Since his release from federal prison, in , Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide.
Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent.
Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.
This is not chauvinism; it simply reflects the truth that most practitioners in these fields are male. In fact, female social engineers have a distinct advantage because they can use their sexuality to obtain cooperation.
This caller said he had had a very good experience dealing with the store, and he wanted to send the manager a letter about it.
He asked for the manager's name and the mailing address, and she told him it was Tommy Allison, and gave him the address. As he was about to hang up, he had another idea and said, "I might want to write to your company headquarters, too. What's your store number?" He said thanks, added something pleasant about how helpful she had been, and said goodbye. How nice it would be if people did that more often.
"This is Ginny, how can I help you?"
We have a customer in here who wants to rent Rocky 5 and we're all out of copies. Can you check on what you've got? Listen, thanks. If you ever need any help from our store, just call and ask for Tommy. I'll be glad to do whatever I can for you.
They were seemingly legitimate requests, and he was always very friendly without sounding like he was trying to come on to her. He was a little chatty along the way, as well - "Did you hear about the big fire in Oak Park? Bunch of streets closed over there," and the like. The calls were a little break from the routine of the day, and Ginny was always glad to hear from him.
One day Tommy called sounding stressed. He asked, "Have you guys been having trouble with your computers? Was the man hurt? Anyway, I could use a little help. I've got a customer of yours here who wants to rent Godfather II and doesn't have his card with him. Could you verify his information for me?"
She gave Tommy the account number. I'll sign him up by hand for an account here and put it in our database later on when the computers come back up again. And he wants to put this charge on the Visa card he uses at your store, and he doesn't have it with him. What's the card number and expiration date?
Tommy said, "Hey, thanks for the help. Talk to you soon," and hung up.
Doyle Lonnegan's Story
Lonnegan is not a young man you would want to find waiting when you open your front door.
A one-time collection man for bad gambling debts, he still does an occasional favor, if it doesn't put him out very much. In this case, he was offered a sizable bundle of cash for little more than making some phone calls to a video store. Sounds easy enough. It's just that none of his "customers" knew how to run this con; they needed somebody with Lonnegan's talent and know-how. People don't write checks to cover their bets when they're unlucky or stupid at the poker table.
Everybody knows that. Why did these friends of mine keep on playing with a cheat that didn't have green out on the table? Don't ask. Maybe they're a little light in the IQ department. But they're friends of mine--what can you do? This guy didn't have the money, so they took a check. I ask you! Should of drove him to an ATM machine, is what they should of done. But no, a check. Naturally, it bounced. What would you expect? So then they call me; can I help? I don't close doors on people's knuckles any more.
Besides, there are better ways nowadays. I told them, 30 percent commission, I'd see what I could do. So they give me his name and address, and I go up on the computer to see what's the closest video store to him.
I wasn't in a big hurry. Four phone calls to cozy up to the store manager, and then, bingo, I've got the cheat's Visa card number. Another friend of mine owns a topless bar. For fifty bucks, he put the guy's poker money through as a Visa charge from the bar.
Let the cheat explain that to his wife. You think he might try to tell Visa it's not his charge? Think again. He knows we know who he is. And if we could get his Visa number, he'll figure we could get a lot more besides.
No worries on that score.
Analyzing the Con
Tommy's initial calls to Ginny were simply to build up trust. When time came for the actual attack, she let her guard down and accepted Tommy for who he claimed to be, the manager at another store in the chain.
And why wouldn't she accept him--she already knew him. She'd only met him over the telephone, of course, but they had established a business friendship that is the basis for trust. Once she had accepted him as an authority figure, a manager in the same company, the trust had been established and the rest was a walk in the park. You have to think whether you really know the person you're talking to.
In some rare instances, the person might not be who he claims to be. Accordingly, we all have to learn to observe, think, and question authority. I recall one incident I witnessed where five minutes was all it took.
Surprise, Dad
I once sat at a table in a restaurant with Henry and his father. In the course of conversation, Henry scolded his father for giving out his credit card number as if it were his phone number. Conklin said, naming the same chain of video stores. "If they started running up charges, I'd know it."
"Sure," said Henry, "but once they have your number, it's so easy for somebody to steal it." "You mean a crooked employee," Conklin said. "I can call up right now and get them to tell me your Visa number," Henry shot back.
"No, you can't," his father said. Conklin looked tight around the eyes, the look of somebody feeling sure of himself, but not wanting to show it. He pulled out his cell phone, asked his father which branch he used, and called Directory Assistance for the phone number, as well as the number of the store in nearby Sherman Oaks.
