
The door had side open for Ivan to hunt around until he found the prograleefully downloaded it, he took one further step typical of systeed the password of a dorhts, just in case he wanted to get an updated version of the software at so the Con In this attack that called on both technical and people-based vulnerabilities, the attacker began with a pretext telephone call to obtain the location and host names of the development servers that held the proprietary information

He then used a software utility to identify valid account-user names for everyone who had an account on the development server. Next he ran two successive password attacks, including a dictionary attack, which searches for colish dictionary, so names, places, and items of special interest.

Because both co tools can be obtained by anyone for whatever purpose they have in ilant in protecting enterprise conitude of this threat cannot be overestiazine, an analysis at New York-based Oppenhei discovery. The firm's Vice President of Network Security and Disaster Recovery ran a password attack against the ees. The ed to crack the passwords of 800 ey of the game Monopoly, if you use a dictionary word for your password--Go directly to Jail. Do not pass Go, do not collect 200. You have to teach your employees how to choose passwords that truly protect your assets.
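The lesson of the dictionary attack above is that a password built from a dictionary word, a name or a place falls to an automated guess. The following added example (not from the book, and not Oppenheimer's audit tooling) shows the defender's side of the same fact: a small password-policy check that rejects a candidate password when it reduces to a wordlist entry after undoing the usual digit and symbol substitutions. The wordlist is a constructed sample; a real deployment would load a full dictionary plus the company-specific terms the text mentions (names, places, items of special interest).

```python
import re

# Constructed sample wordlist; a real check would load a full dictionary file
# plus company-specific terms (product names, local places, employee names).
WORDLIST = {"password", "monopoly", "boston", "summer", "dragon", "welcome"}

# Common digit/symbol substitutions people use to "disguise" a dictionary word;
# the check undoes them so 'P@ssw0rd' is still recognised as 'password'.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_forms(password: str) -> set[str]:
    """Return the base forms a password reduces to: lowercased, with and
    without leet substitutions undone, and with leading/trailing
    non-letters (years, punctuation) stripped."""
    lower = password.lower()
    forms = {lower, lower.translate(LEET)}
    return {re.sub(r"^[^a-z]+|[^a-z]+$", "", f) for f in forms}


def dictionary_hits(password: str, wordlist: set[str] = WORDLIST) -> list[str]:
    """Wordlist entries the password is built from (empty list means none)."""
    hits = set()
    for form in candidate_forms(password):
        if form in wordlist:
            hits.add(form)
        # Also catch a word embedded in a longer string, e.g. 'Boston2023!';
        # very short words are skipped to limit false positives.
        for word in wordlist:
            if len(word) >= 4 and word in form:
                hits.add(word)
    return sorted(hits)


def check_password(password: str, wordlist: set[str] = WORDLIST,
                   min_length: int = 12) -> list[str]:
    """Return policy violations for a candidate password; [] means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = dictionary_hits(password, wordlist)
    if hits:
        problems.append("based on dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Monopoly2023!", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Run at password-change time, a check like this turns the "Go directly to Jail" lesson into an enforced rule rather than advice; the substring test is deliberately aggressive because an attacker's wordlist will include the same appended years and punctuation.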

PREVENTING THE CON

Social engineering attacks may becoy ele steps on both human and technical levels

Just Say No

In the first story of the chapter, the telephone company RCMAC clerk should not have removed the deny terminate status from the ten phone lines when no service order existed authorizing the change. It's not enough for employees to know the security policies and procedures; employees must understand how ie

Security policies should discourage deviation froh a system of rewards and consequences. Naturally, the policieson employees to carry out steps so burdensonored

Also, a security awareness program needs to convince en a shortcut that circumvents proper security procedures can be detrimental to the company and co-workers.

The sa inforer on the telephone. No ardless of the person's status or seniority in the company, absolutely no infornated as publicly available until the caller's identity has been positively verified. If this policy had been strictly observed, the social engineering scheme in this story would have failed and federal detainee Gondorff would never have been able to plan a new scare with his pal Johnny.

This one point is so ihout this book: Verify, verify, verify. Any request notthe requestor's identity--period.

Cleaning Up

For any couards around the clock, the scheains access to an office after hours presents a challenge.

Cleaning people will ordinarily treat with respect anyone who appears to be with the coitiet the crehether internal or contracted froency, must be trained on physical security matters

Janitorial work doesn't exactly require a college education, or even the ability to speak English, and the usual training, if any, involves non-security related issues such as which kind of cleaning product to use for different tasks. Generally these people don't get an instruction like, "If someone asks you to let them in after hours, you need to see their co company office, explain the situation, and wait for authorization."

An organization needs to plan for a situation like the one in this chapter before it happens and train people accordingly. In my personal experience, I have found that most, if not all, private sector businesses are very lax in this area of physical security. Youthe burden on your couard service should tell its e their own keys or electronic access cards, andwho it is okay to admit. Then tell the janitorial company that their people must always be trained that no one is to be admitted to your premises by them at any time. This is a simple rule: Do not open the door for anyone. If appropriate, this could be put into writing as a condition of the contract with the cleaning coybacking techniques (unauthorized persons following an authorized person into a secure entrance).

They should also be trained not to allow another person to follow them in just because the person looks like they might be an employee.

Follow up every now and then--say, three or four ti a penetration test or vulnerability assess crew is at work and try to talk her way into the building.

Rather than using your own employees, you can hire a fir

Pass It On: Protect Your Passwords

More and ilant about enforcing security policies through technicalsystem to enforce password policies and liin atte out the account. In fact, Microsoft Windows business platfor how easily annoyed customers are by features that require extra effort, the products are usually delivered with security features turned off. It's really about ti products with security features disabled by default when it should be the other way around (I suspect they'll figure this out soon enough). Of course, corporate security policy should mandate systeh technicalon fallible humans any more than necessary. It's a no-brainer that when you liin attempts to a particular account, for exanificantly anization faces that uneasy balance between strong security and enore security policies, not accepting how essential these safeguards are for protecting the integrity of sensitive corporate information.

If a company's policies leave some issues unaddressed, employees may use the path of least resistance and do whatever action is most convenient and e and openly disregard good security habits. You may have encountered such an eth and complexity but then writes the password on a Post-it note and defiantly sticks it to his anization is the use of hard-to-discover passwords, coy.

For a detailed discussion of recommended password policies, see Chapter 16.

Chapter 12

Attacks on the Entry-Level Employee

As ineer often targets lower-level personnel in the organizational hierarchy. It can be easy to ly innocuous information that the attacker uses to advance one step closer to obtaining ets entry-level employees because they are typically unaware of the value of specific company information or of the possible results of certain actions. Also, they tend to be easily influenced by so approaches--a caller who invokes authority; a person who seems friendly and likeable; a person who appears to know people in the company who are known to the victient; or the inference that the victinition.

Here are some illustrations of the attack on the lower-level employee in action.

THE HELPFUL SECURITY GUARD

Swindlers hope to find a person who's greedy because they are the ones ineers, when targeting souard, hope to find so of others. They are the onesto help. That's just what the attacker had instory.

Elliot's View

Date/time: in February 1998

Location: Marchand Microsystems facility, Nashua, New Hampshire

Elliot Staley knew he wasn't supposed to leave his station when he wasn't on his scheduled rounds. But it was theout loud, and he hadn't seen a single person since he had come on duty. And it was nearly tiuy on the telephone sounded like he really needed help. And it ood for sooal, one he had held on to, unaltered, since age twelve: to retire by age twenty-four, not ever touching a penny of his trust fund.

To show his father, the al banker, that he could be a success on his own.

Only two years left and it's by now perfectly clear he won'ta brilliant business a sharp investor. He once wondered about robbing banks with a gun but that's just the stuff of fiction--the risk-benefit trade-off is so lousy. Instead he daydrea a bank electronically. The last time Bill was in Europe with the family, he opened a bank account in Monaco with 100 Francs. It still has only 100 francs in it, but he has a plan that could help it reach seven digits in a hurry. Maybe even eight if he's lucky.

Bill's girlfriend Anne-e Boston bank. One day while waiting at her offices until she got out of a late ed his laptop into an Ethernet port in the conference roo Yes!--he was on their internal network, connected inside the bank's network, behind the corporate firewall. That gave him an idea.

He pooled his talent with a class woman na an internship at Marchand Microsystereat source for essential insider infor a script for a ht it was funthe off the caper they had described. She thought the idea was brilliant, actually, and kept badgering the her a screen credit, too.

They warned her about how often screenplay ideas get stolen and made her swear she'd never tell anyone.

Suitably coached by Julia, Bill did the risky part hi it off.

I called in the afternoon and ht supervisor of the security force was a ht I called the building and talked to the guard on the lobby security desk. My story was all based on urgency and Icar trouble and I can't get to the facility," I said. "I have this euard supervisor, Isaiah, but he's not at home.

Can you just do me this one-time favor? I'd really appreciate it."

The roo facility were each labeled with a ave him the mail-stop of the computer lab and asked hireed to go there for et to the roo the excuse that I was using the only phone line available toit to dial into the network to try to fix the proble by the time I called, and I told hi for one with a paper banner reading "elmer"--the host that Julia had said was used to build the release versions of the operating system that the company marketed. When he said he had found it, I knew for sure that Julia had been feeding us good information and my heart skipped a beat. I had him hit the Enter key a couple of tin. Which told ed in as root, the super-user account with all systeot all in a shen I tried to talk hi my next command, which was more than a bit tricky: echo 'fix:x:0:0::/:/bin/sh' >> /etc/passwd. Finally he got it right, and we had now provided an account with a name fix. And then I had him type echo 'fix: :10300:0:0' >> /etc/shadow. This established the encrypted password, which goes between the double colon.

Putting nothing between those two colons meant the account would have a null password. So just those two commands were all it took to append the account fix to the password file, with a null password. Best of all, the account would have the sa I had him do was to enter a recursive directory co list of file names. Then I had him feed the paper forward, tear it off, and take it with hiuard desk because "Ifrom it later on."
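The two appended lines in the story add a second UID-0 account and give it an empty password field, which is exactly what a routine host audit should catch. As an added example that is not from the book, the script below parses passwd- and shadow-style content and flags any non-root account with UID 0, any account whose password field is empty or blank, any entry with the wrong number of fields, and any shadow entry with no matching passwd account. The file contents are constructed samples (the hashes are placeholders, not real ones); the two "fix" lines are the entries the story's commands would append.

```python
"""Audit passwd/shadow content for rogue UID-0 accounts and null passwords."""

# Constructed sample contents (not from a real host); the two 'fix' lines are
# the entries the story's two echo commands would append.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
julia:x:1001:1001:Julia:/home/julia:/bin/sh
fix:x:0:0::/:/bin/sh
"""

SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
julia:$6$constructedsalt$anotherhash:19000:0:99999:7:::
fix: :10300:0:0
"""

PASSWD_FIELDS = 7   # name:passwd:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9   # name:passwd:lastchg:min:max:warn:inactive:expire:reserved


def parse_colon_file(text):
    """Yield (line_number, fields) for each non-empty, non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.startswith("#"):
            yield lineno, line.split(":")


def audit_passwd(text):
    """Flag extra UID-0 accounts, empty password fields and malformed entries."""
    findings = []
    for lineno, f in parse_colon_file(text):
        name = f[0]
        if len(f) != PASSWD_FIELDS:
            findings.append(f"passwd line {lineno}: entry for '{name}' has {len(f)} fields, expected {PASSWD_FIELDS}")
            continue
        if f[2] == "0" and name != "root":
            findings.append(f"passwd line {lineno}: account '{name}' has UID 0 but is not root")
        if f[1].strip() == "":
            findings.append(f"passwd line {lineno}: account '{name}' has an empty password field (no shadow lookup)")
    return findings


def audit_shadow(text):
    """Flag null (empty or whitespace-only) password fields and malformed entries."""
    findings = []
    for lineno, f in parse_colon_file(text):
        name = f[0]
        if len(f) >= 2 and f[1].strip() == "":
            findings.append(f"shadow line {lineno}: account '{name}' has a null password")
        if len(f) != SHADOW_FIELDS:
            findings.append(f"shadow line {lineno}: entry for '{name}' has {len(f)} fields, expected {SHADOW_FIELDS}")
    return findings


def audit(passwd_text, shadow_text):
    """Run both audits and also flag shadow entries with no matching passwd account."""
    findings = audit_passwd(passwd_text) + audit_shadow(shadow_text)
    passwd_names = {f[0] for _, f in parse_colon_file(passwd_text)}
    for lineno, f in parse_colon_file(shadow_text):
        if f[0] not in passwd_names:
            findings.append(f"shadow line {lineno}: '{f[0]}' has no passwd entry")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(finding)
```

On a real host the same functions would be fed the contents of /etc/passwd and /etc/shadow (the latter readable only as root), and a non-empty result for the UID-0 or null-password checks is worth an immediate incident ticket rather than a weekly report, since both conditions are created by a single appended line.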