Tuesday, 09 June 2009

HACKING INTO THE FEDS

People often don't stop to think about what materials their organization is
making available on the Web. For my weekly show on KFI Talk Radio in
Los Angeles, the producer did a search on line and found a copy of an
instruction manual for accessing the database of the National Crime
Information Center. Later he found the actual NCIC manual itself on line,
a sensitive document that gives all the instructions for retrieving
information from the FBI's national crime database.
The manual is a handbook for law enforcement agencies that gives the
formatting and codes for retrieving information on criminals and crimes
from the national database. Agencies all over the country can search the
same database for information to help solve crimes in their own
jurisdiction. The manual contains the codes used in the database for
designating everything from different kinds of tattoos, to different boat
hulls, to denominations of stolen money and bonds.
Anybody with access to the manual can look up the syntax and the
commands to extract information from the national database. Then,
following instructions from the procedures guide, with a little nerve,
anyone can extract information from the database. The manual also gives
phone numbers to call for support in using the system. You may have
similar manuals in your company offering product codes or codes for retrieving sensitive information.
The FBI almost certainly has never discovered that their sensitive manual
and procedural instructions are available to anyone on line, and I don't
think they'd be very happy about it if they knew. One copy was posted by
a government department in Oregon, the other by a law enforcement
agency in Texas. Why? In each case, somebody probably thought the
information was of no value and posting it couldn't do any harm. Maybe
somebody posted it on their intranet just as a convenience to their own
employees, never realizing that it made the information available to
everyone on the Internet who has access to a good search engine such as
Google - including the just-plain-curious, the wannabe cop, the hacker,
and the organized crime boss.
Tapping into the System
The principle of using such information to dupe someone in the
government or a business setting is the same: Because a social engineer
knows how to access specific databases or applications, or knows the names of a company's computer servers, or the like, he gains credibility.
Credibility leads to trust.
Once a social engineer has such codes, getting the information he needs
is an easy process. In this example, he might begin by calling a clerk in a
local state police Teletype office, and asking a question about one of the
codes in the manual - for example, the offense code. He might say
something like, "When I do an OFF inquiry in the NCIC, I'm getting a
'System is down' error. Are you getting the same thing when you do an
OFF? Would you try it for me?" Or maybe he'd say he was trying to look
up a wpf - police talk for a wanted person's file.
The Teletype clerk on the other end of the phone would pick up the cue
that the caller was familiar with the operating procedures and the
commands to query the NCIC database. Who else other than someone
trained in using NCIC would know these procedures?
After the clerk has confirmed that her system is working okay, the
conversation might go something like this:
"I could use a little help."
"What're you looking for?"
"I need you to do an OFF command on Reardon, Martin. DOB
10/18/66."
"What's the sosh?" (Law enforcement people sometimes refer to the
social security number as the sosh.)
"700-14-7435."
After looking for the listing, she might come back with something like,
"He's got a 2602." The attacker would only have to look at the NCIC on line to find the
meaning of the number: The man has a case of swindling on his record.
Analyzing the Con
An accomplished social engineer wouldn't stop for a minute to ponder
ways of breaking into the NCIC database. Why should he, when a simple
call to his local police department, and some smooth talking so he sounds
convincingly like an insider, is all it takes to get the information he wants?
And the next time, he just calls a different police agency and uses the
same pretext.

LINGO
SOSH: Law enforcement slang for a social security number
You might wonder, isn't it risky to call a police department, a sheriff's
station, or a highway patrol office? Doesn't the attacker run a huge risk?
The answer is no . . . and for a specific reason. People in law enforcement,
like people in the military, have ingrained in them from the first day in the
academy a respect for rank. As long as the social engineer is posing as a
sergeant or lieutenant - a higher rank than the person he's talking to - the
victim will be governed by that well-learned lesson that says you don't
question people who are in a position of authority over you. Rank, in
other words, has its privileges, in particular the privilege of not being
challenged by people of lower rank.
But don't think law enforcement and the military are the only places
where this respect for rank can be exploited by the social engineer. Social
engineers often use authority or rank in the corporate hierarchy as a
weapon in their attacks on businesses - as a number of the stories in these
pages demonstrate.
PREVENTING THE CON
What are some steps your organization can take to reduce the likelihood
that social engineers will take advantage of your employees' natural
instinct to trust people? Here are some suggestions.
Protect Your Customers
In this electronic age many companies that sell to the consumer keep
credit cards on file. There are reasons for this: It saves the customer the
nuisance of having to provide the credit card information each time he
visits the store or the Web site to make a purchase. However, the practice
should be discouraged.
If you must keep credit card numbers on file, that process needs to be
accompanied by security provisions that go beyond encryption or using
access control. Employees need to be trained to recognize social
engineering scams like the ones in this chapter. That fellow employee
you've never met in person but who has become a telephone friend may
not be who he or she claims to be. He may not have the "need to know" to
access sensitive customer information, because he may not actually work
for the company at all.
MITNICK MESSAGE
Everyone should be aware of the social engineer's modus operandi:
Gather as much information about the target as possible, and use that
information to gain trust as an insider. Then go for the jugular!
Trust Wisely
It's not just the people who have access to clearly sensitive information -
the software engineers, the folks in R&D, and so on - who need to be on
the defensive against intrusions. Almost everyone in your organization
needs training to protect the enterprise from industrial spies and
information thieves.
Laying the groundwork for this should begin with a survey of enterprise-wide
information assets, looking separately at each sensitive, critical, or
valuable asset, and asking what methods an attacker might use to
compromise those assets through the use of social engineering tactics.
Appropriate training for people who have trusted access to such
information should be designed around the answers to these questions.
When anyone you don't know personally requests some information or
material, or asks you to perform any task on your computer, have your
employees ask themselves some questions. If I gave this information to
my worst enemy, could it be used to injure me or my company? Do I
completely understand the potential effect of the commands I am being
asked to enter into my computer?
We don't want to go through life being suspicious of every new person we
encounter. Yet the more trusting we are, the more likely that the next
social engineer to arrive in town will be able to deceive us into giving up
our company's proprietary information.
What Belongs on Your Intranet?
Parts of your intranet may be open to the outside world, other parts
restricted to employees. How careful is your company in making sure
sensitive information isn't posted where it's accessible to audiences you
meant to protect it from? When is the last time anyone in your
organization checked to see if any sensitive information on your
company's intranet had inadvertently been made available through the
public-access areas of your Web site?
If your company has implemented proxy servers as intermediaries to
protect the enterprise from electronic security threats, have those servers
been checked recently to be sure they're configured properly? In fact, has anyone ever checked the security of your intranet?
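As an added example (not code from the book or from this blog), here is a small audit script in the spirit of that last question: it walks a directory that is served to the public and flags text files carrying internal-only markings such as "FOR OFFICIAL USE ONLY". The marker list and the sample web root are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Phrases that usually mark a document as internal-only. Treat hits as leads
# for a human reviewer, not as proof of a leak. Assumed list for this demo.
SENSITIVITY_MARKERS = (
    r"\bfor official use only\b",
    r"\binternal use only\b",
    r"\bnot for public (?:release|distribution)\b",
    r"\blaw enforcement sensitive\b",
)
MARKER_RE = re.compile("|".join(SENSITIVITY_MARKERS), re.IGNORECASE)
TEXT_EXTENSIONS = (".html", ".htm", ".txt", ".md")


def find_markers(text):
    """Return the distinct marker phrases present in one document body."""
    return sorted({m.group(0).lower() for m in MARKER_RE.finditer(text)})


def audit_public_root(root):
    """Walk a publicly served directory; map each flagged file to its markers."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(TEXT_EXTENSIONS):
                continue  # binaries and other formats need their own extractor
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_markers(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def run_demo():
    """Build a constructed sample web root (not real content) and audit it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {  # constructed sample files
        "index.html": "<h1>Welcome</h1><p>Public office hours and contact info.</p>",
        "docs/query_manual.txt": "FOR OFFICIAL USE ONLY\nOffense inquiry codes follow.",
        "docs/policy.md": "Internal Use Only - do not post outside the intranet.",
        "logo.png": "placeholder; skipped by the extension filter",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return audit_public_root(root)
```

Point `audit_public_root` at a mirror of the public document root (or a crawl of it) and review every flagged path by hand; a clean run says nothing about PDFs or other binaries, which need their own text extraction first.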