He then called the Sherman Oaks store. Using pretty much the same approach described in the previous story, he quickly got the manager's name and the store number. Then he called the store where his father had an account. He pulled the old impersonate-the-manager trick, using the manager's name as his own and giving the store number he had just obtained. Then he used the same ruse: "Are your computers working okay? Ours have been up and down. I need you to look up the customer account and make sure he's a customer at your branch."
Then, using only a slight variation in technique, he made the request to read off the account information: address, phone number, and date the account was opened. And then he said, "Hey, listen, I'm holding up a long line of customers here. What's the credit card number and expiration date?" As he finished the call, he slid the napkin in front of his father, who stared at it with his mouth hanging open. The poor guy looked totally shocked, as if his whole system of trust had just gone down the drain.
Analyzing the Con
Think of your own attitude when somebody you don't know asks you for something.
If a shabby stranger comes to your door, you're not likely to let him in; if a stranger comes to your door nicely dressed, shoes shined, hair perfect, with polite manner and a smile, you're likely to be much less suspicious. Maybe he's really Jason from the Friday the 13th movies, but you're willing to start out trusting that person as long as he looks normal and doesn't have a carving knife in his hand.
What's less obvious is that we judge people on the telephone the same way. Does this person sound like he's trying to sell me something? Is he friendly and outgoing or do I sense some kind of hostility or pressure? We judge these things and perhaps a dozen others unconsciously, in a flash, often in the first few moments of the conversation.
We weigh the risks and then, most of the time, give people the benefit of the doubt. That's the natural behavior of civilized people. As children our parents taught us not to trust strangers. Maybe we should all heed this age-old principle in today's workplace.
At work, people make requests of us all the time. Do you have an email address for this guy? Where's the latest version of the customer list? Who's the subcontractor on this part of the project?
Please send me the latest project update. I need the new version of the source code. And guess what: Sometimes people who make those requests are people you don't personally know, folks who work for some other part of the company, or claim they do. But if the information they give checks out, and they appear to be in the know ("Marianne said ..."). Sure, we may stumble a little, asking ourselves, "Why does somebody in the Dallas plant need to see the new product plans?"
If the answers appear reasonable and the person's manner is reassuring, we let down our guard, return to our natural inclination to trust our fellow man or woman, and do within reason whatever it is we're being asked to do.
And don't think for a moment that the attacker will only target people who use company computer systems. What about the guy in the mail room? "Drop this into the intra-company mail pouch?"
Now that attacker gets his own personal copy of the CEO's email. Could that really happen at your company? The answer is, absolutely. Not long ago, a nationwide wireless company had a major promotion underway offering a brand-new phone for one cent when you signed up for one of their calling plans. As lots of people have discovered too late, there are a good many questions a prudent shopper should ask before signing up for a cell phone calling plan: whether the service is analog, digital, or a combination; the number of anytime minutes you can use in a month; whether roaming charges are included.
Especially important to understand up front is the contract term of commitment--how many months or years will you have to commit to? Picture a social engineer in Philadelphia who is attracted by a cheap phone model offered by a cellular phone company on sign-up, but he hates the calling plan that goes with it. Not a problem. Here's one way he might handle the situation.
This is Ted. This is Adam. Listen, I was in a few nights ago talking to a sales guy about a cell phone.
I said I'd call him back when I decided on the plan I wanted, and I forgot his name. Who's the guy who works in that department on the night shift? Was it William? Maybe it was William. What's he look like? Kind of skinny. What's his last name, again? When's he going to be on? I'll try him this evening, then. Thanks, Ted. Katie speaking, how can I help you? This is William Hadley, over at the West Girard store.
How're you today? You know the one I mean? I sold a couple of those last week. The guy passed credit; we signed him up on the contract. I checked the damned inventory and we don't have any phones left. I'm so embarrassed. Can you do me a favor? I'll send him over to your store to pick up a phone. Can you sell him the phone for one cent and write him up a receipt?
And he's supposed to call me back once he's got the phone so I can talk him through how to program it. Send him over. His name is Ted. Ted Yancy. When it's time to pay, the customer doesn't have any pennies in his pocket, so he reaches into the little dish of pennies at the cashier's counter, takes one out, and gives it to the girl at the register.
He gets the phone without paying even the one cent for it. He's then free to go to another wireless company that uses the same model of phone, and choose any service plan he likes. Preferably one on a month-to-month basis, with no commitment required.
