Chapter 11
"Any other wages?"
"No."
"Thanks," he said. "You've been very kind."
Then he tried to arrange to call her whenever he needed information and couldn't get to his computer, again using the favorite trick of social engineers of always trying to establish a connection so that he can keep going back to the same person, avoiding the nuisance of having to find a new mark each time.
"Not next week," she told him, because she was going to Kentucky for her sister's wedding. Any other time, she'd do whatever she could.
When she put the phone down, May Linn felt good that she had been able to offer a little help to a fellow unappreciated public servant.
Keith Carter's Story
To judge from the movies and from best-selling crime novels, a private investigator is short on ethics and long on knowledge of how to get the juicy facts on people. They do this by using thoroughly illegal methods, while just barely managing to avoid getting arrested. The truth, of course, is that most PIs run entirely legitimate businesses. Since many of them started their working lives as sworn law enforcement officers, they know perfectly well what's legal and what isn't, and most are not tempted to cross the line.
There are, however, exceptions. Some PIs - more than a few - do indeed fit the mold of the guys in the crime stories. These guys are known in the trade as information brokers, a polite term for people who are willing to break the rules.
They know they can get any assignment done a good deal faster and a good deal easier if they take some shortcuts. That these shortcuts happen to be potential felonies that might land them behind bars for a few years doesn't seem to deter the more unscrupulous ones.
Meanwhile the upscale PIs--the ones who work out of a fancy office suite in a high-rent part of town--don't do this kind of work themselves. They simply hire some information broker to do it for them.
The guy we'll call Keith Carter was the kind of private eye unencumbered by ethics.
It was a typical case of "Where's he hiding the money?" Or sometimes it's "Where's she hiding the money?" Sometimes it was a rich lady who wanted to know where her husband had hidden her money (though why a woman with money ever marries a guy without was a riddle Keith Carter wondered about now and then but had never found a good answer for).
In this case the husband, whose name was Joe Johnson, was the one keeping the money on ice. He was a very smart guy who had started a high-tech company with ten thousand dollars he borrowed from his wife's family and built into a hundred-million dollar firm. According to her divorce lawyer, he had done an impressive job of hiding his assets, and the lawyer wanted a complete rundown.
Keith figured his starting point would be the Social Security Administration, targeting their files on Johnson, which would be packed with highly useful information for a situation like this. Armed with their info, Keith could pretend to be the target and get the banks, brokerage firms, and offshore institutions to tell him everything.
His first phone call was to a local district office, using the same 800 number that any member of the public uses, the number listed in the local phone book. When a clerk came on the line, Keith asked to be connected to someone in Claims.
Another wait, and then a voice. Now Keith shifted gears. "Hi," he began. "This is Gregory Adams, District Office 329. Listen, I'm trying to reach a claims adjuster that handles an account number that ends in 6363, and the number I have goes to a fax machine."
"That's Mod 2," the man said. He looked up the number and gave it to Keith.
Next he called Mod 2. When May Linn answered, he switched hats and went through the routine about being from the Office of the Inspector General, and the problem about somebody else having to use his computer. She gave him the information he was looking for, and agreed to do whatever she could when he needed help in the future.
Analyzing the Con
What made this approach effective was the play on the employee's sympathy with the story about someone else using his computer and "my boss is not happy with me." People don't show their emotions at work very often; when they do, it can roll right over someone else's ordinary defenses against social engineering attacks. The emotional ploy of "I'm in trouble, won't you help me?" was all it took to win the day.
Social Insecurity
Incredibly, the Social Security Administration has posted a copy of their entire Program Operations Manual on the Web, crammed with information that's useful for their people, but also incredibly valuable to social engineers. It contains abbreviations, lingo, and instructions for how to request what you want, as described in this story.
Want to learn more inside information about the Social Security Administration?
Just search on Google or enter the following address into your browser: http://policy.ssa.gov/poms.nsf/. Unless the agency has already read this story and removed the manual by the time you read this, you'll find on-line instructions that even give detailed information on what data an SSA clerk is allowed to give to the law enforcement community. In practical terms, that community includes any social engineer who can convince an SSA clerk that he is from a law enforcement organization. The attacker could not have been successful in obtaining this information from one of the clerks who handles phone calls from the general public. The kind of attack Keith used only works when the person on the receiving end of the call is someone whose phone number is unavailable to the public, and who therefore has the expectation that anyone calling must be somebody on the inside--another example of speakeasy security. The elements that helped this attack to work included:
Knowing the phone number to the Mod.
Knowing the terminology they used--numident, alphadent, and DEQY.
Pretending to be from the Office of the Inspector General, which every federal government employee knows as a government-wide investigative agency with broad powers. This gives the attacker an aura of authority.
One interesting sidelight: Social engineers seem to know how to make requests so that hardly anyone ever thinks, "Why are you calling me?"--even when, logically, it would have made more sense if the call had gone to some other person in some completely different department. Perhaps it simply offers such a break in the monotony of the daily grind to help the caller that the victim discounts how unusual the call seems.
Finally, the attacker in this incident, not satisfied with getting the information just for the case at hand, wanted to establish a contact he could call on regularly. He might otherwise have been able to use a common ploy for the sympathy attack-- "I spilled coffee on my keyboard." That was no good here, though, because a keyboard can be replaced in a day.
Hence he used the story about somebody else using his computer, which he could reasonably string out for weeks: "Yep, I thought he'd have his own computer yesterday, but one came in and another guy pulled some kind of deal and got it instead. So this joker is still showing up in my cubicle." And so on.
Poor me, I need help. Works like a charm.
ONE SIMPLE CALL.
One of an attacker's main hurdles is to make his request sound reasonable--something typical of requests that come up in the victim's workday, something that doesn't put the victim out too much. As with a lot of other things in life, making a request sound logical may be a challenge one day, but the next, it may be a piece of cake.
Mary H's Phone Call
Date/Time: Monday, November 23, 7:49 A.M.
Place: Mauersby & Storch Accounting, New York
To most people, accounting work is number crunching and bean counting, generally viewed as being about as enjoyable as having a root canal. Fortunately, not everyone sees the work that way. Mary Harris, for example, found her work as a senior accountant absorbing, part of the reason she was one of the most dedicated accounting employees at her firm.
On this particular Monday, Mary arrived early to get a head start on what she expected to be a long day, and was surprised to find her phone ringing. She picked it up and gave her name.
"Hi, this
She told him she didn't know yet. She turned her computer on and while it was booting, he explained what he wanted to do.
"I'd like to run a couple of tests with you," he said. "I'm able to see on my screen the keystrokes you type, and I want to make sure they're going across the network correctly. So every time you type a stroke, I want you to tell me what it is, and I'll see if the same letter or number is appearing here. Okay?"
With nightmare visions of her computer not working and a frustrating day of not being able to get any work done, she was more than happy to have this man help her. After a few moments, she told him, "I have the login screen, and I'm going to type in my ID. I'm typing it now--M...A...R...Y...D."
"Great so far," he said. "I'm seeing that here. Now, go ahead and type your password but don't tell me what it is. You should never tell anybody your password, not even tech support. I'll just see asterisks here--your password is protected so I can't see it." None of this was true, but it made sense to Mary. And then he said, "Let me know once your computer has started up."
When she said it was running, he had her open two of her applications, and she reported that they launched "just fine."
Mary was relieved to see that everything seemed to be working normally. Peter said, "I'm glad I could make sure you'll be able to use your computer okay. And listen," he went on, "we just installed an update that allows people to change their passwords. Would you be willing to take a couple of minutes with me so I can see if we got it working right?"
She was grateful for the help he had given her and readily agreed. Peter talked her through the steps of launching the application that allows a user to change passwords, a standard element of the Windows 2000 operating system. "Go ahead and enter your password," he told her. "But remember not to say it out loud."
When she had done that, Peter said, "Just for this quick test, when it asks for your new password, enter 'test123.' Then type it again in the Verification box, and click Enter."
He walked her through the process of disconnecting from the server. He had her wait a couple of minutes, then connect again, this time trying to log on with her new password. It worked like a charm, Peter seemed very pleased, and talked her through changing back to her original password or choosing a new one--once more cautioning her about not saying the password out loud.
"Well, Mary," Peter told her. "We didn't find any trouble, and that's great. Listen, if any problems do come up, just call us over here at Arbuckle. I'm usually on special projects but anybody here who answers can help you." She thanked him and they said goodbye.
Peter's Story
The word had gotten around about Peter--a number of the people in his community who had gone to school with him had heard he turned into some kind of a computer whiz who could often find out useful information that other people couldn't get. When Alice Conrad came to him to ask a favor, he said no at first.
Why should he help? When he ran into her once and tried to ask for a date, she had turned him down cold.
But his refusal to help didn't seem to surprise her. She said she didn't think it was something he could do anyway. That was like a challenge, because of course he was sure he could. And that was how he came to agree.
Alice had been offered a contract for some consulting work for a marketing company, but the contract terms didn't seem very good. Before she went back to ask for a better deal, she wanted to know what terms other consultants had on their contracts.
This is how Peter tells the story.
I wouldn't tell Alice but I got off on people wanting me to do something they didn't think I could, when I knew it would be easy. Well, not easy, exactly, not this time. It would take a bit of doing. But that was okay.
I could show her what smart was really all about.
A little after 7:30 Monday morning, I called the marketing company's offices and got the receptionist, said that I was with the company that handled their pension plans and I need to talk to somebody in Accounting. Had she noticed if any of the Accounting people had come in yet? She said, "I think I saw Mary come in a few minutes ago, I'll try her for you."
When Mary picked up the phone, I told her my little story about computer problems, which was designed to give her the jitters so she'd be glad to cooperate.
As soon as I had talked her through changing her password, I then quickly logged onto the system with the same temporary password I had asked her to use, test123.
Here's where the mastery comes in--I installed a small program that allowed me to access the company's computer system whenever I wanted, using a secret password of my own. After I hung up with Mary, my first step was to erase the audit trail so no one would even know I had been on his or her system. It was easy. After elevating my system privileges, I was able to download a free program called clearlogs that I found on a security-related Web site at www.ntsecurity.nu.
Time for the real job. I ran a search for any documents with the word "contract" in the filename, and downloaded the files. Then I searched some more and came on the mother lode--the directory containing all the consultant payment reports. So I put together all the contract files and a list of payments.
Alice could pore through the contracts and see how much they were paying other consultants. Let her do the donkeywork of poring through all those files. I had done what she asked me to.
From the disks I put the data onto, I printed out some of the files so I could show her the evidence. I made her meet me and buy dinner. You should have seen her face when she thumbed through the stack of papers. "No way," she said. "No way."
I didn't bring the disks with me. They were the bait. I said she'd have to come over to get them, hoping maybe she'd want to show her gratitude for the favor I just did her.
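From the defender's side, the sequence Peter describes leaves a footprint even when he tries to erase it: a password change followed within minutes by a logon for the same account from a source the account never used before, and then an event recording that the audit log was cleared. The following is an added example, not code from the book or from any tool it mentions; it runs a simple detection over a few constructed log lines in a hypothetical pipe-delimited format (the event names PASSWORD_CHANGE, LOGON_SUCCESS, PRIVILEGE_ESCALATION and AUDIT_LOG_CLEARED are placeholders, not real Windows event identifiers).

```python
"""Flag the post-call pattern from Peter's story on constructed sample logs.

Added example (not from the book). Log format and event names are assumed:
    timestamp|event|user|source
"""
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical; not from the page).
SAMPLE_LOG = """\
2001-11-23 07:52:10|PASSWORD_CHANGE|maryd|WS-MARY
2001-11-23 07:53:40|LOGON_SUCCESS|maryd|WS-MARY
2001-11-23 07:54:05|LOGON_SUCCESS|maryd|DIALUP-17
2001-11-23 07:55:30|PRIVILEGE_ESCALATION|maryd|DIALUP-17
2001-11-23 08:01:12|AUDIT_LOG_CLEARED|maryd|DIALUP-17
2001-11-23 08:30:00|LOGON_SUCCESS|bob|WS-BOB
"""


def parse_log(text):
    """Parse pipe-delimited lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, source = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event": event,
            "user": user,
            "source": source,
        })
    return events


def find_suspicious(events, window=timedelta(minutes=15)):
    """Return a list of (alert_kind, user, source, timestamp) tuples.

    Two checks, both keyed to what the story describes:
      1. A successful logon for an account, within `window` of that account's
         password change, from a source other than the one that changed it.
      2. Any audit-log-cleared event, regardless of who did it.
    """
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] == "PASSWORD_CHANGE":
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # events are in time order; stop past the window
                if (later["user"] == ev["user"]
                        and later["event"] == "LOGON_SUCCESS"
                        and later["source"] != ev["source"]):
                    alerts.append((
                        "logon_from_new_source_after_password_change",
                        later["user"], later["source"], later["ts"],
                    ))
        elif ev["event"] == "AUDIT_LOG_CLEARED":
            # Clearing the audit log is itself the loudest signal an
            # attacker can leave; the clearing event is written to the
            # fresh log and survives the wipe.
            alerts.append(("audit_log_cleared", ev["user"], ev["source"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second check is the one worth remembering: wiping the log does not remove the record that the log was wiped, so a monitor that forwards events off the host as they are written still sees it.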
MITNICK MESSAGE.
It's amazing how easy it is for a social engineer to get people to do things based on how he structures the request. The premise is to trigger an automatic response based on psychological principles, and rely on the mental shortcuts people take when they perceive the caller as an ally.
Analyzing the Con
Peter's phone call to the marketing company represented the most basic form of social engineering--a simple attempt that needed little preparation, worked on the first attempt, and took only a few minutes to bring off.
Even better, Mary, the victim, had no reason to think that any sort of trick or ruse had been played on her, no reason to file a report or raise a ruckus.
The scheme worked through Peter's use of three social engineering tactics. First he got Mary's initial cooperation by generating fear--making her think that her computer might not be usable. Then he took the time to have her open two of her applications so she could be sure they were working okay, strengthening the rapport between the two of them, a sense of being allies. Finally, he got her further cooperation for the essential part of his task by playing on her gratitude for the help he had provided in making sure her computer was okay.
By telling her she shouldn't ever reveal her password, should not reveal it even to him, Peter did a thorough but subtle job of convincing her that he was concerned about the security of her company's files. This boosted her confidence that he must be legitimate because he was protecting her and the company.
THE POLICE RAID.
Picture this scene: The government has been trying to lay a trap for a man named Arturo Sanchez, who has been distributing movies free over the Internet. The Hollywood studios say he's violating their copyrights, he says he's just trying to nudge them to recognize an inevitable market so they'll start doing something about making new movies available for download. He points out (correctly) that this could be a huge source of revenue for the studios that they seem to be completely ignoring.
Search Warrant, Please
Coming home late one night, he checks the windows of his apartment from across the street and notices the lights are off, even though he always leaves one on when he goes out.
He pounds and bangs on a neighbor's door until he wakes the man up, and learns that there was indeed a police raid in the building. But they made the neighbors stay downstairs, and he still isn't sure what apartment they went into. He only knows they left carrying some heavy things, only they were wrapped up and he couldn't tell what they were. And they didn't take anybody away in handcuffs.
Arturo checks his apartment. The bad news is that there's a paper from the police requiring that he call immediately and set up an appointment for an interview within three days. The worse news is that his computers are missing.
Arturo vanishes into the night, going to stay with a friend. But the uncertainty gnaws at him. How much do the police know? Have they caught up with him at last, but left him a chance to flee? Or is this about something else entirely, something he can clear up without having to leave town?
Before you read on, stop and think for a moment: Can you imagine any way you could find out what the police know about you? Assuming you don't have any political contacts or friends in the police department or the prosecutor's office, do you imagine there's any way that you, as an ordinary citizen, could get this information? Or that even someone with social engineering skills could?
Scamming the Police
Arturo satisfied his need to know like this: To start with, he got the phone number for a nearby copy store, called them, and asked for their fax number.
Then he called the district attorney's office, and asked for Records. When he was connected with the records office, he introduced himself as an investigator with Lake County, and said he needed to speak with the clerk who files the active search warrants.
"I do," the lady said. "Oh, great," he answered. "Because we raided a suspect last night and I'm trying to locate the affidavit."
"We file them by address," she told him.
He gave his address, and she sounded almost excited. "Oh, yeah," she bubbled, "I know about that one. 'The Copyright Caper.'"
"That's the one," he said. "I'm looking for the affidavit and copy of the warrant."
"Oh, I have it right here."
"Great," he said. "Listen, I'm out in the field and I have a meeting with the Secret Service on this case in fifteen minutes. I've been so absentminded lately, I left the file at home, and I'll never make it there and back in time. Could I get copies from you?"
"Sure, no problem. I'll make copies; you can come right over and pick them up."
"Great," he said. "That's great. But listen, I'm on the other side of town. Is it possible you could fax them to me?"
That created a small problem, but not insurmountable. "We don't have a fax up here in Records," she said. "But they have one downstairs in the Clerk's office they might let me use."
He said, "Let me call the Clerk's office and set it up."
The lady in the Clerk's office said she'd be glad to take care of it but wanted to know "Who's going to pay for it?" She needed an accounting code.
"I'll get the code and call you back," he told her.
He then called the DA's office, again identified himself as a police officer and simply asked the receptionist, "What's the accounting code for the DA's office?"
Without hesitation, she told him.
Calling back to the Clerk's office to provide the accounting number gave him the excuse for manipulating the lady a little further: He talked her into walking upstairs to get the copies of the papers to be faxed.
NOTE.
How does a social engineer know the details of so many operations--police departments, prosecutors' offices, phone company practices, the organization of specific companies that are in fields useful in his attacks, such as telecommunications and computers? Because it's his business to find out. This knowledge is a social engineer's stock in trade because information can aid him in his efforts to deceive.
Covering His Tracks
Arturo still had another couple of steps to take. There was always a possibility that someone would smell something fishy, and he might arrive at the copy store to find a couple of detectives, casually dressed and trying to look busy until somebody showed up asking for that particular fax. He waited a while, and then called the Clerk's office back to verify that the lady had sent the fax. Fine so far.
He called another copy store in the same chain across town and used the ruse about how he was "pleased with your handling of a job and want to write the manager a letter of congratulations, what's her name?" With that essential piece of information, he called the first copy store again and said he wanted to talk to the manager. When the man picked up the phone, Arturo said, "Hi, this is Edward at store 628 in Hartfield. My manager, Anna, told me to call you. We've got a customer who's all upset--somebody gave him the fax number of the wrong store. He's here waiting for an important fax, only the number he was given is for your store." The manager promised to have one of his people locate the fax and send it on to the Hartfield store immediately.
Arturo was already waiting at the second store when the fax arrived there. Once he had it in hand, he called back to the Clerk's office to tell the lady thanks, and "It's not necessary to bring those copies back upstairs, you can just throw them away now." Then he called the manager at the first store and told him, too, to throw away their copy of the fax. This way there wouldn't be any record of what had taken place, just in case somebody later came around asking questions.
Social engineers know you can never be too careful.
Arranged this way, Arturo didn't even have to pay charges at the first copy store for receiving the fax and for sending it out again to the second store. And if it turned out that the police did show up at the first store, Arturo would already have his fax and be long gone by the time they could arrange to get people to the second location.