The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [85]
MITNICK MESSAGE
Allowing a stranger into an area where he can plug a laptop into the corporate network increases the risk of a security incident. It’s perfectly reasonable for an employee, especially one from offsite, to want to check his or her email from a conference room, but unless the visitor is established as a trusted employee or the network is segmented to prevent unauthorized connections, this may be the weak link that allows company files to be compromised.
Not until he actually broke into the computer system did he break the law.
SNOOPING ON KEVIN
Many years ago when I was working in a small business, I began to notice that each time I walked into the office that I shared with the three other computer people who made up the IT department, this one particular guy (Joe, I’ll call him here) would quickly toggle the display on his computer to a different window. I immediately recognized this as suspicious. When it happened two more times the same day, I was sure something was going on that I should know about. What was this guy up to that he didn’t want me to see?
Joe’s computer acted as a terminal to access the company’s minicomputers, so I installed a monitoring program on the VAX minicomputer that allowed me to spy on what he was doing. The program acted as if a TV camera was looking over his shoulder, showing me exactly what he was seeing on his computer.
My desk was next to Joe’s; I turned my monitor as best I could to partly mask his view, but he could have looked over at any moment and realized I was spying on him. Not a problem; he was too enthralled by what he was doing to notice.
What I saw made my jaw drop. I watched, fascinated, as the bastard called up my payroll data. He was looking up my salary!
I had only been there a few months at the time and I guessed Joe couldn’t stand the idea that I might have been making more than he was.
A few minutes later I saw that he was downloading hacker tools used by less experienced hackers who don’t know enough about programming to devise the tools for themselves. So Joe was clueless, and had no idea that one of America’s most experienced hackers was sitting right next to him. I thought it was hilarious.
He already had the information about my pay, so it was too late to stop him. Besides, any employee with computer access at the IRS or the Social Security Administration can look your salary up. I sure didn’t want to tip my hand by letting him know I’d found out what he was up to. My main goal at the time was maintaining a low profile, and a good social engineer doesn’t advertise his abilities and knowledge. You always want people to underestimate you, not see you as a threat.
So I let it go, and laughed to myself that Joe thought he knew some secret about me, when it was the other way around: I had the upper hand by knowing what he had been up to.
In time I discovered that all three of my coworkers in the IT group amused themselves by looking up the take-home pay of this or that cute secretary or (for the one girl in the group) neat-looking guy they had spotted. And they were all finding out the salary and bonuses of anybody at the company they were curious about, including senior management.
Analyzing the Con
This story illustrates an interesting problem. The payroll files were accessible to the people who had the responsibility of maintaining the company’s computer systems. So it all comes down to a personnel issue: deciding who can be trusted. In some cases, IT staff might find it irresistible to snoop around. And they have the ability to do so because their privileges let them bypass the access controls on those files.
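As an added illustration, not from the book, here is a small Python sketch of the kind of audit trail that stays useful even against the administrators it watches. Every record of access to a sensitive path is chained to the previous one with an HMAC, and the most recent chain value is periodically copied to a write-once location outside the administrators’ control. An administrator who edits or deletes a record breaks the chain; one who simply truncates the log is caught because the shipped anchor no longer appears in it. The key, user names and file paths are constructed for the demo; the key in particular is assumed to be held by a separate audit function, not by the IT staff being audited.

```python
import hashlib
import hmac
import json

# Constructed for the demo. In a real deployment this key is held by a separate
# security or audit function, never by the system administrators being audited.
AUDIT_KEY = b"demo-verification-key-not-held-by-sysadmins"

# Constructed path prefix for the files whose access should be reviewed.
SENSITIVE_PREFIXES = ("/finance/payroll/",)


def chain_mac(prev_mac: str, record: dict) -> str:
    """HMAC over the previous record's MAC plus this record: a hash chain."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


class AuditLog:
    GENESIS = "genesis"

    def __init__(self) -> None:
        self.entries: list[tuple[dict, str]] = []   # (record, mac) in append order
        self.shipped_tail = self.GENESIS           # last MAC copied off-host

    def record(self, user: str, action: str, path: str) -> None:
        rec = {"seq": len(self.entries), "user": user, "action": action, "path": path}
        prev = self.entries[-1][1] if self.entries else self.GENESIS
        self.entries.append((rec, chain_mac(prev, rec)))

    def ship_tail(self) -> None:
        """Simulate forwarding the current tail MAC to a write-once remote store."""
        self.shipped_tail = self.entries[-1][1] if self.entries else self.GENESIS

    def verify(self) -> tuple[bool, str]:
        """Recompute the chain and confirm the shipped anchor still lies on it."""
        prev = self.GENESIS
        seen = {self.GENESIS}
        for i, (rec, mac) in enumerate(self.entries):
            if rec.get("seq") != i or not hmac.compare_digest(mac, chain_mac(prev, rec)):
                return False, f"chain broken at entry {i}"
            seen.add(mac)
            prev = mac
        if self.shipped_tail not in seen:
            # Every record was individually valid, but the log was rolled back
            # to a point before the last shipment: entries were removed.
            return False, "shipped anchor missing: log truncated"
        return True, "ok"

    def sensitive_access(self) -> list[dict]:
        """Records that touched a sensitive path, for the reviewer's report."""
        return [rec for rec, _ in self.entries if rec["path"].startswith(SENSITIVE_PREFIXES)]


def demo() -> dict:
    """Constructed scenario: an admin reads a payroll file, then covers his tracks."""
    results = {}

    log = AuditLog()
    log.record("joe", "read", "/finance/payroll/kevin.dat")   # the snooping
    log.record("joe", "read", "/home/joe/tools.tgz")
    log.ship_tail()
    log.record("joe", "read", "/home/joe/notes.txt")           # later, legitimate
    results["clean"] = log.verify()
    results["sensitive_users"] = [r["user"] for r in log.sensitive_access()]

    # Joe has the privileges to edit the log file and deletes the payroll record.
    del log.entries[0]
    results["after_delete"] = log.verify()

    # A cleaner attempt: roll the whole log back to before the payroll read.
    log2 = AuditLog()
    log2.record("joe", "read", "/finance/payroll/kevin.dat")
    log2.ship_tail()
    del log2.entries[-1]
    results["after_truncate"] = log2.verify()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The chain only buys anything if the verification key and the shipped anchors live somewhere the audited administrators cannot reach; with the key on the same host, a privileged user can simply recompute the MACs after editing. Disabling the audit daemon outright is also visible here, because the gap shows up as a stretch with no shipped anchors.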
One safeguard would be to audit any access to particularly sensitive files, such as payroll. Of course, anyone with the requisite privileges could disable auditing or possibly remove any entries that would point back to them, but