Analyzing the Con
It's natural for people to have a higher degree of acceptance for anyone who claims to be a fellow employee, and who knows company procedures and lingo. The social engineer in this story took advantage of that by finding out the details of a promotion, identifying himself as a company employee, and asking for a favor from another branch.
This happens between branches of retail stores and between departments in a company; people are physically separated and deal with fellow employees they have never actually met day in and day out.
Later he found the actual NCIC manual itself on line, a sensitive document that gives all the instructions for retrieving information from the FBI's national crime database. The manual is a handbook for law enforcement agencies that gives the formatting and codes for retrieving information on criminals and crimes from the national database.
Agencies all over the country can search the same database for information to help solve crimes in their own jurisdiction. The manual contains the codes used in the database for designating everything from different kinds of tattoos, to different boat hulls, to denominations of stolen money and bonds. Anybody with access to the manual can look up the syntax and the commands to extract information from the national database.
Then, following instructions from the procedures guide, with a little nerve, anyone can extract information from the database. The manual also gives phone numbers to call for support in using the system. You may have similar manuals in your company offering product codes or codes for retrieving sensitive information.
The FBI almost certainly has never discovered that their sensitive manual and procedural instructions are available to anyone on line, and I don't think they'd be very happy about it if they knew. One copy was posted by a government department in Oregon, the other by a law enforcement agency in Texas. In each case, somebody probably thought the information was of no value and posting it couldn't do any harm.
Maybe somebody posted it on their intranet just as a convenience to their own employees, never realizing that it made the information available to everyone on the Internet who has access to a good search engine such as Google - including the just-plain-curious, the wannabe cop, the hacker, and the organized crime boss.
Tapping into the System
The principle of using such information to dupe someone in the government or a business setting is the same: Because a social engineer knows how to access specific databases or applications, or knows the names of a company's computer servers, or the like, he gains credibility.
Credibility leads to trust. Once a social engineer has such codes, getting the information he needs is an easy process. In this example, he might begin by calling a clerk in a local state police Teletype office, and asking a question about one of the codes in the manual - for example, the offense code. Are you getting the same thing when you do an OFF? Would you try it for me? The Teletype clerk on the other end of the phone would pick up the cue that the caller was familiar with the operating procedures and the commands to query the NCIC database.
Who else other than someone trained in using NCIC would know these procedures? After the clerk has confirmed that her system is working okay, the conversation might go something like this: "I could use a little help."
Analyzing the Con
An accomplished social engineer wouldn't stop for a minute to ponder ways of breaking into the NCIC database. Why should he, when a simple call to his local police department, and some smooth talking so he sounds convincingly like an insider, is all it takes to get the information he wants?
And the next time, he just calls a different police agency and uses the same pretext. Doesn't the attacker run a huge risk? The answer is no. People in law enforcement, like people in the military, have ingrained in them from the first day in the academy a respect for rank.
As long as the social engineer is posing as a sergeant or lieutenant--a higher rank than the person he's talking to - the victim will be governed by that well-learned lesson that says you don't question people who are in a position of authority over you. Rank, in other words, has its privileges, in particular the privilege of not being challenged by people of lower rank. But don't think law enforcement and the military are the only places where this respect for rank can be exploited by the social engineer.
Social engineers often use authority or rank in the corporate hierarchy as a weapon in their attacks on businesses - as a number of the stories in these pages demonstrate. Here are some suggestions.
Protect Your Customers
In this electronic age many companies that sell to the consumer keep credit cards on file.
There are reasons for this: It saves the customer the nuisance of having to provide the credit card information each time he visits the store or the Web site to make a purchase. However, the practice should be discouraged.
If you must keep credit card numbers on file, that process needs to be accompanied by security provisions that go beyond encryption or using access control. Employees need to be trained to recognize social engineering scams like the ones in this chapter.
That fellow employee you've never met in person but who has become a telephone friend may not be who he or she claims to be. He may not have the "need to know" to access sensitive customer information, because he may not actually work for the company at all. Then go for the jugular! Almost everyone in your organization needs training to protect the enterprise from industrial spies and information thieves.
Laying the groundwork for this should begin with a survey of enterprise-wide information assets, looking separately at each sensitive, critical, or valuable asset, and asking what methods an attacker might use to compromise those assets through the use of social engineering tactics.
Appropriate training for people who have trusted access to such information should be designed around the answers to these questions.
