Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en).pdf

In particular, people such as database administrators who work with software belong to that category of those with technology expertise, and they need to operate under special and very restrictive rules about verifying the identity of people who call them for information or advice.

People who regularly provide any kind of computer help need to be well trained in what kinds of requests should be red flags, suggesting that the caller may be attempting a social engineering attack.

It's worth noting, though, that from the perspective of the database administrator in the last story in this chapter, the caller met the criteria for being legitimate: He was calling from on campus, and he was obviously on a site that required an account name and password. This just makes clear once again the importance of having standardized procedures for verifying the identity of anybody requesting information, especially in a case like this where the caller was asking for help in obtaining access to confidential records.

All of this advice goes double for colleges and universities. It's not news that computer hacking is a favorite pastime for many college students, and it should also be no surprise that student records--and sometimes faculty records, as well--are a tempting target. This abuse is so rampant that some corporations actually consider campuses a hostile environment, and create firewall rules that block access from educational institutions with addresses that end in .edu.

The long and short of it is that all student and personnel records of any kind should be seen as prime targets of attack, and should be well protected as sensitive information.

Training Tips

Most social engineering attacks are ridiculously easy to defend against...

for anyone who knows what to be on the lookout for.

From the corporate perspective, there is a fundamental need for good training. But there is also a need for something else: a variety of ways to remind people of what they've learned.

Use splash screens that appear when the user's computer is turned on, with a different security message each day. The message should be designed so that it does not disappear automatically, but requires the user to click on some kind of acknowledgement that he/she has read it.

Another approach I recommend is to start a series of security reminders. Frequent reminder messages are important; an awareness program needs to be ongoing and never-ending. In delivering content, the reminders should not be worded the same in every instance. Studies have shown that these messages are more effectively received when they vary in wording or when used in different examples.

One excellent approach is to use short blurbs in the company newsletter. This should not be a full column on the subject, although a security column would certainly be valuable. Instead, design a two- or three-column-wide insert, something like a small display ad in your local newspaper. In each issue of the newsletter, present a new security reminder in this short, attention-catching way.

Chapter 9

The Reverse Sting

The Sting, mentioned elsewhere in this book (and in my opinion probably the best movie that's ever been made about a con operation), lays out its tricky plot in fascinating detail. The sting operation in the movie is an exact depiction of how top grifters run "the wire," one of the three types of major swindles referred to as "big cons." If you want to know how a team of professionals pulls off a scam raking in a great deal of money in a single evening, there's no better textbook.

But traditional cons, whatever their particular gimmick, run according to a pattern. Sometimes a ruse is worked in the opposite direction, which is called a reverse sting. This is an intriguing twist in which the attacker sets up the situation so that the victim calls on the attacker for help, or believes a co-worker has made a request to which the attacker is merely responding.

How does this work? You're about to find out.

LINGO

REVERSE STING A con in which the person being attacked asks the attacker for help

THE ART OF FRIENDLY PERSUASION

When the average person conjures up the picture of a computer hacker, what usually comes to mind is the uncomplimentary image of a lonely, introverted nerd whose best friend is his computer and who has difficulty carrying on a conversation, except by instant messaging. The social engineer, who often has hacker skills, also has people skills at the opposite end of the spectrum--well-developed abilities to use and manipulate people that allow him to talk his way into getting information in ways you would never have believed possible.

Angela's Caller

Place: Valley branch, Industrial Federal Bank.

Time: 11:27 A.M.

Angela Wisnowski answered a phone call from a man who said he was just about to receive a sizeable inheritance and he wanted information on the different types of savings accounts, certificates of deposit, and whatever other investments she might be able to suggest that would be safe, but earn decent interest. She explained there were quite a number of choices and asked if he'd like to come in and sit down with her to discuss them. He was leaving on a trip as soon as the money arrived, he said, and had a lot of arrangements to make. So she began suggesting some of the possibilities and giving him details of the interest rates, what happens if you sell a CD early, and so on, while trying to pin down his investment goals.

She seemed to be making progress when he said, "Oh, sorry, I've got to take this other call. What time can I finish this conversation with you so I can make some decisions? When do you leave for lunch?" She told him 12:30 and he said he'd try to call back before then or the following day.

Louis’s Caller

Major banks use internal security codes that change every day. When somebody from one branch needs information from another branch, he proves he's entitled to the information by demonstrating he knows the day's code. For an added degree of security and flexibility, some major banks issue multiple codes each day. At a West Coast outfit I'll call Industrial Federal Bank, each employee finds a list of five codes for the day, identified as A through E, on his or her computer each morning.

Place: Same.

Time: 12:48 P.M., same day.

Louis Halpburn didn't think anything of it when a call came in that afternoon, a call like others he handled regularly several times a week.

"Hello," the caller said. "This is Neil Webster. I'm calling from branch 3182 in Boston. Angela Wisnowski, please."

"She's at lunch. Can I help?"

"Well, she left a message asking us to fax some information on one of our customers."

The caller sounded like he had been having a bad day.

"The person who normally handles those requests is out sick," he said. "I've got a stack of these to do, it's almost 4 o'clock here and I'm supposed to be out of this place to go to a doctor's appointment in half an hour."

The manipulation--giving all the reasons why the other person should feel sorry for him--was part of softening up the mark. He went on, "Whoever took her phone message, the fax number is unreadable. It's 213-something. What's the rest?"

Louis gave the fax number, and the caller said, "Okay, thanks. Before I can fax this, I need to ask you for Code B."

"But you called me," he said with just enough chill so the man from Boston would get the message.

This is good, the caller thought. It's so cool when people don't fall over at the first gentle shove. If they don't resist a little, the job is too easy and I could start getting lazy.

To Louis, he said, "I've got a branch manager that's just turned paranoid about getting verification before we send anything out, is all. But listen, if you don't need us to fax the information, it's okay. No need to verify."

"Look," Louis said, "Angela will be back in half an hour or so. I can have her call you back."

"I'll just tell her I couldn't send the information today because you wouldn't identify this as a legitimate request by giving me the code. If I'm not out sick tomorrow, I'll call her back then."

"The message says 'Urgent.' Never mind, without verification my hands are tied. You'll tell her I tried to send it but you wouldn't give the code, okay?"

Louis gave up under the pressure. An audible sigh of annoyance came winging its way down the phone line.

"Well," he said, "wait a minute; I have to go to my computer. Which code did you want?"

"B," the caller said.

He put the call on hold and then in a bit picked up the line again. "It's 3184."

"That's not the right code."

"Yes it is--B is 3184."

"I didn't say B, I said E."

"Oh, damn. Wait a minute."

Another pause while he again looked up the codes. "E is 9697."

"9697--right. I'll have the fax on the way. Okay?"

"Sure. Thanks."

Walter’s Call

"Industrial Federal Bank, this is Walter."

"Hey, Walter, it's Bob Grabowski in Studio City, branch 38," the caller said. "I need you to pull a sig card on a customer account and fax it to me." The sig card, or signature card, has more than just the customer's signature on it; it also has identifying information, familiar items such as the social security number, date of birth, mother's maiden name, and sometimes even a driver's license number. Very handy to a social engineer.

"Sure thing. What's Code C?"

"Another teller is using my computer right now," the caller said. "But I just used B and E, and I remember those. Ask me one of those."

"Okay, what's E?"

"E is 9697."

A few minutes later, Walter faxed the sig card as requested.
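Louis's and Walter's calls each break a different rule of the daily-code check described above: Louis reads a code out to an inbound caller (so he authenticates himself to a stranger instead of the other way round), and Walter lets the caller pick which letter to be challenged on. The following is an added illustration, not code from the book or from any bank: a toy verifier that encodes both rules. The values B=3184 and E=9697 are the ones from the story; the codes for A, C and D, the audit log and the `choose` hook are constructed for the example.

```python
"""Toy model of the daily branch-code check (added example, not from the book).

  Rule 1 (Louis's call): an inbound caller who asks you to read back a code is
          asking you to authenticate to them; the answer is always a refusal.
  Rule 2 (Walter's call): the verifier chooses the challenge letter; a caller
          who says "ask me B or E" is steering you to codes they already hold.

B=3184 and E=9697 come from the story; A, C and D are constructed placeholders.
"""
import hmac
import secrets

# Constructed list of today's five codes, as each employee would see them each morning.
TODAYS_CODES = {"A": "1111", "B": "3184", "C": "2222", "D": "4444", "E": "9697"}


class CodeVerifier:
    """Employee-side handling of a code check: holds the list, never reads it out."""

    def __init__(self, codes, choose=secrets.choice):
        self._codes = dict(codes)
        self._choose = choose      # picks the challenge letter; random by default, injectable for tests
        self.log = []              # constructed audit trail of refusals and checks

    def request_from_caller(self, letter):
        """Rule 1: an inbound request to disclose a code is refused and logged as a red flag."""
        self.log.append(f"RED FLAG: inbound caller asked for Code {letter}; refused")
        return None

    def verify(self, answer_fn, letters_offered=None):
        """Rule 2: ignore any letters the caller offers, pick one ourselves, then compare.

        answer_fn(letter) returns the caller's answer, or None if they cannot answer.
        Returns True only if the caller knows the code for the verifier-chosen letter.
        """
        if letters_offered:
            self.log.append(f"note: caller tried to steer the challenge to {sorted(letters_offered)}")
        letter = self._choose(sorted(self._codes))
        answer = answer_fn(letter) or ""
        ok = hmac.compare_digest(self._codes[letter], answer)   # constant-time string compare
        self.log.append(f"challenge {letter}: {'pass' if ok else 'FAIL'}")
        return ok


def legitimate_teller(letter):
    """A real employee reads the requested code off their own screen."""
    return TODAYS_CODES[letter]


# What the attacker knows after Louis's call: exactly the two codes Louis read out.
ATTACKER_KNOWS = {"B": "3184", "E": "9697"}


def attacker(letter):
    return ATTACKER_KNOWS.get(letter)


def replay_louis(verifier):
    """Louis's call: 'I need to ask you for Code B.' Under Rule 1 nothing is disclosed."""
    return verifier.request_from_caller("B")


def replay_walter(verifier):
    """Walter's call: 'I just used B and E, ask me one of those.' The verifier picks its own letter."""
    return verifier.verify(attacker, letters_offered={"B", "E"})


if __name__ == "__main__":
    # Letter C is fixed here so the run is reproducible; drop `choose` for a random pick.
    v = CodeVerifier(TODAYS_CODES, choose=lambda letters: "C")
    print("Louis's call, code disclosed:", replay_louis(v))            # None
    print("Walter's call, attacker verified:", replay_walter(v))       # False
    print("Legitimate teller verified:", v.verify(legitimate_teller))  # True
    print(*v.log, sep="\n")
```

Two things the model makes visible. First, Rule 2 on its own is weak: once two of the five codes have leaked, a randomly chosen challenge still lets the attacker through two times in five, and the leaked codes stay valid for the rest of the day. Rule 1 is what actually stops the scheme, because an inbound caller who wants a code read to them has no legitimate reason to ask. Second, neither rule replaces the standardized verification procedure the chapter calls for (for example, calling the requester back at a number from the branch directory); the verifier above only shows what the two tellers should each have done differently.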

Donna Plaice’s Call

"Hi, this is Mr. Anselmo."

"How can I help you today?"

"What's that 800 number I'm supposed to call when I want to see if a deposit has been credited yet?"

"You're a customer of the bank?"

"Yes, and I haven't used the number in a while and now I don't know where I wrote it down."

"The number is 800-555-8600."

"Okay, thanks."

Vince Capelli's Tale

The son of a Spokane street cop, Vince knew from an early age that he wasn't going to spend his life slaving long hours and risking his neck for minimum wage. His two main goals in life became getting out of Spokane, and going into business for himself. The laughter of his homies all through high school only fired him up all the more--they thought it was hilarious that he was so busted on starting his own business but had no idea what business it might be.

Secretly Vince knew they were right. The only thing he was good at was playing catcher on the high school baseball team. But not good enough to capture a college scholarship, no way good enough for professional baseball. So what business was he going to be able to start?

One thing the guys in Vince's group never quite figured out: Anything one of them had--a new switchblade knife, a nifty pair of warm gloves, a sexy new girlfriend--if Vince admired it, before long the item was his. He didn't steal it, or sneak behind anybody's back; he didn't have to. The guy who had it would give it up willingly, and then wonder afterward how it had happened. Even asking Vince wouldn't have gotten you anywhere: He didn't know himself. People just seemed to let him have whatever he wanted.

Vince Capelli was a social engineer from an early age, even though he had never heard the term.

His friends stopped laughing once they all had high school diplomas in hand. While the others slogged around town looking for jobs where you didn't have to say "Do you want fries with that?" Vince's dad sent him off to talk to an old cop pal who had left the force to start his own private investigation business in San Francisco. He quickly spotted Vince's talent for the work, and took him on.

That was six years ago. He hated the part about getting the goods on unfaithful spouses, which involved achingly dull hours of sitting and watching, but felt continually challenged by assignments to dig up asset information for attorneys trying to figure out if some miserable stiff was rich enough to be worth suing. These assignments gave him plenty of chances to use his wits.