Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en).pdf

SHOULDER SURFING The act of watching a person type at his computer keyboard to detect and steal his password or other user information.

When most everybody was gone at lunch, she cut Mr. Cartright's signature from the original memo, pasted it onto her new version, and daubed Wite-Out around the edges. She made a copy of the result, and then made a copy of the copy. You could barely see the edges around the signature. She sent the fax from the machine near Mr. Cartright's office.

Three days later, she stayed after hours and waited till everyone left. She walked into Johannson's office, and tried logging onto the network with his username and the password, marry63. It worked.

In minutes she had located the product specification files for the Cobra 273, and downloaded them to a Zip disk.

The disk was safely in her purse as she walked in the cool night-time breeze to the parking lot. It would be on its way to the reporter that night.

Analyzing the Con

A disgruntled employee, a search through the files, a quick cut-paste-and-Wite-Out operation, a little creative copying, and a fax. And, voila!--she has access to confidential marketing and product specifications.

And a few days later, a trade magazine journalist has a big scoop with the specs and marketing plans of a hot new product that will be in the hands of magazine subscribers throughout the industry months in advance of the product's release. Competitor companies will have several months' head start on developing equivalent products and having their ad campaigns ready to undermine the Cobra 273.

Naturally the magazine will never say where they got the scoop.

PREVENTING THE CON

When asked for any valuable, sensitive, or critical information that could be of benefit to a competitor or anyone else, employees must be aware that using caller ID as a means of verifying the identity of an outside caller is not acceptable. Some other means of verification must be used, such as checking with the person's supervisor that the request was appropriate and that the user has authorization to receive the information.

The verification process requires a balancing act that each company must define for itself: security versus productivity. What priority is going to be assigned to enforcing security measures? Will employees be resistant to following security procedures, and even circumvent them in order to complete their job responsibilities? Do employees understand why security is important to the company and themselves? These questions need to be answered to develop a security policy based on corporate culture and business needs.

Most people inevitably see anything that interferes with getting their work done as an annoyance, and may circumvent any security measures that appear to be a waste of time. Motivating employees to make security part of their everyday responsibilities through education and awareness is key.

Although caller ID service should never be used as a means of authentication for voice calls from outside the company, another method called automatic number identification (ANI) can. This service is provided when a company subscribes to toll-free services where the company pays for the incoming calls, and it is reliable for identification. Unlike caller ID, the telephone company switch does not use any information that is sent from a customer when providing the calling number. The number transmitted by ANI is the billing number assigned to the calling party.

Note that several modem manufacturers have added a caller ID feature into their products, protecting the corporate network by allowing remote-access calls only from a list of preauthorized telephone numbers. Caller ID modems are an acceptable means of authentication in a low-security environment but, as should be clear by now, spoofing caller ID is a relatively easy technique for computer intruders, and so should not be relied on for proving the caller's identity or location in a high-security setting.

To address the case of identity theft, as in the story about deceiving an administrator to create a voice mailbox on the corporate phone system, make it a policy that all phone service, all voice mailboxes, and all entries to the corporate directory, both in print and on line, must be requested in writing, on a form provided for the purpose. The employee's manager should sign the request, and the voice mail administrator should verify the signature.

Corporate security policy should require that new computer accounts or increases in access rights be granted only after positive verification of the person making the request, such as a callback to the system manager or administrator, or his or her designee, at the phone number listed in the print or on-line company directory. If the company uses secure email where employees can digitally sign messages, this alternative verification method may also be acceptable.

Remember that every employee, regardless of whether he has access to company computer systems, may be duped by a social engineer. Everyone must be included in security awareness training. Administrative assistants, receptionists, telephone operators, and security guards must be made familiar with the types of social engineering attack most likely to be directed against them so that they will be better prepared to defend against those attacks.

Chapter 14 Industrial Espionage

The threat of information attacks against government, corporations, and university systems is well established. Almost every day, the media reports a new computer virus, denial of service attack, or theft of credit card information from an e-commerce Web site.

We read about cases of industrial espionage such as Borland accusing Symantec of stealing trade secrets, or Cadence Design Systems filing a suit charging the theft of source code by a competitor. Many business people read these stories and think it could never happen at their company.

It's happening every day.

VARIATION ON A SCHEME

The ruse described in the following tale has probably been pulled off many times, even though it sounds like something taken out of a Hollywood movie like The Insider, or from the pages of a John Grisham novel.

Class Action

Imagine that a massive class-action lawsuit is raging against a major pharmaceutical company, Pharmomedic. The suit claims that they knew one of their very popular drugs had a devastating side effect, but one that would not be evident until a patient had been on the medication for years. The suit alleges that they had results from a number of research studies that revealed this danger, but suppressed the evidence and never turned it over to the FDA as required.

William ("Billy") Chaney, the attorney of record on the masthead of the New York law firm that filed the class-action suit, has depositions from two Pharmomedic doctors supporting the claim. But both are retired, neither has any files or documentation, and neither would make a strong, convincing witness. Billy knows he's on shaky ground. Unless he can get a copy of one of those reports, or some internal memo or communication between company executives, his whole case will fall apart.

So he hires a firm he's used before: Andreeson and Sons, private investigators. Billy doesn't know how Pete and his people get the stuff they do, and he doesn't want to know. All he knows is that Pete Andreeson is one good investigator.

To Andreeson, an assignment like this is what he calls a black bag job. The first rule is that the law firms and companies that hire him never learn how he gets his information so that they always have complete, plausible deniability. If anybody is going to have his feet shoved into boiling water, it's going to be Pete, and for what he collects in fees on the big jobs, he figures it's worth the risk. Besides, he gets such personal satisfaction from outsmarting smart people.

If the documents that Chaney wants him to find actually existed and haven't been destroyed, they'll be somewhere in the files of Pharmomedic. But finding them in the massive files of a large corporation would be a huge task. On the other hand, suppose they've turned copies over to their law firm, Jenkins and Petry? If the defense attorneys knew those documents existed and didn't turn them over as part of the discovery process, then they have violated the legal profession's canon of ethics, and violated the law, as well. In Pete's book, that makes any attack fair game.

Pete's Attack

Pete gets a couple of his people started on research and within days he knows what company Jenkins and Petry uses for storing their offsite backups. And he knows that the storage company maintains a list of the names of people whom the law firm has authorized to pick up tapes from storage. He also knows that each of these people has his or her own password. Pete sends two of his people out on a black bag job.

The men tackle the lock using a lock pick gun ordered on the Web at www.southord.com. Within several minutes they slip into the offices of the storage firm around 3 a.m. one night and boot up a PC. They smile when they see the Windows 98 logo because it means this will be a piece of cake. Windows 98 does not require any form of authentication. After a bit of searching, they locate a Microsoft Access database with the names of people authorized by each of the storage company customers to pick up tapes. They add a phony name to the authorization list for Jenkins and Petry, a name matching one on a phony driver's license one of the men has already obtained. Could they have broken into the locked storage area and tried to locate the tapes their client wanted? Sure--but then all the company's customers, including the law firm, would have certainly been notified of the breach. And the attackers would have lost an advantage: professionals always like to leave an opening for future access, should the need arise.

Following a standard practice of industrial spies to keep something in the back pocket for future use, just in case, they also made a copy of the file containing the authorization list onto a floppy disk. None of them had any idea how it might ever prove useful, but it's just one of those "We're here, we might just as well" things that every now and then turns out to be valuable.

The next day, one of the same men called the storage company, used the name they had added to the authorization list, and gave the corresponding password. He asked for all the Jenkins and Petry tapes dated within the last month, and said that a messenger service would come by to pick up the package. By mid-afternoon, Andreeson had the tapes. His people restored all the data to their own computer system, ready to search at leisure. Andreeson was very pleased that the law firm, like most other businesses, didn't bother encrypting their backup data.

The tapes were delivered back to the storage company the next day and no one was the wiser.
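The attack worked because the storage company's pickup list could be edited by anyone who could sit at its unauthenticated PC. One way to close that hole, as an added example that is not from the book or any real storage vendor, is for the customer (here the law firm) to sign each authorization entry with its own private key, so the storage company only needs the customer's public key; an entry written straight into the database, as the intruders did, carries no valid signature and is rejected at pickup. The customer and names below are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// AuthEntry is one tape-pickup authorization, issued by the customer.
// Sig is the customer's Ed25519 signature over Customer and Name.
type AuthEntry struct {
	Customer string `json:"customer"`
	Name     string `json:"name"`
	Sig      []byte `json:"sig,omitempty"`
}

// payload gives the canonical bytes the signature covers.
func payload(e AuthEntry) []byte {
	b, _ := json.Marshal(struct{ Customer, Name string }{e.Customer, e.Name})
	return b
}

// Issue runs at the customer: only the holder of the private key can create entries.
func Issue(priv ed25519.PrivateKey, customer, name string) AuthEntry {
	e := AuthEntry{Customer: customer, Name: name}
	e.Sig = ed25519.Sign(priv, payload(e))
	return e
}

// Authorized runs at the storage company, which holds only the customer's public key.
// A record appended to the database without the private key fails verification here,
// and so does a genuine record whose name was edited after signing.
func Authorized(pub ed25519.PublicKey, list []AuthEntry, customer, name string) bool {
	for _, e := range list {
		if e.Customer == customer && e.Name == name && ed25519.Verify(pub, payload(e), e.Sig) {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	list := []AuthEntry{Issue(priv, "Jenkins and Petry", "A. Clerk")} // constructed genuine entry
	// Constructed: an intruder at the storage company's PC appends a name; no signature is possible.
	list = append(list, AuthEntry{Customer: "Jenkins and Petry", Name: "Phony Courier"})
	fmt.Println(Authorized(pub, list, "Jenkins and Petry", "A. Clerk"))      // true
	fmt.Println(Authorized(pub, list, "Jenkins and Petry", "Phony Courier")) // false
}
```

The signature only protects the list's integrity; the phone request itself still needs the callback-to-directory-number verification the previous section describes.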

MITNICK MESSAGE

Valuable information must be protected no matter what form it takes or where it is located. An organization's customer list has the same value whether in hardcopy form or an electronic file at your office or in a storage box. Social engineers always prefer the easiest to circumvent, least defended point of attack. A company's offsite backup storage facility is seen as having less risk of detection or getting caught. Every organization that stores any valuable, sensitive, or critical data with third parties should encrypt their data to protect its confidentiality.

Analyzing the Con