
The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [73]

from Nortel, the manufacturer of the DMS-100, one of the most widely used commercial telephone switches. He said, “Can you please transfer me to one of the switch technicians that works on the DMS-100?”

When he reached the technician, he claimed to be with the Nortel Technical Assistance Support Center in Texas, and explained that they were creating a master database to update all switches with the latest software upgrades. It would all be done remotely—no need for any switch technician to participate. But they needed the dial-in number to the switch so that they could perform the updates directly from the Support Center.

It sounded completely plausible, and the technician gave Eric the phone number. He could now dial directly into one of the state’s telephone switches.

To defend against outside intruders, commercial switches of this type are password-protected, just like every corporate computer network. Any good social engineer with a phone-phreaking background knows that Nortel switches provide a default account name for software updates: NTAS (the abbreviation for Nortel Technical Assistance Support; not very subtle). But what about a password? Eric dialed in several times, each time trying one of the obvious and commonly used choices. Entering the same as the account name, NTAS, didn’t work. Neither did “helper.” Nor did “patch.”

Then he tried “update” ... and he was in. Typical. Using an obvious, easily guessed password is only very slightly better than having no password at all.

It helps to be up to speed in your field; Eric probably knew as much about that switch and how to program and troubleshoot it as the technician. Once he was able to access the switch as an authorized user, he would gain full control over the telephone lines that were his target. From his computer, he queried the switch for the phone number he had been given for law enforcement calls to the DMV, 555-6127. He found there were nineteen other phone lines into the same department. Obviously they handled a high volume of calls.

For each incoming call, the switch was programmed to “hunt” through the twenty lines until it found one that wasn’t busy.

He picked line number eighteen in the sequence, and entered the code that added call forwarding to that line. For the call-forwarding number, he entered the phone number of his new, cheap, prepaid cell phone, the kind that drug dealers are so fond of because they’re inexpensive enough to throw away after the job is over.

With call forwarding now activated on the eighteenth line, as soon as the office got busy enough to have seventeen calls in progress, the next call to come in would not ring in the DMV office but would instead be forwarded to Eric’s cell phone. He sat back and waited.

A Call to DMV

Shortly before 8 o’clock that morning, the cell phone rang. This part was the best, the most delicious. Here was Eric, the social engineer, talking to a cop, someone with the authority to come and arrest him, or get a search warrant and conduct a raid to collect evidence against him.

And not just one cop would call, but a string of them, one after another. On one occasion, Eric was sitting in a restaurant having lunch with friends, fielding a call every five minutes or so, writing the information on a paper napkin using a borrowed pen. He still finds this hilarious.

But talking to police officers doesn’t faze a good social engineer in the least. In fact, the thrill of deceiving these law enforcement agencies probably added to Eric’s enjoyment of the act.

According to Eric, the calls went something like this:

“DMV, may I help you?”

“This is Detective Andrew Cole.”

“Hi, detective. What can I do for you today?”

“I need a Soundex on driver’s license 005602789,” he might say, using the term familiar in law enforcement to ask for a photo—useful, for example, when officers are going out to arrest a suspect and want to know what he looks like.

“Sure, let me bring up the record,” Eric would say. “And, Detective Cole, what’s your agency?”

“Jefferson County.” And then Eric would ask the hot questions:
