well, very few, at least - give out the direct dial phone numbers of their CEO or board chairman. Most companies, though, have no concern about giving out phone numbers to most departments and workgroups in the organization - especially to someone who is, or appears to be, an employee. A possible countermeasure: Implement a policy that prohibits giving internal phone numbers of employees, contractors, consultants, and temps to outsiders. More importantly, develop a step-by-step procedure to positively identify whether a caller asking for phone numbers is really an employee.
Accounting codes for workgroups and departments, as well as copies of the corporate directory (whether hard copy, data file, or electronic phone book on the intranet) are frequent targets of social engineers. Every company needs a written, well-publicized policy on disclosure of this type of information. The safeguards should include maintaining an audit log that records instances when sensitive information is disclosed to people outside of the company.
Information such as an employee number, by itself, should not be used as any sort of authentication. Every employee must be trained to verify not just the identity of a requestor, but also the requestor's need to know. In your security training, consider teaching employees this approach: Whenever asked a question or asked for a favor by a stranger, learn first to politely decline until the request can be verified. Then - before giving in to the natural desire to be Mr. or Ms. Helpful - follow company policies and procedures with respect to verification and disclosure of non-public information. This style may go against our natural tendency to help others, but a little healthy paranoia may be necessary to avoid being the social engineer's next dupe.
As the stories in this chapter have shown, seemingly innocuous information can be the key to your company's most prized secrets.
Chapter 3 The Direct Attack: Just Asking for It
Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.
But I always find it striking that a skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that's needed - as you'll see.
AN MLAC QUICKIE Want to know someone's unlisted phone number? A social engineer can tell you half a dozen ways (and you'll find some of them described in other stories in these pages), but probably the simplest scenario is one that uses a single phone call, like this one.
Number, Please The attacker dialed the private phone company number for the MLAC, the Mechanized Line Assignment Center. To the woman who answered, he said:
"Hey, this is Paul Anthony. I'm a cable splicer. Listen, a terminal box out here got fried in a fire. Cops think some creep tried to burn his own house down for the insurance. They got me out here alone trying to rewire this entire two hundred-pair terminal. I could really use some help right now. What facilities should be working at 6723 South Main?"
In other parts of the phone company, the person called would know that reverse lookup information on non-pub (non-published) numbers is supposed to be given out only to authorized phone company personnel. But the MLAC is supposed to be known only to company employees. And while they'd never give out information to the public, who would want to refuse a little help to a company man coping with that heavy-duty assignment? She feels sorry for him, she's had bad days on the job herself, and she'll bend the rules a little to help out a fellow employee with a problem. She gives him the cable and pairs and each working number assigned to the address.
MITNICK MESSAGE It's human nature to trust our fellow man, especially when the request meets the test of being reasonable. Social engineers use this knowledge to exploit their victims and to achieve their