Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en)

ANONYMOUS FTP A program that provides access to a remote computer even though you don't have an account by using the File Transfer Protocol (FTP). Although anonymous FTP can be accessed without a password, user-access rights to certain folders are generally restricted.

With that information in hand, Harry called back the Development Center overseas. By now the compressed file was ready, and Harry gave the instructions for transferring the file to the anonymous FTP site. In less than five minutes, the compressed source-code file was sent to the kid at the R&D Center.

Setting Up the Victim

Halfway to the goal. Now Harry and Karl had to wait to make sure the file had arrived before proceeding. During the wait, they walked across the room to the instructor's desk and took care of two other necessary steps. They first set up an anonymous FTP server on his machine, which would serve as a destination for the file in the last leg of their scheme.

The second step provided a solution for an otherwise tricky problem. Clearly they couldn't tell their man at the R&D Center to send the file to an address such as, say, warren@rms.ca.edu. The ".edu" domain would be a dead giveaway, since any half-awake computer guy would recognize it as the address of a school, immediately blowing the whole operation. To avoid this, they went into Windows on the instructor's computer and looked up the machine's IP address, which they would give as the address for sending the file.

By then it was time to call back the computer operator at the R&D Center. Harry got him on the phone and said, "I just transferred the file that I talked to you about. Can you check that you received it?"

Yes, it had arrived. Harry then asked him to try forwarding it, and gave him the IP address. He stayed on the phone while the young man made the connection and started transmitting the file, and they watched with big grins from across the room as the light on the hard drive of the instructor's computer blinked and blinked--busy receiving the download.

Harry exchanged a couple of remarks with the guy about how maybe one day computers and peripherals would be more reliable, thanked him and said goodbye.

The two copied the file from the instructor's machine onto a pair of Zip disks, one for each of them, just so they could look at it later, like stealing a painting from a museum that you can enjoy yourself but don't dare show to your friends. Except, in this case, it was more like they had taken a duplicate original of the painting, and the museum still had their own original.

Karl then talked Harry through the steps of removing the FTP server from the instructor's machine, and erasing the audit trail so there would be no evidence of what they had done--only the stolen file, left where it could be located easily.

As a final step, they posted a section of the source code on Usenet directly from the instructor's computer. Only a section, so they wouldn't do any great damage to the company, but leaving clear tracks directly back to the instructor. He would have some difficult explaining to do.

Analyzing the Con

Although it took the combination of a number of elements to make this escapade work, it could not have succeeded without some skillful playacting of an appeal for sympathy and help: I'm getting yelled at by my boss, and management is up in arms, and so on. That, combined with a pointed explanation of how the man on the other end of the phone could help solve the problem, proved to be a powerfully convincing con. It worked here, and has worked many other times.

The second crucial element: The man who understood the value of the file was asked to send it to an address within the company.

And the third piece of the puzzle: The computer operator could see that the file had been transferred to him from within the company. That could only mean--or so it seemed--that the man who sent it to him could himself have sent it on to the final destination if only his external network connection had been working. What could possibly be wrong with helping him out by sending it for him?

But what about having the compressed file assigned a different name? Seemingly a small item, but an important one. The attacker couldn't afford taking a chance of the file arriving with a name identifying it as source code, or a name related to the product. A request to send a file with a name like that outside the company might have set off alarm bells. Having the file re-labeled with an innocuous name was crucial. As worked out by the attackers, the second young man had no qualms about sending the file outside the company; a file with a name like new data, giving no clue as to the true nature of the information, would hardly make him suspicious.

MITNICK MESSAGE

The underlying rule that every employee should have firmly planted in his or her brain: Except with management approval, don't transfer files to people you don't personally know, even if the destination appears to be within your company's internal network.
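One way a defender could turn the rule above, together with the two lessons from the analysis (an address that merely looks internal is not proof of anything, and a renamed archive is still an archive), into a transfer-review check. This is an added example, not code from the book; the corporate address blocks, the DNS suffix and the sample inputs are constructed assumptions.

```python
import ipaddress
import re

# Constructed policy values (assumptions, not from the book): the company's
# internal address blocks and the DNS suffix its own hosts live under.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
CORPORATE_DOMAIN = "example-corp.internal"

# Leading bytes of common archive formats: a compressed file stays a
# compressed file no matter what innocuous name it has been given.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip",
                 b"BZh": "bzip2", b"7z\xbc\xaf\x27\x1c": "7z"}


def classify_destination(dest: str) -> str:
    """'internal' only if a bare IP literal lies in a corporate block or a
    hostname carries the corporate suffix; everything else is 'external'."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:  # not an IP literal, so treat it as a hostname
        host = dest.lower().rstrip(".")
        inside = host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN)
        return "internal" if inside else "external"
    return "internal" if any(addr in net for net in CORPORATE_NETS) else "external"


def sniff_archive(header: bytes):
    """Identify an archive by its leading bytes, ignoring the file name."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if header.startswith(magic):
            return kind
    return None


def review_transfer(dest, filename, header, requester_verified, approved):
    """Return the reasons a requested file transfer should be held; an empty
    list means it may proceed. Unknown requesters need management approval
    even when the destination looks internal."""
    reasons = []
    if classify_destination(dest) == "external":
        reasons.append(f"destination {dest} is outside the corporate network")
    kind = sniff_archive(header)
    if kind and not re.search(r"\.(zip|gz|tgz|bz2|7z)$", filename, re.I):
        reasons.append(f"'{filename}' is a {kind} archive despite its innocuous name")
    if not requester_verified and not approved:
        reasons.append("requester identity not verified and no management approval")
    return reasons
```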

Finally, did you figure out what this story is doing in a chapter on industrial espionage? If not, here's the answer: What these two students did as a malicious prank could just as easily have been done by a professional industrial spy, perhaps in the pay of a competitor, or perhaps in the pay of a foreign government. Either way, the damage could have been devastating to the company, severely eroding the sales of their new product once the competitive product reached the market.

How easily could the same type of attack be carried out against your company?

PREVENTING THE CON

Industrial espionage has long been a challenge to businesses. Now that the Cold War has ended, it has become the bread and butter of traditional spies, who have turned their efforts to obtaining company secrets for a price. Foreign governments and corporations are now using freelance industrial spies to steal information. Domestic companies also hire information brokers who cross the line in their efforts to obtain competitive intelligence. In many cases these are former military spies turned industrial information brokers who have the prerequisite knowledge and experience to easily exploit organizations, especially those that have failed to deploy safeguards to protect their information and educate their people.

Safety Off-Site

What could have helped the company that ran into problems with their off-site storage facility? The danger here could have been avoided if the company had been encrypting their data. Yes, encryption requires extra time and expense, but it's well worth the effort. Encrypted files need to be spot-checked regularly to be sure that the encryption/decryption is working smoothly.

There's always the danger that the encryption keys will be lost or that the only person who knows the keys will be hit by a bus. But the nuisance level can be minimized, and anyone who stores sensitive information offsite with a commercial firm and does not use encryption is, excuse me for being blunt, an idiot. It's like walking down the street in a bad neighborhood with twenty-dollar bills sticking out of your pockets, essentially asking to be robbed.

Leaving backup media where someone could walk off with it is a common flaw in security. Several years ago, I was employed at a firm that could have made better efforts to protect client information. The operation's staff left the firm's backup tapes outside the locked computer room door for a messenger to pick up each day. Anyone could have walked off with the backup tapes, which contained all of the firm's word-processed documents in unencrypted text. If backup data is encrypted, loss of the material is a nuisance; if it's not encrypted--well, you can envision the impact on your company better than I can.

The need in larger companies for reliable offsite storage is pretty much a given. But your company's security procedures need to include an investigation of your storage company to see how conscientious they are about their own security policies and practices. If they're not as dedicated as your own company, all your security efforts could be undermined.

Smaller companies have a good alternate choice for backup: Send the new and changed files each night to one of the companies offering online storage. Again, it's essential that the data be encrypted. Otherwise, the information is available not just to a bent employee at the storage company but to every computer intruder who can breach the online storage company's computer systems or network.

And of course, when you set up an encryption system to protect the security of your backup files, you must also set up a highly secure procedure for storing the encryption keys or the pass phrases that unlock them. Secret keys used to encrypt data should be stored in a safe or vault. Standard company practice needs to provide for the possibility that the employee handling this data could suddenly leave, die, or take another job. There must always be at least two people who know the storage place and the encryption/decryption procedures, as well as the policies for how and when keys are to be changed. The policies must also require that encryption keys be changed immediately upon the departure of any employee who had access to them.

Who Is That?

The example in this chapter of a slick con artist who uses charm to get employees to share information reinforces the importance of verification of identity. The request to have source code forwarded to an FTP site also points to the importance of knowing your requester.

In Chapter 16 you will find specific policies for verifying the identity of any stranger who makes a request for information or a request that some action be taken. We've talked about the need for verification throughout the book; in Chapter 16 you'll get specifics of how this should be done.

Part 4

Raising the bar

Information Security Awareness and Training

A social engineer has been given the assignment of obtaining the plans to your hot new product due for release in two months.

What's going to stop him?

Your firewall? No.

Strong authentication devices? No.

Intrusion detection systems? No.

Encryption? No.

Limited access to phone numbers for dial-up modems? No.

Code names for servers that make it difficult for an outsider to determine which server might contain the product plans? No.

The truth is that there is no technology in the world that can prevent a social engineering attack.

SECURITY THROUGH TECHNOLOGY, TRAINING, AND PROCEDURES

Companies that conduct security penetration tests report that their attempts to break into client company computer systems by social engineering methods are nearly 100 percent successful. Security technologies can make these types of attacks more difficult by removing people from the decision-making process. However, the only truly effective way to mitigate the threat of social engineering is through the use of security technologies combined with security policies that set ground rules for employee behavior, and appropriate education and training for employees.