The Art of Deception: Controlling the Human Element of Security (28 page)

Read The Art of Deception: Controlling the Human Element of Security Online

Authors: Kevin D. Mitnick,William L. Simon,Steve Wozniak

Tags: #Computer Hackers, #Computer Security, #Electronic Books, #Computer Networks, #Computers, #Information Management, #Data Protection, #General, #Social Aspects, #Information Technology, #Internal Security, #Security, #Business & Economics, #Computer Science

BOOK: The Art of Deception: Controlling the Human Element of Security
10.92Mb size Format: txt, pdf, ePub

A few moments later, the operator came back on the line. She said in a challenging tone, "Sir, where did you get this number?" Larry told her it was on the business card of a man he needed to contact urgently. The operator, said, "I'm sorry. That's a phone company test number. It always rings busy."

Larry started making a list of what information had been shared with Rick. The picture was not pretty.

Two police detectives came and took a report. After listening to the story, they pointed out that no state crime had been committed; there was nothing they could do. They advised Larry to contact the FBI because they have jurisdiction over any crimes involving interstate commerce. When Rick Daggot asked the engineer to forward the test results by misrepresenting himself, he may have committed a federal crime, but Rick would have to speak with the FBI to find out.

Three months later Larry was in his kitchen reading the morning paper over breakfast, and almost spilled his coffee. The thing he had been dreading since he had first heard about Rick had come true, his worst nightmare. There it was in black and white, on the front page of the business section: A company he'd never heard of was announcing the release of a new product that sounded exactly like the C2Alpha his company had been developing for the past two years.

Through deceit, these people had beaten him to market. His dream was destroyed. The millions of dollars invested in research and development wasted. And he probably couldn't prove a single thing against them.

Sammy Sanford's Story Smart enough to be earning a big salary at a legitimate job, but crooked enough to prefer making a living as a con man, Sammy Sanford had done very well for himself. In time he came to the attention of a spy who had been forced into early retirement because of a drinking problem; bitter and revengeful, the man had found a way of selling the talents that the government had made him an expert in. Always on the lookout for people he could use, he had spotted Sammy the first time they met. Sammy had found it easy, and very profitable, to shift his focus from lifting people's money to lifting company secrets.

Most people wouldn't have the guts to do what I do. Try to cheat people over the telephone or over the Internet and nobody ever gets to see you. But any good con man, the old-fashioned, face-to-face kind (and there are plenty of them still around, more than you would think) can look you in the eye, tell you a whopper, and get you to believe it. I've known a prosecutor or two who think that's criminal. I think it's a talent.

But you can't go walking in blind, you have to size things up first. A street con, you can take a man's temperature with a little friendly conversation and couple of carefully worded suggestions. Get the right responses and Bingo!--you've bagged a pigeon.

A company job is more like what we call a big con. You've got setup to do. Find out what their buttons are, find out what they want. What they need. Plan an attack. Be patient, do your homework. Figure out the role you're going to play and learn your lines. And don't walk in the door until you're ready.

I spent better than three weeks getting up to speed for this one. The client gave me a two-day session in what I should say "my" company did and how to describe why it was going to be such a good joint marketing alliance.

Then I got lucky. I called the company and said I was from a venture capital firm and we were interested in setting up a meeting and I was juggling schedules to find a time when all of our partners would be available sometime in the next couple of months, and was there any time slot I should avoid, any period when Larry wasn't going to be in town? And she said, Yes, he hadn't had any time off in the two years since they started the company but his wife was dragging him away on a golf vacation the first week in August.

That was only two weeks away. I could wait.

Meanwhile an industry magazine gave me the name of the firm's PR company. I said I liked the amount of space they were getting for their robotics company client and I wanted to talk to whoever was handling that account about handling my company. It turned out to be an energetic young lady who liked the idea she might be able to bring in a new account. Over a pricey lunch with one more drink than she really wanted, she did her best to convince me they were oh, so good at understanding a client's problems and finding the right PR solutions. I played hard to convince. I needed some details. With a little prodding, by the time the plates were being cleared she had told me more about the new product and the company's problems than I could have hoped for.

