The Fourth Call: Bart in Publications
In Publications, she spoke with a man named Bart. Didi said she was from
Thousand Oaks, and they had a new consultant who needed a copy of the
company directory. She told him a print copy would work better for the
consultant, even if it was somewhat out of date. Bart told her she'd have to
fill out a requisition form and send the form over to him.
Didi said she was out of forms and it was a rush, and could Bart be a
sweetheart and fill out the form for her? He agreed with a little too much
enthusiasm, and Didi gave him the details. For the address of the fictional
contractor, she drawled the number of what social engineers call a mail
drop, in this case a Mail Boxes Etc.-type of commercial business where
her company rented boxes for situations just like this.
The earlier spadework now came in handy: There would be a charge for
the cost and shipping of the directory. Fine - Didi gave the cost center for
Thousand Oaks:
"IA5N, that's N like in Nancy."
A few days later, when the corporate directory arrived, Didi found it was
an even bigger payoff than she had expected: It not only listed the names
and phone numbers, but also showed who worked for whom - the
corporate structure of the whole organization.
The lady of the husky voice was ready to start making her head-hunter,
people-raiding phone calls. She had conned the information she needed to
launch her raid using the gift of gab honed to a high polish by every
skilled social engineer. Now she was ready for the payoff.
LINGO
MAIL DROP: The social engineer’s term for a rental mailbox, typically
rented under an assumed name, which is used to deliver documents or
packages the victim has been duped into sending
MITNICK MESSAGE
Just like pieces of a jigsaw puzzle, each piece of information may be
irrelevant by itself. However, when the pieces are put together, a clear
picture emerges. In this I case, the picture the social engineer saw was the entire internal structure of the company .
Analyzing the Con
In this social engineering attack, Didi started by getting phone numbers
for three departments in the target company. This was easy, because the
numbers she was asking for were no secret, especially to employees. A
social engineer learns to sound like an insider, and Didi was skilled at this game. One of the phone numbers led her to a cost center number, which
she then used to obtain a copy of the firm's employee directory.
The main tools she needed: sounding friendly, using some corporate
lingo, and, with the last victim, throwing in a little verbal eyelash-batting.
And one more tool, an essential element not easily acquired - the
manipulative skills of the social engineer, refined through extensive
practice and the unwritten lessons of bygone generations of confidence
men.
MORE "WORTHLESS" INFO
Besides a cost center number and internal phone extensions, what other
seemingly useless information can be extremely valuable to your enemy?.
Peter Abel’s Phone Call
"Hi," the voice at the other end of the line says. "This is Tom at Parkhurst
Travel. Your tickets to San Francisco are ready. Do you want us to deliver
them, or do you want to pick them up?"
"San Francisco?" Peter says. "I'm not going to San Francisco." "Is this
Peter Abels?"
"Yes, but I don't have any trips coming up."
"Well," the caller says with a friendly laugh, "you sure you don't want to
go to San Francisco?" "If you think you can talk my boss into it..." Peter says, playing along
with the friendly conversation.
"Sounds like a mix-up," the caller says. "On our system, we book travel
arrangements under the employee number. Maybe somebody used the
wrong number. What's your employee number?"
Peter obligingly recites his number. And why not? It goes on just about
every personnel form he fills out, lots of people in the company have
access to it - human resources, payroll, and, obviously, the outside travel
agency. No one treats an employee number like some sort of secret. What
difference could it make?
The answer isn't hard to figure out. Two or three pieces of information
might be all it takes to mount an effective impersonation - the social
engineer cloaking himself in someone else's identity. Get hold of an
employee's name, his phone number, his employee number--and maybe,
for good measure, his manager's name and phone number--and a halfway-
competent social engineer is equipped with most of what he's likely to
need to sound authentic to the next target he calls.
If someone who said he was from another department in your company
had called yesterday, given a plausible reason, and asked for your
employee number, would you have had any reluctance in giving it to him?
