Chapter 22
John Le Carre, author of The Spy Who Came in from the Cold, A Perfect Spy, and many other remarkable books, grew up as the son of a polished, engaging lifelong con man. Le Carre was struck as a youngster to discover that, successful as his father was in deceiving others, he was also gullible, falling victim more than once to another con man or woman. Which just goes to show that everyone is at risk of being taken in by a social engineer, even another social engineer.
What leads a group of smart men and women to accept an imposter? We size up a situation by both instinct and intellect. If the story adds up--that's the intellect part--and a con man manages to project a believable image, we're usually willing to let down our guard. It's the believable image that separates a successful con man or social engineer from one who quickly lands behind bars.
Ask yourself: How sure am I that I would never fall for a story like Rick's? If you're sure you wouldn't, ask yourself whether anyone has ever put anything over on you. If the answer to this second question is yes, it's probably the correct answer to the first question, as well.
LEAPFROG.
A challenge: The following story does not involve industrial espionage. As you read it, see if you can understand why I decided to put it in this chapter!
Harry Tardy was back living at home, and he was bitter. The Marine Corps had seemed like a great escape until he washed out of boot camp. Now he had returned to the hometown he hated, was taking computer courses at the local community college, and looking for a way to strike out at the world.
Finally he hit upon a plan. Over beers with a guy in one of his classes, he'd been complaining about their instructor, a sarcastic know-it-all, and together they cooked up a wicked scheme to burn the guy: They'd grab the source code for a popular personal digital assistant (PDA) and have it sent to the instructor's computer, and make sure to leave a trail so the company would think the instructor was the bad guy.
The new friend, Karl Alexander, said he "knew a few tricks" and would tell Harry how to bring this off. And get away with it.
Doing Their Homework
A little initial research showed Harry that the product had been engineered at the Development Center located at the PDA manufacturer's headquarters overseas.
But there was also an R&D facility in the United States. That was good, Karl pointed out, because for the attempt to work there had to be some company facility in the United States that also needed access to the source code.
At that point Harry was ready to call the overseas Development Center. Here's where a plea for sympathy came in, the "Oh, dear, I'm in trouble, I need help, please, please, help me." Naturally the plea was a little more subtle than that. Karl wrote out a script, but Harry sounded completely phony trying to read it. In the end, he practiced with Karl so he could say what he needed to in a conversational tone.
What Harry finally said, with Karl sitting by his side, went something like this: "I'm calling from R&D Minneapolis. Our server had a worm that infected the whole department. We had to install the operating system again and then when we went to restore from backup, none of the backups was any good. Guess who was supposed to be checking the integrity of the backups? Yours truly. So I'm getting yelled at by my boss, and management is up in arms that we've lost the data. Look, I need to have the latest revision of the source-code tree as quick as you can. I need you to gzip the source code and send it to me."
At this point Karl scribbled him a note, and Harry told the man on the other end of the phone that he just wanted him to transfer the file internally, to Minneapolis R&D. This was highly important: When the man on the other end of the phone was clear that he was just being asked to send the file to another part of the company, his mind was at ease--what could be wrong with that?
LINGO.
GZIP To archive files in a single compressed file using a Linux GNU utility.
He agreed to gzip and send it. Step by step, with Karl at his elbow, Harry talked the man there through getting started on the procedure for compressing the huge source code into a single, compact file. He also gave him a file name to use on the compressed file, "newdata," explaining that this name would avoid any confusion with their old, corrupted files.
Karl had to explain the next step twice before Harry got it, but it was central to the little game of leapfrog Karl had dreamed up. Harry was to call R&D Minneapolis and tell somebody there "I want to send a file to you, and then I want you to send it somewhere else for me"--of course all dressed up with reasons that would make it all sound plausible. What confused Harry was this: He was supposed to say "I'm going to send you a file," when it wasn't going to be Harry sending the file at all. He had to make the guy he was talking to at the R&D Center think the file was coming from him, when what the Center was really going to receive was the file of proprietary source code from Europe. "Why would I tell him it's coming from me when it's really coming from overseas?"
Harry wanted to know.
"The guy at the R&D Center is the linchpin," Karl explained. "He's got to think he's just doing a favor for a fellow employee here in the U.S., getting a file from you and then just forwarding it for you."
Harry finally understood. He called the R&D Center, where he asked the receptionist to connect him to the Computer Center, where he asked to speak to a computer operator. A guy came on the line who sounded as young as Harry himself. Harry greeted him, explained he was calling from the Chicago fabricating division of the company and that he had this file he'd been trying to send to one of their partners working on a project with them, but, he said, "We've got this router problem and can't reach their network. I'd like to transfer the file to you, and after you receive it, I'll phone you so I can walk you through transferring it to the partner's computer."
So far, so good. Harry then asked the young man whether his computer center had an anonymous FTP account, a setup that allows anyone to transfer files in and out of a directory where no password is required. Yes, an anonymous FTP was available, and he gave Harry the internal Internet Protocol (IP) address for reaching it.
LINGO.
ANONYMOUS FTP A program that provides access to a remote computer even though you don't have an account by using the File Transfer Protocol (FTP).
Although anonymous FTP can be accessed without a password, generally user-access rights to certain folders are restricted.
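The whole leapfrog depends on an internal server that accepts files from anyone who knows its address. As an added example, not from the book, here is what that looks like in server configuration terms; vsftpd is assumed as the FTP daemon (the book names none). The first group of settings is what turns an internal machine into an anonymous drop box; the second removes anonymous access entirely and logs every transfer, so a file forwarded through the server leaves a record tied to a named account.

```ini
# Weak: anyone who can reach the server can upload and download without a password.
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES

# Corrected: authenticated users only, and every transfer written to the log.
anonymous_enable=NO
local_enable=YES
write_enable=YES
xferlog_enable=YES
log_ftp_protocol=YES
```

The logging settings matter as much as the access settings: without a transfer log, the operator in the story would have had nothing to show an investigator about where the file came from or where it went.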
With that information in hand, Harry called back the Development Center overseas. By now the compressed file was ready, and Harry gave the instructions for transferring the file to the anonymous FTP site. In less than five minutes, the compressed source-code file was sent to the kid at the R&D Center.
Setting Up the Victim
Halfway to the goal. Now Harry and Karl had to wait to make sure the file had arrived before proceeding. During the wait, they walked across the room to the instructor's desk and took care of two other necessary steps. They first set up an anonymous FTP server on his machine, which would serve as a destination for the file in the last leg of their scheme.
The second step provided a solution for an otherwise tricky problem. Clearly they couldn't tell their man at the R&D Center to send the file to an address such as, say, [email protected] The ".edu" domain would be a dead giveaway, since any half-awake computer guy would recognize it as the address of a school, immediately blowing the whole operation. To avoid this, they went into Windows on the instructor's computer and looked up the machine's IP address, which they would give as the address for sending the file.
By then it was time to call back the computer operator at the R&D Center. Harry got him on the phone and said, "I just transferred the file that I talked to you about. Can you check that you received it?"
Yes, it had arrived. Harry then asked him to try forwarding it, and gave him the IP address. He stayed on the phone while the young man made the connection and started transmitting the file, and they watched with big grins from across the room as the light on the hard drive of the instructor's computer blinked and blinked--busy receiving the download.
Harry exchanged a couple of remarks with the guy about how maybe one day computers and peripherals would be more reliable, thanked him and said goodbye.
The two copied the file from the instructor's machine onto a pair of Zip disks, one for each of them, just so they could look at it later, like stealing a painting from a museum that you can enjoy yourself but don't dare show to your friends. Except, in this case, it was more like they had taken a duplicate original of the painting, and the museum still had their own original.
Karl then talked Harry through the steps of removing the FTP server from the instructor's machine, and erasing the audit trail so there would be no evidence of what they had done--only the stolen file, left where it could be located easily.
As a final step, they posted a section of the source code on Usenet.
Analyzing the Con
Although it took the combination of a number of elements to make this escapade work, it could not have succeeded without some skillful playacting of an appeal for sympathy and help: I'm getting yelled at by my boss, and management is up in arms, and so on. That, combined with a pointed explanation of how the man on the other end of the phone could help solve the problem, proved to be a powerfully convincing con. It worked here, and has worked many other times.
The second crucial element: The man who understood the value of the file was asked to send it to an address within the company.
And the third piece of the puzzle: The computer operator could see that the file had been transferred to him from within the company. That could only mean--or so it seemed--that the man who sent it to him could himself have sent it on to the final destination if only his external network connection had been working. What could possibly be wrong with helping him out by sending it for him?
But what about having the compressed file assigned a different name? Seemingly a small item, but an important one. The attacker couldn't afford to take the chance of the file arriving with a name identifying it as source code, or a name related to the product. A request to send a file with a name like that outside the company might have set off alarm bells. Having the file relabeled with an innocuous name was crucial. As the attackers had worked it out, the second young man had no qualms about sending the file outside the company; a file with a name like "newdata," giving no clue as to the true nature of the information, would hardly make him suspicious.
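The analysis above points out that neither operator had any reason to be suspicious, because each leg of the transfer looked routine. That is exactly why the evidence has to come from the server rather than from the people: an FTP server's transfer log records who moved what, from where, whether they authenticated, and how large it was. The following added example (not from the book or from any product it mentions) parses xferlog-style records, the layout used by wu-ftpd and vsftpd, and flags two patterns a security team would want to review: any anonymous-mode transfer, and any large transfer involving a host outside the company's own address ranges. The log lines, the address ranges and the size threshold are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Transfer is one record from an FTP server's xferlog (wu-ftpd/vsftpd layout, assumed here).
type Transfer struct {
	RemoteHost string
	Size       int64
	Path       string
	Direction  byte // 'i' = upload to the server, 'o' = download from it
	AccessMode byte // 'a' = anonymous, 'g' = guest, 'r' = real (authenticated) user
	User       string
}

// parseXferlog splits one line: five timestamp tokens, then transfer-time, remote-host,
// file-size, filename, transfer-type, special-action-flag, direction, access-mode, username, ...
func parseXferlog(line string) (Transfer, error) {
	f := strings.Fields(line)
	if len(f) < 14 || len(f[11]) != 1 || len(f[12]) != 1 {
		return Transfer{}, fmt.Errorf("malformed xferlog line: %q", line)
	}
	size, err := strconv.ParseInt(f[7], 10, 64)
	if err != nil {
		return Transfer{}, fmt.Errorf("bad size in %q: %w", line, err)
	}
	return Transfer{
		RemoteHost: f[6],
		Size:       size,
		Path:       f[8],
		Direction:  f[11][0],
		AccessMode: f[12][0],
		User:       f[13],
	}, nil
}

// internalNets are the ranges treated as "inside the company" (constructed; adjust to your own).
var internalNets = mustCIDRs("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isInternal reports whether host is an IP inside internalNets. Unparseable hosts
// (names, garbage) are treated as external so they surface for review.
func isInternal(host string) bool {
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Finding is one policy violation worth a human look.
type Finding struct {
	Path, Reason string
}

var dirName = map[byte]string{'i': "upload", 'o': "download"}

// reviewTransfers applies two checks that would have flagged the story's drop box:
//  1. any anonymous-mode transfer (no password means no accountable requester), and
//  2. any transfer of at least largeBytes where the peer is outside internalNets.
func reviewTransfers(lines []string, largeBytes int64) []Finding {
	var out []Finding
	for _, line := range lines {
		t, err := parseXferlog(line)
		if err != nil {
			continue // a real pipeline would count and log parse failures
		}
		switch {
		case t.AccessMode == 'a':
			out = append(out, Finding{t.Path, fmt.Sprintf("anonymous %s of %d bytes from %s", dirName[t.Direction], t.Size, t.RemoteHost)})
		case t.Size >= largeBytes && !isInternal(t.RemoteHost):
			out = append(out, Finding{t.Path, fmt.Sprintf("%d-byte %s by %q with external host %s", t.Size, dirName[t.Direction], t.User, t.RemoteHost)})
		}
	}
	return out
}

// sampleXferlog is constructed test data, not a real server's log.
var sampleXferlog = []string{
	"Tue Mar 12 14:02:17 2002 241 10.20.30.40 48122880 /incoming/newdata b _ i a ftp ftp 0 * c",
	"Tue Mar 12 14:05:03 2002 2 10.20.30.41 1024 /pub/readme.txt a _ o r jsmith ftp 0 * c",
	"Tue Mar 12 14:09:55 2002 198 203.0.113.77 48122880 /incoming/newdata b _ o r operator ftp 0 * c",
}

func main() {
	for _, f := range reviewTransfers(sampleXferlog, 10<<20) {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
}
```

Run as written, the first and third sample lines are reported (an anonymous upload of a 46 MB file, then the same file fetched by an address outside the internal ranges) while the small authenticated download in between is left alone. The innocuous file name that fooled the operator carries no weight here; the checks key on who authenticated and where the bytes went, which is what the file's name was chosen to hide.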
MITNICK MESSAGE.
The underlying rule that every employee should have firmly planted in his or her brain: Except with management approval, don't transfer files to people you don't personally know, even if the destination appears to be within your company's internal network.
Finally, did you figure out what this story is doing in a chapter on industrial espionage? If not, here's the answer: What these two students did as a malicious prank could just as easily have been done by a professional industrial spy, perhaps in the pay of a competitor, or perhaps in the pay of a foreign government.
Either way, the damage could have been devastating to the company, severely eroding the sales of their new product once the competitive product reached the market.
How easily could the same type of attack be carried out against your company?
PREVENTING THE CON.
Industrial espionage has long been a challenge to businesses; now that the Cold War has ended, it has become the bread and butter of traditional spies, who have turned their efforts to obtaining company secrets for a price. Foreign governments and corporations are now using freelance industrial spies to steal information. Domestic companies also hire information brokers who cross the line in their efforts to obtain competitive intelligence. In many cases these are former military spies turned industrial information brokers who have the prerequisite knowledge and experience to easily exploit organizations, especially those that have failed to deploy safeguards to protect their information and educate their people.
Safety Off-Site
What could have helped the company that ran into problems with their off-site storage facility? The danger here could have been avoided if the company had been encrypting their data. Yes, encryption requires extra time and expense, but it's well worth the effort. Encrypted files need to be spot-checked regularly to be sure that the encryption/decryption is working smoothly.
There's always the danger that the encryption keys will be lost or that the only person who knows the keys will be hit by a bus. But the nuisance level can be minimized, and anyone who stores sensitive information off-site with a commercial firm and does not use encryption is, excuse me for being blunt, an idiot. It's like walking down the street in a bad neighborhood with twenty-dollar bills sticking out of your pockets, essentially asking to be robbed.
Leaving backup media where someone could walk off with it is a common flaw in security. Several years ago, I was employed at a firm that could have made better efforts to protect client information. The operation's staff left the firm's backup tapes outside the locked computer room door for a messenger to pick up each day. Anyone could have walked off with the backup tapes, which contained all of the firm's word-processed documents in unencrypted text. If backup data is encrypted, loss of the material is a nuisance; if it's not encrypted--well, you can envision the impact on your company better than I can.
The need in larger companies for reliable offsite storage is pretty much a given.
But your company's security procedures need to include an investigation of your storage company to see how conscientious they are about their own security policies and practices. If they're not as dedicated as your own company, all your security efforts could be undermined.
Smaller companies have a good alternate choice for backup: Send the new and changed files each night to one of the companies offering online storage. Again, it's essential that the data be encrypted. Otherwise, the information is available not just to a bent employee at the storage company but to every computer intruder who can breach the online storage company's computer systems or network.
And of course, when you set up an encryption system to protect the security of your backup files, you must also set up a highly secure procedure for storing the encryption keys or the passphrases that unlock them. Secret keys used to encrypt data should be stored in a safe or vault. Standard company practice needs to provide for the possibility that the employee handling this data could suddenly leave, die, or take another job. There must always be at least two people who know the storage place and the encryption/decryption procedures, as well as the policies for how and when keys are to be changed. The policies must also require that encryption keys be changed immediately upon the departure of any employee who had access to them.
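The Safety Off-Site section above asks for three things at once: backups encrypted before they leave the building, regular spot-checks that the encrypted copies still decrypt, and a way to change keys immediately when a key holder departs. Those requirements pull against each other if the whole archive is encrypted directly under the key kept in the safe, because changing that key would mean re-encrypting every tape. The added example below (not from the book; the Backup layout, the function names and the sample archive are constructed for it) uses the usual way out: each backup is encrypted under its own random data key, and only that small data key is wrapped under the key-encryption key held in the safe. Rotating the safe key then re-wraps a few dozen bytes per backup and leaves the archives untouched, and the spot-check is a decryption plus a digest comparison against the value recorded when the backup was written.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// gcmSeal encrypts with AES-256-GCM and prepends the random 12-byte nonce to the
// ciphertext. aad binds a label (tape id, backup-set name) so a blob cannot be
// silently swapped between backup sets.
func gcmSeal(key, plain, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plain, aad), nil
}

// gcmOpen reverses gcmSeal; any tampering or wrong key/label fails authentication.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// randomKey returns a fresh 256-bit key.
func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Backup is what goes to the storage vendor: the archive encrypted under a per-backup
// data key (DEK), plus that DEK wrapped under the key-encryption key (KEK) from the safe.
type Backup struct {
	Label      string
	WrappedDEK []byte
	Ciphertext []byte
	Digest     [32]byte // SHA-256 of the plaintext, recorded at backup time for spot-checks
}

func makeBackup(kek, archive []byte, label string) (*Backup, error) {
	dek, err := randomKey()
	if err != nil { return nil, err }
	ct, err := gcmSeal(dek, archive, []byte(label))
	if err != nil { return nil, err }
	wrapped, err := gcmSeal(kek, dek, []byte("dek:"+label))
	if err != nil { return nil, err }
	return &Backup{Label: label, WrappedDEK: wrapped, Ciphertext: ct, Digest: sha256.Sum256(archive)}, nil
}

// restoreBackup unwraps the DEK with the KEK, then decrypts the archive with the DEK.
func restoreBackup(kek []byte, b *Backup) ([]byte, error) {
	dek, err := gcmOpen(kek, b.WrappedDEK, []byte("dek:"+b.Label))
	if err != nil { return nil, fmt.Errorf("unwrap DEK for %s: %w", b.Label, err) }
	return gcmOpen(dek, b.Ciphertext, []byte(b.Label))
}

// spotCheck is the periodic test the text calls for: prove the stored blob still
// decrypts and still matches the digest taken when it was written.
func spotCheck(kek []byte, b *Backup) error {
	plain, err := restoreBackup(kek, b)
	if err != nil { return err }
	if sha256.Sum256(plain) != b.Digest { return fmt.Errorf("%s: restored data does not match recorded digest", b.Label) }
	return nil
}

// rotateKEK re-wraps the DEK under a new KEK (for example when a key holder leaves)
// without touching the archive; the old KEK is then useless against this backup.
func rotateKEK(oldKEK, newKEK []byte, b *Backup) error {
	dek, err := gcmOpen(oldKEK, b.WrappedDEK, []byte("dek:"+b.Label))
	if err != nil { return err }
	wrapped, err := gcmSeal(newKEK, dek, []byte("dek:"+b.Label))
	if err != nil { return err }
	b.WrappedDEK = wrapped
	return nil
}

func main() {
	kek, _ := randomKey()
	archive := []byte("constructed sample archive: client documents, nightly set") // not real data
	b, err := makeBackup(kek, archive, "tape-0042")
	if err != nil { panic(err) }
	fmt.Println("spot-check with current KEK:", spotCheck(kek, b))
	newKEK, _ := randomKey()
	if err := rotateKEK(kek, newKEK, b); err != nil { panic(err) }
	fmt.Println("old KEK still opens it?", spotCheck(kek, b) == nil)
	fmt.Println("new KEK opens it?", spotCheck(newKEK, b) == nil)
}
```

The text's "at least two people" rule and the safe itself are outside this code: what the example provides is the property that makes those procedures workable, namely that the only secret the safe has to hold is the KEK, and that replacing it on an employee's departure is a quick re-wrap rather than a re-encryption of every stored backup.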
Who Is That?
The example in this chapter of a slick con artist who uses charm to get employees to share information reinforces the importance of verification of identity. The request to have source code forwarded to an FTP site also points to the importance of knowing your requester.
In Chapter 16 you will find specific policies for verifying the identity of any stranger who makes a request for information or a request that some action be taken. We've talked about the need for verification throughout the book; in Chapter 16 you'll get specifics of how this should be done.
Part 4
Raising the bar
Chapter 15.
Information Security Awareness and Training
A social engineer has been given the assignment of obtaining the plans to your hot new product due for release in two months.
What's going to stop him?
Your firewall? No.
Strong authentication devices? No. Intrusion detection systems? No. Encryption? No.
Limited access to phone numbers for dial-up modems? No.
Code names for servers that make it difficult for an outsider to determine which server might contain the product plans? No.
The truth is that there is no technology in the world that can prevent a social engineering attack.
SECURITY THROUGH TECHNOLOGY, TRAINING, AND PROCEDURES.
Companies that conduct security penetration tests report that their attempts to break into client company computer systems by social engineering methods are nearly 100 percent successful. Security technologies can make these types of attacks more difficult by removing people from the decision-making process.
However, the only truly effective way to mitigate the threat of social engineering is through the use of security technologies combined with security policies that set ground rules for employee behavior, and appropriate education and training for employees.
There is only one way to keep your product plans safe, and that is by having a trained, aware, and conscientious workforce. This involves training on the policies and procedures, but also--and probably even more important--an ongoing awareness program. Some authorities recommend that 40 percent of a company's overall security budget be targeted to awareness training.
The first step is to make everyone in the enterprise aware that unscrupulous people exist who will use deception to psychologically manipulate them.
Employees must be educated about what information needs to be protected, and how to protect it. Once people have a better understanding of how they can be manipulated, they are in a far better position to recognize that an attack is underway.
Security awareness also means educating everyone in the enterprise on the company's security policies and procedures. As discussed in Chapter 17, policies are necessary rules to guide employee behavior to protect corporate information systems and sensitive information.
This chapter and the next one provide a security blueprint that could save you from costly attacks. If you don't have trained and alert employees following well-thought-out procedures, it's not a matter of if, but when you will lose valuable information to a social engineer. Don't wait for an attack to happen to you before instituting these policies: It could be devastating to your business and to your employees' welfare.
UNDERSTANDING HOW ATTACKERS TAKE ADVANTAGE OF HUMAN NATURE.
To develop a successful training program, you have to understand why people are vulnerable to attacks in the first place. By identifying these tendencies in your training--for example, by drawing attention to them in role-playing discussions--you can help your employees to understand why we can all be manipulated by social engineers.
Manipulation has been studied by social scientists for at least fifty years. Robert B. Cialdini, writing in Scientific American (February 2001), summarized this research, presenting six "basic tendencies of human nature" that are involved in an attempt to obtain compliance to a request.
These six tendencies are those that social engineers rely on (consciously or, most often, unconsciously) in their attempts to manipulate.
Authority
People have a tendency to comply when a request is made by a person in authority. As discussed elsewhere in these pages, a person can be convinced to comply with a request if he or she believes the requestor is a person in authority or a person who is authorized to make such a request.
In his book Influence, Dr. Cialdini writes of a study at three Midwestern hospitals in which twenty-two separate nurses' stations were contacted by a caller who claimed to be a hospital physician, and given instructions for administering a prescription drug to a patient on the ward. The nurses who received these instructions did not know the caller. They did not even know whether he was really a doctor (he was not). They received the instructions for the prescription by telephone, which was a violation of hospital policy. The drug they were told to administer was not authorized for use on the wards, and the dosage they were told to administer was twice the maximum daily dosage, and thus could have endangered the life of the patient. Yet in 95 percent of the cases, Cialdini reported, "the nurse proceeded to obtain the necessary dosage from the ward medicine cabinet and was on her way to administer it to the patient" before being intercepted by an observer and told of the experiment.
Examples of attacks: A social engineer attempts to cloak himself in the mantle of authority by claiming that he is with the IT department, or that he is an executive or works for an executive in the company.
Liking
People have the tendency to comply when the person making a request has been able to establish himself as likable, or as having similar interests, beliefs, and attitudes as the victim.
Examples of attacks: Through conversation, the attacker manages to learn a hobby or interest of the victim, and claims an interest and enthusiasm for the same hobby or interest. Or he may claim to be from the same state or school, or to have similar goals. The social engineer will also attempt to mimic the behaviors of his target to create the appearance of similarity.
Reciprocation
We may automatically comply with a request when we have been given or promised something of value. The gift may be a material item, or advice, or help.
When someone has done something for you, you feel an inclination to reciprocate. This strong tendency to reciprocate exists even in situations where the person receiving the gift hasn't asked for it. One of the most effective ways to influence people to do us a "favor" (comply with a request) is by giving some gift or assistance that forms an underlying obligation.
Members of the Hare Krishna religious cult were very effective at influencing people to donate to their cause by first giving them a book or flower as a gift. If the recipient tried to return the gift, the giver would refuse remarking, "It's our gift to you." This behavioral principle of reciprocation was used by the Krishnas to substantially increase donations.
Examples of attacks: An employee receives a call from a person who identifies himself as being from the IT department. The caller explains that some company computers have been infected with a new virus not recognized by the antivirus software that can destroy all files on a computer, and offers to talk the person through some steps to prevent problems. Following this, the caller asks the person to test a software utility that has just been recently upgraded for allowing users to change passwords. The employee is reluctant to refuse, because the caller has just provided help that will supposedly protect the user from a virus. He reciprocates by complying with the caller's request.
Consistency
People have the tendency to comply after having made a public commitment or endorsement for a cause. Once we have promised we will do something, we don't want to appear untrustworthy or undesirable and will tend to follow through in order to be consistent with our statement or promise.
Example of attack: The attacker contacts a relatively new employee and advises her of the agreement to abide by certain security policies and procedures as a condition of being allowed to use company information systems. After discussing a few security practices, the caller asks the user for her password "to verify compliance" with policy on choosing a difficult-to-guess password. Once the user reveals her password, the caller makes a recommendation to construct future passwords in such a way that the attacker will be able to guess it. The victim complies because of her prior agreement to abide by company policies and her assumption that the caller is merely verifying her compliance.
Social Validation
People have the tendency to comply when doing so appears to be in line with what others are doing. The action of others is accepted as validation that the behavior in question is the correct and appropriate action.
Examples of attacks: The caller says he is conducting a survey and names other people in the department who he claims have already cooperated with him. The victim, believing that cooperation by others validates the authenticity of the request, agrees to take part. The caller then asks a series of questions, among which are questions that draw the victim into revealing his computer username and password.
Scarcity
People have the tendency to comply when it is believed that the object sought is in short supply and others are competing for it, or that it is available only for a short period of time.
Example of attack: The attacker sends emails claiming that the first 500 people to register at the company's new Web site will win free tickets to a hot new movie. When an unsuspecting employee registers at the site, he is asked to provide his company email address and to choose a password. Many people, motivated by convenience, have the propensity to use the same or a similar password on every computer system they use. Taking advantage of this, the attacker then attempts to compromise the target's work and home computer systems with the username and password that have been entered during the Web site registration process.
CREATING TRAINING AND AWARENESS PROGRAMS.