The thing went like clockwork. The story about being so embarrassed that the meeting was next week but I might as well meet the team as long as I'm here, the receptionist swallowed whole. She even felt sorry for me into the bargain. The lunch set me back all of $150. With tip. And I had what I needed. Phone numbers, job titles, and one very key guy who believed I was who I said I was.

Brian had me fooled, I admit. He seemed like the kind of guy who'd just email me anything I asked for. But he sounded like he was holding back a little when I brought up the subject. It pays to expect the unexpected. That email account in Larry's name, I had it in my back pocket just in case. The Yahoo security people are probably still sitting there waiting for somebody to use the account again so they can trace him. They'll have a long wait. The fat lady has sung. I'm off on another project.

Analyzing the Con Anyone who works a face-to-face con has to cloak himself in a look that will make him acceptable to the mark. He'll put himself together one way to appear at the race track, another to appear at a local watering hole, still another for an upscale bar at a fancy hotel.

It's the same way with industrial espionage. An attack may call for a suit and tie and an expensive briefcase if the spy is posing as an executive of an established firm, a consultant, or a sales rep. On another job, trying to pass as a software engineer, a technical person, or someone from the mail room, the clothes, the uniform--the whole look would be different.

For infiltrating the company, the man who called himself Rick Daggot knew he had to project an image of confidence and competence, backed by a thorough knowledge of the company's product and industry.

Not much difficulty laying his hands on the information he needed in advance. He devised an easy ruse to find out when the CEO would be away. A small challenge, but still not very tough, was finding out enough details about the project that he could sound "on the inside" about what they were doing. Often this information is known to various company suppliers, as well as investors, venture capitalists they've approached about raising money, their banker, and their law firm. The attacker has to take care, though: Finding someone who will part with insider knowledge can be tricky, but trying two or three sources to turn up someone who can be squeezed for information runs the risk that people will catch on to the game. That way lies danger. The Rick Daggots of the world need to pick carefully and tread each information path only once.

The lunch was another sticky proposition. First there was the problem of arranging things so he'd have a few minutes alone with each person, out of earshot of the others. He told Jessica 12:30 but booked the table for 1 P.M., at an upscale, expense-account type of restaurant. He hoped that would mean they'd have to have drinks at the bar, which is exactly what happened. A perfect opportunity to move around and chat with each individual.

Still, there were so many ways that a misstep--a wrong answer or a careless remark could reveal Rick to be an imposter. Only a supremely confident and wily industrial spy would dare take a chance of exposing himself that way. But years of working the streets as a confidence man had built Rick's abilities and given him the confidence that, even if he made a slip, he'd be able to cover it up well enough to quiet any suspicions. This was the most challenging, most dangerous time of the entire operation, and the elation he felt at bringing off a sting like this made him realize why he didn't have to drive fast cars or skydive or cheat on his wife--he got plenty of excitement just doing his job. How many people, he wondered, could say as much?

MITNICK MESSAGE While most social engineering attacks occur over the telephone or email, don't assume that a bold attacker will never appear in person at your business. In most cases, the imposter uses some form of social engineering to gain access to a building after counterfeiting an employee badge using a commonly available software program such as Photoshop. What about the business cards with the phone company test line? The television show The Rockford Files, which was a series about a private investigator, illustrated a clever and somewhat humorous technique. Rockford (played by actor James Garner) had a portable business card printing machine in his car, which he used to print out a card appropriate to whatever the occasion called for. These days, a social engineer can get business cards printed in an hour at any copy store, or print them on a laser printer.

NOTE John Le Carre, author of The Spy Who Came in from the Cold, A Perfect Spy, and many other remarkable books, grew up as the son of a polished, engaging lifelong can man. Le Carre was struck as a youngster to discover that, successful as his father was in deceiving other, he was also gullible, a victim more than once to another con man or woman. Which just goes to show that everyone is at risk of being taken in by a social engineer, even another social engineer. What leads a group of smart men and women to accept an imposter? We size up a situation by both instinct and intellect. If the story adds up-- that's the intellect part--and a con man manages to project a believable image, we're usually willing to let down our guard. It's the believable image that separates a successful con man or social engineer from one who quickly lands behind bars.

