Using Sympathy, Guilt, and Intimidation 





As discussed in Chapter 15, a social engineer uses the psychology of influence to lead his target to comply with his request. Skilled social engineers are very adept at developing a ruse that stimulates emotions, such as fear, excitement, or guilt. They do this by using psychological triggers--automatic mechanisms that lead people to respond to requests without in-depth analysis of all the available information.

 

We all want to avoid difficult situations for ourselves and others. Based on this positive impulse, the attacker can play on a person's sympathy, make his victim feel guilty, or use intimidation as a weapon.

 

Here are some graduate-school lessons in popular tactics that play on the emotions.

 

A VISIT TO THE STUDIO

Have you ever noticed how some people can walk up to the guard at the door of, say, a hotel ballroom where some meeting, private party, or book-launching function is under way, and just walk past that person without being asked for his ticket or pass?

 

In much the same way, a social engineer can talk his way into places that you would not have thought possible - as the following story about the movie industry makes clear.

 


The Phone Call

"Ron Hillyard's office, this is Dorothy."

"Dorothy, hi. My name is Kyle Bellamy. I've just come on board to work in Animation Development on Brian Glassman's staff. You folks sure do things different over here."

"I guess. I never worked on any other movie lot so I don't really know. What can I do for you?"

"To tell you the truth, I'm feeling sort of stupid. I've got a writer coming over this afternoon for a pitch session and I don't know who I'm supposed to talk to about getting him onto the lot. The people over here in Brian's office are really nice but I hate to keep bothering them, how do I do this, how do I do that. It's like I just started junior high and can't find my way to the bathroom. You know what I mean?"

 

Dorothy laughed.

 

"You want to talk to Security. Dial 7, and then 6138. If you get Lauren, tell her Dorothy said she should take good care of you."

"Thanks, Dorothy. And if I can't find the men's room, I may call you back!"
 

They chuckled together over the idea, and hung up.

 

David Harold's Story

I love the movies and when I moved to Los Angeles, I thought I'd get to meet all kinds of people in the movie business and they'd take me along to parties and have me over to lunch at the studios. Well, I was there for a year, I was turning twenty-six years old, and the closest I got was going on the Universal Studios tour with all the nice people from Phoenix and Cleveland. So finally it got to the point where I figured, if they won't invite me in, I'll invite myself. Which is what I did.

I bought a copy of the Los Angeles Times and read the entertainment column for a couple of days, and wrote down the names of some producers at different studios. I decided I'd try hitting on one of the big studios first. So I called the switchboard and asked for the office of this producer I had read about in the paper. The secretary that answered sounded like the motherly type, so I figured I had gotten lucky; if it was some young girl who was just there hoping she'd be discovered, she probably wouldn't have given me the time of day.


But this Dorothy, she sounded like somebody that would take in a stray kitten, somebody who'd feel sorry for the new kid that was feeling a little overwhelmed on the new job. And I sure got just the right touch with her. It's not every day you try to trick somebody and they give you even more than you asked for. Out of pity, she not only gave me the name of one of the people in Security, but said I should tell the lady that Dorothy wanted her to help me.

 

Of course I had planned to use Dorothy's name anyway. This made it even better. Lauren opened right up and never even bothered to look up the name I gave to see if it was really in the employee database.

 

When I drove up to the gate that afternoon, they not only had my name on the visitor's list, they even had a parking space for me. I had a late lunch at the commissary, and wandered the lot until the end of the day. I even sneaked into a couple of sound stages and watched them shooting movies. Didn't leave till 7 o'clock. It was one of my most exciting days ever.

 

Analyzing the Con

Everybody was a new employee once. We all have memories of what that first day was like, especially when we were young and inexperienced. So when a new employee asks for help, he can expect that many people--especially entry-level people--will remember their own new-kid-on-the-block feelings and go out of their way to lend a hand. The social engineer knows this, and he understands that he can use it to play on the sympathies of his victims.

 

We make it too easy for outsiders to con their way into our company plants and offices. Even with guards at entrances and sign-in procedures for anyone who isn't an employee, any one of several variations on the ruse used in this story will allow an intruder to obtain a visitor's badge and walk right in. And if your company requires that visitors be escorted? That's a good rule, but it's only effective if your employees are truly conscientious about stopping anyone with or without a visitor's badge who is on his own, and questioning him. And then, if the answers aren't satisfactory, your employees have to be willing to contact security.

 

Making it too easy for outsiders to talk their way into your facilities endangers your company's sensitive information. In today's climate, with the threat of terrorist attacks hanging over our society, it's more than just information that could be at risk.

 


"DO IT NOW"

Not everyone who uses social engineering tactics is a polished social engineer. Anybody with an insider's knowledge of a particular company can turn dangerous. The risk is even greater for any company that holds in its files and databases any personal information about its employees, which, of course, most companies do.

 

When workers are not educated or trained to recognize social engineering attacks, determined people like the jilted lady in the following story can do things that most honest people would think impossible.

 

Doug's Story

Things hadn't been going all that well with Linda anyway, and I knew as soon as I met Erin that she was the one for me. Linda is, like, a little bit... well, sort of not exactly unstable but she can sort of go off the deep end when she gets upset.

 

I told her as gentle as I could that she had to move out, and I helped her pack and even let her take a couple of the Queensryche CDs that were really mine. As soon as she was gone I went to the hardware store for a new Medico lock to put on the front door and put it on that same night. The next morning I called the phone company and had them change my phone number, and made it unpublished.

That left me free to pursue Erin.

 

Linda's Story

I was ready to leave, anyway, I just hadn't decided when. But nobody likes to feel rejected. So it was just a question of, what could I do to let him know what a jerk he was?

 

It didn't take long to figure out. There had to be another girl, otherwise he wouldn't of sent me packing in such a hurry. So I'd just wait a bit and then start calling him late in the evening. You know, around the time they would least want to be called.

 

I waited till the next weekend and called around 11 o'clock on Saturday night. Only he had changed his phone number. And the new number was unlisted. That just shows what kind of SOB the guy was.

 

It wasn't that big of a setback. I started rummaging through the papers I had managed to take home just before I left my job at the phone company. And there it was--I had saved a repair ticket from once when there was a problem with the telephone line at Doug's, and the printout listed the cable and pair for his phone. See, you can change your phone number all you want, but you still have the same pair of copper wires running from your house to the telephone company switching office, called the Central Office, or CO. The set of copper wires from every house and apartment is identified by these numbers, called the cable and pair. And if you know how the phone company does things, which I do, knowing the target's cable and pair is all you need to find out the phone number.

I had a list giving all the COs in the city, with their addresses and phone numbers. I looked up the number for the CO in the neighborhood where I used to live with Doug the jerk, and called, but naturally nobody was there. Where's the switchman when you really need him? Took me all of about twenty seconds to come up with a plan. I started calling around to the other COs and finally located a guy. But he was miles away and he was probably sitting there with his feet up. I knew he wouldn't want to do what I needed. I was ready with my plan.

"This is Linda, Repair Center," I said. "We have an emergency. Service for a paramedic unit has gone down. We have a field tech trying to restore service but he can't find the problem. We need you to drive over to the Webster CO immediately and see if we have dial tone leaving the central office."

And then I told him, "I'll call you when you get there," because of course I couldn't have him calling the Repair Center and asking for me.

I knew he wouldn't want to leave the comfort of the central office to bundle up and go scrape ice off his windshield and drive through the slush late at night. But it was an emergency, so he couldn't exactly say he was too busy.

When I reached him forty-five minutes later at the Webster CO, I told him to check cable 29 pair 2481, and he walked over to the frame and checked and said, Yes, there was dial tone. Which of course I already knew.

So then I said, "Okay, I need you to do an LV," which means line verification, which is asking him to identify the phone number. He does this by dialing a special number that reads back the number he called from. He doesn't know anything about if it's an unlisted number or that it's just been changed, so he did what I asked and I heard the number being announced over his lineman's test set. Beautiful. The whole thing had worked like a charm.

 

I told him, "Well, the problem must be out in the field," like I knew the number all along. I thanked him and told him we'd keep working on it, and said good night.


MITNICK MESSAGE

Once a social engineer knows how things work inside the targeted company, it becomes easy to use that knowledge to develop rapport with legitimate employees. Companies need to prepare for social engineering attacks from current or former employees who may have an axe to grind. Background checks may be helpful to weed out prospects who may have a propensity toward this type of behavior. But in most cases, these people will be extremely difficult to detect. The only reasonable safeguard in these cases is to enforce and audit procedures for verifying identity, including the person's employment status, prior to disclosing any information to anyone not personally known to still be with the company.

 

So much for that Doug and trying to hide from me behind an unlisted number. The fun was about to begin.

 

Analyzing the Con

The young lady in this story was able to get the information she wanted to carry out her revenge because she had inside knowledge: the phone numbers, procedures, and lingo of the telephone company. With it she was not only able to find out a new, unlisted phone number, but was able to do it in the middle of a wintry night, sending a telephone switchman chasing across town for her.

 

"MR. BIGG WANTS THIS"

A popular and highly effective form of intimidation--popular in large measure because it's so simple--relies on influencing human behavior by using authority.

 

Just the name of the assistant in the CEO's office can be valuable. Private investigators and even head-hunters do this all the time. They'll call the switchboard operator and say they want to be connected to the CEO's office. When the secretary or executive assistant answers, they'll say they have a document or package for the CEO, or if they send an email attachment, would she print it out? Or else they'll ask, what's the fax number? And by the way, what's your name?

 

Then they call the next person, and say, "Jeannie in Mr. Bigg's office told me to call you so you can help me with something."

 

The technique is called name-dropping, and it's usually used as a method to quickly establish rapport by influencing the target to believe that the attacker is connected with somebody in authority. A target is more likely to do a favor for someone who knows somebody he knows.


If the attacker has his eyes set on highly sensitive information, he may use this kind of approach to stir up useful emotions in the victim, such as fear of getting into trouble with his superiors. Here's an example.

 

Scott's Story

"Scott Abrams."

 

"Scott, this is Christopher Dalbridge. I just got off the phone with Mr. Biggley, and he's more than a little unhappy. He says he sent a note ten days ago that you people were to get copies of all your market penetration research over to us for analysis. We never got a thing."

 

"Market penetration research? Nobody said anything to me about it. What department are you in?"

"We're a consulting firm he hired, and we're already behind schedule."

"Listen, I'm just on my way to a meeting. Let me get your phone number and..."

 

The attacker now sounded just short of truly frustrated: "Is that what you want me to tell Mr. Biggley?! Listen, he expects our analysis by tomorrow morning and we have to work on it tonight. Now, do you want me to tell him we couldn't do it 'cause we couldn't get the report from you, or do you want to tell him that yourself?"

 

An angry CEO can ruin your week. The target is likely to decide that maybe this is something he better take care of before he goes into that meeting. Once again, the social engineer has pressed the right button to get the response he wanted.

 

Analyzing the Con

The ruse of intimidation by referencing authority works especially well if the other person is at a fairly low level in the company. The use of an important person's name not only overcomes normal reluctance or suspicion, but often makes the person eager to please; the natural instinct of wanting to be helpful is multiplied when you think that the person you're helping is important or influential.

 

The social engineer knows, though, that it's best when running this particular deceit to use the name of someone at a higher level than the person's own boss. And this gambit is tricky to use within a small organization: The attacker doesn't want his victim making a chance comment to the VP of marketing. "I sent out the product marketing plan you had that guy call me about," can too easily produce a response of "What marketing plan? What guy?" And that could lead to the discovery that the company has been victimized.

 


MITNICK MESSAGE

Intimidation can create a fear of punishment, influencing people to cooperate. Intimidation can also raise the fear of embarrassment or of being disqualified from that new promotion.

People must be trained that it's not only acceptable but expected to challenge authority when security is at stake. Information security training should include teaching people how to challenge authority in customer-friendly ways, without damaging relationships. Moreover, this expectation must be supported from the top down. If an employee is not going to be backed up for challenging people regardless of their status, the normal reaction is to stop challenging--just the opposite of what you want.

WHAT THE SOCIAL SECURITY ADMINISTRATION KNOWS ABOUT YOU
We like to think that government agencies with files on us keep the information safely locked away from people without an authentic need to know. The reality is that even the federal government isn't as immune to penetration as we would like to imagine.

 

May Linn’s Phone Call

Place: A regional office of the Social Security Administration

Time: 10:18 A.M., Thursday morning

 

"Mod Three. This is May Linn Wang."

 

The voice on the other end of the phone sounded apologetic, almost timid.

 

"Ms. Wang, this is Arthur Arondale, in the Office of the Inspector General. Can I call you 'May'?"

"It's 'May Linn'," she said.

"Well, it's like this, May Linn. We've got a new guy in here who there's no computer for yet, and right now he's got a priority project and he's using mine. We're the government of the United States, for cryin' out loud, and they say they don't have enough money in the budget to buy a computer for this guy to use. And now my boss thinks I'm falling behind and doesn't want to hear any excuses, you know?"

 


"I know what you mean, all right."

"Can you help me with a quick inquiry on MCS?" he asked, using the name of the computer system for looking up taxpayer information.

"Sure, what'cha need?"

"The first thing I need you to do is an alphadent on Joseph Johnson, DOB 7/4/69." (Alphadent means to have the computer search for an account alphabetically by taxpayer name, further identified by date of birth.)

 

After a brief pause, she asked:

 

"What do you need to know?"

"What's his account number?" he said, using the insider's shorthand for the social security number. She read it off.

"Okay, I need you to do a numident on that account number," the caller said.

 

That was a request for her to read off the basic taxpayer data, and May Linn responded by giving the taxpayer's place of birth, mother's maiden name, and father's name. The caller listened patiently while she also gave him the month and year the card was issued, and the district office it was issued by.

He next asked for a DEQY. (Pronounced "DECK-wee," it's short for "detailed earnings query.")

 

The DEQY request brought the response, "For what year?"
The caller replied, "Year 2001."
May Linn said, "The amount was $190,286, the payer was Johnson MicroTech."
"Any other wages?"
"No."
"Thanks," he said. "You've been very kind."
Then he tried to arrange to call her whenever he needed information and couldn't get to his computer, again using the favorite trick of social engineers of always trying to establish a connection so that he can keep going back to the same person, avoiding the nuisance of having to find a new mark each time.

 

"Not next week," she told him, because she was going to Kentucky for her sister's wedding. Any other time, she'd do whatever she could.

 

When she put the phone down, May Linn felt good that she had been able to offer a little help to a fellow unappreciated public servant.


Keith Carter's Story

To judge from the movies and from best-selling crime novels, a private investigator is short on ethics and long on knowledge of how to get the juicy facts on people. They do this by using thoroughly illegal methods, while just barely managing to avoid getting arrested. The truth, of course, is that most PIs run entirely legitimate businesses. Since many of them started their working lives as sworn law enforcement officers, they know perfectly well what's legal and what isn't, and most are not tempted to cross the line.

 

There are, however, exceptions. Some PIs--more than a few--do indeed fit the mold of the guys in the crime stories. These guys are known in the trade as information brokers, a polite term for people who are willing to break the rules. They know they can get any assignment done a good deal faster and a good deal easier if they take some shortcuts. That these shortcuts happen to be potential felonies that might land them behind bars for a few years doesn't seem to deter the more unscrupulous ones.

 

Meanwhile the upscale PIs--the ones who work out of a fancy office suite in a high-rent part of town--don't do this kind of work themselves. They simply hire some information broker to do it for them.

 

The guy we'll call Keith Carter was the kind of private eye unencumbered by ethics.

 

It was a typical case of "Where's he hiding the money?" Or sometimes it's "Where's she hiding the money?" Sometimes it was a rich lady who wanted to know where her husband had hidden her money (though why a woman with money ever marries a guy without was a riddle Keith Carter wondered about now and then but had never found a good answer for).

 

In this case the husband, whose name was Joe Johnson, was the one keeping the money on ice. He was a very smart guy who had started a high-tech company with ten thousand dollars he borrowed from his wife's family and built into a hundred-million dollar firm. According to her divorce lawyer, he had done an impressive job of hiding his assets, and the lawyer wanted a complete rundown.

 

Keith figured his starting point would be the Social Security Administration, targeting their files on Johnson, which would be packed with highly useful information for a situation like this. Armed with their info, Keith could pretend to be the target and get the banks, brokerage firms, and offshore institutions to tell him everything.

 

His first phone call was to a local district office, using the same 800 number that any member of the public uses, the number listed in the local phone book. When a clerk came on the line, Keith asked to be connected to someone in Claims. Another wait, and then a voice. Now Keith shifted gears; "Hi," he began. "This is Gregory Adams, District Office 329. Listen, I'm trying to reach a claims adjuster that handles an account number that ends in 6363, and the number I have goes to a fax machine."

 

"That's Mod 2," the man said. He looked up the number and gave it to Keith.

 

Next he called Mod 2. When May Linn answered, he switched hats and went through the routine about being from the Office of the Inspector General, and the problem about somebody else having to use his computer. She gave him the information he was looking for, and agreed to do whatever she could when he needed help in the future.

 

Analyzing the Con

What made this approach effective was the play on the employee's sympathy with the story about someone else using his computer and "my boss is not happy with me." People don't show their emotions at work very often; when they do, it can roll right over someone else's ordinary defenses against social engineering attacks. The emotional ploy of "I'm in trouble, won't you help me?" was all it took to win the day.

 

Social Insecurity

Incredibly, the Social Security Administration has posted a copy of their entire Program Operations Manual on the Web, crammed with information that's useful for their people, but also incredibly valuable to social engineers. It contains abbreviations, lingo, and instructions for how to request what you want, as described in this story.

 

Want to learn more inside information about the Social Security Administration? Just search on Google or enter the following address into your browser: http://policy.ssa.gov/poms.nsf/. Unless the agency has already read this story and removed the manual by the time you read this, you'll find on-line instructions that even give detailed information on what data an SSA clerk is allowed to give to the law enforcement community. In practical terms, that community includes any social engineer who can convince an SSA clerk that he is from a law enforcement organization.


The attacker could not have been successful in obtaining this information from one of the clerks who handles phone calls from the general public. The kind of attack Keith used only works when the person on the receiving end of the call is someone whose phone number is unavailable to the public, and who therefore has the expectation that anyone calling must be somebody on the inside--another example of speakeasy security. The elements that helped this attack to work included:

 

Knowing the phone number to the Mod.

 

Knowing the terminology they used--numident, alphadent, and DEQY.

 

Pretending to be from the Office of the Inspector General, which every federal government employee knows as a government-wide investigative agency with broad powers. This gives the attacker an aura of authority.

 

One interesting sidelight: Social engineers seem to know how to make requests so that hardly anyone ever thinks, "Why are you calling me?"--even when, logically, it would have made more sense if the call had gone to some other person in some completely different department. Perhaps it simply offers such a break in the monotony of the daily grind to help the caller that the victim discounts how unusual the call seems.
   

Finally, the attacker in this incident, not satisfied with getting the information just for the case at hand, wanted to establish a contact he could call on regularly. He might otherwise have been able to use a common ploy for the sympathy attack--"I spilled coffee on my keyboard." That was no good here, though, because a keyboard can be replaced in a day. Hence he used the story about somebody else using his computer, which he could reasonably string out for weeks: "Yep, I thought he'd have his own computer yesterday, but one came in and another guy pulled some kind of deal and got it instead. So this joker is still showing up in my cubicle." And so on.
   

Poor me, I need help. Works like a charm.

 

ONE SIMPLE CALL

One of an attacker's main hurdles is to make his request sound reasonable--something typical of requests that come up in the victim's workday, something that doesn't put the victim out too much. As with a lot of other things in life, making a request sound logical may be a challenge one day, but the next, it may be a piece of cake.

 


Mary H's Phone Call

Date/Time: Monday, November 23, 7:49 A.M.

Place: Mauersby & Storch Accounting, New York

 

To most people, accounting work is number crunching and bean counting, generally viewed as being about as enjoyable as having a root canal. Fortunately, not everyone sees the work that way. Mary Harris, for example, found her work as a senior accountant absorbing, part of the reason she was one of the most dedicated accounting employees at her firm.

 

On this particular Monday, Mary arrived early to get a head start on what she expected to be a long day, and was surprised to find her phone ringing. She picked it up and gave her name.

 

"Hi, this is Peter Sheppard. I'm with Arbuckle Support, the company that does tech support for your firm. We logged a couple of complaints over the weekend from people having problems with the computers there. I thought I could troubleshoot before everybody comes into work this morning. Are you having any problems with your computer or connecting to the network?"

 

She told him she didn't know yet. She turned her computer on and while it was booting, he explained what he wanted to do.

 

"I'd like to run a couple of tests with you," he said. "I'm able to see on my screen the keystrokes you type, and I want to make sure they're going across the network correctly. So every time you type a stroke, I want you to tell me what it is, and I'll see if the same letter or number is appearing here. Okay?"

 

With nightmare visions of her computer not working and a frustrating day of not being able to get any work done, she was more than happy to have this man help her. After a few moments, she told him, "I have the login screen, and I'm going to type in my ID. I'm typing it now--M...A...R...Y...D."

 

"Great so far," he said. "I'm seeing that here. Now, go ahead and type your password but don't tell me what it is. You should never tell anybody your password, not even tech support. I'll just see asterisks here--your password is protected so I can't see it." None of this was true, but it made sense to Mary. And then he said, "Let me know once your computer has started up."

 

When she said it was running, he had her open two of her applications, and she reported that they launched "just fine."


Mary was relieved to see that everything seemed to be working normally. Peter said, "I'm glad I could make sure you'll be able to use your computer okay. And listen," he went on, "we just installed an update that allows people to change their passwords. Would you be willing to take a couple of minutes with me so I can see if we got it working right?"

 

She was grateful for the help he had given her and readily agreed. Peter talked her through the steps of launching the application that allows a user to change passwords, a standard element of the Windows 2000 operating system. "Go ahead and enter your password," he told her. "But remember not to say it out loud."

 

When she had done that, Peter said, "Just for this quick test, when it asks for your new password, enter 'test123.' Then type it again in the Verification box, and click Enter."

 

He walked her through the process of disconnecting from the server. He had her wait a couple of minutes, then connect again, this time trying to log on with her new password. It worked like a charm, Peter seemed very pleased, and talked her through changing back to her original password or choosing a new one--once more cautioning her about not saying the password out loud.

 

"Well, Mary," Peter told her. "We didn't find any trouble, and that's great. Listen, if any problems do come up, just call us over here at Arbuckle. I'm usually on special projects but anybody here who answers can help you." She thanked him and they said goodbye.

 

Peter's Story

The word had gotten around about Peter--a number of the people in his community who had gone to school with him had heard he turned into some kind of a computer whiz who could often find out useful information that other people couldn't get. When Alice Conrad came to him to ask a favor, he said no at first. Why should he help? When he ran into her once and tried to ask for a date, she had turned him down cold.

 

But his refusal to help didn't seem to surprise her. She said she didn't think it was something he could do anyway. That was like a challenge, because of course he was sure he could. And that was how he came to agree.

 

Alice had been offered a contract for some consulting work for a marketing company, but the contract terms didn't seem very good. Before she went back to ask for a better deal, she wanted to know what terms other consultants had on their contracts.

 


This is how Peter tells the story.

 

I wouldn't tell Alice but I got off on people wanting me to do something they didn't think I could, when I knew it would be easy. Well, not easy, exactly, not this time. It would take a bit of doing. But that was okay.

 

I could show her what smart was really all about.

 

A little after 7:30 Monday morning, I called the marketing company's offices and got the receptionist, said that I was with the company that handled their pension plans and I needed to talk to somebody in Accounting. Had she noticed if any of the Accounting people had come in yet? She said, "I think I saw Mary come in a few minutes ago, I'll try her for you."

 

When Mary picked up the phone, I told her my little story about computer problems, which was designed to give her the jitters so she'd be glad to cooperate. As soon as I had talked her through changing her password, I then quickly logged onto the system with the same temporary password I had asked her to use, test123.

 

Here's where the mastery comes in--I installed a small program that allowed me to access the company's computer system whenever I wanted, using a secret password of my own. After I hung up with Mary, my first step was to erase the audit trail so no one would even know I had been on his or her system. It was easy. After elevating my system privileges, I was able to download a free program called clearlogs that I found on a security-related Web site at www.ntsecurity.nu.

 

Time for the real job. I ran a search for any documents with the word "contract" in the filename, and downloaded the files. Then I searched some more and came on the mother lode--the directory containing all the consultant payment reports. So I put together all the contract files and a list of payments.

 

Alice could pore through the contracts and see how much they were paying other consultants. Let her do the donkeywork of poring through all those files. I had done what she asked me to.

 

From the disks I put the data onto, I printed out some of the files so I could show her the evidence. I made her meet me and buy dinner. You should have seen her face when she thumbed through the stack of papers. "No way," she said. "No way."

 

I didn't bring the disks with me. They were the bait. I said she'd have to come over to get them, hoping maybe she'd want to show her gratitude for the favor I just did her.

 


MITNICK MESSAGE

It's amazing how easy it is for a social engineer to get people to do things based on how he structures the request. The premise is to trigger an automatic response based on psychological principles, and rely on the mental shortcuts people take when they perceive the caller as an ally.

 

Analyzing the Con

Peter's phone call to the marketing company represented the most basic form of social engineering--a simple attempt that needed little preparation, worked on the first attempt, and took only a few minutes to bring off.

 

Even better, Mary, the victim, had no reason to think that any sort of trick or ruse had been played on her, no reason to file a report or raise a ruckus.

 

The scheme worked through Peter's use of three social engineering tactics. First he got Mary's initial cooperation by generating fear--making her think that her computer might not be usable. Then he took the time to have her open two of her applications so she could be sure they were working okay, strengthening the rapport between the two of them, a sense of being allies. Finally, he got her further cooperation for the essential part of his task by playing on her gratitude for the help he had provided in making sure her computer was okay.

 

By telling her she shouldn't ever reveal her password, should not reveal it even to him, Peter did a thorough but subtle job of convincing her that he was concerned about the security of her company's files. This boosted her confidence that he must be legitimate because he was protecting her and the company.

 

THE POLICE RAID

Picture this scene: The government has been trying to lay a trap for a man named Arturo Sanchez, who has been distributing movies free over the Internet. The Hollywood studios say he's violating their copyrights, he says he's just trying to nudge them to recognize an inevitable market so they'll start doing something about making new movies available for download. He points out (correctly) that this could be a huge source of revenue for the studios that they seem to be completely ignoring.

 


Search Warrant, Please

Coming home late one night, he checks the windows of his apartment from across the street and notices the lights are off, even though he always leaves one on when he goes out.

 

He pounds and bangs on a neighbor's door until he wakes the man up, and learns that there was indeed a police raid in the building. But they made the neighbors stay downstairs, and he still isn't sure what apartment they went into. He only knows they left carrying some heavy things, only they were wrapped up and he couldn't tell what they were. And they didn't take anybody away in handcuffs.

 

Arturo checks his apartment. The bad news is that there's a paper from

the police requiring that he call immediately and set up an appointment for an interview within three days. The worse news is that his computers are missing.

 

Arturo vanishes into the night, going to stay with a friend. But the uncertainty gnaws at him. How much do the police know? Have they caught up with him at last, but left him a chance to flee? Or is this about something else entirely, something he can clear up without having to leave town?

 

Before you read on, stop and think for a moment: Can you imagine any way you could find out what the police know about you? Assuming you don't have any political contacts or friends in the police department or the prosecutor's office, do you imagine there's any way that you, as an ordinary citizen, could get this information? Or that even someone with social engineering skills could?

 

Scamming the Police

Arturo satisfied his need to know like this: To start with, he got the phone number for a nearby copy store, called them, and asked for their fax number.

 

Then he called the district attorney's office, and asked for Records. When he was connected with the records office, he introduced himself as an investigator with Lake County, and said he needed to speak with the clerk who files the active search warrants.

 

"I do," the lady said. "Oh, great," he answered. "Because we raided a suspect last night and I'm trying to locate the affidavit."

 

"We file them by address," she told him.

 

He gave his address, and she sounded almost excited. "Oh, yeah," she bubbled, "I know about that one. 'The Copyright Caper.'"


"That's the one," he said. "I'm looking for the affidavit and copy of the warrant."

 

"Oh, I have it right here."

 

"Great," he said. "Listen, I'm out in the field and I have a meeting with the Secret Service on this case in fifteen minutes. I've been so absentminded lately, I left the file at home, and I'll never make it there and back in time. Could I get copies from you?"

 

"Sure, no problem. I'll make copies; you can come right over and pick them up."

 

"Great," he said. "That's great. But listen, I'm on the other side of town. Is it possible you could fax them to me?"

 

That created a small problem, but not insurmountable. "We don't have a fax up here in Records," she said. "But they have one downstairs in the Clerk's office they might let me use."

 

He said, "Let me call the Clerk's office and set it up."

 

The lady in the Clerk's office said she'd be glad to take care of it but wanted to know "Who's going to pay for it?" She needed an accounting code.

   

"I'll get the code and call you back," he told her.

He then called the DA's office, again identified himself as a police officer and simply asked the receptionist, "What's the accounting code for the DA's office?" Without hesitation, she told him.
   

Calling back to the Clerk's office to provide the accounting number gave him the excuse for manipulating the lady a little further: He talked her into walking upstairs to get the copies of the papers to be faxed.

 

NOTE

How does a social engineer know the details of so many operations--police departments, prosecutors' offices, phone company practices, the organization of specific companies that are in fields useful in his attacks, such as telecommunications and computers? Because it's his business to find out. This knowledge is a social engineer's stock in trade because information can aid him in his efforts to deceive.

 

 

Covering His Tracks

Arturo still had another couple of steps to take. There was always a possibility that someone would smell something fishy, and he might arrive at the copy store to find a couple of detectives, casually dressed and trying to look busy until somebody showed up asking for that particular fax. He waited a while, and then called the Clerk's office back to verify that the lady had sent the fax. Fine so far.

 

He called another copy store in the same chain across town and used the ruse about how he was "pleased with your handling of a job and want to write the manager a letter of congratulations, what's her name?" With that essential piece of information, he called the first copy store again and said he wanted to talk to the manager. When the man picked up the phone, Arturo said, "Hi, this is Edward at store 628 in Hartfield. My manager, Anna, told me to call you. We've got a customer who's all upset--somebody gave him the fax number of the wrong store. He's here waiting for an important fax, only the number he was given is for your store." The manager promised to have one of his people locate the fax and send it on to the Hartfield store immediately.

 

Arturo was already waiting at the second store when the fax arrived there. Once he had it in hand, he called back to the Clerk's office to tell the lady thanks, and "It's not necessary to bring those copies back upstairs, you can just throw them away now." Then he called the manager at the first store and told him, too, to throw away their copy of the fax. This way there wouldn't be any record of what had taken place, just in case somebody later came around asking questions. Social engineers know you can never be too careful.

 

Arranged this way, Arturo didn't even have to pay charges at the first copy store for receiving the fax and for sending it out again to the second store. And if it turned out that the police did show up at the first store, Arturo would already have his fax and be long gone by the time they could arrange to get people to the second location.

 

The end of the story: The affidavit and warrant showed that the police had well-documented evidence of Arturo's movie-copying activities. That was what he needed to know. By midnight, he had crossed the state line. Arturo was on the way to a new life, somewhere else with a new identity, ready to get started again on his campaign.

 

Analyzing the Con

The people who work in any district attorney's office, anywhere, are in constant contact with law enforcement officers--answering questions, making arrangements, taking messages. Anybody gutsy enough to call and claim to be a police officer, sheriff's deputy, or whatever will likely be taken at his word. Unless it's obvious that he doesn't know the terminology, or if he's nervous and stumbles over his words, or in some other way doesn't sound authentic, he may not even be asked a single question to verify his claim. That's exactly what happened here, with two different workers.

 

MITNICK MESSAGE

The truth of the matter is that no one is immune to being duped by a good social engineer. Because of the pace of normal life, we don't always take the time for thoughtful decisions, even on matters that are important to us. Complicated situations, lack of time, emotional state, or mental fatigue can easily distract us. So we take a mental shortcut, making our decisions without analyzing the information carefully and completely, a mental process known as automatic responding. This is even true for federal, state, and local law enforcement officials. We're all human.

 

Obtaining a needed charge code was handled with a single phone call. Then Arturo played the sympathy card with the story about "a meeting with the Secret Service in fifteen minutes, I've been absent-minded and left the file at home." She naturally felt sorry for him, and went out of her way to help.

 

Then by using not one but two copy stores, Arturo made himself extra safe when he went to pick up the fax. A variation on this that makes the fax even more difficult to trace: Instead of having the document sent to another copy store, the attacker can give what appears to be a fax number, but is really an address at a free Internet service that will receive a fax for you and automatically forward it to your email address. That way it can be downloaded directly to the attacker's computer, and he never has to show his face anyplace where someone might later be able to identify him. And the email address and electronic fax number can be abandoned as soon as the mission has been accomplished.

 

TURNING THE TABLES

A young man I'll call Michael Parker was one of those people who figured out a bit late that the better-paying jobs mostly go to people with college degrees. He had a chance to attend a local college on a partial scholarship plus education loans, but it meant working nights and weekends to pay his rent, food, gas, and car insurance. Michael, who always liked to find shortcuts, thought maybe there was another way, one that paid off faster and with less effort. Because he had been learning about computers from the time he got to play with one at age ten and became fascinated with finding out how they worked, he decided to see if he could "create" his own accelerated bachelor's degree in computer science.

 


Graduating--Without Honors

He could have broken into the computer systems of the state university, found the record of someone who had graduated with a nice B+ or A-average, copied the record, put his own name on it, and added it to the records of that year's graduating class. Thinking this through, feeling somehow uneasy about the idea, he realized there must be other records of a student having been on campus--tuition payment records, the housing office, and who knows what else. Creating just the record of courses and grades would leave too many loopholes.

 

Plotting further, feeling his way, it came to him that he could reach his goal by seeing if the school had a graduate with the same name as his, who had earned a computer science degree any time during an appropriate span of years. If so, he could just put down the other Michael Parker's social security number on employment application forms; any company that checked the name and social security number with the university would be told that, yes, he did have the claimed degree. (It wouldn't be obvious to most people but was obvious to him that he could put one social security number on the job application and then, if hired, put his own real number on the new-employee forms. Most companies would never think to check whether a new hire had used a different number earlier in the hiring process.)

 

Logging In to Trouble

How to find a Michael Parker in the university's records? He went about it like this:

 

Going to the main library on the university campus, he sat down at a computer terminal, got up on the Internet, and accessed the university's Web site. He then called the Registrar's office. With the person who answered, he went through one of the by-now-familiar social engineering routines: "I'm calling from the Computer Center, we're making some changes to the network configuration and we want to make sure we don't disrupt your access. Which server do you connect to?"

 

"What do you mean, server?" he was asked.

 

"What computer do you connect to when you need to look up student academic information?"

 

The answer, admin.rnu.edu, gave him the name of the computer where student records were stored. This was the first piece of the puzzle: He now knew his target machine.

 


LINGO

DUMB TERMINAL A terminal that doesn’t contain its own microprocessor. Dumb terminals can only accept simple commands and display text characters and numbers.

He typed that URL into the computer and got no response--as expected, there was a firewall blocking access. So he ran a program to see if he could connect to any of the services running on that computer, and found an open port with a Telnet service running, which allows one computer to connect remotely to another computer and access it as if directly connected using a dumb terminal. All he would need to gain access would be the standard user ID and password.

 

He made another call to the registrar's office, this time listening carefully to make sure he was talking to a different person. He got a lady, and again he claimed to be from the university's Computer Center. They were installing a new production system for administrative records, he told her. As a favor, he'd like her to connect to the new system, still in test mode, to see if she could access student academic records okay. He gave her the IP address to connect to, and talked her through the process.

 

In fact, the IP address took her to the computer Michael was sitting at in the campus library. Using the same process described in Chapter 8, he had created a login simulator--a decoy sign-in screen--looking just like the one she was accustomed to seeing when going onto the system for student records. "It's not working," she told him. "It keeps saying 'Login incorrect.'"

 

By now the login simulator had fed the keystrokes of her account name and password to Michael's terminal; mission accomplished. He told her, "Oh, some of the accounts haven't been brought over yet to this machine. Let me set up your account, and I'll call you back." Careful about tying up loose ends, as any proficient social engineer needs to be, he would make a point of phoning later to say that the test system wasn't working right yet, and if it was okay with her, they'd call back to her or one of the other folks there when they had figured out what was causing the problem.

 

The Helpful Registrar

Now Michael knew what computer system he needed to access, and he had a user's ID and password. But what commands would he need in order to search the files for information on a computer science graduate with the right name and graduation date? The student database would be a proprietary one, created on campus to meet the specific requirements of the university and the Registrar's office, and would have a unique way of accessing information in the database.

 

First step in clearing this last hurdle: Find out who could guide him through the mysteries of searching the student database. He called the Registrar's office again, this time reaching a different person. He was from the office of the Dean of Engineering, he told the lady, and he asked, "Who are we supposed to call for help when we're having problems accessing the student academic records?"

 

Minutes later he was on the phone with the college's database administrator, pulling the sympathy act: "I'm Mark Sellers, in the registrar's office. You feel like taking pity on a new guy? Sorry to be calling you but they're all in a meeting this afternoon and there's no one around to help me. I need to retrieve a list of all graduates with a computer science degree, between 1990 and 2000. They need it by the end of the day and if I don't have it, I may not have this job for long. You willing to help out a guy in trouble?" Helping people out was part of what this database administrator did, so he was extra patient as he talked Michael step by step through the process.

 

By the time they hung up, Michael had downloaded the entire list of computer science graduates for those years. Within a few minutes he had run a search, located two Michael Parkers, chosen one of them, and obtained the guy's social security number as well as other pertinent information stored in the database.

 

He had just become "Michael Parker, B.S. in Computer Science, graduated with honors, 1998." In this case, the "B.S." was uniquely appropriate.

 

Analyzing the Con

This attack used one ruse I haven't talked about before: The attacker asking the organization's database administrator to walk him through the steps of carrying out a computer process he didn't know how to do. A powerful and effective turning of the tables, this is the equivalent of asking the owner of a store to help you carry a box containing items you've just stolen from his shelves out to your car.

 


MITNICK MESSAGE

Computer users are sometimes clueless about the threats and vulnerabilities associated with social engineering that exist in our world of technology. They have access to information, yet lack the detailed knowledge of what might prove to be a security threat. A social engineer will target an employee who has little understanding of how valuable the information being sought is, so the target is more likely to grant the stranger's request.

 

PREVENTING THE CON

Sympathy, guilt, and intimidation are three very popular psychological triggers used by the social engineer, and these stories have demonstrated the tactics in action. But what can you and your company do to avoid these types of attacks?

 

Protecting Data

Some stories in this chapter emphasize the danger of sending a file to someone you don't know, even when that person is (or appears to be) an employee, and the file is being sent internally, to an email address or fax machine within the company.

 

Company security policy needs to be very specific about the safeguards for surrendering valued data to anyone not personally known to the sender. Exacting procedures need to be established for transferring files with sensitive information. When the request is from someone not personally known, there must be clear steps to take for verification, with different levels of authentication depending on the sensitivity of the information.

 

Here are some techniques to consider:

 

Establish the need to know (which may require obtaining authorization from the designated information owner).

 

Keep a personal or departmental log of these transactions.

 

Maintain a list of people who have been specially trained in the procedures and who are trusted to authorize sending out sensitive information. Require that only these people be allowed to send information to anyone outside the workgroup.

 

If a request for the data is made in writing (email, fax, or mail) take additional security steps to verify that the request actually came from the person it appears to have come from.

 


About Passwords

All employees who are able to access any sensitive information--and today that means virtually every worker who uses a computer--need to understand that simple acts like changing your password, even for a few moments, can lead to a major security breach.

 

Security training needs to cover the topic of passwords, and that has to focus in part on when and how to change your password, what constitutes an acceptable password, and the hazards of letting anyone else become involved in the process. The training especially needs to convey to all employees that they should be suspicious of any request that involves their passwords.

 

On the surface this appears to be a simple message to get across to employees. It's not, because to appreciate this idea requires that employees grasp how a simple act like changing a password can lead to a security compromise. You can tell a child "Look both ways before crossing the street," but until the child understands why that's important, you're relying on blind obedience. And rules requiring blind obedience are typically ignored or forgotten.
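The breach this section warns about (a password changed at a caller's request, used minutes later from somewhere the account never logs in from, and the audit trail wiped, as in Peter's story) leaves a sequence that can be caught after the fact. The following Python is an added example, not from the book; the log line format, the sample lines and the baseline of known source addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log; the line format is an assumption for this example,
# not the output of any real product. The sequence mirrors the chapter:
# a password change, a login from an address the account never used,
# privilege escalation and an audit-log clear a few minutes later.
SAMPLE_LOG = """\
2003-03-10 07:36:02 PASSWORD_CHANGED user=mary via=console
2003-03-10 07:36:40 LOGIN_OK user=mary src=10.1.4.22
2003-03-10 07:37:05 LOGIN_OK user=mary src=198.51.100.17
2003-03-10 07:39:50 PRIV_ESCALATION user=mary
2003-03-10 07:41:12 AUDIT_LOG_CLEARED user=mary
2003-03-10 08:02:00 PASSWORD_CHANGED user=tom via=console
2003-03-10 08:02:30 LOGIN_OK user=tom src=10.1.4.31
"""

# Constructed baseline: the addresses each account normally logs in from.
KNOWN_SOURCES = {"mary": {"10.1.4.22"}, "tom": {"10.1.4.31"}}

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+)(.*)$")


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


@dataclass
class Alert:
    user: str
    changed_at: datetime
    src: str
    severity: str


def parse_log(text):
    """Turn the constructed log text into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append(Event(ts, m.group(2), fields))
    events.sort(key=lambda e: e.ts)
    return events


def detect_reset_then_foreign_login(text, known_sources,
                                    window=timedelta(minutes=30)):
    """Flag a password change followed, within `window`, by a login on the
    same account from a source outside its baseline. If that account also
    clears the audit log inside the window, raise the severity to high."""
    events = parse_log(text)
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "PASSWORD_CHANGED":
            continue
        user = ev.fields["user"]
        deadline = ev.ts + window
        foreign_login = None
        log_cleared = False
        for later in events[i + 1:]:
            if later.ts > deadline:
                break
            if later.fields.get("user") != user:
                continue
            if (later.kind == "LOGIN_OK"
                    and later.fields.get("src") not in known_sources.get(user, set())):
                foreign_login = foreign_login or later  # keep the first one
            elif later.kind == "AUDIT_LOG_CLEARED":
                log_cleared = True
        if foreign_login is not None:
            alerts.append(Alert(user, ev.ts, foreign_login.fields["src"],
                                "high" if log_cleared else "medium"))
    return alerts


if __name__ == "__main__":
    for a in detect_reset_then_foreign_login(SAMPLE_LOG, KNOWN_SOURCES):
        print(f"{a.severity.upper()}: {a.user} changed password at "
              f"{a.changed_at:%H:%M}, then logged in from {a.src}")
```

Tom's routine change from his usual address produces no alert; Mary's sequence does, and the audit-log clear inside the window is what lifts it to high.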

 

NOTE

Passwords are such a central focus of social engineering attacks that we devote a separate section to the topic in Chapter 16, where you will find specific recommended policies on managing passwords.

 

A Central Reporting Point
Your security policy should provide a person or group designated as a central point for reporting suspicious activities that appear to be attempts to infiltrate your organization. All employees need to know who to call any time they suspect an attempt at electronic or physical intrusion. The phone number of the place to make these reports should always be close at hand so employees don't have to dig for it if they become suspicious that an attack is taking place.

 

Protect Your Network

Employees need to understand that the name of a computer server or network is not trivial information, but rather it can give an attacker essential knowledge that helps him gain trust or find the location of the information he desires.


In particular, people such as database administrators who work with software belong to that category of those with technology expertise, and they need to operate under special and very restrictive rules about verifying the identity of people who call them for information or advice.

 

People who regularly provide any kind of computer help need to be well trained in what kinds of requests should be red flags, suggesting that the caller may be attempting a social engineering attack.

 

It's worth noting, though, that from the perspective of the database administrator in the last story in this chapter, the caller met the criteria for being legitimate: He was calling from on campus, and he was obviously on a site that required an account name and password. This just makes clear once again the importance of having standardized procedures for verifying the identity of anybody requesting information, especially in a case like this where the caller was asking for help in obtaining access to confidential records.

 

All of this advice goes double for colleges and universities. It's not news that computer hacking is a favorite pastime for many college students, and it should also be no surprise that student records--and sometimes faculty records, as well--are a tempting target. This abuse is so rampant that some corporations actually consider campuses a hostile environment, and create firewall rules that block access from educational institutions with addresses that end in .edu.

 


