The Art of Deception Part 16

In time I discovered that all three of my co-workers in the IT group amused themselves by looking up the take-home pay of this or that cute secretary or (for the one girl in the group) neat-looking guy they had spotted. And they were all finding out the salary and bonuses of anybody at the company they were curious about, including senior management.

a.n.a.lyzing the Con This story ill.u.s.trates an interesting problem. The payroll files were accessible to the people who had the responsibility of maintaining the company's computer systems. So it all comes down to a personnel issue: deciding who can be trusted.

In some cases, IT staff might find it irresistible to snoop around. And they have the ability to do so because they have privileges allowing them to bypa.s.s access controls on those files.

One safeguard would be to audit any access to particularly sensitive files, such as payroll. Of course, anyone with the requisite privileges could disable auditing or possibly remove any entries that would point back to them, but each additional step takes more effort to hide on the part of an unscrupulous employee.

PREVENTING THE CON.

From pawing through your trash to duping a security guard or receptionist, social engineers can physically invade your corporate s.p.a.ce. But you'll be glad to hear that there are preventive measures you can take.

Protection After Hours All employees who arrive for work without their badges should be required to stop at the lobby desk or security office to obtain a temporary badge for the day.

The incident in the first story of this chapter could have come to a much different conclusion if the company security guards had had a specific set of steps to follow when encountering anyone without the required employee badge.

For companies or areas within a company where security is not a high-level concern, it may not be important to insist that every person have a badge visible at all times. But in companies with sensitive areas, this should be a standard requirement, rigidly enforced. Employees must be trained and motivated to challenge people who do not display a badge, and higher-level employees must be taught to accept such challenges without causing embarra.s.sment to the person who stops them.

Company policy should advise employees of the penalties for those who consistently fail to wear their badges; penalties might include sending the employee home for the day without pay, or a notation in his personnel file. Some companies inst.i.tute a series of progressively more stringent penalties that may include reporting the problem to the person's manager, then issuing a formal warning.

In addition, where there is sensitive information to protect, the company should establish procedures for authorizing people who need to visit during non-business hours. One solution: require that arrangements be made through corporate security or some other designated group. This group would routinely verify the ident.i.ty of any employee calling to arrange an off-hours visit by a call back to the person's supervisor or some other reasonably secure method.

Treating Trash with Respect The Dumpster-diving story dug into the potential misuses of your corporate trash.

The eight keys to wisdom regarding trash: Cla.s.sify all sensitive information based on the degree of sensitivity.

Establish company-wide procedures for discarding sensitive information.

Insist that all sensitive information to be discarded first be shredded, and provide for a safe way for getting rid of important information on sc.r.a.ps of paper too small for shredding. Shredders must not be the low-end budget type, which turn out strips of paper that a determined attacker, given enough patience, can rea.s.semble. Instead, they need to be the kind called cross-shredders, or those that render the output into useless pulp.

Provide a way for rendering unusable or completely erasing computer media-- floppy disks, Zip disks, CDs and DVDs used for storing files, removable tapes, old hard drives, and other computer media--before they are discarded. Remember that deleting files does not actually remove them; they can still be recovered--as Enron executives and many others have learned to their dismay. Merely dropping computer media in the trash is an invitation to your local friendly Dumpster diver. (See Chapter 16 for specific guidelines on disposal of media and devices.) Maintain an appropriate level of control over the selection of people on your cleaning crews, using background checks if appropriate.

Remind employees periodically to think about the nature of the materials they are tossing into the trash.

Lock trash Dumpsters.

Use separate disposal containers for sensitive materials, and contract to have the materials disposed of by a bonded company that specializes in this work.

Saying Good-Bye to Employees The point has been made earlier in these pages about the need for ironclad procedures when a departing employee has had access to sensitive information, pa.s.swords, dial-in numbers, and the like. Your security procedures need to provide a way to keep track of who has authorization to various systems. It may be tough to keep a determined social engineer from slipping past your security barriers, but don't make it easy for an ex-employee.