And by the way, what is your social security number?
MITNICK MESSAGE
The moral of the story is, don't give out any personal or internal company
information or identifiers to anyone, unless his or her voice is
recognizable and the requestor has a need to know.
PREVENTING THE CON
Your company has a responsibility to make employees aware of how a
serious mistake can occur from mishandling non public information. A
well thought-out information security policy combined with proper
education and training, will dramatically increase employee awareness
about the proper handling of corporate business information. A data
classification policy will help you to implement proper controls with
respect to disclosing information. Without a data classification policy, all
internal information must be considered confidential, unless otherwise
specified.
Take these steps to protect your company from the release of seemingly
innocuous information:
The Information Security Department needs to conduct awareness training
detailing the methods used by social engineers. One method, as described
above, is to obtain seemingly non sensitive information and use it as a
poker chip to gain short-term trust. Each and every employee needs to be
aware that when a caller has knowledge about company procedures, lingo,
and internal identifiers it does not in any way, shape, or form authenticate
the requestor or authorize him or her as having a need to know. A caller
could be a former employee or contractor with the requisite insider information. Accordingly, each
corporation has a responsibility to determine the appropriate
authentication method to be used when employees interact with people
they don't recognize in person or over the telephone.
The person or persons with the role and responsibility of drafting a data
classification policy should examine the types of details that may be used
to gain access for legitimate employees that seem innocuous, but could
lead to information that is, sensitive. Though you'd never give out the
access codes for your ATM card, would you tell somebody what server
you use to develop company software products? Could that information
be used by a person pretending to be somebody who has legitimate access
to the corporate network?
Sometimes just knowing inside terminology can make the social engineer
appear authoritative and knowledgeable. The attacker often relies on this
common misconception to dupe his or her victims into compliance. For
example, a Merchant ID is an identifier that people in the New Accounts
department of a bank casually use every day. But such an identifier
exactly the same as a password. If each and every employee understands
the nature of this identifier - that it is used to positively authenticate a
requestor--they might treat it with more respect. MITNICK MESSAGE
As the old adage goes - even real paranoids probably have enemies. We
must assume that every business has its enemies, too - attackers that target
the network infrastructure to compromise business secrets. Don't end up
being a statistic on computer crime - it's high time to shore up the
necessary defenses by implementing proper controls through well-
thought-out security policies and procedures.
No companies - well, very few, at least - give out the direct dial phone
numbers of their CEO or board chairman. Most companies, though, have
no concern about giving out phone numbers to most departments and
workgroups in the, organization - especially to someone who is, or
appears to be, an employee. A possible countermeasure: Implement a
policy that prohibits giving internal phone numbers of employees, contractors,
consultants, and temps to outsiders. More importantly, develop a step-by-
step procedure to positively identify whether a caller asking for phone
numbers is really an employee.
Accounting codes for workgroups and departments, as well as copies of
the corporate directory (whether hard copy, data file, or electronic phone
book on the intranet) are frequent targets of social engineers. Every
company needs a written, well-publicized policy on disclosure of this type
of information. The safeguards should include maintaining an audit log
that records instances when sensitive information is disclosed to people
outside of the company.
Information such as an employee number, by itself, should not be used as
any sort of authentication. Every employee must be trained to verify not
just the identity of a requestor, but also the requestor's need to know.
In your security training, consider teaching employees this approach:
Whenever asked a question or asked for a favor by a stranger, learn first
to politely decline until the request can be verified. Then - before giving
in to the natural desire to be Mr. or Ms. Helpful - follow company policies
and procedures with respect to verification and disclosure of non public information. This style may go against our natural tendency to help
others, but a little healthy paranoia may be necessary to avoid being the
social engineer's next dupe.
As the stories in this chapter have shown, seemingly innocuous
information can be the key to your company's most prized secrets.
Tidak ada komentar:
Posting Komentar