Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en).pdf

good social engineer with a phone-phreaking background knows that Nortel switches provide a default account name for software updates: NTAS (the abbreviation for Nortel Technical Assistance Support; not very subtle). But what about a password? Eric dialed in several times, each time trying one of the obvious and commonly used choices. Entering the same as the account name, NTAS, didn't work. Neither did "helper." Nor did "patch."

Then he tried "update" . . . and he was in. Typical. Using an obvious, easily guessed password is only very slightly better than having no password at all.

It helps to be up to speed in your field; Eric probably knew as much about that switch and how to program and troubleshoot it as the technician. Once he was able to access the switch as an authorized user, he would gain full control over the telephone lines that were his target. From his computer, he queried the switch for the phone number he had been given for law enforcement calls to the DMV, 555-6127. He found there were nineteen other phone lines into the same department. Obviously they handled a high volume of calls.

For each incoming call, the switch was programmed to "hunt" through the twenty lines until it found one that wasn't busy.

He picked line number eighteen in the sequence, and entered the code that added call forwarding to that line. For the call-forwarding number, he entered the phone number of his new, cheap, prepaid cell phone, the kind that drug dealers are so fond of because they're inexpensive enough to throw away after the job is over.

With call forwarding now activated on the eighteenth line, as soon as the office got busy enough to have seventeen calls in progress, the next call to come in would not ring in the DMV office but would instead be forwarded to Eric's cell phone. He sat back and waited.

A Call to DMV

Shortly before 8 o'clock that morning, the cell phone rang. This part was the best, the most delicious. Here was Eric, the social engineer, talking to a cop, someone with the authority to come and arrest him, or get a search warrant and conduct a raid to collect evidence against him.

And not just one cop would call, but a string of them, one after another. On one occasion, Eric was sitting in a restaurant having lunch with friends, fielding a call every five minutes or so, writing the information on a paper napkin using a borrowed pen. He still finds this hilarious.

But talking to police officers doesn't faze a good social engineer in the least. In fact, the thrill of deceiving these law enforcement agencies probably added to Eric's enjoyment of the act.

According to Eric, the calls went something like this: "DMV, may I help you?"

"This is Detective Andrew Cole."

"Hi, detective. What can I do for you today?"

"I need a Soundex on driver's license 005602789," he might say, using the term familiar in law enforcement to ask for a photo--useful, for example, when officers are going out to arrest a suspect and want to know what he looks like.

"Sure, let me bring up the record," Eric would say. "And, Detective Cole, what's your agency?"

"Jefferson County." And then Eric would ask the hot questions: "Detective, what's your requestor code? What's your driver's license number? What's your date of birth?"

The caller would give his personal identifying information. Eric would go through some pretense of verifying the information, and then tell the caller that the identifying information had been confirmed, and ask for the details of what the caller wanted to find out from the DMV. He'd pretend to start looking up the name, with the caller able to hear the clicking of the keys, and then say something like, "Oh, damn, my computer just went down again. Sorry, detective, my computer has been on the blink, all week. Would you mind calling back and getting another clerk to help you?"

This way he'd end the call tying up the loose ends without arousing any suspicion about why he wasn't able to assist the officer with his request. Meanwhile Eric had a stolen identity--details he could use to obtain confidential DMV information whenever he needed to.

After taking calls for a few hours and obtaining dozens of requestor codes, Eric dialed into the switch and deactivated the call forwarding.

For months after that, he'd carry on the assignments jobbed out to him by legitimate PI firms that didn't want to know how he was getting his information. Whenever he needed to, he'd dial back into the switch, turn on call forwarding, and gather another stack of police officer credentials.

Analyzing the Con

Let's run a playback on the ruses Eric pulled on a series of people to make this deceit work. In the first successful step, he got a sheriff's deputy in a Teletype room to give out a confidential DMV phone number to a complete stranger, accepting the man as a deputy without requesting any verification.

Then someone at the state Telecom Department did the same thing, accepting Eric's claim that he was with an equipment manufacturer, and providing the stranger with a phone number for dialing into the telephone switch serving the DMV.