When anyone you don't know personally requests some information or material, or asks you to perform any task on your computer, have your employees ask themselves some questions: If I gave this information to my worst enemy, could it be used to injure me or my company? Do I completely understand the potential effect of the commands I am being asked to enter into my computer? We don't want to go through life being suspicious of every new person we encounter.
Yet the more trusting we are, the more likely that the next social engineer to arrive in town will be able to deceive us into giving up our company's proprietary information.
What Belongs on Your Intranet?
Parts of your intranet may be open to the outside world, other parts restricted to employees. How careful is your company in making sure sensitive information isn't posted where it's accessible to audiences you meant to protect it from? When is the last time anyone in your organization checked to see if any sensitive information on your company's intranet had inadvertently been made available through the public-access areas of your Web site?
If your company has implemented proxy servers as intermediaries to protect the enterprise from electronic security threats, have those servers been checked recently to be sure they're configured properly? In fact, has anyone ever checked the security of your intranet?
Chapter 5 "Let Me Help You"
We're all grateful when we're plagued by a problem and somebody with the knowledge, skill, and willingness comes along offering to lend us a hand.
The social engineer understands that, and knows how to take advantage of it. He also knows how to cause a problem for you. And you may never even know you've lost something of value. Here are some typical ways that social engineers step forward to "help."
We're trying to troubleshoot a computer networking problem. Do you know if anyone in your group has been having trouble staying on line? Listen, we're calling people who might be affected 'cause it's important you let us know right away if you lose your network connection.
You think it might happen? Then you can reach me directly if you need to. Go ahead. Got it. Hey, thanks. What was your name again? Listen, one other thing--I need to check which port your computer is connected to.
Take a look on your computer and see if there's a sticker somewhere that says something like 'Port Number'. See if there's a label on the jack it's plugged into. Yeah, wait a minute - I have to squat down here so I can get close enough to read it. Okay - it says Port 6 dash
We're trying to troubleshoot a cabling problem. I need you to disable Port
He checked the caller ID, saw the call was from the shipbuilding company, and hurried to a quiet spot before answering. You've got an echo, where are you? Who's this?
Boy, am I glad I got ahold of you. Maybe you remember you called me the other day? My network connection just went down like you said it might, and I'm a little panicky here. We should have it taken care of by the end of the day. That okay? Damn, I'll get way behind if I'm down that long. What's the best you can do for me? Any chance you could take care of it in half an hour? You don't want much. Well, look, I'll drop what I'm doing and see if I can tackle it for you.
Forty-five minutes later
It's Eddie. Go ahead and try your network connection. That's just great. Just take a couple of minutes. It could save us both big headaches the next time this network problem happens. After the program had downloaded, Eddie told Tom to double-click on it.
He tried, but reported: "It's not working. It's not doing anything. Something must be wrong with the program." Let's just get rid of it, we can try again another time. Total elapsed time, twelve minutes.
The Attacker's Story
Bobby Wallace always thought it was laughable when he picked up a good assignment like this one and his client pussyfooted around the unasked but obvious question of why they wanted the information.
In this case he could only think of two reasons. Maybe they represented some outfit that was interested in buying the target company, Starboard Shipbuilding, and wanted to know what kind of financial shape they were really in - especially all the stuff the target might want to keep hidden from a potential buyer.
Or maybe they represented investors who thought there was something fishy about the way the money was being handled and wanted to find out whether some of the executives had a case of hands-in-the cookie-jar. And maybe his client also didn't want to tell him the real reason because, if Bobby knew how valuable the information was, he'd probably want more money for doing the job.
There are a lot of ways to crack into a company's most secret files. Bobby spent a few days mulling over the choices and doing a little checking around before he decided on a plan. He settled on one that called for an approach he especially liked, where the target is set up so that he asks the attacker for help. He placed a call to the man he had chosen as his target, passed himself off as being from the company help desk, and set things up so the man would call Bobby's cell phone any time he found a problem with his network connection.
He left a pause of two days so as not to be too obvious, and then made a call to the network operations center (NOC) at the company. He claimed he was troubleshooting a problem for Tom, the target, and asked to have Tom's network connection disabled.
Bobby knew this was the trickiest part of the whole escapade - in many companies, the help desk people work closely with the NOC; in fact, he knew the help desk is often part of the IT organization. But the indifferent NOC guy he spoke with treated the call as routine, didn't ask for the name of the help desk person who was supposedly working on the networking problem, and agreed to disable the target's network port.
