Art Sealy's Research Project 





Art Sealy had given up working as a freelance editor for small publishing houses when he found he could make more money doing research for writers and businesses. He soon figured out that the fee he could charge went up in proportion to how close the assignment took him to the sometimes hazy line between the legal and the illegal. Without ever realizing it, certainly without ever giving it a name, Art became a social engineer, using techniques familiar to every information broker. He turned out to have a native talent for the business, figuring out for himself techniques that most social engineers had to learn from others. After a while, he crossed the line without the least twinge of guilt.

 

A man contacted me who was writing a book about the Cabinet in the Nixon years, and was looking for a researcher who could get the inside scoop on William E. Simon, who had been Nixon's Treasury secretary. Mr. Simon had died, but the author had the name of a woman who had been on his staff. He was pretty sure she still lived in D.C., but hadn't been able to get an address. She didn't have a telephone in her name, or at least none that was listed. So that's when he called me. I told him, sure, no problem.

 

This is the kind of job you can usually bring off in a phone call or two, if you know what you're doing. Every local utility company can generally be counted on to give the information away. Of course, you have to BS a little. But what's a little white lie now and then - right?

 

I like to use a different approach each time, just to keep things interesting. "This is so-and-so in the executive offices" has always worked well for me. So has "I've got somebody on the line from Vice President Somebody's office," which worked this time, too.

 


 

MITNICK MESSAGE

Never think all social engineering attacks need to be elaborate ruses so complex that they're likely to be recognized before they can be completed. Some are in-and-out, strike-and-disappear, very simple attacks that are no more than... well, just asking for it.

 

You have to sort of develop the social engineer's instinct, get a sense of how cooperative the person on the other end is going to be with you. This time I lucked out with a friendly, helpful lady. In a single phone call, I had the address and phone number. Mission accomplished.

 

Analyzing the Con

Certainly Janie knew that customer information is sensitive. She would never discuss one customer's account with another customer, or give out private information to the public.

But naturally, for a caller from within the company, different rules apply. For a fellow employee it's all about being a team player and helping each other get the job done. The man from Billing could have looked up the details himself if his computer hadn't been down with a virus, and she was glad to be able to help a co-worker.

Art built up gradually to the key information he was really after, asking questions along the way about things he didn't really need, such as the account number. Yet at the same time, the account number information provided a fallback: If the clerk had become suspicious, he'd call a second time and stand a better chance of success, because knowing the account number would make him sound all the more authentic to the next clerk he reached.

It never occurred to Janie that somebody might actually lie about something like this, that the caller might not really be from the billing department at all. Of course, the blame doesn't lie at Janie's feet. She wasn't well versed in the rule about making sure you know who you're talking to before discussing information in a customer's file. Nobody had ever told her about the danger of a phone call like the one from Art. It wasn't in the company policy, it wasn't part of her training, and her supervisor had never mentioned it.

 


PREVENTING THE CON

A point to include in your security training: Just because a caller or visitor knows the names of some people in the company, or knows some of the corporate lingo or procedures, doesn't mean he is who he claims to be. And it definitely doesn't establish him as anybody authorized to be given internal information, or access to your computer system or network.

 

Security training needs to emphasize: When in doubt, verify, verify, verify.

 

In earlier times, access to information within a company was a mark of rank and privilege. Workers stoked the furnaces, ran the machines, typed the letters, and filed the reports. The foreman or boss told them what to do, when, and how. It was the foreman or boss who knew how many widgets each worker should be producing on a shift, how many and in what colors and sizes the factory needed to turn out this week, next week, and by the end of the month.

Workers handled machines and tools and materials, and bosses handled information. Workers needed only the information specific to their own jobs.

The picture is a little different today, isn't it? Many factory workers use some form of computer or computer-driven machine. For a large part of the workforce, critical information is pushed down to the users' desktops so that they can fulfill their responsibility to get their work done. In today's environment, almost everything employees do involves the handling of information.

That's why a company's security policy needs to be distributed enterprise-wide, regardless of position. Everybody must understand that it's not just the bosses and executives who have the information that an attacker might be after. Today, workers at every level, even those who don't use a computer, are liable to be targeted. The newly hired rep in the customer service group may be just the weak link that a social engineer breaks to achieve his objective.

Security training and corporate security policies need to strengthen that link.


Chapter 4

Building Trust

Some of these stories might lead you to think that I believe everyone in business is a complete idiot, ready, even eager, to give away every secret in his or her possession. The social engineer knows that isn't true. Why are social engineering attacks so successful? It isn't because people are stupid or lack common sense. But we, as human beings, are all vulnerable to being deceived, because people can misplace their trust if manipulated in certain ways.

 

The social engineer anticipates suspicion and resistance, and he's always prepared to turn distrust into trust. A good social engineer plans his attack like a chess game, anticipating the questions his target might ask so he can be ready with the proper answers.

 

One of his common techniques involves building a sense of trust on the part of his victims. How does a con man make you trust him? Trust me, he can.

 

TRUST: THE KEY TO DECEPTION

The more a social engineer can make his contact seem like business as usual, the more he allays suspicion. When people don't have a reason to be suspicious, it's easy for a social engineer to gain their trust.

 

Once he's got your trust, the drawbridge is lowered and the castle door thrown open so he can enter and take whatever information he wants.


NOTE

You may notice I refer to social engineers, phone phreaks, and con-game operators as "he" through most of these stories. This is not chauvinism; it simply reflects the truth that most practitioners in these fields are male. But though there aren't many women social engineers, the number is growing. There are enough female social engineers out there that you shouldn't let your guard down just because you hear a woman's voice. In fact, female social engineers have a distinct advantage because they can use their sexuality to obtain cooperation. You'll find a small number of the so-called gentler sex represented in these pages.

 



Page last modified: 2020-11-11