The Art of Deception: Controlling the Human Element of Security
be delivered. This deception produced the name of the team leader for the heart-stent engineering group, who was on vacation, but - convenient for any social engineer trying to steal information - he had helpfully left the name and phone number of his assistant. Calling her, Craig defused any suspicions by claiming that he was responding to a request from the team leader. With the team leader out of town, Michelle had no way to verify his claim. She accepted it as the truth and had no problem providing a list of people in the group - for Craig, a necessary and highly prized set of information.

She didn't even get suspicious when Craig wanted the list sent by fax instead of by email, ordinarily more convenient on both ends. Why was she so gullible? Like many employees, she didn't want her boss to return to town and find she had stonewalled a caller who was just trying to do something the boss had asked him for. Besides, the caller said that the boss had not just authorized the request, but asked for his assistance. Once again, here's an example of someone displaying the strong desire to be a team player, which makes most people susceptible to deception.

Craig avoided the risk of physically entering the building simply by having the fax sent to the receptionist, knowing she was likely to be helpful. Receptionists are, after all, usually chosen for their charming personalities and their ability to make a good impression. Doing small favors like receiving a fax and sending it on comes with the receptionist's territory, a fact that Craig was able to take advantage of. What she was sending out happened to be information that might have raised alarm bells with anyone knowing the value of the information - but how could a receptionist be expected to know which information is benign and which sensitive? Using a different style of manipulation, Craig acted confused and naive to convince the guy in computer operations to provide him with the dial-up access number to the company's terminal server, the hardware used as a connection point to other computer systems within the internal network.

MITNICK MESSAGE Everybody's first priority at work is to get the job done. Under that pressure, security practices often take second place and are overlooked or ignored. Social engineers rely on this when practicing their craft.

Craig was able to connect easily by trying a default password that had never been changed, one of the glaring, wide-open gaps that exist throughout many internal networks that rely on firewall security. In fact, the default passwords for many operating systems, routers, and other types of products, including PBXs, are made available online. Any social engineer, hacker, or industrial spy, as well as the just plain curious, can find the list at http://www.phenoelit.de/dpl/dpl.html. (It's absolutely incredible how easy the Internet makes life for those who know where to look. And now you know, too.)

Cogburne then actually managed to convince a cautious, suspicious man ("What did you say your last name was? Who's your supervisor?") to divulge his username and password so that he could access servers used by the heart-stent development team. This was like leaving Craig with an open door to browse the company's most closely guarded secrets and download the plans for the new product. What if Steve Cramer had continued to be suspicious about Craig's call? It was unlikely he would do anything about reporting his suspicions until he showed up at work on Monday morning, which would have been too late to prevent the attack.

One key to the last part of the ruse: Craig at first made himself sound lackadaisical and uninterested in Steve's concerns, then changed his tune and sounded as if he was trying to help so Steve could get his work done. Most of the time, if the victim believes you're trying to help him or do him some kind of favor, he will part with confidential information that he would have otherwise protected.
