Part 8 (1/2)
This story fits the definition. With a dial-up number and an account, the attacker didn't even have to bother trying to defeat an Internet firewall, and, once inside, he was easily able to compromise most of the systems on the internal network.
Through my sources, I understand this exact ruse was worked on one of the largest computer software manufacturers in the world. You would think the systems administrators in such a company would be trained to detect this type of ruse. But in my experience, nobody is completely safe if a social engineer is clever and persuasive enough.
LINGO.
CANDY SECURITY A term coined by Bellovin and Cheswick of Bell Labs to describe a security scenario where the outer perimeter, such as a firewall, is strong, but the infrastructure behind it is weak. The term refers to M&M candy, which has a hard outer shell and a soft center.
LINGO.
SPEAKEASY SECURITY Security that relies on knowing where desired information is, and using a word or name to gain access to that information or computer system.
SPEAKEASY SECURITY.
In the old days of speakeasies - those Prohibition-era nightclubs where so-called bathtub gin flowed - a would-be customer gained admission by showing up at the door and knocking. After a few moments, a small flap in the door would swing open and a tough, intimidating face would peer out. If the visitor was in the know, he would speak the name of some frequent patron of the place ("Joe sent me" was often enough), whereupon the bouncer inside would unlatch the door and let him in.
The real trick lay in knowing the location of the speakeasy because the door was unmarked, and the owners didn't exactly hang out neon signs to mark their presence. For the most part, just showing up at the right place was about all it took to get in. The same degree of safekeeping is, unhappily, practiced widely in the corporate world, providing a level of nonprotection that I call speakeasy security.
I Saw It at the Movies
Here's an illustration from a favorite movie that many people will remember. In Three Days of the Condor the central character, Turner (played by Robert Redford), works for a small research firm contracted by the CIA. One day he comes back from a lunch run to find that all his co-workers have been gunned down. He's left to figure out who has done this and why, all the while knowing that the bad guys, whoever they are, are looking for him.
Late in the story, Turner manages to get the phone number of one of the bad guys.
But who is this person, and how can Turner pin down his location? He's in luck: The screenwriter, David Rayfiel, has happily given Turner a background that includes training as a telephone lineman with the Army Signal Corps, making him knowledgeable about techniques and practices of the phone company. With the bad guy's phone number in hand, Turner knows exactly what to do. In the screenplay, the scene reads like this:
TURNER RECONNECTS and TAPS OUT ANOTHER NUMBER.
RING! RING! Then:
WOMAN'S VOICE (FILTER)
CNA, Mrs. Coleman speaking.
TURNER (into test set)
This is Harold Thomas, Mrs. Coleman. Customer Service. CNA on 202-555-7389, please.
WOMAN'S VOICE (FILTER)
One moment, please. (almost at once) Leonard Atwood, 765 MacKensie Lane, Chevy Chase, Maryland.
Ignoring the fact that the screenwriter mistakenly uses a Washington, D.C., area code for a Maryland address, can you spot what just happened here?
Turner, because of his training as a telephone lineman, knew what number to dial in order to reach a phone company office called CNA, the Customer Name and Address bureau. CNA is set up for the convenience of installers and other authorized phone company personnel. An installer could call CNA and give them a phone number. The CNA clerk would respond by providing the name of the person the phone belongs to and his address.
Fooling the Phone Company
In the real world, the phone number for CNA is a closely guarded secret.
Although the phone companies finally caught on and these days are less generous about handing out information so readily, at the time they operated on a variation of speakeasy security that security professionals call security through obscurity. They presumed that anybody who called CNA and knew the proper lingo ("Customer service. CNA on 555-1234, please," for example) was a person authorized to have the information.
LINGO.
SECURITY THROUGH OBSCURITY An ineffective method of computer security that relies on keeping secret the details of how the system works (protocols, algorithms, and internal systems). Security through obscurity relies on the false assumption that no one outside a trusted group of people will be able to circumvent the system.
MITNICK MESSAGE.
Security through obscurity does not have any effect in blocking social engineering attacks. Every computer system in the world has at least one human that uses it. So, if the attacker is able to manipulate people who use the systems, the obscurity of the system is irrelevant.
