Cracking a Social Engineer

Enterprising thieves use a variety of common techniques to pilfer information

By Al Berg
Smart crackers don't want to break into your systems. According to experienced hacker Susan Thunder's speech, "Social Engineering and Psychological Subversion," at DEFCON III in Las Vegas last August, they'd rather use a technique called social engineering to get users to open the door for them.

DEFCON is an annual convention for hackers, "feds," corporate-security types, and others interested in the computer underground. The convention is neutral territory where U.S. Customs Service representatives, FBI agents, and other law-enforcement personnel gather with their mostly teenage adversaries--each side trying to gain insight into the other's methods. Many of the attendees and speakers at DEFCON promote hacking as a means of making systems more secure. They argue that hackers provide a valuable service to system administrators by breaking in and pointing out security problems to MIS before the real bad guys show up and exploit security holes for profit. Whether or not this is the case, DEFCON is a treasure trove of hacker and cracker information open to anyone who has $40 for a ticket.

Compromising Wetware

Social engineering is hacker jargon for getting needed information (for example, a password) from a person rather than breaking into a system. Psychological subversion is Thunder's term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users.

She presented this scenario: A cracker has been hired by a private investigator to gain a list of unredeemed, inactive life-insurance policies of older people from an insurance company's files. The motive? If a policy is inactive (no payments made for six months) and the insured is more than 80 years old, he or she may have died and the beneficiary may not know about the policy's existence. Our cracker-hiring detective would take the list, match the names against publicly available death records, and then contact the beneficiaries, offering to "find" the money due to them for a fee.

Thunder made an observation all LAN managers should take very seriously: "Increased security measures make psychological attacks easier because users think that their data is safe." All the locks in the world won't save you from the thief you invite in.

Your first line of defense against social engineering is your garbage. Crackers love to go "trashing" to find documents that help them piece together the structure of your company, provide clues about what kinds of computer systems you use, and most important, obtain the names, titles, and telephone numbers of your employees. Think for a moment about the documents your company throws out each day and how an attacker could use them. Do your own dumpster dive and see if you find:

These items provide a wealth of information to crackers. A copy of the company phone book is an extremely valuable tool. Knowing who to call and who to impersonate are the first steps to gaining access to sensitive data. Having the right names and titles at their fingertips can let smart crackers sound as though they actually work for your company. A cracker interested in finding dial-in access numbers will use the phone book to determine the telephone exchange of your company and may use a war dialer to find modem phone numbers.

There are some defensive tactics you can use against the trasher:

A smart cracker will call your central help desk. "After all, it's their job to be helpful and they are usually overwhelmed," Thunder said. A quick call can reveal much information about your systems and procedures. Your help desk staff should be on the alert for the following:

Calls regarding password changes are a security mine field. If crackers have found one of your dial-up numbers or gained physical access to a networked workstation, they may try a variation on the following ploy.

Password Patsy

With the use of a discarded corporate phone book, the cracker first identifies a person believed to have legitimate access to the targeted system or desired data.

The target gets a call from the cracker saying something like, "Hi, this is Joe from the MIS department. We were doing a routine systems check and found a problem with your account. Your data is corrupted and we're losing files. I'll need your username and password to make the fix."

"Sure, my username is JDOE and my password is mittleschmertz. Thanks for fixing the problem."

A variation of this tactic is the cracker calling the help desk and impersonating a user reporting a forgotten password. In many cases the help desk will change the user's password over the phone. Just to clean up the loose ends, our wily cracker then calls the user who was impersonated and says something like, "This is Joe from the MIS department. We had some problems with security today, so we've changed your password. Your new password is swordfish." Assuming the cracker has dial-in or physical access to a PC, the hacker now has a legitimate username and password to work with.

Help-Desk Security

Users should be told that their passwords should never be given out, even to support personnel, without verifying the individual requesting it. Any call or request in which a user is asked for his or her password should immediately be directed to the MIS department.

Users should be assigned a PIN that must be given to access help-desk support.

Passwords should not be changed without a written request and should be delivered via the company mail or in person, not over the telephone.

Help-desk personnel should be trained to withhold support when a call does not feel right--for example, when a user in the marketing department is calling for help with the personnel database, or when a user sounds unfamiliar with company policies and procedures. Offer to call the user back and check the name and phone number in the company directory. If the caller claims to be a temporary worker or a new employee, verify his or her employment before offering support.

Most companies' physical security won't keep out a reasonably resourceful cracker, according to Thunder. Simply donning a courier's uniform or a tool belt has been enough preparation for many an intruder to gain entrance to a computing facility.

In Search of the Holy Grail

Once inside, the intruder has a whole menu of tactics to choose from, including:

You can prevent this type of activity with some of the following countermeasures:

The Sting

Remember the insurance company scenario mentioned earlier? According to Thunder, this was a blueprint for a real crime. The crackers pulled off the heist without breaking in to the system. A trash search netted a company phone book. With a few phone calls, the intruders identified a person authorized to request the report they wanted and a person in MIS whose job was to help users get the report.

Company memo forms, also taken from the trash, were used to prepare a properly formatted request (with the help of the unwitting MIS staffer). These were dropped into the company mail during a quick foray into the building by the infiltrator disguised as a courier. Finally, the crackers called the MIS department to let the staff know that the report would be picked up by a courier--who then walked out the door with the multithousand-page report. It's important to note that the crackers did not even have to physically access the company's computer systems to pull this off.

Companies and government offices are becoming aware that crackers can be used as effective espionage tools. In turn, crackers are discovering that it is much easier, and less risky, to compromise people and procedures than to break in to its computer systems. This combination of factors makes it vital for LAN managers and security personnel to understand the threats posed by social engineering.