Tuesday, 09 June 2009

MITNICK MESSAGE

Never think all social engineering attacks need to be elaborate ruses so complex that they're likely to be recognized before they can be completed. Some are in-and-out, strike-and-disappear, very simple attacks that are no more than... well, just asking for it.
You have to sort of develop the social engineer's instinct, get a sense of how cooperative the person on the other end is going to be with you. This time I lucked out with a friendly, helpful lady. In a single phone call, I had the address and phone number. Mission accomplished.
Analyzing the Con
Certainly Janie knew that customer information is sensitive. She would never discuss one customer's account with another customer, or give out private information to the public.

But naturally, for a caller from within the company, different rules apply. For a fellow employee it's all about being a team player and helping each other get the job done. The man from Billing could have looked up the details himself if his computer hadn't been down with a virus, and she was glad to be able to help a co-worker.

Art built up gradually to the key information he was really after, asking questions along the way about things he didn't really need, such as the account number. Yet at the same time, the account number information provided a fallback: if the clerk had become suspicious, he'd call a second time and stand a better chance of success, because knowing the account number would make him sound all the more authentic to the next clerk he reached.

It never occurred to Janie that somebody might actually lie about something like this, that the caller might not really be from the billing department at all. Of course, the blame doesn't lie at Janie's feet. She wasn't well versed in the rule about making sure you know who you're talking to before discussing information in a customer's file. Nobody had ever told her about the danger of a phone call like the one from Art. It wasn't in the company policy, it wasn't part of her training, and her supervisor had never mentioned it.
PREVENTING THE CON
A point to include in your security training: just because a caller or visitor knows the names of some people in the company, or knows some of the corporate lingo or procedures, doesn't mean he is who he claims to be. And it definitely doesn't establish him as anybody authorized to be given internal information, or access to your computer system or network. Security training needs to emphasize: when in doubt, verify, verify, verify.
In earlier times, access to information within a company was a mark of rank and privilege. Workers stoked the furnaces, ran the machines, typed the letters, and filed the reports. The foreman or boss told them what to do, when, and how. It was the foreman or boss who knew how many widgets each worker should be producing on a shift, how many and in what colors and sizes the factory needed to turn out this week, next week, and by the end of the month. Workers handled machines and tools and materials, and bosses handled information. Workers needed only the information specific to their own jobs.
The picture is a little different today, isn't it? Many factory workers use some form of computer or computer-driven machine. For a large part of the workforce, critical information is pushed down to the users' desktops so that they can fulfill their responsibility to get their work done. In today's environment, almost everything employees do involves the handling of information.
That's why a company's security policy needs to be distributed enterprise-wide, regardless of position. Everybody must understand that it's not just the bosses and executives who have the information that an attacker might be after. Today, workers at every level, even those who don't use a computer, are liable to be targeted. The newly hired rep in the customer service group may be just the weak link that a social engineer breaks to achieve his objective. Security training and corporate security policies need to strengthen that link.