Tuesday, 09 June 2009

Let Me Help You

We're all grateful when we're plagued by a problem and somebody with
the knowledge, skill, and willingness comes along offering to lend us a
hand. The social engineer understands that, and knows how to take
advantage of it.
He also knows how to cause a problem for you... then make you grateful
when he resolves the problem... and finally play on your gratitude to
extract some information or a small favor from you that will leave your
company (or maybe you, individually) very much worse off for the
encounter. And you may never even know you've lost something of value.
Here are some typical ways that social engineers step forward to "help."
THE NETWORK OUTAGE
Day/Time: Monday, February 12, 3:25 p.m.
Place: Offices of Starboard Shipbuilding
The First Call: Tom DeLay
"Tom DeLay, Bookkeeping."
"Hey, Tom, this is Eddie Martin from the Help Desk. We're trying to
troubleshoot a computer networking problem. Do you know if anyone in
your group has been having trouble staying on line?"
"Uh, not that I know of."
"And you're not having any problems yourself."
"No, seems fine."


"Okay, that's good. Listen, we're calling people who might be affected
'cause it's important you let us know right away if you lose your network
connection."
"That doesn't sound good. You think it might happen?"
"We hope not, but you'll call if it does, right?"
"You better believe it."
"Listen, sounds like having your network connection go down would be a
problem for you..."
"You bet it would."
"... so while we're working on this, let me give you my cell phone
number. Then you can reach me directly if you need to."
"That'd be great. Go ahead."
"It's 555 867 5309."
"555 867 5309. Got it. Hey, thanks. What was your name again?"
"It's Eddie. Listen, one other thing--I need to check which port your
computer is connected to. Take a look on your computer and see if there's
a sticker somewhere that says something like 'Port Number'."
"Hang on... No, don't see anything like that."
"Okay, then in the back of the computer, can you recognize the network
cable?"
"Yeah."
"Trace it back to where it's plugged in. See if there's a label on the jack it's
plugged into."
"Hold on a second. Yeah, wait a minute - I have to squat down here so I
can get close enough to read it. Okay - it says Port 6 dash 47."
"Good - that's what we had you down as, just making sure."
The Second Call: The IT Guy
Two days later, a call came through to the same company's Network
Operations Center.
"Hi, this is Bob; I'm in Tom DeLay's office in Bookkeeping. We're trying
to troubleshoot a cabling problem. I need you to disable Port 6-47."
The IT guy said it would be done in just a few minutes, and to let them
know when he was ready to have it enabled.


The Third Call: Getting Help from the Enemy
About an hour later, the guy who called himself Eddie Martin was
shopping at Circuit City when his cell phone rang. He checked the caller
ID, saw the call was from the shipbuilding company, and hurried to a
quiet spot before answering.
"Help Desk, Eddie."
"Oh, hey, Eddie. You've got an echo, where are you?"
"I'm, uh, in a cabling closet. Who's this?"
"It's Tom DeLay. Boy, am I glad I got ahold of you. Maybe you
remember you called me the other day? My network connection just went
down like you said it might, and I'm a little panicky here."
"Yeah, we've got a bunch of people down right now. We should have it
taken care of by the end of the day. That okay?"
"NO! Damn, I'll get way behind if I'm down that long. What's the best you
can do for me?"
"How pressed are you?"
"I could do some other things for right now. Any chance you could take
care of it in half an hour?"
"HALF AN HOUR! You don't want much. Well, look, I'll drop what I'm
doing and see if I can tackle it for you."
"Hey, I really appreciate that, Eddie."
The Fourth Call: Gotcha!
Forty-five minutes later...
"Tom? It's Eddie. Go ahead and try your network connection."
After a couple of moments:
"Oh, good, it's working. That's just great."
"Good, glad I could take care of it for you."
"Yeah, thanks a lot."
"Listen, if you want to make sure your connection doesn't go down again,
there's some software you oughta be running. Just take a couple of
minutes."
"Now's not the best time."
"I understand... It could save us both big headaches the next time this network problem happens."


"Well . . . if it's only a few minutes."
"Here's what you do..."
Eddie then took Tom through the steps of downloading a small
application from a Web site. After the program had downloaded, Eddie
told Tom to double-click on it. He tried, but reported:
"It's not working. It's not doing anything."
"Oh, what a pain. Something must be wrong with the program. Let's just
get rid of it, we can try again another time." And he talked Tom through
the steps of deleting the program so it couldn't be recovered.
Total elapsed time, twelve minutes.
The Attacker's Story
Bobby Wallace always thought it was laughable when he picked up a
good assignment like this one and his client pussyfooted around the
unasked but obvious question of why they wanted the information. In this
case he could only think of two reasons. Maybe they represented some
outfit that was interested in buying the target company, Starboard
Shipbuilding, and wanted to know what kind of financial shape they were
really in - especially all the stuff the target might want to keep hidden
from a potential buyer. Or maybe they represented investors who thought
there was something fishy about the way the money was being handled
and wanted to find out whether some of the executives had a case of
hands-in-the-cookie-jar.
And maybe his client also didn't want to tell him the real reason because,
if Bobby knew how valuable the information was, he'd probably want
more money for doing the job.
There are a lot of ways to crack into a company's most secret files. Bobby
spent a few days mulling over the choices and doing a little checking
around before he decided on a plan. He settled on one that called for an
approach he especially liked, where the target is set up so that he asks the
attacker for help.
For starters, Bobby picked up a $39.95 cell phone at a convenience store.
He placed a call to the man he had chosen as his target, passed himself off
as being from the company help desk, and set things up so the man would
call Bobby's cell phone any time he found a problem with his network
connection. He left a pause of two days so as not to be too obvious, and then made a
call to the network operations center (NOC) at the company. He claimed
he was trouble-shooting a problem for Tom, the target, and asked to have
Tom's network connection disabled. Bobby knew this was the trickiest
part of the whole escapade - in many companies, the help desk people
work closely with the NOC; in fact, he knew the help desk is often part of
the IT organization. But the indifferent NOC guy he spoke with treated
the call as routine, didn't ask for the name of the help desk person who
was supposedly working on the networking problem, and agreed to
disable the target's network port. When done, Tom would be totally
isolated from the company's intranet, unable to retrieve files from the
server, exchange files with his co-workers, download his email, or even
send a page of data to the printer. In today's world, that's like living in a
cave.
As Bobby expected, it wasn't long before his cell phone rang. Of course
he made himself sound eager to help this poor "fellow employee" in
distress. Then he called the NOC and had the man's network connection
turned back on. Finally, he called the man and manipulated him once
again, this time making him feel guilty for saying no after Bobby had
done him a favor. Tom agreed to the request that he download a piece of
software to his computer.
Of course, what he agreed to wasn't exactly what it seemed. The software
that Tom was told would keep his network connection from going down,
was really a Trojan Horse, a software application that did for Tom's
computer what the original deception did for the Trojans: It brought the
enemy inside the camp. Tom reported that nothing happened when he
double-clicked on the software icon; the fact was that, by design, he
couldn't see anything happening, even though the small application was
installing a secret program that would allow the infiltrator covert access to
Tom's computer.
With the software running, Bobby was provided with complete control
over Tom's computer, an arrangement known as a remote command shell.
When Bobby accessed Tom's computer, he could look for the accounting
files that might be of interest and copy them. Then, at his leisure, he'd
examine them for the information that would give his clients what they
were looking for.
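What the "nothing happened" double-click looks like in endpoint telemetry is worth spelling out. The Python below is an added example, not code from the book or from any real product: it runs a single heuristic over a constructed event stream (the field names, paths, pids and the 198.51.100.7 address are all invented for illustration), flagging a process that was spawned by a program launched from a user-writable folder, outlived that program, and opened an outbound connection.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of endpoint telemetry (process-start, process-exit and
# network-connect events) modelled on the story: the user double-clicks a
# downloaded file, the visible process exits at once, and a child it spawned
# keeps running and reaches out to an external address. Field names, paths,
# pids and the address are this example's own inventions.
@dataclass
class Event:
    kind: str          # "proc_start", "proc_exit" or "net_connect"
    pid: int
    ppid: int
    image: str
    user: str
    remote: str = ""   # "ip:port" for net_connect events only

SAMPLE: List[Event] = [
    Event("proc_start", 4101, 3000, r"C:\Users\tdelay\Downloads\netfix.exe", "tdelay"),
    Event("proc_start", 4102, 4101, r"C:\Users\tdelay\AppData\Local\Temp\netmon.exe", "tdelay"),
    Event("proc_exit",  4101, 3000, r"C:\Users\tdelay\Downloads\netfix.exe", "tdelay"),
    Event("net_connect", 4102, 4101, r"C:\Users\tdelay\AppData\Local\Temp\netmon.exe",
          "tdelay", "198.51.100.7:443"),
    # Benign contrast: a downloaded installer that runs, exits, and leaves nothing behind.
    Event("proc_start", 4200, 3000, r"C:\Users\tdelay\Downloads\reader.exe", "tdelay"),
    Event("proc_exit",  4200, 3000, r"C:\Users\tdelay\Downloads\reader.exe", "tdelay"),
]

# Directories an ordinary user can write to; a "dropper" usually starts from one.
USER_WRITABLE = ("\\Downloads\\", "\\AppData\\Local\\Temp\\")

def orphaned_outbound_children(events: List[Event]) -> List[Dict[str, object]]:
    """Flag processes that (1) were spawned by a parent launched from a
    user-writable directory, (2) outlived that parent, and (3) made an
    outbound connection. One heuristic for the Trojan pattern in the story."""
    started: Dict[int, Event] = {}
    exited: Set[int] = set()
    connects: Dict[int, str] = {}
    for e in events:
        if e.kind == "proc_start":
            started[e.pid] = e
        elif e.kind == "proc_exit":
            exited.add(e.pid)
        elif e.kind == "net_connect":
            connects[e.pid] = e.remote

    hits: List[Dict[str, object]] = []
    for pid, child in started.items():
        parent = started.get(child.ppid)
        if parent is None:
            continue
        parent_from_user_dir = any(d in parent.image for d in USER_WRITABLE)
        if (parent_from_user_dir and parent.pid in exited
                and pid not in exited and pid in connects):
            hits.append({"pid": pid, "image": child.image,
                         "remote": connects[pid], "dropper": parent.image})
    return hits

if __name__ == "__main__":
    for hit in orphaned_outbound_children(SAMPLE):
        print(f"suspect pid {hit['pid']}: {hit['image']} -> {hit['remote']} "
              f"(dropped by {hit['dropper']})")
```

The benign installer in the sample is not flagged because nothing it spawned outlived it. A real detection would also want the child's binary hash and whether the user had a visible window from the parent, but the three conditions above are enough to separate "the program did nothing" from "the program did its job quietly".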

LINGO
TROJAN HORSE: A program containing malicious or harmful code,
designed to damage the victim's computer or files, or obtain information
from the victim's computer or network. Some Trojans are designed to hide
within the computer's operating system and spy on every keystroke or
action, or accept instruction over a network connection to perform some
function, all without the victim being aware of its presence.
And that wasn't all. He could go back at any time to search through the
email messages and private memos of the company's executives, running
a text search for words that might reveal any interesting tidbits of
information.
Late on the night that he conned his target into installing the Trojan Horse
software, Bobby threw the cell phone into a Dumpster. Of course he was
careful to clear the memory first and pull the battery out before he tossed
it - the last thing he wanted was for somebody to call the cell phone's
number by mistake and have the phone start ringing!
Analyzing the Con
The attacker spins a web to convince the target he has a problem that, in
fact, doesn't really exist - or, as in this case, a problem that hasn't
happened yet, but that the attacker knows will happen because he's going
to cause it. He then presents himself as the person who can provide the
solution.
The setup in this kind of attack is particularly juicy for the attacker:
Because of the seed planted in advance, when the target discovers he has
a problem, he himself makes the phone call to plead for help. The attacker
just sits and waits for the phone to ring, a tactic fondly known in the trade
as reverse social engineering. An attacker who can make the target call him
gains instant credibility: If I place a call to someone I think is on the help
desk, I'm not going to start asking him to prove his identity. That's when the
attacker has it made.
LINGO
REMOTE COMMAND SHELL: A non-graphical interface that accepts
text-based commands to perform certain functions or run programs. An
attacker who exploits technical vulnerabilities or is able to install a Trojan
Horse program on the victim's computer may be able to obtain remote
access to a command shell.
REVERSE SOCIAL ENGINEERING: A social engineering attack in which
the attacker sets up a situation where the victim encounters a problem and
contacts the attacker for help. Another form of reverse social engineering
turns the tables on the attacker. The target recognizes the attack, and uses
psychological principles of influence to draw out as much information as
possible from the attacker so that the business can safeguard targeted assets.
MITNICK MESSAGE
If a stranger does you a favor, then asks you for a favor,
don't reciprocate without thinking carefully about what
he's asking for.
In a con like this one, the social engineer tries to pick a target who is
likely to have limited knowledge of computers. The more he knows, the
more likely that he'll get suspicious, or just plain figure out that he's being
manipulated. What I sometimes call the computer-challenged worker,
who is less knowledgeable about technology and procedures, is more
likely to comply. He's all the more likely to fall for a ruse like "Just
download this little program," because he has no idea of the potential
damage a software program can inflict. What's more, there's a much
smaller chance he'll understand the value of the information on the
computer network that he's placing at risk.
A LITTLE HELP FOR THE NEW GAL
New employees are a ripe target for attackers. They don't know many
people yet, they don't know the procedures or the dos and don'ts of the
company. And, in the name of making a good first impression, they're
eager to show how cooperative and quick to respond they can be.
Helpful Andrea
"Human Resources, Andrea Calhoun."
"Andrea, hi, this is Alex, with Corporate Security."
"Yes?"
"How're you doing today?"
"Okay. What can I help you with?"
"Listen, we're developing a security seminar for new employees and we
need to round up some people to try it out on. I want to get the name and
phone number of all the new hires in the past month. Can you help me
with that?"
"I won't be able to get to it 'til this afternoon. Is that okay?"
"What's your extension?"
"Sure, okay, it's 52 . . . oh, uh, but I'll be in meetings most of today. I'll
call you when I'm back in my office, probably after four."
When Alex called about 4:30, Andrea had the list ready, and read him the
names and extensions.
A Message for Rosemary
Rosemary Morgan was delighted with her new job. She had never worked
for a magazine before and was finding the people much friendlier than she
expected, a surprise because of the never-ending pressure most of the staff
was always under to get yet another issue finished by the monthly
deadline. The call she received one Thursday morning reconfirmed that
impression of friendliness.
"Is that Rosemary Morgan?"
"Yes."
"Hi, Rosemary. This is Bill Jorday, with the Information Security
group."
"Yes?"
"Has anyone from our department discussed best security practices with
you?"
"I don't think so."
"Well, let's see. For starters, we don't allow anybody to install software
brought in from outside the company. That's because we don't want any
liability for unlicensed use of software. And to avoid any problems with
software that might have a worm or a virus."
"Okay."
"Are you aware of our email policies?"
"No."
"What's your current email address?"
"Rosemary@ttrzine.net."
"Do you sign in under the username Rosemary?"
"No, it's R underscore Morgan."
"Right. We like to make all our new employees aware that it can be
dangerous to open any email attachment you aren't expecting. Lots of
viruses and worms get sent around and they come in emails that seem to
be from people you know. So if you get an email with an attachment you
weren't expecting you should always check to be sure the person listed as
sender really did send you the message. You understand?"
"Yes, I've heard about that."


"Good. And our policy is that you change your password every ninety
days. When did you last change your password?"
"I've only been here three weeks; I'm still using the one I first set."
"Okay, that's fine. You can wait the rest of the ninety days. But we need
to be sure people are using passwords that aren't too easy to guess. Are
you using a password that consists of both letters and numbers?"
"No."
"We need to fix that. What password are you using now?"
"It's my daughter's name - Annette."
"That's really not a secure password. You should never choose a password
that's based on family information. Well, let's see... you could do the same
thing I do. It's okay to use what you're using now as the first part of the
password, but then each time you change it, add a number for the current month."
"So if I did that now, for March, would I use three, or oh-three?"
"That's up to you. Which would you be more comfortable with?"
"I guess Annette-three."
"Fine. Do you want me to walk you through how to make the change?"
"No, I know how."
"Good. And one more thing we need to talk about. You have anti-virus
software on your computer and it's important to keep it up to date. You
should never disable the automatic update even if your computer slows
down every once in a while. Okay?"
"Sure."
"Very good. And do you have our phone number over here,
so you can call us if you have any computer problems?"
She didn't. He gave her the number, she wrote it down carefully, and went
back to work, once again, pleased at how well taken care of she felt.
Analyzing the Con
This story reinforces an underlying theme you'll find throughout this
book: The most common information that a social engineer wants from an
employee, regardless of his ultimate goal, is the target's authentication
credentials. With an account name and password in hand from a single
employee in the right area of the company, the attacker has what he needs
to get inside and locate whatever information he's after. Having this
information is like finding the keys to the kingdom; with them in hand, he
can move freely around the corporate landscape and find the treasure he
seeks.
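The scheme Rosemary was talked into ("Annette" plus the month number) is worth quantifying. The following Python is an added example, not text from the book: it enumerates the candidate set an attacker holding the disclosed base would need to try in any given month, and shows the check a password-change routine can run to refuse a new password that is just the old one with a different number. The separator list and the regular expression are this example's assumptions.

```python
from __future__ import annotations
import re

# Constructed from the story: the base password the new hire disclosed and the
# rotation scheme the caller suggested (keep the base, append the month number).
DISCLOSED_BASE = "Annette"
# Assumption: the few ways people join a word and a number.
SEPARATORS = ("", "-", "_")

def month_suffixes(month: int) -> list[str]:
    """Both spellings Rosemary asked about: '3' and '03' (one form for 10-12)."""
    return sorted({str(month), f"{month:02d}"})

def candidate_passwords(base: str, month: int) -> list[str]:
    """Every password the disclosed scheme can yield in a given month."""
    return [f"{base}{sep}{suf}" for sep in SEPARATORS for suf in month_suffixes(month)]

def guess_space_for_year(base: str) -> set[str]:
    """The whole set an attacker needs to try at any point in the next year."""
    return {p for m in range(1, 13) for p in candidate_passwords(base, m)}

# Defender side: refuse a new password that is the previous one with a new number.
# Matches an optional '-' or '_' and one to four trailing digits.
TRAILING_NUMBER = re.compile(r"^(?P<stem>.+?)[-_]?(?P<num>\d{1,4})$")

def stem_of(password: str) -> str:
    """Password with any trailing separator and number removed: 'Annette-03' -> 'Annette'."""
    m = TRAILING_NUMBER.match(password)
    return m.group("stem") if m else password

def is_rotation_of(previous: str, candidate: str) -> bool:
    """True when the candidate is the previous password's stem plus a new number."""
    m = TRAILING_NUMBER.match(candidate)
    return bool(m) and m.group("stem").lower() == stem_of(previous).lower()

def password_acceptable(previous: str, candidate: str) -> tuple[bool, str]:
    """Change-time policy check; the rotation test runs first so it is reported first."""
    if is_rotation_of(previous, candidate):
        return False, "derived from previous password"
    if len(candidate) < 12:
        return False, "too short"
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        return False, "needs both letters and digits"
    return True, "ok"

if __name__ == "__main__":
    space = guess_space_for_year(DISCLOSED_BASE)
    print(f"{len(space)} guesses cover a year of 'changes' for {DISCLOSED_BASE!r}")
    print(password_acceptable("Annette-3", "Annette-4"))
    print(password_acceptable("Annette-3", "harbor-ledger-7-stent"))
```

Sixty-three guesses cover a full year of "changes", which is why forced periodic rotation so reliably produces this pattern; NIST SP 800-63B advises verifiers not to require routine password changes for that reason. Where rotation is still mandated, a change-time comparison like `is_rotation_of` catches the increment, and it needs the previous password only at the moment of change, never stored in the clear afterwards.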


MITNICK MESSAGE
Before new employees are allowed access to any company
computer systems, they must be trained to follow good security
practices, especially policies about never disclosing their
passwords.
NOT AS SAFE AS YOU THINK
"The company that doesn't make an effort to protect its sensitive
information is just plain negligent." A lot of people would agree with that
statement. And the world would be a better place if life were so obvious
and so simple. The truth is that even those companies that do make an
effort to protect confidential information may be at serious risk.
Here's a story that illustrates once again how companies fool themselves
every day into thinking their security practices, designed by experienced,
competent, professionals, cannot be circumvented.
Steve Cramer's Story
It wasn't a big lawn, not one of those expensively seeded spreads. It
garnered no envy. And it certainly wasn't big enough to give him an
excuse for buying a sit-down mower, which was fine because he wouldn't
have used one anyway. Steve enjoyed cutting the grass with a hand-
mower because it took longer, and the chore provided a convenient excuse
to focus on his own thoughts instead of listening to Anna telling him
stories about the people at the bank where she worked or explaining
errands for him to do. He hated those honey-do lists that had become an
integral part of his weekends. It flashed through his mind that 12-year-old
Pete was damn smart to join the swimming team. Now he'd have to be at
practice or a meet every Saturday so he wouldn't get stuck with Saturday
chores.
Some people might think Steve's job designing new devices for
GeminiMed Medical Products was boring; Steve knew he was saving
lives. Steve thought of himself as being in a creative line of work. Artist,
music composer, engineer - in Steve's view they all faced the same kind
of challenge he did: They created something that no one had ever done
before. And his latest, an intriguingly clever new type of heart stent,
would be his proudest achievement yet.

It was almost 11:30 on this particular Saturday, and Steve was annoyed
because he had almost finished cutting the grass and hadn't made any real
progress in figuring out how to reduce the power requirement on the heart
stent, the last remaining hurdle. A perfect problem to mull over while
mowing, but no solution had come.
Anna appeared at the door, her hair covered in the red paisley cowboy