Another step easily overlooked: When an employee who was authorized to retrieve backup tapes from storage leaves, a written policy must call for the storage company to be immediately notified to remove her name from its authorization list.

Chapter 16 of this book provides .detailed information on this vital subject, but it will be helpful to list here some of the key security provisions that should be in place, as highlighted by this story: A complete and thorough checklist of steps to be taken upon the departure of an employee, with special provisions for workers who had access to sensitive data.

A policy of terminating the employee's computer access immediately--preferably before the person has even left the building.

A procedure to recover the person's ID badge, as well as any keys or electronic access devices.

Provisions that require security guards to see photo ID before admitting any employee who does not have his or her security pa.s.s, and for checking the name against a list to verify that the person is still employed by the organization.

Some further steps will seem excessive or too expensive for some companies, but they are appropriate to others. Among these more stringent security measures are: Electronic ID badges combined with scanners at entrances; each employee swipes his badge through the scanner for an instantaneous electronic determination that the person is still a current employee and ent.i.tled to enter the building. (Note, however, that security guards must still be trained to be on the alert for piggybacking--an unauthorized person slipping by in the wake of a legitimate employee.) A requirement that all employees in the same workgroup as the person leaving (especially if the person is being fired) change their pa.s.swords. (Does this seem extreme? Many years after my short time working at General Telephone, I learned that the Pacific Bell security people, when they heard General Telephone had hired me, "rolled on the ground with laughter." But to General Telephone's credit when they realized they had a reputed hacker working for them after they laid me off, they then required that pa.s.swords be changed for everyone in the company!) You don't want your facilities to feel like jails, but at the same time you need to defend against the guy who was fired yesterday but is back today intent on doing damage.

Don't Forget Anybody Security policies tend to overlook the entry-level worker, people like receptionists who don't handle sensitive corporate information. We've seen elsewhere that receptionists are a handy target for attackers, and the story of the break-in at the auto parts company provides another example: A friendly person, dressed like a professional, who claims to be a company employee from another facility may not be what he appears. Receptionists need to be well-trained about politely asking for company ID when appropriate, and the training needs to be not just for the main receptionist but also for everyone who sits in as relief at the reception desk during lunchtime or coffee breaks.

For visitors from outside the company, the policy should require that a photo ID be shown and the information recorded. It isn't hard to get fake ID, but at least demanding ID makes pre-texting one degree harder for the would-be attacker.

In some companies, it makes sense to follow a policy requiring that visitors be escorted from the lobby and from meeting to meeting. Procedures should require that the escort make clear when delivering the visitor to his first appointment that this person has entered the building as an employee , or non-employee. Why is this important? Because, as we've seen in earlier stories, an attacker will often pa.s.s himself off in one guise to the first person encountered, and as someone else to the next. It's too easy for an attacker to show up in the lobby, convince the receptionist that he has an appointment with, say, an engineer.., then be escorted to the engineer's office where he claims to be a rep from a company that wants to sell some product to the company.., and then, after the meeting with the engineer, he has free access to roam the building.

Before admitting an off-site employee to the premises, suitable procedures must be followed to verify that the person is truly an employee; receptionists and guards must be aware of methods used by attackers to pretext the ident.i.ty of an employee in order to gain access to company buildings.

How about protecting against the attacker who cons his way inside the building and manages to plug his laptop into a network port behind the corporate firewall?

Given today's technology, this is a challenge: conference rooms, training rooms, and similar areas should not leave network ports unsecured but should protect them with firewalls or routers. But better protection would come from the use of a secure method to authenticate any users who connect to the network.

Secure IT!

A word to the wise: In your own company, every worker in IT probably knows or can find out in moments how much you are earning, how much the CEO takes home, and who's using the corporate jet to go on skiing vacations.

