Keeping Sensitive Information Safe 





When people are approached by a stranger offering to help, as seen in the stories in this chapter, they have to fall back on a corporate security policy that is tailored to the business needs, size, and culture of their company.

 

NOTE

Personally, I don't believe any business should allow any exchange of passwords. It's much easier to establish a hard rule that forbids personnel from ever sharing or exchanging confidential passwords. It's safer, too. But each business has to assess its own culture and security concerns in making this choice.

 

Never cooperate with a stranger who asks you to look up information, enter unfamiliar commands into a computer, make changes to software settings or - the most potentially disastrous of all - open an email attachment or download unchecked software. Any software program - even one that appears to do nothing at all - may not be as innocent as it appears to be.

 

There are certain procedures that, no matter how good our training, we tend to grow careless about over time. Then we forget about that training at crunch time, just when we need it. You would think that not giving out your account name and password is something that just about everybody knows (or should know) and hardly needs to be told: it's simple common sense. But in fact, every employee needs to be reminded frequently that giving out the account name and password to their office computer, their home computer, or even the postage machine in the mail room is equivalent to giving out the PIN number for their ATM card.

 

There is occasionally - very occasionally - a quite valid circumstance when it's necessary, perhaps even important, to give someone else confidential information. For that reason, it's not appropriate to make an absolute rule about "never." Still, your security policies and procedures do need to be very specific about circumstances under which an employee may give out his or her password and - most importantly--who is authorized to ask for the information.

 

Consider the Source

In most organizations, the rule should be that any information that can possibly cause harm to the company or to a fellow employee may be given only to someone who is known on a face-to-face basis, or whose voice is so familiar that you recognize it without question.

 

In high-security situations, the only requests that should be granted are ones delivered in person or with a strong form of authentication - for example, two separate items such as a shared secret and a time-based token.

 

Data classification procedures must designate that no information be provided from a part of the organization involved with sensitive work to anyone not personally known or vouched for in some manner.

 

NOTE

Incredibly, even looking up the name and phone number of the caller in the company's employee database and calling him back is not an absolute guarantee: social engineers know ways of planting names in a corporate database or redirecting telephone calls.

 

So how do you handle a legitimate-sounding request for information from another company employee, such as the list of names and email addresses of people in your group? In fact, how do you raise awareness so that an item like this, which is clearly less valuable than, say, a spec sheet for a product under development, is recognized as something for internal use only? One major part of the solution: Designate employees in each department who will handle all requests for information to be sent outside the group. An advanced security-training program must then be provided to make these designated employees aware of the special verification procedures they should follow.

 

Forget Nobody

Anyone can quickly rattle off the identity of organizations within her company that need a high degree of protection against malicious attacks. But we often overlook other places that are less obvious, yet highly vulnerable. In one of these stories, the request for a fax to be sent to a phone number within the company seemed innocent and secure enough, yet the attacker took advantage of this security loophole. The lesson here: Everybody from secretaries and administrative assistants to company executives and high-level managers needs to have special security training so that they can be alert to these types of tricks. And don't forget to guard the front door: Receptionists, too, are often prime targets for social engineers and must also be made aware of the deceptive techniques used by some visitors and callers.

 

Corporate security should establish a single point of contact as a kind of central clearinghouse for employees who think they may have been the target of a social engineering ruse. Having a single place to report security incidents will provide an effective early-warning system that will make it clear when a coordinated attack is under way, so that any damage can be controlled immediately.
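A minimal form of the early warning such a clearinghouse makes possible, as an added Python example that is not part of the book: five constructed report lines (modelled on the Jones story later in this chapter) are parsed, grouped by time window, and a group that spans several departments is flagged as a probable coordinated campaign. The log layout, the field and function names, and the two-hour / two-department thresholds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed clearinghouse log modelled on the Jones story; not real reports.
# Assumed layout: timestamp | reporting department | pretext the caller used | what was asked for
REPORTS = """\
2020-11-11T09:02 | Chicago reception | caller "looking for Mr. Jones" | names of the Joneses and their departments
2020-11-11T09:20 | Business Development | "Tony in Payroll", direct-deposit mix-up | employee number
2020-11-11T10:05 | Austin IT | "Joseph Jones", in town for the week | temporary dial-up account
2020-11-11T14:30 | Facilities | vendor asking about the badge printer | maintenance window
2020-11-12T11:00 | Mail room | courier asking for the postage meter code | account name and password
"""


def parse_reports(text):
    """Turn the pipe-separated log into dicts; `time` becomes a datetime so windows can be computed."""
    reports = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, department, pretext, request = (field.strip() for field in line.split("|", 3))
        reports.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
                        "department": department, "pretext": pretext, "request": request})
    return reports


def find_campaigns(reports, window_minutes=120, min_departments=2):
    """Greedy time-window clustering. Starting from each report in time order, collect every
    report within the window of it; a cluster that touches `min_departments` distinct
    departments is returned as a probable coordinated campaign and its members are not reused."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(reports, key=lambda r: r["time"])
    campaigns = []
    i = 0
    while i < len(ordered):
        group = [ordered[i]]
        j = i + 1
        while j < len(ordered) and ordered[j]["time"] - ordered[i]["time"] <= window:
            group.append(ordered[j])
            j += 1
        departments = sorted({r["department"] for r in group})
        if len(departments) >= min_departments:
            campaigns.append({
                "start": group[0]["time"],
                "end": group[-1]["time"],
                "departments": departments,
                "requests": [r["request"] for r in group],
            })
            i = j          # members consumed; continue after the cluster
        else:
            i += 1         # a lone report is not an alert on its own
    return campaigns


if __name__ == "__main__":
    for c in find_campaigns(parse_reports(REPORTS)):
        print(f"{c['start']:%H:%M}-{c['end']:%H:%M}: {len(c['departments'])} departments hit:",
              ", ".join(c["departments"]))
        for req in c["requests"]:
            print("  requested:", req)
```

Run stand-alone, it prints the one cluster in the sample: reception, Business Development and Austin IT hit within 63 minutes, with the requested items listed in order, which is the "Joneses" sequence seen from the defender's side. The point is that no single report is alarming on its own; only the central view shows the chain.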

 


Chapter 6

"Can You Help Me?"

 

You've seen how social engineers trick people by offering to help. Another favorite approach turns the tables: The social engineer manipulates by pretending he needs the other person to help him. We can all sympathize with people in a tight spot, and the approach proves effective over and over again in allowing a social engineer to reach his goal.

 

THE OUT-OF-TOWNER

A story in Chapter 3 showed how an attacker can talk a victim into revealing his employee number. This one uses a different approach for achieving the same result, and then shows how the attacker can make use of that

 

Keeping Up with the Joneses

In Silicon Valley there is a certain global company that shall be nameless. The scattered sales offices and other field installations around the world are all connected to that company's headquarters over a WAN, a wide area network. The intruder, a smart, feisty guy named Brian Atterby, knew it was almost always easier to break into a network at one of the remote sites, where security is practically guaranteed to be more lax than at headquarters.

The intruder phoned the Chicago office and asked to speak with Mr. Jones. The receptionist asked if he knew Mr. Jones's first name; he answered, "I had it here, I'm looking for it. How many Joneses do you have?" She said, "Three. Which department would he be in?"

He said, "If you read me the names, maybe I'll recognize it." So she did: "Barry, Joseph, and Gordon."

"Joe. I'm pretty sure that was it," he said. "And he was in... which department?"

"Business Development."

"Fine. Can you connect me, please?"

She put the call through. When Jones answered, the attacker said, "Mr. Jones? Hi, this is Tony in Payroll. We just put through your request to have your paycheck deposited directly to your credit union account."

"WHAT???!!! You've got to be kidding. I didn't make any request like that. I don't even have an account at a credit union."

"Oh, damn, I already put it through."

Jones was more than a little upset at the idea that his paycheck might be going to someone else's account, and he was beginning to think the guy on the other end of the phone must be a little slow. Before he could even reply, the attacker said, "I better see what happened. Payroll changes are entered by employee number. What's your employee number?"

Jones gave the number. The caller said, "No, you're right, the request wasn't from you, then." They get more stupid every year, Jones thought.

"Look, I'll see it's taken care of. I'll put in a correction right now. So don't worry - you'll get your next paycheck okay," the guy said reassuringly.

 

A Business Trip

Not long after, the system administrator in the company's Austin, Texas, sales office received a phone call. "This is Joseph Jones," the caller announced. "I'm in Business Development at corporate. I'll be in town for the week, at the Driskill Hotel. I'd like to have you set me up with a temporary account so I can access my email without making a long distance call."

 

"Let me get that name again, and give me your employee number," the sys admin said. The false Jones gave the number and went on, "Do you have any high speed dial-up numbers?"

 

"Hold on, buddy. I gotta verify you in the database." After a bit, he said, "Okay, Joe. Tell me, what's your building number?" The attacker had done his homework and had the answer ready.

 


MITNICK MESSAGE

Don't rely on network safeguards and firewalls to protect your information. Look to your most vulnerable spot. You'll usually find that vulnerability lies in your people.

 

"Okay," the sys admin told him, "you convinced me."

 

It was as simple as that. The sys admin had verified the name Joseph Jones, the department, and the employee number, and "Joe" had given the right answer to the test question. "Your username's going to be the same as your corporate one, jbjones," the sys admin said, "and I'm giving you an initial password of 'changeme.'"

 

Analyzing the Con

With a couple of phone calls and fifteen minutes of time, the attacker had gained access to the company's wide area network. This was a company that, like many, had what I refer to as candy security, after a description first used by two Bell Labs researchers, Steven Bellovin and William Cheswick. They described such security as "a hard crunchy shell with a soft chewy center" - like an M&M candy. The outer shell, the firewall, Bellovin and Cheswick argued, is not sufficient protection, because once an intruder is able to circumvent it, the internal computer systems have soft, chewy security. Most of the time, they are inadequately protected.

 

This story fits the definition. With a dial-up number and an account, the attacker didn't even have to bother trying to defeat an Internet firewall, and, once inside, he was easily able to compromise most of the systems on the internal network.

 

Through my sources, I understand this exact ruse was worked on one of the largest computer software manufacturers in the world. You would think the systems administrators in such a company would be trained to detect this type of ruse. But in my experience, nobody is completely safe if a social engineer is clever and persuasive enough.
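The check the Austin sys admin actually performed, beside the two-item check (shared secret plus time-based token) that the "Consider the Source" section calls for, as an added Python example. This is not code from the book or from any company it describes: the directory record, employee number, building number, passphrase and field names are constructed, the TOTP seed is the RFC 6238 reference key in base32 so the codes can be checked against the RFC, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed directory record for illustration; not real company data. The field
# names are assumptions. The TOTP seed is the RFC 6238 reference key
# "12345678901234567890" in base32, so the codes can be checked against the RFC.
DIRECTORY = {
    "jbjones": {
        "name": "Joseph Jones",
        "department": "Business Development",
        "employee_number": "44721",   # harvested by the "Tony in Payroll" call
        "building": "12",             # on any campus map, or one call to a colleague
        # Verification passphrase chosen at onboarding, stored hashed. A slow KDF
        # (bcrypt, scrypt, Argon2) belongs here in production; SHA-256 keeps this
        # example standard-library only.
        "passphrase_sha256": hashlib.sha256(b"hypothetical-passphrase").hexdigest(),
        "totp_seed_b32": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}


def totp(seed_b32, for_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30 s steps, 6 digits)."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = int(for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def knowledge_only_verify(username, claimed):
    """The Austin check: directory facts that any confident-sounding caller can collect."""
    rec = DIRECTORY.get(username)
    if rec is None:
        return False
    return (claimed.get("employee_number") == rec["employee_number"]
            and claimed.get("building") == rec["building"])


def two_item_verify(username, claimed, now=None, window=1):
    """Shared secret plus time-based token. `window` tolerates one 30 s step of
    clock skew either way. Both items are always evaluated, so a caller cannot
    learn from the response time which one failed."""
    rec = DIRECTORY.get(username)
    if rec is None:
        return False
    t = time.time() if now is None else now
    # Item 1: something only the employee knows, compared in constant time.
    claimed_hash = hashlib.sha256(claimed.get("passphrase", "").encode()).hexdigest()
    secret_ok = hmac.compare_digest(claimed_hash, rec["passphrase_sha256"])
    # Item 2: something only the employee holds; a code read off the provisioned token.
    code = claimed.get("token_code", "").encode()
    token_ok = False
    for k in range(-window, window + 1):
        expected = totp(rec["totp_seed_b32"], t + k * 30).encode()
        if hmac.compare_digest(code, expected):
            token_ok = True
    return secret_ok and token_ok


if __name__ == "__main__":
    # What the attacker in the story could supply: harvested facts, a guessed
    # passphrase, and a guessed token code.
    attacker = {"employee_number": "44721", "building": "12",
                "passphrase": "changeme", "token_code": "000000"}
    print("knowledge-only check:", knowledge_only_verify("jbjones", attacker))
    print("two-item check:     ", two_item_verify("jbjones", attacker))
```

The knowledge-only check passes for the attacker because every value it compares is something the "Payroll" call or a building directory yields. The two-item check fails because neither a passphrase that never appears in any database nor a code from a token in the real Jones's pocket can be collected over the phone. Either check is still only as good as the channel: the callback to the number of record that the chapter recommends belongs in front of both.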

 

LINGO

CANDY SECURITY A term coined by Bellovin and Cheswick of Bell Labs to describe a security scenario where the outer perimeter, such as a firewall, is strong, but the infrastructure behind it is weak. The term refers to M&M candy, which has a hard outer shell and a soft center.

 

 


LINGO

SPEAKEASY SECURITY Security that relies on knowing where desired information is, and using a word or name to gain access to that information or computer system.

 

SPEAKEASY SECURITY

In the old days of speakeasies - those Prohibition-era nightclubs where so-called bathtub gin flowed - a would-be customer gained admission by showing up at the door and knocking. After a few moments, a small flap in the door would swing open and a tough, intimidating face would peer out. If the visitor was in the know, he would speak the name of some frequent patron of the place ("Joe sent me" was often enough), whereupon the bouncer inside would unlatch the door and let him in.

 

The real trick lay in knowing the location of the speakeasy because the door was unmarked, and the owners didn't exactly hang out neon signs to mark their presence. For the most part, just showing up at the right place was about all it took to get in. The same degree of safekeeping is, unhappily, practiced widely in the corporate world, providing a level of non protection that I call speakeasy security.

 

I Saw It at the Movies

Here's an illustration from a favorite movie that many people will remember. In Three Days of the Condor the central character, Turner (played by Robert Redford), works for a small research firm contracted by the CIA. One day he comes back from a lunch run to find that all his co-workers have been gunned down. He's left to figure out who has done this and why, all the while knowing that the bad guys, whoever they are, are looking for him.

 

Late in the story, Turner manages to get the phone number of one of the bad guys. But who is this person, and how can Turner pin down his location? He's in luck: The screenwriter, David Rayfiel, has happily given Turner a background that includes training as a telephone lineman with the Army Signal Corps, making him knowledgeable about the techniques and practices of the phone company. With the bad guy's phone number in hand, Turner knows exactly what to do. In the screenplay, the scene reads like this:

 


TURNER RECONNECTS and TAPS OUT ANOTHER NUMBER.

RING! RING! Then:

WOMAN'S VOICE (FILTER)
CNA, Mrs. Coleman speaking.

TURNER (into test set)
This is Harold Thomas, Mrs. Coleman. Customer Service. CNA on 202-555-7389, please.

WOMAN'S VOICE (FILTER)
One moment, please. (almost at once) Leonard Atwood, 765 MacKensie Lane, Chevy Chase, Maryland.

 

Ignoring the fact that the screenwriter mistakenly uses a Washington, D.C., area code for a Maryland address, can you spot what just happened here?

Turner, because of his training as a telephone lineman, knew what number to dial in order to reach a phone company office called CNA, the Customer Name and Address bureau. CNA is set up for the convenience of installers and other authorized phone company personnel. An installer could call CNA and give them a phone number. The CNA clerk would respond by providing the name of the person the phone belongs to and his address.

 

Fooling the Phone Company

In the real world, the phone number for CNA is a closely guarded secret. Although the phone companies finally caught on and these days are less generous about handing out information so readily, at the time they operated on a variation of speakeasy security that security professionals call security through obscurity. They presumed that anybody who called CNA and knew the proper lingo ("Customer service. CNA on 555-1234, please," for example) was a person authorized to have the information.

 

LINGO

SECURITY THROUGH OBSCURITY An ineffective method of computer security that relies on keeping secret the details of how the system works (protocols, algorithms, and internal systems). Security through obscurity relies on the false assumption that no one outside a trusted group of people will be able to circumvent the system.

 


MITNICK MESSAGE

Security through obscurity does not have any effect in blocking social engineering attacks. Every computer system in the world has at least one human who uses it. So, if the attacker is able to manipulate the people who use the systems, the obscurity of the system is irrelevant.

 

There was no need to verify or identify oneself, no need to give an employee number, no need for a password that was changed daily. If you knew the number to call and you sounded authentic, then you must be entitled to the information.

 

That was not a very solid assumption on the part of the telephone company. Their only effort at security was to change the phone number on a periodic basis, at least once a year. Even so, the current number at any particular moment was very widely known among phone phreaks, who delighted in taking advantage of this convenient source of information and in sharing the how-to-do-it with their fellow phreaks. The CNA Bureau trick was one of the first things I learned when I was into the hobby of phone phreaking as a teenager.

 

Throughout the world of business and government, speakeasy security is still prevalent. It's likely that

about your company's departments, people, and lingo. Sometimes less than that: Sometimes an internal phone number is all it takes.

 



Page last modified: 2020-11-11.