Eric was able to get into the switch in large measure because of weak security practices on the part of the switch manufacturer in using the same account name on all their switches. That carelessness made it a walk in the park for the social engineer to guess the password, knowing once again that switch technicians, just like almost everybody else, choose passwords that will be a cinch for them to remember.

With access to the switch, he set up call forwarding from one of the DMV phone lines for law enforcement to his own cell phone.

And then, the capper and most blatant part, he conned one law enforcement officer after another into revealing not only their requestor codes but their own personal identifying information, giving Eric the ability to impersonate them.

While there was certainly technical knowledge required to pull off this stunt, it could not have worked without the help of a series of people who had no clue that they were talking to an imposter.

This story was another illustration of the phenomenon of why people don't ask "Why me?" Why would the Teletype officer give this information to some sheriff's deputy he didn't know--or, in this case, a stranger passing himself off as a sheriff's deputy--instead of suggesting he get the information from a fellow deputy or his own sergeant? Again, the only answer I can offer is that people rarely ask this question. It doesn't occur to them to ask? They don't want to sound challenging and unhelpful? Maybe. Any further explanation would just be guesswork. But social engineers don't care why; they only care that this little fact makes it easy to get information that otherwise might be a challenge to obtain.

MITNICK MESSAGE

If you have a telephone switch at your company facilities, what would the person in charge do if he received a call from the vendor, asking for the dial-in number? And by the way, has that person ever changed the default password for the switch? Is that password an easy-to-guess word found in any dictionary?

PREVENTING THE CON

A security code, properly used, adds a valuable layer of protection. A security code improperly used can be worse than none at all because it gives the illusion of security where it doesn't really exist. What good are codes if your employees don't keep them secret?

Any company with a need for verbal security codes needs to spell out clearly for its employees when and how the codes are used. Properly trained, the character in the first story in this chapter would not have had to rely on his instincts, easily overcome, when asked to give a security code to a stranger. He sensed that he should not be asked for this information under the circumstances, but lacking a clear security policy--and good common sense--he readily gave in.

Security procedures should also set up steps to follow when an employee fields an inappropriate request for a security code. All employees should be trained to immediately report any request for authentication credentials, such as a daily code or password, made under suspicious circumstances. They should also report when an attempt to verify the identity of a requestor doesn't check out.

At the very least, the employee should record the caller's name, phone number, and office or department, and then hang up. Before calling back he should verify that the organization really does have an employee of that name, and that the call back phone number matches the phone number in the on-line or hard-copy company directory. Most of the time, this simple tactic will be all that's needed to verify that the caller is who he says he is.

Verifying becomes a bit trickier when the company has a published phone directory instead of an on-line version. People get hired; people leave; people change departments, job positions, and phone numbers. The hard-copy directory is already out of date the day after it's published, even before being distributed. Even on-line directories can't always be relied on, because social engineers know how to modify them. If an employee can't verify the phone number from an independent source, she should be instructed to verify by some other means, such as contacting the employee's manager.

Part 3

Intruder Alert

Entering the Premises

Why is it so easy for an outsider to assume the identity of a company employee and carry off an impersonation so convincingly that even people who are highly security conscious are taken in? Why is it so easy to dupe individuals who may be fully aware of security procedures, suspicious of people they don't personally know, and protective of their company's interests?

Ponder these questions as you read the stories in this chapter.

THE EMBARRASSED SECURITY GUARD

Date/Time: Tuesday, October 17, 2:16 A.M.

Place: Skywatcher Aviation, Inc. manufacturing plant on the outskirts of Tucson, Arizona.

The Security Guard's Story

Hearing his leather heels click against the floor in the halls of the nearly deserted plant made Leroy Greene feel much better than spending the night hours of his watch in front of the video monitors in the security office. There he wasn't allowed to do anything but stare at the screens, not even read a magazine or his leather-bound Bible. You just had to sit there looking at the displays of still images where nothing ever moved.

But walking the halls, he was at least stretching his legs, and when he remembered to throw his arms and shoulders into the walk, it got him a little exercise, too. Although it didn't really count very much as exercise for a man who had played right tackle on the All-City champion high school football team. Still, he thought, a job is a job.