Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en).pdf

"DO IT NOW"

Not everyone who uses social engineering tactics is a polished social engineer. Anybody with an insider's knowledge of a particular company can turn dangerous. The risk is even greater for any company that holds in its files and databases any personal information about its employees, which, of course, most companies do.

When workers are not educated or trained to recognize social engineering attacks, determined people like the jilted lady in the following story can do things that most honest people would think impossible.

Doug's Story

Things hadn't been going all that well with Linda anyway, and I knew as soon as I met Erin that she was the one for me. Linda is, like, a little bit... well, sort of not exactly unstable but she can sort of go off the deep end when she gets upset.

I told her as gentle as I could that she had to move out, and I helped her pack and even let her take a couple of the Queensryche CDs that were really mine. As soon as she was gone I went to the hardware store for a new Medico lock to put on the front door and put it on that same night. The next morning I called the phone company and had them change my phone number, and made it unpublished.

That left me free to pursue Erin.

Linda's Story

I was ready to leave, anyway, I just hadn't decided when. But nobody likes to feel rejected. So it was just a question of, what could I do to let him know what a jerk he was?

It didn't take long to figure out. There had to be another girl, otherwise he wouldn't of sent me packing in such a hurry. So I'd just wait a bit and then start calling him late in the evening. You know, around the time they would least want to be called.

I waited till the next weekend and called around 11 o'clock on Saturday night. Only he had changed his phone number. And the new number was unlisted. That just shows what kind of SOB the guy was.

It wasn't that big of a setback. I started rummaging through the papers I had managed to take home just before I left my job at the phone company.

And there it was--I had saved a repair ticket from once when there was a problem with the telephone line at Doug's, and the printout listed the cable and pair for his phone. See, you can change your phone number all you want, but you still have the same pair of copper wires running from your house to the telephone company switching office, called the Central Office, or CO. The set of copper wires from every house and apartment is identified by these numbers, called the cable and pair. And if you know how the phone company does things, which I do, knowing the target's cable and pair is all you need to find out the phone number.

I had a list giving all the COs in the city, with their addresses and phone numbers. I looked up the number for the CO in the neighborhood where I used to live with Doug the jerk, and called, but naturally nobody was there. Where's the switchman when you really need him? Took me all of about twenty seconds to come up with a plan. I started calling around to the other COs and finally located a guy. But he was miles away and he was probably sitting there with his feet up. I knew he wouldn't want to do what I needed. I was ready with my plan.

"This is Linda, Repair Center," I said. "We have an emergency. Service for a paramedic unit has gone down. We have a field tech trying to restore service but he can't find the problem. We need you to drive over to the Webster CO immediately and see if we have dial tone leaving the central office."

And then I told him, "I'll call you when you get there," because of course I couldn't have him calling the Repair Center and asking for me.

I knew he wouldn't want to leave the comfort of the central office to bundle up and go scrape ice off his windshield and drive through the slush late at night. But it was an emergency, so he couldn't exactly say he was too busy.

When I reached him forty-five minutes later at the Webster CO, I told him to check cable 29 pair 2481, and he walked over to the frame and checked and said, Yes, there was dial tone. Which of course I already knew.

So then I said, "Okay, I need you to do an LV," which means line verification, which is asking him to identify the phone number. He does this by dialing a special number that reads back the number he called from. He doesn't know anything about if it's an unlisted number or that it's just been changed, so he did what I asked and I heard the number being announced over his lineman's test set. Beautiful. The whole thing had worked like a charm.

I told him, "Well, the problem must be out in the field," like I knew the number all along. I thanked him and told him we'd keep working on it, and said good night.

So much for that Doug and trying to hide from me behind an unlisted number. The fun was about to begin.

MITNICK MESSAGE

Once a social engineer knows how things work inside the targeted company, it becomes easy to use that knowledge to develop rapport with legitimate employees. Companies need to prepare for social engineering attacks from current or former employees who may have an axe to grind. Background checks may be helpful to weed out prospects who may have a propensity toward this type of behavior. But in most cases, these people will be extremely difficult to detect. The only reasonable safeguard in these cases is to enforce and audit procedures for verifying identity, including the person's employment status, prior to disclosing any information to anyone not personally known to still be with the company.

