THE ART OF DECEPTION
Controlling the Human Element of Security
About the book
(2003, ISBN 978-0764542800)
Other books on corporate security focus on hardware and software technology and do not adequately cover the most serious threat of all: human deception. The purpose of this book, in contrast, is to help you understand how you, your co-workers, and others in your company are being manipulated, and the barriers you can erect to stop being victims. The book focuses mainly on the non-technical methods that hostile intruders use to steal information, compromise the integrity of information that is believed to be safe but isn’t, or destroy company work product.
There’s a popular saying that a secure computer is one that’s turned off. Clever, but false: the pretexter simply talks someone into going into the office and turning that computer on. An adversary who wants your information can obtain it, usually in any one of several different ways. It’s just a matter of time, patience, personality, and persistence. That’s where the art of deception comes in, and that’s what the book is about.
About the Author
“Despite the media-created myth of Kevin Mitnick, I am not a malicious hacker.” – Kevin Mitnick
Kevin Mitnick (http://en.wikipedia.org/wiki/Kevin_Mitnick), born August 6, 1963, is an American computer security consultant, author and hacker. In 1999 he was convicted of various computer and communications-related crimes. At the time of his arrest he was the most-wanted computer criminal in the United States. He now runs a security firm named Mitnick Security Consulting, LLC, which tests a company’s security strengths, weaknesses, and potential loopholes, and is the Chief Hacking Officer of the security awareness training company KnowBe4.
Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.
The book is full of incredible examples and is therefore a real pleasure to read. Every example concludes with suggestions for preventing that type of con. The last few chapters put all of those guides and principles together into a solid guideline your company can use to harden itself against social engineers (assuming your technical security is already in place).
The examples are somewhat lengthy for an abstract or book review, but they illustrate so well what the book is about, and they are so amusing to read, that I have picked two of them and put them at the end of this review. You could read them first if you’d like to get the idea.
Outline of the book
Part 1 reveals security’s weakest link and shows you why you and your company are at risk from social engineering attacks.
In Part 2 you’ll see how social engineers toy with your trust, your desire to be helpful, your sympathy, and your human gullibility to get what they want. Fictional stories of typical attacks will demonstrate that social engineers can wear many hats and many faces. If you think you’ve never encountered one, you’re probably wrong.
Part 3 is the part of the book where you see how the social engineer ups the ante, in made-up stories that show how he can step onto your corporate premises, steal the kind of secret that can make or break your company, and thwart your hi-tech security measures. The scenarios in this section will make you aware of threats that range from simple employee revenge to cyber terrorism. If you value the information that keeps your business running and the privacy of your data, you’ll want to read Chapters 10 through 14 from beginning to end. It’s important to note that unless otherwise stated, the anecdotes in this book are purely fictional.
Part 4 discusses, in corporate terms, how to prevent successful social engineering attacks on your organization. Chapter 15 provides a blueprint for a successful security-training program. And Chapter 16 might just save your neck: it’s a complete security policy you can customize for your organization and implement right away to keep your company and its information safe.
Finally, a Security at a Glance section, which includes checklists, tables, and charts that summarize key information you can use to help your employees foil a social engineering attack on the job. These tools also provide valuable information you can use in devising your own security-training program.
Essence: THE HUMAN FACTOR
Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it. It’s natural to yearn for a feeling of absolute safety, leading many people to settle for a false sense of security. Consider the responsible and loving homeowner who has a Medico, a tumbler lock known as being pickproof, installed in his front door to protect his wife, his children, and his home. He’s now comfortable that he has made his family much safer against intruders. But what about the intruder who breaks a window, or cracks the code to the garage door opener? How about installing a robust security system? Better, but still no guarantee. Expensive locks or no, the homeowner remains vulnerable. Why? Because the human factor is truly security’s weakest link.
Security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naivete, or ignorance come into play. The world’s most respected scientist of the twentieth century, Albert Einstein, is quoted as saying, “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” In the end, social engineering attacks can succeed when people are stupid or, more commonly, simply ignorant about good security practices. With the same attitude as our security-conscious homeowner, many information technology (IT) professionals hold to the misconception that they’ve made their companies largely immune to attack because they’ve deployed standard security products – firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. Anyone who thinks that security products alone offer true security is settling for the illusion of security. It’s a case of living in a world of fantasy: they will inevitably, later if not sooner, suffer a security incident.
As noted security consultant Bruce Schneier puts it, “Security is not a product, it’s a process.” Moreover, security is not a technology problem – it’s a people and management problem. As developers invent continually better security technologies, making it increasingly difficult to exploit technical vulnerabilities, attackers will turn more and more to exploiting the human element. Cracking the human firewall is often easy, requires no investment beyond the cost of a phone call, and involves minimal risk.
Contemporary side note: TERRORISTS AND DECEPTION
Of course, deception isn’t an exclusive tool of the social engineer. Physical terrorism makes the biggest news, and we have come to realize as never before that the world is a dangerous place. Civilization is, after all, just a thin veneer. The attacks on New York and Washington, D.C., in September 2001 infused sadness and fear into the hearts of every one of us – not just Americans, but well-meaning people of all nations. We’re now alerted to the fact that there are obsessive terrorists located around the globe, well-trained and waiting to launch further attacks against us. The recently intensified effort by our government has increased the levels of our security consciousness. We need to stay alert, on guard against all forms of terrorism. We need to understand how terrorists treacherously create false identities, assume roles as students and neighbors, and melt into the crowd. They mask their true beliefs while they plot against us – practicing tricks of deception similar to those you will read about in these pages. And while, to the best of my knowledge, terrorists have not yet used social engineering ruses to infiltrate corporations, water-treatment plants, electrical generation facilities, or other vital components of our national infrastructure, the potential is there. It’s just too easy. The security awareness and security policies that I hope will be put into place and enforced by corporate senior management because of this book will come none too soon.
How can this book help you
I hope this abstract encourages you to read the book yourself. If you feel you know enough by now, then at least read the final two chapters, which explain how to harden the human side of your organization against social engineers, and ask yourself how well you are prepared:
Chapter 15, Information Security Awareness and Training, and Chapter 16, Recommended Corporate Information Security Policies
The measures in those chapters are rather general, and all very true, but the most important and distinctive material in this book is the set of tables and checklists below on how to identify a social engineering attack.
IDENTIFYING A SECURITY ATTACK
The Social Engineering Cycle
- Research: may include open source information such as SEC filings and annual reports, marketing brochures, patent applications, press clippings, industry magazines, Web site content. Also Dumpster diving.
- Developing rapport and trust: use of insider information, misrepresenting identity, citing those known to victim, need for help, or authority.
- Exploiting trust: asking for information or an action on the part of the victim. In a reverse sting, manipulate the victim into asking the attacker for help.
- Utilize information: if the information obtained is only a step toward the final goal, the attacker returns to earlier steps in the cycle until the goal is reached.
Common Social Engineering Methods
- Posing as an employee of a vendor, partner company, or law enforcement
- Posing as someone in authority
- Posing as a new employee requesting help
- Posing as a vendor or systems manufacturer calling to offer a system patch or update
- Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to call them for help
- Sending free software or patch for victim to install
- Sending a virus or Trojan Horse as an email attachment
- Using a false pop-up window asking user to log in again or sign on with password
- Capturing victim keystrokes with expendable computer system or program
- Leaving a floppy disk or CD around the workplace with malicious software on it
- Using insider lingo and terminology to gain trust
- Offering a prize for registering at a Web site with username and password
- Dropping a document or file at company mail room for intraoffice delivery
- Modifying fax machine heading to appear to come from an internal location
- Asking receptionist to receive then forward a fax
- Asking for a file to be transferred to an apparently internal location
- Getting a voice mailbox set up so call backs perceive attacker as internal
- Pretending to be from remote office and asking for email access locally
Warning Signs of an Attack
- Refusal to give call back number
- Out-of-ordinary request
- Claim of authority
- Stresses urgency
- Threatens negative consequences of non compliance
- Shows discomfort when questioned
- Name dropping
- Compliments or flattery
Common Targets of Attacks
- Unaware of value of information: receptionists, telephone operators, administrative assistants, security guards.
- Special privileges: help desk or technical support, system administrators, computer operators, telephone system administrators.
- Manufacturer / vendor: computer hardware and software manufacturers, voice mail system vendors.
- Specific departments: accounting, human resources.
Factors That Make Companies More Vulnerable to Attacks
- Large number of employees
- Multiple facilities
- Information on employee whereabouts left in voice mail messages
- Phone extension information made available
- Lack of security training
- Lack of data classification system
- No incident reporting/response plan in place
Example 1 – CREDITCHEX
It’s standard practice at many banks to get a quick thumbs-up or thumbs-down on a prospective new customer’s credibility. One of the major companies that banks contract with for this information is an outfit we’ll call CreditChex. They provide a valuable service to their clients, but like many companies, they can also unknowingly provide a handy service to knowing social engineers.
The First Call: Kim Andrews
“National Bank, this is Kim. Did you want to open an account today?”
“Hi, Kim. I have a question for you. Do you guys use CreditChex?”
“When you phone in to CreditChex, what do you call the number you give them–is it a ‘Merchant ID’?”
A pause; she was weighing the question, wondering what this was about and whether she should answer. The caller quickly continued without missing a beat:
“Because, Kim, I’m working on a book. It deals with private investigations.”
“Yes,” she said, answering the question with new confidence, pleased to be helping a writer.
“So it’s called a Merchant ID, right?”
“Uh huh.” [confirmative]
“Okay, great. Because I wanted to make sure I had the lingo right. For the book. Thanks for your help. Good-bye, Kim.”
The Second Call: Chris Talbert
“National Bank, New Accounts, this is Chris.”
“Hi, Chris. This is Alex,” the caller said. “I’m a customer service rep with CreditChex. We’re doing a survey to improve our services. Can you spare me a couple of minutes?”
She was glad to, and the caller went on:
“Okay – what are the hours your branch is open for business?” She answered, and continued answering his string of questions.
“How many employees at your branch use our service?”
“How often do you call us with an inquiry?”
“Which of our 800-numbers have we assigned you for calling us?”
“Have our representatives always been courteous?”
“How’s our response time?”
“How long have you been with the bank?”
“What Merchant ID are you currently using?”
“Have you ever found any inaccuracies with the information we’ve provided you?”
“If you had any suggestions for improving our service, what would they be?”
“Would you be willing to fill out periodic questionnaires if we send them to your branch?”
She agreed, they chatted a bit, the caller rang off, and Chris went back to work.
The Third Call: Henry McKinsey
“CreditChex, this is Henry McKinsey, how can I help you?”
The caller said he was from National Bank. He gave the proper Merchant ID and then gave the name and social security number of the person he was looking for information on. Henry asked for the birth date, and the caller gave that, too. After a few moments, Henry read the listing from his computer screen.
“Wells Fargo reported NSF in 1998, one time, amount of $2,066.” NSF – non sufficient funds – is the familiar banking lingo for checks that have been written when there isn’t enough money in the account to cover them.
“Any activities since then?”
“Have there been any other inquiries?”
“Let’s see. Okay, two of them, both last month. Third United Credit Union of Chicago.” He stumbled over the next name, Schenectady Mutual Investments, and had to spell it. “That’s in New York State,” he added.
All three of those calls were made by the same person: a private investigator working on a case for a woman who wanted a divorce, but first wanted to know where her husband had secretly transferred large parts of the marriage savings.
Analyzing the Con
This entire ruse was based on one of the fundamental tactics of social engineering: Gaining access to information that a company employee treats as innocuous, when it isn’t.
Kevin ends every example with a message on how to strengthen your security strategy and recognise the malicious intentions of a social engineer.
Example 2 – THE ART OF FRIENDLY PERSUASION
Place: Valley branch, Industrial Federal Bank
Time: 11:27 A.M
Angela Wisnowski answered a phone call from a man who said he was just about to receive a sizeable inheritance and he wanted information on the different types of savings accounts, certificates of deposit, and whatever other investments she might be able to suggest that would be safe, but earn decent interest. She explained there were quite a number of choices and asked if he’d like to come in and sit down with her to discuss them. He was leaving on a trip as soon as the money arrived, he said, and had a lot of arrangements to make. So she began suggesting some of the possibilities and giving him details of the interest rates, what happens if you sell a CD early, and so on, while trying to pin down his investment goals.
She seemed to be making progress when he said, “Oh, sorry, I’ve got to take this other call. What time can I finish this conversation with you so I can make some decisions? When do you leave for lunch?”
She told him 12:30 and he said he’d try to call back before then or the following day.
Major banks use internal security codes that change every day. When somebody from one branch needs information from another branch, he proves he’s entitled to the information by demonstrating he knows the day’s code. For an added degree of security and flexibility, some major banks issue multiple codes each day. At a West Coast outfit I’ll call Industrial Federal Bank, each employee finds a list of five codes for the day, identified as A through E, on his or her computer each morning.
Time: 12:48 P.M., same day.
Louis Halpburn didn’t think anything of it when a call came in that afternoon, a call like others he handled regularly several times a week.
“Hello,” the caller said. “This is Neil Webster. I’m calling from branch 3182 in Boston. Angela Wisnowski, please.”
“She’s at lunch. Can I help?”
“Well, she left a message asking us to fax some information on one of our customers.”
The caller sounded like he had been having a bad day.
“The person who normally handles those requests is out sick,” he said.
“I’ve got a stack of these to do, it’s almost 4 o’clock here and I’m supposed to be out of this place to go to a doctor’s appointment in half an hour.”
The manipulation–giving all the reasons why the other person should feel sorry for him–was part of softening up the mark. He went on,
“Whoever took her phone message, the fax number is unreadable. It’s 213-something. What’s the rest?”
Louis gave the fax number, and the caller said, “Okay, thanks. Before I can fax this, I need to ask you for Code B.”
“But you called me,” he said with just enough chill so the man from Boston would get the message.
This is good, the caller thought. It’s so cool when people don’t fall over at the first gentle shove. If they don’t resist a little, the job is too easy and I could start getting lazy. To Louis, he said,
“I’ve got a branch manager that’s just turned paranoid about getting verification before we send anything out, is all. But listen, if you don’t need us to fax the information, it’s okay. No need to verify.”
“Look,” Louis said, “Angela will be back in half an hour or so. I can have her call you back.”
“I’ll just tell her I couldn’t send the information today because you wouldn’t identify this as a legitimate request by giving me the code. If I’m not out sick tomorrow, I’ll call her back then.”
“The message says ‘Urgent.’ Never mind, without verification my hands are tied. You’ll tell her I tried to send it but you wouldn’t give the code, okay?”
Louis gave up under the pressure. An audible sigh of annoyance came winging its way down the phone line.
“Well,” he said, “wait a minute; I have to go to my computer. Which code did you want?”
“B,” the caller said.
He put the call on hold and then in a bit picked up the line again. “It’s 3184.”
“That’s not the right code.”
“Yes it is–B is 3184.”
“I didn’t say B, I said E.”
“Oh, damn. Wait a minute.”
Another pause while he again looked up the codes.
“E is 9697.”
“9697–right. I’ll have the fax on the way. Okay?”
“Industrial Federal Bank, this is Walter.”
“Hey, Walter, it’s Bob Grabowski in Studio City, branch 38,” the caller said.
“I need you to pull a sig card on a customer account and fax it to me.”
The sig card, or signature card, has more than just the customer’s signature on it; it also has identifying information, familiar items such as the social security number, date of birth, mother’s maiden name, and sometimes even a driver’s license number. Very handy to a social engineer.
“Sure thing. What’s Code C?”
“Another teller is using my computer right now,” the caller said. “But I just used B and E, and I remember those. Ask me one of those.”
“Okay, what’s E?”
“E is 9697.”
A few minutes later, Walter faxed the sig card as requested.
Donna Plaice’s Call
“Hi, this is Mr. Anselmo.”
“How can I help you today?”
“What’s that 800 number I’m supposed to call when I want to see if a deposit has been credited yet?”
“You’re a customer of the bank?”
“Yes, and I haven’t used the number in a while and now I don’t know where I wrote it down.”
“The number is 800-555-8600.”
Vince Capelli’s Tale
The son of a Spokane street cop, Vince knew from an early age that he wasn’t going to spend his life slaving long hours and risking his neck for minimum wage. His two main goals in life became getting out of Spokane, and going into business for himself. The laughter of his homies all through high school only fired him up all the more–they thought it was hilarious that he was so busted on starting his own business but had no idea what business it might be.
Secretly Vince knew they were right. The only thing he was good at was playing catcher on the high school baseball team. But not good enough to capture a college scholarship, no way good enough for professional baseball. So what business was he going to be able to start? One thing the guys in Vince’s group never quite figured out: Anything one of them had—a new switchblade knife, a nifty pair of warm gloves, a sexy new girlfriend, if Vince admired it, before long the item was his. He didn’t steal it, or sneak behind anybody’s back; he didn’t have to. The guy who had it would give it up willingly, and then wonder afterward how it had happened. Even asking Vince wouldn’t have gotten you anywhere: He didn’t know himself. People just seemed to let him have whatever he wanted.
Like the time he had to look into the bank accounts of a guy named Joe Markowitz. Joe had maybe worked a shady deal on a one-time friend of his, which friend now wanted to know, if he sued, was Markowitz flush enough that the friend might get some of his money back? Vince’s first step would be to find out at least one, but preferably two, of the bank’s security codes for the day. That sounds like a nearly impossible challenge: What on earth would induce a bank employee to knock a chink in his own security system? Ask yourself–if you wanted to do this, would you have any idea of how to go about it?
For people like Vince, it’s too easy. People trust you if you know the inside lingo of their job and their company. It’s like showing you belong to their inner circle. It’s like a secret handshake. He didn’t need much of that for a job like this. Definitely not brain surgery.
Vince: All I needed to get started was a branch number. When he dialed the Beacon Street office in Buffalo, the guy that answered sounded like a teller. “This is Tim Ackerman,” he said. Any name would do, he wasn’t going to write it down. “What’s the branch number there?” The phone number or the branch number, he wanted to know, which was pretty stupid because I had just dialed the phone number, hadn’t I? “Branch number.” “3182,” he said. Just like that. No “Whad’ya wanna know for?” or anything. ‘Cause it’s not sensitive information, it’s written on just about every piece of paper they use.
Step Two, call the branch where my target did his banking, get the name of one of their people, and find out when the person would be out for lunch. Angela. Leaves at 12:30. So far, so good.
Step Three, call back to the same branch during Angela’s lunch break, say I’m calling from branch number such-and-such in Boston, Angela needs this information faxed, gimme a code for the day. This is the tricky part; it’s where the rubber meets the road. If I was making up a test to be a social engineer, I’d put something like this on it, where your victim gets suspicious–for good reason–and you still stick in there until you break him down and get the information you need. You can’t do that by reciting lines from a script or learning a routine, you got to be able to read your victim, catch his mood, play him like landing a fish where you let out a little line and reel in, let out and reel in. Until you get him in the net and flop him into the boat, splat! So I landed him and had one of the codes for the day. A big step. With most banks, one is all they use, so I would’ve been home free. Industrial Federal Bank uses five, so having just one out of five is long odds. With two out of five, I’d have a much better chance of getting through the next act of this little drama. I love that part about “I didn’t say B, I said E.” When it works, it’s beautiful. And it works most of the time. Getting a third one would have been even better. I’ve actually managed to get three on a single call–“B,” “D,” and “E” sound so much alike that you can claim they misunderstood you again. But you have to be talking to somebody who’s a real pushover. This man wasn’t. I’d go with two. The day codes would be my trump to get the signature card. I call, and the guy asks for a code. C he wants, and I’ve only got B and E. But it’s not the end of the world.
You gotta stay cool at a moment like this, sound confident, keep right on going, Real smooth, I played him with the one about, “Somebody’s using my computer, ask me one of these others.” We’re all employees of the same company, we’re all in this together, make it easy on the guy–that’s what you’re hoping the victim is thinking at a moment like this. And he played it right by the script. He took one of the choices I offered, I gave him the right answer, he sent the fax of the sig card.
Almost home. One more call gave me the 800 number that customers use for the automated service where an electronic voice reads you off the information you ask for. From the sig card, I had all of my target’s account numbers and his PIN number, because that bank used the first five or last four digits of the social security number. Pen in hand, I called the 800 number and after a few minutes of pushing buttons, I had the latest balance in all four of the guy’s accounts, and just for good measure, his most recent deposits and withdrawals in each.
Everything my client had asked for and more. I always like to give a little extra for good measure. Keep the clients happy. After all, repeat business is what keeps an operation going, right?
Analyzing the Con
The key to this entire episode was obtaining the all-important day codes, and to do that the attacker, Vince, used several different techniques. He began with a little verbal arm-twisting when Louis proved reluctant to give him a code. Louis was right to be suspicious–the codes are designed to be used in the opposite direction. He knew that in the usual flow of things, the unknown caller would be giving him a security code. This was the critical moment for Vince, the hinge on which the entire success of his effort depended. In the face of Louis’s suspicion, Vince simply laid it on with manipulation, using an appeal to sympathy (“going to the doctor”), pressure (“I’ve got a stack to do, it’s almost 4 o’clock”), and manipulation (“Tell her you wouldn’t give me the code”). Cleverly, Vince didn’t actually make a threat, he just implied one: If you don’t give me the security code, I won’t send the customer information that your co-worker needs, and I’ll tell her I would have sent it but you wouldn’t cooperate.
Still, let’s not be too hasty in blaming Louis. After all, the person on the phone knew (or at least appeared to know) that co-worker Angela had requested a fax. The caller knew about the security codes, and knew they were identified by letter designation. The caller said his branch manager was requiring it for greater security. There didn’t really seem any reason not to give him the verification he was asking for. Louis isn’t alone. Bank employees give up security codes to social engineers every day. Incredible but true.
There’s a line in the sand where a private investigator’s techniques stop being legal and start being illegal. Vince stayed legal when he obtained the branch number. He even stayed legal when he conned Louis into giving him two of the day’s security codes. He crossed the line when he had confidential information on a bank customer faxed to him. But for Vince and his employer, it’s a low-risk crime.
When you steal money or goods, somebody will notice it’s gone. When you steal information, most of the time no one will notice because the information is still in their possession.
Verbal security codes are equivalent to passwords in providing a convenient and reliable means of protecting data. But employees need to be knowledgeable about the tricks that social engineers use, and trained not to give up the keys to the kingdom.
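The two weaknesses the analysis above points at are the direction of the check (the employee who receives the call should be the one asking for the code, never the one reading it out) and the fact that a bank-wide day code is a bearer secret: once Louis has disclosed E, it verifies just as well when replayed to Walter at another branch. The following Python model is an added illustration and not code from the book; the key, the HMAC-based derivation of the day codes, the branch identifiers and the request-bound variant are all assumptions made for the example. It replays the con against the bank-wide scheme and then shows how binding the code to the specific request stops the same leak from being reused.

```python
"""Model of the verbal 'day code' check from the Industrial Federal Bank story.

Added illustration, not the book's own scheme: the key, the code derivation,
the branch identifiers and the request-bound variant are assumptions.
"""
import datetime
import hashlib
import hmac

BANK_KEY = b"constructed-bank-wide-secret"      # assumption: one secret shared bank-wide
LETTERS = "ABCDE"                                # five codes per day, as in the story
DEFAULT_DATE = datetime.date(2002, 5, 6)         # constructed date for the example


def day_code(letter: str, date: datetime.date = DEFAULT_DATE, key: bytes = BANK_KEY) -> str:
    """Bank-wide day code for one letter: identical at every branch, so it is a
    bearer secret. Anyone who learns it can present it anywhere that day."""
    if letter not in LETTERS:
        raise ValueError(f"unknown code letter {letter!r}")
    msg = f"{date.isoformat()}:{letter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:4]


def verify_day_code(letter: str, presented: str, date: datetime.date = DEFAULT_DATE,
                    key: bytes = BANK_KEY) -> bool:
    """The intended direction: the caller presents a code, the employee who
    answered the phone checks it. Constant-time compare to avoid leaking digits."""
    return hmac.compare_digest(day_code(letter, date, key), presented)


def request_code(date: datetime.date, caller_branch: str, target_branch: str,
                 purpose: str, key: bytes = BANK_KEY) -> str:
    """Assumed hardening (not in the book): derive the code from the request
    itself, so a value learned on one call is useless for any other branch or
    purpose on the same day."""
    msg = f"{date.isoformat()}:{caller_branch}:{target_branch}:{purpose}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def verify_request_code(presented: str, date: datetime.date, caller_branch: str,
                        target_branch: str, purpose: str, key: bytes = BANK_KEY) -> bool:
    expected = request_code(date, caller_branch, target_branch, purpose, key)
    return hmac.compare_digest(expected, presented)


def handle_call(request: dict, date: datetime.date = DEFAULT_DATE) -> str:
    """Policy for the employee answering the phone.

    'disclosure-refused': the caller asked the employee to read a code out,
        the reversal Vince used on Louis; that is a warning sign, not a check.
    'verified': the caller supplied a code valid for this exact request.
    'rejected': anything else.
    """
    if request.get("asks_employee_to_disclose_code"):
        return "disclosure-refused"
    ok = verify_request_code(request["code"], date, request["caller_branch"],
                             request["target_branch"], request["purpose"])
    return "verified" if ok else "rejected"


def replay_scenario(date: datetime.date = DEFAULT_DATE) -> tuple:
    """Replays the con. Returns (bearer code reused OK?, bound code reused OK?)."""
    # What Louis read out (the book's value was 9697); Walter accepts it as-is.
    leaked_e = day_code("E", date)
    reused_at_other_branch = verify_day_code("E", leaked_e, date)

    # Under the request-bound variant, whatever Louis was told would be tied to a
    # Boston (3182) -> Valley fax request and not to Studio City's sig-card request.
    leaked_bound = request_code(date, "3182", "valley", "fax-customer-info")
    reused_bound = verify_request_code(leaked_bound, date, "38", "valley", "fax-sig-card")
    return reused_at_other_branch, reused_bound


if __name__ == "__main__":
    print("bearer day code replayed at another branch:", replay_scenario()[0])
    print("request-bound code replayed at another branch:", replay_scenario()[1])
```

The model keeps the book's ground rule (caller supplies, callee verifies) as the first line of policy; the request-bound derivation is an extra layer that limits the damage when that rule is broken anyway, as it was with Louis. The letters still have to be spoken aloud, so the "I said E, not B" trick remains a training problem rather than a cryptographic one.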