Cracking a Social Engineer

Enterprising thieves use a variety of common techniques to pilfer information

By Al Berg

Smart crackers don't want to break into your systems. According to experienced hacker Susan Thunder's speech, "Social Engineering and Psychological Subversion," at DEFCON III in Las Vegas last August, they'd rather use a technique called social engineering to get users to open the door for them.

DEFCON is an annual convention for hackers, "feds," corporate-security types, and others interested in the computer underground. The convention is neutral territory where U.S. Customs Service representatives, FBI agents, and other law-enforcement personnel gather with their mostly teenage adversaries--each side trying to gain insight into the other's methods.

Many of the attendees and speakers at DEFCON promote hacking as a means of making systems more secure. They argue that hackers provide a valuable service to system administrators by breaking in and pointing out security problems to MIS before the real bad guys show up and exploit security holes for profit. Whether or not this is the case, DEFCON is a treasure trove of hacker and cracker information open to anyone who has $40 for a ticket.

Compromising Wetware

Social engineering is hacker jargon for getting needed information (for example, a password) from a person rather than breaking into a system. Psychological subversion is Thunder's term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users.

She presented this scenario: A cracker has been hired by a private investigator to obtain a list of unredeemed, inactive life-insurance policies of older people from an insurance company's files. The motive? If a policy is inactive (no payments made for six months) and the insured is more than 80 years old, he or she may have died and the beneficiary may not know about the policy's existence. Our cracker-hiring detective would take the list, match the names against publicly available death records, and then contact the beneficiaries, offering to "find" the money due to them for a fee.

Thunder made an observation all LAN managers should take very seriously: "Increased security measures make psychological attacks easier because users think that their data is safe." All the locks in the world won't save you from the thief you invite in.

Your first line of defense against social engineering is your garbage. Crackers love to go "trashing" to find documents that help them piece together the structure of your company, provide clues about what kinds of computer systems you use, and, most important, obtain the names, titles, and telephone numbers of your employees. Think for a moment about the documents your company throws out each day and how an attacker could use them. Do your own dumpster dive and see if you find:

- Company phone books
- Organizational charts
- Memos
- Company policy manuals
- Calendars of meetings, events, and vacations
- System manuals
- Printouts of sensitive data or login names and passwords
- Printouts of source code
- Disks and tapes
- Company letterhead and memo forms
- Outdated hardware (especially hard drives)

These items provide a wealth of information to crackers. A copy of the company phone book is an extremely valuable tool. Knowing whom to call and whom to impersonate are the first steps to gaining access to sensitive data. Having the right names and titles at their fingertips lets smart crackers sound as though they actually work for your company. A cracker interested in finding dial-in access numbers will use the phone book to determine your company's telephone exchange and may use a war dialer to find modem phone numbers.

There are some defensive tactics you can use against the trasher:

- Use a paper shredder to prevent a cracker from gaining the first vital toehold into your firm.
- Make sure all magnetic media you discard is bulk erased--data can be retrieved from formatted disks and hard drives.
- Keep dumpsters in secured areas--"down-on-their-luck" can collectors rooting through your trash may not be what they seem.

A smart cracker will call your central help desk. "After all, it's their job to be helpful and they are usually overwhelmed," Thunder said. A quick call can reveal much information about your systems and procedures. Your help-desk staff should be on the alert for the following:

- Calls from "employees" coming in on outside lines. Most PBX systems indicate a call from an outside location by a special ring or on the phone display. Make help-desk personnel aware of these indicators and train them to be suspicious of such calls, limiting the information given until the caller is properly identified.
- New employees or temporary workers. Help-desk staffers should verify the identity of all employees before addressing their problems or questions. One way to do this is to check the company phone book and call the employee back before working with him or her. Another is to assign each employee a personal identification number (PIN) that must be given before support is offered.
- Calls regarding password changes. These are a security minefield. If crackers have found one of your dial-up numbers or gained physical access to a networked workstation, they may try a variation on the following ploy.

Password Patsy

Using a discarded corporate phone book, the cracker first identifies a person believed to have legitimate access to the targeted system or the desired data. The target gets a call from the cracker saying something like, "Hi, this is Joe from the MIS department. We were doing a routine systems check and found a problem with your account. Your data is corrupted and we're losing files. I'll need your username and password to make the fix."

"Sure, my username is JDOE and my password is mittleschmertz. Thanks for fixing the problem."
A variation of this tactic is for the cracker to call the help desk and impersonate a user reporting a forgotten password. In many cases the help desk will change the user's password over the phone. Just to clean up the loose ends, our wily cracker then calls the user who was impersonated and says something like, "This is Joe from the MIS department. We had some problems with security today, so we've changed your password. Your new password is swordfish." Assuming the cracker has dial-in or physical access to a PC, he or she now has a legitimate username and password to work with.

Help-Desk Security

- Users should be told that their passwords should never be given out, even to support personnel, without verifying the individual requesting them. Any call or request in which a user is asked for his or her password should immediately be directed to the MIS department.
- Users should be assigned a PIN that must be given to obtain help-desk support.
- Passwords should not be changed without a written request, and new passwords should be delivered via the company mail or in person, not over the telephone.
- Help-desk personnel should be trained to withhold support when a call does not feel right--for example, when a user in the marketing department is calling for help with the personnel database, or when a user sounds unfamiliar with company policies and procedures. Offer to call the user back, and check the name and phone number in the company directory.
- If the caller claims to be a temporary worker or a new employee, verify his or her employment before offering support.

Most companies' physical security won't keep out a reasonably resourceful cracker, according to Thunder. Simply donning a courier's uniform or a tool belt has been enough preparation for many an intruder to gain entrance to a computing facility.
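One way to turn the Help-Desk Security rules above into a procedure a help desk can actually follow call by call, as an added example that is not code from the original article: a small Python decision routine that takes what a caller claims (directory name, PIN offered, whether the PBX flagged an outside line, the system involved, and whether the request is ordinary support or a password change) and returns the action the rules call for, with the reasons. The company directory, PINs, system-ownership table and sample calls are constructed, and the order in which the rules are applied is an assumption made for illustration.

```python
"""Help-desk call verification modelled on the article's rules.

Added example, not code from the original article. The directory,
PINs, system-ownership table and calls below are constructed sample
data, and the rule ordering is an assumption made for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed company directory: username -> extension, department, PIN.
DIRECTORY = {
    "jdoe":   {"extension": "4412", "department": "marketing", "pin": "7391"},
    "asmith": {"extension": "2210", "department": "personnel", "pin": "5520"},
}

# Constructed map of which departments legitimately use which systems.
SYSTEM_OWNERS = {
    "personnel database": {"personnel"},
    "sales forecast": {"marketing"},
}


@dataclass
class Call:
    claimed_user: str            # name the caller gives
    pin_given: Optional[str]     # PIN the caller offers, if any
    outside_line: bool           # PBX flagged the call as coming from outside
    system: str                  # system the caller wants help with
    request: str                 # "support" or "password change"
    written_request_on_file: bool = False


@dataclass
class Decision:
    action: str                  # assist | callback | refer_to_mis | refuse
    reasons: List[str] = field(default_factory=list)


def verify_call(call: Call) -> Decision:
    """Apply the help-desk rules, most restrictive outcome first."""
    entry = DIRECTORY.get(call.claimed_user)
    if entry is None:
        # Unknown, "new" or "temporary" caller: verify employment before any support.
        return Decision("refuse", ["caller not in company directory; verify employment before support"])

    reasons: List[str] = []

    # Password changes need a written request and are never delivered by phone.
    if call.request == "password change":
        if not call.written_request_on_file:
            return Decision("refuse", ["password changes require a written request"])
        reasons.append("deliver new password by company mail or in person, not by phone")

    # A request that "does not feel right" (wrong department for the system) goes to MIS.
    if entry["department"] not in SYSTEM_OWNERS.get(call.system, set()):
        reasons.append(f"{entry['department']} user asking about {call.system}")
        return Decision("refer_to_mis", reasons)

    # Missing or wrong PIN, or an outside-line call: call back on the directory number.
    needs_callback = False
    if call.pin_given != entry["pin"]:
        reasons.append("PIN missing or wrong")
        needs_callback = True
    if call.outside_line:
        reasons.append("call arrived on an outside line")
        needs_callback = True
    if needs_callback:
        reasons.append(f"call back on directory extension {entry['extension']}")
        return Decision("callback", reasons)

    return Decision("assist", reasons)


if __name__ == "__main__":
    # Constructed calls, including the "forgotten password" ploy from the article.
    sample_calls = [
        Call("jdoe", "7391", False, "sales forecast", "support"),
        Call("jdoe", None, True, "sales forecast", "support"),
        Call("jdoe", "7391", False, "personnel database", "support"),
        Call("asmith", "5520", True, "personnel database", "password change"),
        Call("asmith", "5520", False, "personnel database", "password change", True),
        Call("joe from mis", "0000", True, "sales forecast", "support"),
    ]
    for c in sample_calls:
        d = verify_call(c)
        print(f"{c.claimed_user:14} {c.request:16} -> {d.action:13} {'; '.join(d.reasons)}")
```

The point of encoding the rules this way is that the help desk never has to decide under pressure whether a plausible-sounding caller is genuine: the outside-line flag and the PIN both lead to the same callback on the directory extension, and a password reset is refused outright unless the written request is already on file, so the "forgotten password" ploy fails even when the caller knows the right name and department.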
In Search of the Holy Grail

Once inside, the intruder has a whole menu of tactics to choose from, including:

- Wandering the halls of the building looking for the Holy Grail--vacant offices with employees' login names and passwords attached to their PCs
- Going to the mail room to insert forged memos (on forms or letterhead recovered from the trash or during an earlier foray) into the corporate mail system
- Attempting to gain physical access to a server or telephone room to get more information on the systems in use
- Finding dial-in equipment and noting the telephone numbers (which are probably written on the jacks)
- Placing a protocol analyzer in a wiring closet to capture data, user names, and passwords (remember that when telnet is used with Unix-based systems on the other end, login names and passwords are not encrypted)
- Simply stealing the targeted information

You can prevent this type of activity with some of the following countermeasures:

- Require that all visitors be escorted at all times
- Instruct employees to report any repair people who show up without being called, and not to grant access to equipment until the workers' identities are established
- Keep wiring closets, server rooms, phone closets, and other locations containing sensitive equipment locked at all times
- Keep an inventory of the equipment that is supposed to be in each server room, wiring closet, and so on, and periodically check for extra or missing equipment

The Sting

Remember the insurance company scenario mentioned earlier? According to Thunder, this was a blueprint for a real crime. The crackers pulled off the heist without breaking into the system. A trash search netted a company phone book. With a few phone calls, the intruders identified a person authorized to request the report they wanted and a person in MIS whose job was to help users get the report. Company memo forms, also taken from the trash, were used to prepare a properly formatted request (with the help of the unwitting MIS staffer). These were dropped into the company mail during a quick foray into the building by the infiltrator, disguised as a courier. Finally, the crackers called the MIS department to let the staff know that the report would be picked up by a courier--who then walked out the door with the multithousand-page report.

It's important to note that the crackers did not even have to physically access the company's computer systems to pull this off. Companies and government offices are becoming aware that crackers can be used as effective espionage tools. In turn, crackers are discovering that it is much easier, and less risky, to compromise people and procedures than to break into computer systems. This combination of factors makes it vital for LAN managers and security personnel to understand the threats posed by social engineering.