It's even possible in some companies for IT people or accounting people to increase their own salaries, make payments to a phony vendor, remove negative ratings from HR records, and so on. Sometimes it's only the fear of getting caught that keeps them honest.., and then one day along comes somebody whose greed or native dishonesty makes him (or her) ignore the risk and take whatever he thinks he can get away with.

There are solutions, of course. Sensitive files can be protected by installing proper access controls so that only authorized people can open them. Some operating systems have audit controls that can be configured to maintain a log of certain events, such as each person who attempts to access a protected file, regardless of whether or not the attempt succeeds.

If your company has understood this issue and has implemented proper access controls and auditing that protects sensitive files--you're taking powerful steps in the right direction.

Chapter 11.

Combining Technology and Social Engineering A social engineer lives by his ability to manipulate people into doing things that help him achieve his goal, but success often also requires a large measure of knowledge and skill with computer systems and telephone systems.

Here's a sampling of typical social engineering scams where technology played an important role.

HACKING BEHIND BARS.

What are some of the most secure installations you can think of, protected against break-in, whether physical, telecommunications, or electronic in nature? Fort Knox? Sure. The White House? Absolutely. NORAD, the North American Air Defense installation buried deep under a mountain? Most definitely.

How about federal prisons and detention centers? They must be about as secure as any place in the country, right? People rarely escape, and when they do, they are normally caught in short order. You would think that a federal facility would be invulnerable to social engineering attacks. But you would be wrong--there is no such thing as foolproof security, anywhere.

A few years ago, a pair of grifters (professional swindlers) ran into a problem. It turned out they had lifted a large bundle of cash from a local judge. The pair had been in trouble with the law on and off through the years, but this time the federal authorities took an interest. They nabbed one of the grifters, Charles Gondorff, and tossed him into a correctional center near San Diego. The federal magistrate ordered him detained as flight risk and a danger to the community. of the grifters, Charles Gondorff, and tossed him into a correctional center near San Diego. The federal magistrate ordered him detained as flight risk and a danger to the community.

His pal Johnny Hooker knew that Charlie was going to need a defense attorney.

But where was the money going to come from? most grifters, their money had always gone for good clothes, fancy cam and the ladies as fast as it came in.

Johnny larely had enough to live on.

The money for a good lawyer would have to come from running another scam.

Johnny wasn't up to doing this on this own. Charlie Gondorff had always been the brains behind their cons. But Johnny didn't dare visit the detention center to ask Charlie what to do, not when the Feds knew there had been two men involved in the scam and were so eager to lay their hands on the other one. Especially since only family can visit. which meant he'd have to show fake identification and claim to be a family member. Trying to use fake ID in a federal prison didn't sound like a smart idea.

No, he'd have to get in touch with Gondorff some other way.

It wouldn't be easy. No inmate in any federal, state, or local facility is allowed to receive phone calls. A sign posted by every inmate telephone in a federal detention center says something like, "This notice is to advise the user that all conversations from this telephone are subject to monitoring. and the use of the telephone const.i.tutes consent to the monitoring. Having government officials listen in on your phone calls while committing a crime has a way of extending your federally funded vacation plans.

Johnny knew, though, that certain phone calls were not monitored: calls between a prisoner and his attorney, protected by the Const.i.tution as client-attorney communications, for example. In fact, the facility where Gondorff was being held had telephones connected directly to the federal Public Defender's Office. Pick up one of those phones, and a direct connection is made to the corresponding telephone in the PDO. The phone company calls this service Direct Connect. The unsuspecting authorities a.s.sume the service is secure and invulnerable to tampering because outgoing calls can only go to the PDO, and incoming calls are blocked. Even if someone were somehow able to find out the phone number, the phones are programmed in the telephone company switch as deny terminate, which is a clumsy phone company term for service where incoming calls are not permitted.