Ask yourself: How sure am I that I would never fall for a story like Rick's? If you're sure you wouldn't, ask yourself whether anyone has ever put anything over on you. If the answer to this second question is yes, it's probably the correct answer to the first question, as well.

LEAPFROG A challenge: The following story does not involve industrial espionage. As you read it, see if you can understand why I decided to put it in this chapter!

Harry Tardy was back living at home, and he was bitter. The Marine Corps had seemed like a great escape until he washed out of boot camp. Now he had returned to the hometown he hated, was taking computer courses at the local community college," and looking for a way to strike out at the world. Finally he hit upon a plan. Over beers with a guy in one of his classes, he'd been complaining about their instructor, a sarcastic know-it-all, and together they cooked up a wicked scheme to burn the guy: They'd grab the source code for a popular personal digital assistant (PDA) and have it sent to the instructor's computer, and make sure to leave a trail so the company would think the instructor was the bad guy.

The new friend, Karl Alexander, said he "knew a few tricks" and would tell Harry how to bring this off. Arid get away with it.

Doing Their Homework A little initial research showed Harry that the product had been engineered at the Development Center located at the PDA manufacturer's headquarters overseas. But there was also an R&D facility in the United States. That was good, Karl pointed out, because for the attempt to work there had to be some company facility in the United States that also needed access to the source code.

At that point Harry was ready to call the overseas Development Center. Here's where a plea for sympathy came in, the "Oh, dear, I'm in trouble, I need help, please, please, help me." Naturally the plea was a little more subtle than that. Karl wrote out a script, but Harry sounded completely phony trying to read it. In the end, he practiced with Karl so he could say what he needed to in a conversational tone. What Harry finally said, with Karl sitting by his side, went something like this:

"I'm calling from R&D Minneapolis. Our server had a worm that infected the whole department. We had to install the operating system again and then when we went to restore from backup, none of the backups was any good. Guess who was supposed to be checking the integrity of the backups? Yours truly. So I'm getting yelled at by my boss, and management is up in arms that we've lost the data. Look, I need to have the latest revision of the source-code tree as quick as you can. I need you to gzip the source code and send it to me."

At this point Karl scribbled him a note, and Harry told the man on the other end of the phone that he just wanted him to transfer the file internally, to Minneapolis R&D. This was highly important: When the man on the other end of the phone was clear that he was just being asked to send the file to another part of the company, his mind was at ease--what could be wrong with that?

LINGO GZIP To archive files in a single compressed file using a Linux GNU utility. He agreed to gzip and send it. Step by step, with Karl at his elbow, Harry talked the man there through getting started on the procedure for compressing the huge source code into a single, compact file. He also gave him a file name to use on the compressed file, "newdata," explaining that this name would avoid any confusion with their old, corrupted files.

Karl had to explain the next step twice before Harry got it, but it was central to the little game of leapfrog Karl had dreamed up. Harry was to call R&D Minneapolis and tell somebody there "I want to send a file to you, and then I want you to send it somewhere else for me"--of course all dressed up with reasons that would make it all sound plausible. What confused Harry was this: He was supposed to say "I'm going to send you a file," when it wasn't going to be Harry sending the file at all. He had to make the guy he was talking to at the R&D Center think the file was coming from him, when what the Center was really going to receive was the file of proprietary source code from Europe. "Why would I tell him it's coming from me when it's really coming from overseas?" Harry wanted to know.

"The guy at the R&D Center is the linchpin," Karl explained. "He's got to think he's just doing a favor for a fellow employee here in the U.S., getting a file from you and then just forwarding it for you."

Other books

Gilbert Morris by The Angel of Bastogne
Adjourned by Lee Goldberg
Red Army by Ralph Peters
Shattering Inside by Lisa Ahne
Dual Assassins by Edward Vogler
The Wife by S.P. Cervantes
Chance of a Ghost by E.J. Copperman