ‘May’?”

“It’s ‘May Linn’,” she said.

“Well, it’s like this, May Linn. We’ve got a new guy in here who there’s no computer for yet, and right now he’s got a priority project and he’s using mine. We’re the government of the United States, for cryin’ out loud, and they say they don’t have enough money in the budget to buy a computer for this guy to use. And now my boss thinks I’m falling behind and doesn’t want to hear any excuses, you know?”

“I know what you mean, all right.”

“Can you help me with a quick inquiry on MCS?” he asked, using the name of the computer system for looking up taxpayer information.

“Sure, what’cha need?”

“The first thing I need you to do is an alphadent on Joseph Johnson, DOB 7/4/69.” (Alphadent means to have the computer search for an account alphabetically by taxpayer name, further identified by date of birth.)

After a brief pause, she asked:

“What do you need to know?”

“What’s his account