Since any halfway decent grifter is well versed in the art of deception, Johnny figured there had to be a way around this problem. From the inside, Gondorff had already tried picking up one of the PDO phones and saying, "This is Tom, at the phone company repair center.

LINGO.

DIRECT CONNECT Phone company term for a phone line that goes directly to a specific number when picked up Phone company term for a phone line that goes directly to a specific number when picked up DENY TERMINATE A phone company service option where switching equipment is set that incoming calls cannot be received at a phone number We're running a test on this line and I need you to try dialing nine, and then zero-zero." The nine would have accessed an outside line, the zero-zero would then have reached a long-distance operator. It didn't work the person answering the phone at the PDO was already hip to that trick. A phone company service option where switching equipment is set that incoming calls cannot be received at a phone number We're running a test on this line and I need you to try dialing nine, and then zero-zero." The nine would have accessed an outside line, the zero-zero would then have reached a long-distance operator. It didn't work the person answering the phone at the PDO was already hip to that trick.

Johnny was having better success. He readily found out that there were ten housing units in the detention center, each with a direct connect telephone line to the Public Defender's Office. Johnny encountered some obstacles, but like a social engineer, he was able to think his way around these annoying stumbling blocks. Which unit was Gondorff in? What was the telephone number to the direct connect services in that housing unit? And how would he initially get a message to Gondorff without it being intercepted by prison officials?

What may appear to be the impossible to average folks, like obtaining the secret telephone numbers located in federal inst.i.tutions, is very often no more than a few phone calls away for a con artist. After a couple of tossing-and-turning nights brainstorming a plan, Johnny woke up one mormng with the whole thing laid out in his mind, in five steps.

First, he'd find out the phone numbers for those ten direct-connect telephones to the PDO.

He'd have all ten changed so that the phones would allow incoming calls.

He'd find out which housing unit Gondorff was on.

Then he'd find out which phone number went to that unit.

Finally, he'd arrange with Gondorff when to expect his call, without the government suspecting a thing.

Piece a' cake, he thought.

Calling Ma Bell...

Johnny began by calling the phone company business office under the pretext of being from the General Services Administration, the agenc responsible for purchasing goods and services for the federal government.

He said he was working on an acquisition order for additional services and needed to know the billing information for any direct connect services currently in use, including the working telephone numbers and monthly cost at the San Diego detention center. The lady was happy to help.

Just to make sure, he tried dialing into one of those lines and was answered by the typical audichron recording, "This line has been disconnected or is no longer in service"-which he knew meant nothing of kind but instead meant that the line was programmed to block incoming calls, just as he expected.

He knew from his extensive knowledge of phone company operations and procedures that he'd need to reach a department called the Recent Change Memory Authorization Center or RCMAC (I will always wonder who makes up these names!). He began by calling the phone company Business Office, said he was in Repair and needed to know the number for the RCMAC that handled the service area for the area code and prefix he gave, which was served out of the same central office for all the to telephone lines in the detention center. It was a routine request, the kind provided for technicians out in the field in need of some a.s.sistance, and the clerk had no hesitation in giving him the number.

He called RCMAC, gave a phony name and again said he was in Repair He had the lady who answered access one of the telephone numbers he had conned out of the business office a few calls earlier; when she had it up, Johnny asked, "Is the number set to deny termination?

"Yes," she said.

"Well, that explains why the customer isn't able to receive calls!" Johnny said.

"Listen, can you do me a favor. I need you to change the line cla.s.s code or remove the deny terminate feature, okay?" There was a pause as she checked another computer system to verify that a service order had been placed to authorize the change. She said, "That number is supposed to be restricted for outgoing calls only. There's no service order for a change."

"Right, it's a mistake. We were supposed to process the order yesterday but the regular account rep that handles this customer went home sick and forgot to have someone else take care of the order for her. So now of course the customer is up in arms about it."

After a momentary pause while the lady pondered this request, which would be out of the ordinary and against standard operating procedures, she said, "Okay."

