The Art of Deception: Controlling the Human Element of Security
meantime should call Michelle on 9137. Very helpful, these people. Very helpful.

    I hung up and called Michelle, got her on the phone and said, "This is Bill Thomas. Jerry told me I should call you when I had the spec ready that he wanted the guys on his team to review. You're working on the heart stent, right?" She said they were.

    Now we were getting to the sweaty part of the scam. If she started sounding suspicious, I was ready to play the card about how I was just trying to do a favor Jerry had asked me for. I said, "Which system are you on?" "System?" "Which computer servers does your group use?" "Oh," she said, "RM22. And some of the group also use GM16." Good. I needed that, and it was a piece of information I could get from her without making her suspicious. Which softened her up for the next bit, done as casually as I could manage. "Jerry said you could give me a list of email addresses for people on the development team," I said, and held my breath. "Sure. The distribution list is too long to read off, can I email it to you?"

    Oops. Any email address that didn't end in GeminiMed.com would be a huge red flag. "How about you fax it to me?" I said. She had no problem with doing that.

    "Our fax machine is on the blink. I'll have to get the number of another one. Call you back in a bit," I said, and hung up.

    Now, you might think I was saddled with a sticky problem here, but it's just another routine trick of the trade. I waited a while so my voice wouldn't sound familiar to the receptionist, then called her and said, "Hi, it's Bill Thomas, our fax machine isn't working up here, can I have a fax sent to your machine?" She said sure, and gave me the number.

    Then I just walk in and pick up the fax, right? Of course not. First rule: Never visit the premises unless you absolutely have to. They have a hard time identifying you if you're just a voice on the telephone. And if they can't identify you, they can't arrest you. It's hard to put handcuffs around a voice. So I called the receptionist back after a little while and asked her, did my fax come? "Yes," she said.

    "Look," I told her, "I've got to get that to a consultant we're using. Could you send it out for me?" She agreed. And why not--how could any receptionist be expected to recognize sensitive data? While she sent the fax out to the "consultant," I had my exercise for the day walking over to a stationery store near me, the one with the sign out front "Faxes Sent/Rcvd." My fax was supposed to arrive before I did, and as expected, it was there waiting for me when I walked in. Six pages at $1.75. For a $10 bill and change, I had the group's entire list of names and email addresses.

Getting Inside

    Okay, so I had by now talked to three or four different people in only a few hours and was already one giant step closer to getting inside the company's computers. But I'd need a couple more pieces before I was home.

    Number one was the phone number for dialing into the Engineering server from outside. I called GeminiMed again and asked the switchboard operator for the IT Department, and asked the guy who answered for somebody who could give me some computer help. He transferred me, and I put on an act of being confused and kind of stupid about anything technical. "I'm at home, just bought a new laptop, and I need to set it up so I can dial in from outside."

    The procedure was obvious but I patiently let him talk me through it until he got to the dial-in phone number. He gave me the number like it was just another routine piece of information. Then I made him wait while I tried it. Perfect.

    So now I had passed the hurdle of connecting to the network. I dialed in and found they were set up with a terminal server that would let a caller connect to any computer on their internal network. After a bunch of tries I stumbled across somebody's computer that had a guest account with no password required. Some operating systems, when first installed, direct the user to set up
