By Al Berg
Smart crackers don't want to break into your systems. According to
experienced hacker Susan Thunder's speech, "Social Engineering and
Psychological Subversion," at DEFCON III in Las Vegas last August, they'd
rather use a technique called social engineering to get users to open the
door for them.
DEFCON is an annual convention for hackers, "feds," corporate-security
types, and others interested in the computer underground. The convention is
neutral territory where U.S. Customs Service representatives, FBI agents,
and other law-enforcement personnel gather with their mostly teenage
adversaries--each side trying to gain insight into the other's methods. Many
of the attendees and speakers at DEFCON promote hacking as a means of
making systems more secure. They argue that hackers provide a valuable
service to system administrators by breaking in and pointing out security
problems to MIS before the real bad guys show up and exploit security holes
for profit. Whether or not this is the case, DEFCON is a treasure trove of
hacker and cracker information open to anyone who has $40 for a ticket.
Social engineering is hacker jargon for getting needed information
(for example, a password) from a person rather than breaking into a system.
Psychological subversion is Thunder's term for using social
engineering over an extended period of time to maintain a continuing stream
of information and help from unsuspecting users.
She presented this scenario: A cracker has been hired by a private
investigator to gain a list of unredeemed, inactive life-insurance policies
of older people from an insurance company's files. The motive? If a policy is
inactive (no payments made for six months) and the insured is more than 80
years old, he or she may have died and the beneficiary may not know about
the policy's existence. Our cracker-hiring detective would take the list,
match the names against publicly available death records, and then contact
the beneficiaries, offering to "find" the money due to them for a fee.
Thunder made an observation all LAN managers should take very seriously:
"Increased security measures make psychological attacks easier because
users think that their data is safe." All the locks in the world won't save you
from the thief you invite in.
Your first line of defense against social engineering is your garbage.
Crackers love to go "trashing" to find documents that help them piece
together the structure of your company, provide clues about what kinds of
computer systems you use, and most important, obtain the names, titles,
and telephone numbers of your employees. Think for a moment about the
documents your company throws out each day and how an attacker could use
them. Do your own dumpster dive and see if you find:
These items provide a wealth of information to crackers. A copy of the
company phone book is an extremely valuable tool. Knowing who to call and
who to impersonate are the first steps to gaining access to sensitive data.
Having the right names and titles at their fingertips can let smart crackers
sound as though they actually work for your company. A cracker interested
in finding dial-in access numbers will use the phone book to determine the
telephone exchange of your company and may use a war dialer to find modem
phone numbers.
There are some defensive tactics you can use against the trasher:
A smart cracker will call your central help desk. "After all, it's their job to
be helpful and they are usually overwhelmed," Thunder said. A quick call can
reveal much information about your systems and procedures. Your help desk
staff should be on the alert for the following:
Calls regarding password changes are a security mine field. If crackers have
found one of your dial-up numbers or gained physical access to a networked
workstation, they may try a variation on the following ploy.
With the use of a discarded corporate phone book, the cracker first
identifies a person believed to have legitimate access to the targeted
system or desired data.
The target gets a call from the cracker saying something like, "Hi, this is
Joe from the MIS department. We were doing a routine systems check and
found a problem with your account. Your data is corrupted and we're losing
files. I'll need your username and password to make the fix."
"Sure, my username is JDOE and my password is mittleschmertz. Thanks for
fixing the problem."
A variation of this tactic is the cracker calling the help desk and
impersonating a user reporting a forgotten password. In many cases the help
desk will change the user's password over the phone. Just to clean up the
loose ends, our wily cracker then calls the user who was impersonated and
says something like, "This is Joe from the MIS department. We had some
problems with security today, so we've changed your password. Your new
password is swordfish." Assuming the cracker has dial-in or physical access
to a PC, the cracker now has a legitimate username and password to work
with.
Users should be told that their passwords should never be given out, even to
support personnel, without verifying the individual requesting it. Any call or
request in which a user is asked for his or her password should immediately
be directed to the MIS department.
Users should be assigned a PIN that must be given to access help-desk
support.
Passwords should not be changed without a written request and should be
delivered via the company mail or in person, not over the telephone.
Help-desk personnel should be trained to withhold support when a call does
not feel right--for example, when a user in the marketing department is
calling for help with the personnel database, or when a user sounds
unfamiliar with company policies and procedures. Offer to call the user back
and check the name and phone number in the company directory. If the caller
claims to be a temporary worker or a new employee, verify his or her
employment before offering support.
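The help-desk rules above (PIN required, callback only to the directory number, no password changes over the phone, refuse when the request does not fit the caller's department) can be written down as a triage check that the desk runs before giving any support. The following is an added example, not code from the article; the directory, extensions, PINs and system-ownership table are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def _pin_hash(pin: str, salt: str) -> str:
    """Keep only a salted hash of each help-desk PIN on file, never the PIN."""
    return hashlib.sha256((salt + ":" + pin).encode()).hexdigest()


# Constructed sample directory (hypothetical company): extension -> record.
# PINs are issued to users out of band; the desk stores only their hashes.
DIRECTORY = {
    "4417": {"name": "J. Doe", "dept": "HR", "salt": "s1",
             "pin_hash": _pin_hash("2718", "s1")},
    "4420": {"name": "P. Chan", "dept": "Marketing", "salt": "s2",
             "pin_hash": _pin_hash("3141", "s2")},
}

# Which departments legitimately work with which systems (constructed).
SYSTEM_OWNERS = {
    "personnel_db": {"HR"},
    "campaign_db": {"Marketing"},
}


@dataclass
class HelpDeskCall:
    claimed_name: str
    claimed_extension: str
    claimed_dept: str
    system: str
    request: str                        # "support" or "password_reset"
    pin: Optional[str] = None
    written_request_on_file: bool = False
    callback_number_given: Optional[str] = None  # number the caller asks us to use


@dataclass
class Decision:
    action: str                         # refuse | refer_to_mis | callback | deliver_offline
    reasons: list = field(default_factory=list)
    callback_to: Optional[str] = None


def triage(call: HelpDeskCall) -> Decision:
    """Apply the help-desk policy to one call and say what the desk may do."""
    reasons = []
    record = DIRECTORY.get(call.claimed_extension)
    if record is None:
        return Decision("refuse", ["extension not in company directory; "
                                   "verify employment before offering support"])
    if record["name"].lower() != call.claimed_name.lower():
        reasons.append("name does not match the directory entry for that extension")
    if record["dept"] != call.claimed_dept:
        reasons.append("department does not match the directory")
    if record["dept"] not in SYSTEM_OWNERS.get(call.system, set()):
        reasons.append(f"{record['dept']} users do not normally work with {call.system}")
    # Constant-time comparison of the PIN hash; a missing PIN is a failure too.
    if call.pin is None or not hmac.compare_digest(
            _pin_hash(call.pin, record["salt"]), record["pin_hash"]):
        reasons.append("help-desk PIN missing or incorrect")
    if reasons:
        return Decision("refuse", reasons)

    # Identity checks passed. Password changes are never made over the phone.
    if call.request == "password_reset":
        if not call.written_request_on_file:
            return Decision("refer_to_mis", ["password change requires a written request"])
        return Decision("deliver_offline",
                        ["deliver the new password by company mail or in person"])

    # Ordinary support: call back on the directory extension, never on a
    # number the caller supplied.
    notes = []
    if call.callback_number_given and call.callback_number_given != call.claimed_extension:
        notes.append("ignoring caller-supplied callback number")
    return Decision("callback", notes, callback_to=call.claimed_extension)
```

The decision carries its reasons so the desk can log why a call was refused; a run of refusals against the same extension or the same system is exactly the pattern a repeated pretext call produces and is worth reporting to MIS.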
Most companies' physical security won't keep out a reasonably resourceful
cracker, according to Thunder. Simply donning a courier's uniform or a tool
belt has been enough preparation for many an intruder to gain entrance to a
computing facility.
Once inside, the intruder has a whole menu of tactics to choose from,
including:
You can prevent this type of activity with some of the following
countermeasures:
Remember the insurance company scenario mentioned earlier? According to
Thunder, this was a blueprint for a real crime. The crackers pulled off the
heist without breaking in to the system. A trash search netted a company
phone book. With a few phone calls, the intruders identified a person
authorized to request the report they wanted and a person in MIS whose job
was to help users get the report.
Company memo forms, also taken from the trash, were used to prepare a
properly formatted request (with the help of the unwitting MIS staffer).
These were dropped into the company mail during a quick foray into the
building by the infiltrator disguised as a courier. Finally, the crackers
called the MIS department to let the staff know that the report would be
picked up by a courier--who then walked out the door with the
multithousand-page report. It's important to note that the crackers did not
even have to physically access the company's computer systems to pull this
off.
Companies and government offices are becoming aware that crackers can be
used as effective espionage tools. In turn, crackers are discovering that it
is much easier, and less risky, to compromise people and procedures than to
break into their computer systems. This combination of factors makes it
vital for LAN managers and security personnel to understand the threats
posed by social engineering.