Analyzing the Con

The young lady in this story was able to get the information she wanted to carry out her revenge because she had inside knowledge: the phone numbers, procedures, and lingo of the telephone company. With it she was not only able to find out a new, unlisted phone number, but was able to do it in the middle of a wintry night, sending a telephone switchman chasing across town for her.

"MR. BIGG WANTS THIS"

A popular and highly effective form of intimidation--popular in large measure because it's so simple--relies on influencing human behavior by using authority.

Just the name of the assistant in the CEO's office can be valuable. Private investigators and even head-hunters do this all the time. They'll call the switchboard operator and say they want to be connected to the CEO's office. When the secretary or executive assistant answers, they'll say they have a document or package for the CEO, or if they send an email attachment, would she print it out? Or else they'll ask, what's the fax number? And by the way, what's your name?

Then they call the next person, and say, "Jeannie in Mr. Bigg's office told me to call you so you can help me with something."

The technique is called name-dropping, and it's usually used as a method to quickly establish rapport by influencing the target to believe that the attacker is connected with somebody in authority. A target is more likely to do a favor for someone who knows somebody he knows.

If the attacker has his eyes set on highly sensitive information, he may use this kind of approach to stir up useful emotions in the victim, such as fear of getting into trouble with his superiors. Here's an example.

Scott's Story

"Scott Abrams."

"Scott, this is Christopher Dalbridge. I just got off the phone with Mr. Biggley, and he's more than a little unhappy. He says he sent a note ten days ago that you people were to get copies of all your market penetration research over to us for analysis. We never got a thing."

"Market penetration research? Nobody said anything to me about it. What department are you in?"

"We're a consulting firm he hired, and we're already behind schedule."

"Listen, I'm just on my way to a meeting. Let me get your phone number and . . ."

The attacker now sounded just short of truly frustrated: "Is that what you want me to tell Mr. Biggley?! Listen, he expects our analysis by tomorrow morning and we have to work on it tonight. Now, do you want me to tell him we couldn't do it 'cause we couldn't get the report from you, or do you want to tell him that yourself?"

An angry CEO can ruin your week. The target is likely to decide that maybe this is something he better take care of before he goes into that meeting. Once again, the social engineer has pressed the right button to get the response he wanted.

Analyzing the Con

The ruse of intimidation by referencing authority works especially well if the other person is at a fairly low level in the company. The use of an important person's name not only overcomes normal reluctance or suspicion, but often makes the person eager to please; the natural instinct of wanting to be helpful is multiplied when you think that the person you're helping is important or influential.

The social engineer knows, though, that it's best when running this particular deceit to use the name of someone at a higher level than the person's own boss. And this gambit is tricky to use within a small organization: The attacker doesn't want his victim making a chance comment to the VP of marketing. "I sent out the product marketing plan you had that guy call me about," can too easily produce a response of "What marketing plan? What guy?" And that could lead to the discovery that the company has been victimized.

MITNICK MESSAGE

Intimidation can create a fear of punishment, influencing people to cooperate. Intimidation can also raise the fear of embarrassment or of being disqualified from that new promotion.

People must be trained that it's not only acceptable but expected to challenge authority when security is at stake. Information security training should include teaching people how to challenge authority in customer-friendly ways, without damaging relationships. Moreover, this expectation must be supported from the top down. If an employee is not going to be backed up for challenging people regardless of their status, the normal reaction is to stop challenging--just the opposite of what you want.

WHAT THE SOCIAL SECURITY ADMINISTRATION KNOWS ABOUT YOU

We like to think that government agencies with files on us keep the information safely locked away from people without an authentic need to know. The reality is that even the federal government isn't as immune to penetration as we would like to imagine.

May Linn’s Phone Call

Place: A regional office of the Social Security Administration

Time: 10:18 A.M., Thursday morning

"Mod Three. This is May Linn Wang."

The voice on the other end of the phone sounded apologetic, almost timid.

"Ms. Wang, this is Arthur Arondale, in the Office of the Inspector General. Can I call you 'May'?"

"It's 'May Linn'," she said.

"Well, it's like this, May Linn. We've got a new guy in here who there's no computer for yet, and right now he's got a priority project and he's using mine. We're the government of the United States, for cryin' out loud, and they say they don't have enough money in the budget to buy a computer for this guy to use. And now my boss thinks I'm falling behind and doesn't want to hear any excuses, you know?"