When done, Tom would be totally isolated from the company's intranet, unable to retrieve files from the server, exchange files with his co-workers, download his email, or even send a page of data to the printer. In today's world, that's like living in a cave. As Bobby expected, it wasn't long before his cell phone rang. Of course he made himself sound eager to help this poor "fellow employee" in distress. Then he called the NOC and had the man's network connection turned back on.
Finally, he called the man and manipulated him once again, this time making him feel guilty for saying no after Bobby had done him a favor. Tom agreed to the request that he download a piece of software to his computer.
Of course, what he agreed to wasn't exactly what it seemed. The software that Tom was told would keep his network connection from going down, was really a Trojan Horse, a software application that did for Tom's computer what the original deception did for the Trojans: It brought the enemy inside the camp. Tom reported that nothing happened when he double-clicked on the software icon; the fact was that, by design, he couldn't see anything happening, even though the small application was installing a secret program that would allow the infiltrator covert access to Tom's computer.
With the software running, Bobby was provided with complete control over Tom's computer, an arrangement known as a remote command shell. Then, at his leisure, he'd examine them for the information that would give his clients what they were looking for.
Some Trojans are designed to hide within the computer's operating system and spy on every keystroke or action, or accept instruction over a network connection to perform some function, all without the victim being aware of its presence. And that wasn't all. He could go back at any time to search through the email messages and private memos of the company's executives, running a text search for words that might reveal any interesting tidbits of information.
Late on the night that he conned his target into installing the Trojan Horse software, Bobby threw the cell phone into a Dumpster. Of course he was careful to clear the memory first and pull the battery out before he tossed it - the last thing he wanted was for somebody to call the cell phone's number by mistake and have the phone start ringing!
Analyzing the Con
The attacker spins a web to convince the target he has a problem that, in fact, doesn't really exist - or, as in this case, a problem that hasn't happened yet, but that the attacker knows will happen because he's going to cause it. He then presents himself as the person who can provide the solution.
The setup in this kind of attack is particularly juicy for the attacker: Because of the seed planted in advance, when the target discovers he has a problem, he himself makes the phone call to plead for help. The attacker just sits and waits for the phone to ring, a tactic fondly known in the trade as reverse social engineering.
An attacker who can make the target call him gains instant credibility: If I place a call to someone I think is on the help desk, I'm not going to start asking him to prove his identity.
That's when the attacker has it made. Another form of reverse social engineering turns the tables on the attacker. The target recognizes the attack, and uses psychological principles of influence to draw out as much information as possible from the attacker so that the business can safeguard targeted assets.
In a con like this one, the social engineer tries to pick a target who is likely to have limited knowledge of computers. The more he knows, the more likely that he'll get suspicious, or just plain figure out that he's being manipulated.
What I sometimes call the computer-challenged worker, who is less knowledgeable about technology and procedures, is more likely to comply. He's all the more likely to fall for a ruse like "Just download this little program," because he has no idea of the potential damage a software program can inflict. What's more, there's a much smaller chance he'll understand the value of the information on the computer network that he's placing at risk.
They don't know many people yet, they don't know the procedures or the dos and don'ts of the company. And, in the name of making a good first impression, they're eager to show how cooperative and quick to respond they can be. What can I help you with? I want to get the name and phone number of all the new hires in the past month. Can you help me with that? Is that okay? I'll call you when I'm back in my office, probably after four.
A Message for Rosemary
Rosemary Morgan was delighted with her new job. She had never worked for a magazine before and was finding the people much friendlier than she expected, a surprise because of the never-ending pressure most of the staff was always under to get yet another issue finished by the monthly deadline. The call she received one Thursday morning reconfirmed that impression of friendliness.
This is Bill Jorday, with the Information Security group. For starters, we don't allow anybody to install software brought in from outside the company. That's because we don't want any liability for unlicensed use of software. And to avoid any problems with software that might have a worm or a virus. We like to make all our new employees aware that it can be dangerous to open any email attachment you aren't expecting. Lots of viruses and worms get sent around and they come in emails that seem to be from people you know.
So if you get an email with an attachment you weren't expecting you should always check to be sure the person listed as sender really did send you the message. You understand? And our policy is that you change your password every ninety days. When did you last change your password?
You can wait the rest of the ninety days. But we need to be sure people are using passwords that aren't too easy to guess. Are you using a password that consists of both letters and numbers? What password are you using now? You should never choose a password that's based on family information. Well, let's see... It's okay to use what you're using now as the first part of the password, but then each time you change it, add a number for the current month.