He could hear her typing, entering the change. And a few seconds later, it was done.

The ice had been broken, a kind of collusion established between them. Reading the woman's att.i.tude and willingness to help, Johnny didn't hesitate to go for it all. He said, "Do you have a few minutes more to help me?"

"Yeah," she answered. "What do you need?"

"I've got a several other lines that belong to the same customer, and all have the same problem. I'll read off the numbers, so you can make sure that they're not set for deny terminate--okay?" She said that was fine.

A few minutes later, all ten phone lines had been "fixed" to accept incoming calls.

Finding Gondorff Next, find out what housing unit Gondorff was on. This is information that the people who run detention centers and prisons definitely don't want outsiders to know. Once again Johnny had to rely on his social engineering skills.

He placed a call to a federal prison in another city--he called Miami, but any one would have worked--and claimed he was calling from the detention center in New York. He asked to talk to somebody who worked with the Bureau's Sentry computer, the computer system that contains information on every prisoner being held in a Bureau of Prisons facility anywhere in the country.

When that person came on the phone, Johnny put on his Brooklyn accent. "Hi,"

he said. "This is Thomas at the FDC New York. Our connection to Sentry keeps going down, can you find the location of a prisoner for me, I think this prisoner may be at your inst.i.tution," and gave Gondorff's name and his registration number.

"No, he's not here," the guy said after a couple of moments. "He's at the correctional center in San Diego."

Johnny pretended to be surprised. "San Diego! He was supposed to be transferred to Miami on the Marshal's airlift last week! Are we talking about the same guy-- what's the guy's DOB?"

12/3/60," the man read from his screen.

"Yeah, that's the same guy. What housing unit is he on?"

"He's on Ten North," the man said--blithely answering the question even though there isn't any conceivable reason why a prison employee in New York would need to know this.

Johnny now had the phones turned on for incoming calls, and knew which housing unit Gondorff was on. Next, find out which phone number connected to unit Ten North.

This one was a bit difficult. Johnny called one of the numbers. He knew the ringer of the phone would be turned off; no one would know it was ringing. So he sat there reading Fodor's Europe} Great Cities travel guide. while listening to the constant ringing on speakerphone until finally somebody picked up. The inmate on the other end would, of course, be trying to reach his court-appointed lawyer.

Johnny was prepared with the expected response. "Public Defender's Office," he announced.

When the man asked for his attorney, Johnny said, "I'll see if he's available, what housing unit are you calling from?" He jotted down the man's answer, clicked onto hold, came back after half a minute and said, "He's in court, you'll have to call back later," and hung up.

He had spent the better part of a morning, but it could have been worse; his fourth attempt turned out to be from Ten North. So Johnny now knew the phone number to the PDO phone on Gondorff's housing unit.

Synchronize Your Watches Now to get a message through to Gondorff on when to pick up the telephone line that connects inmates directly to the Public Defender's Office. ]'his was easier than it might sound.

Johnny called the detention center using his official-sounding voice, identified himself as an employee, and asked to be transferred to Ten North. The call was put right through. When the correctional officer there picked up, Johnny conned him by using the insider's abbreviation for Receiving and Discharge, the unit that processes new inmates in, and departing ones out: "This is Tyson in R&D," he said. "I need to speak to inmate Gondorff. We have some property of his we have to s.h.i.+p and we need an address where he wants it sent. Could you call him to the phone for me?"

Johnny could hear the guard shouting across the day room. After an impatient several minutes, a familiar voice came on the line.

Johnny told him, "Don't say anything until I explain what this is." He explained the pretext so Johnny could sound like he was discussing where his property should be s.h.i.+pped. Johnny then said, "If you can get to the Public Defender phone at one this afternoon, don't respond. If you can't, then say a time that you can be there." Gondorff didn't reply. Johnny went on, "Good. Be there at one o'clock. I'll call you then. Pick up the phone.