There was no need to verify or identify oneself, no need to give an employee number, no need for a password that was changed daily. If you knew the number to call and you sounded authentic, then you must be entitled to the information.
That was not a very solid assumption on the part of the telephone company. Their only effort at security was to change the phone number on a periodic basis, at least once a year. Even so, the current number at any particular moment was very widely known among phone phreaks, who delighted in taking advantage of this convenient source of information and in sharing the how-to-do-it with their fellow phreaks. The CNA Bureau trick was one of the first things I learned when I was into the hobby of phone phreaking as a teenager.
Throughout the world of business and government, speakeasy security is still prevalent. It's likely that an intruder needs nothing more than a little knowledge about your company's departments, people, and lingo.
Sometimes less than that: Sometimes an internal phone number is all it takes.
THE CARELESS COMPUTER MANAGER.
Though many employees in organizations are negligent, unconcerned, or unaware of security dangers, you'd expect someone with the title manager in the computer center of a Fortune 500 corporation to be thoroughly knowledgeable about best security practices, right?
You would not expect a computer center manager - someone who is part of his company's Information Technology department - to fall victim to a simplistic and obvious social engineering con game. Especially not when the social engineer is hardly more than a kid, barely out of his teens. But sometimes your expectations can be wrong.
Tuning In
Years ago it was an amusing pastime for many people to keep a radio tuned to the local police or fire department frequencies, listening in on the occasional highly charged conversations about a bank robbery in progress, an office building on fire, or a high-speed chase as the event unfolded. The radio frequencies used by law enforcement agencies and fire departments used to be available in books at the corner bookstore; today they're provided in listings on the Web, and in a book you can buy at Radio Shack that lists frequencies for local, county, state, and, in some cases, even federal agencies.
Of course, it wasn't just the curious who were listening in. Crooks robbing a store in the middle of the night could tune in to hear if a police car was being dispatched to the location. Drug dealers could keep a check on activities of the local Drug Enforcement Agency agents. An arsonist could enhance his sick pleasure by lighting a blaze and then listening to all the radio traffic while firemen struggled to put it out.
Over recent years developments in computer technology have made it possible to encrypt voice messages. As engineers found ways to cram more and more computing power onto a single microchip, they began to build small, encrypted radios for law enforcement that kept the bad guys and the curious from listening in.
Danny the Eavesdropper
A scanner enthusiast and skilled hacker we'll call Danny decided to see if he couldn't find a way to get his hands on the super-secret encryption software - the source code - from one of the top manufacturers of secure radio systems. He was hoping a study of the code would enable him to learn how to eavesdrop on law enforcement, and possibly also use the technology so that even the most powerful government agencies would find it difficult to monitor his conversations with his friends.
The Dannys of the shadowy world of hackers belong to a special category that falls somewhere in between the merely-curious-but-entirely-benign and the dangerous. Dannys have the knowledge of the expert, combined with the mischievous hacker's desire to break into systems and networks for the intellectual challenge and for the pleasure of gaining insight into how technology works. But their electronic breaking-and-entering stunts are just that - stunts.
These folks, these benign hackers, illegally enter sites for the sheer fun and exhilaration of proving they can do it. They don't steal anything, they don't make any money from their exploits; they don't destroy any files, disrupt any network connections, or crash any computer system. The mere fact of their being there, snaring copies of files and searching emails for passwords behind the backs of security and network administrators, tweaks the noses of the people responsible for keeping out intruders like them. The one-upmanship is a big part of the satisfaction.
In keeping with this profile, our Danny wanted to examine the details of his target company's most closely guarded product just to satisfy his own burning curiosity and to admire whatever clever innovations the manufacturer might have come up with.
The product designs were, needless to say, carefully guarded trade secrets, as precious and protected as just about anything in the company's possession. Danny knew that. And he didn't care a bit. After all, it was just some big, nameless company.
But how to get the software source code? As it turned out, grabbing the crown jewels of the company's Secure Communications Group proved to be all too easy, even though the company was one of those that used two-factor authentication, an arrangement under which people are required to use not one but two separate identifiers to prove their identity.
Here's an example you're probably already familiar with. When your renewal credit card arrives, you're asked to phone the issuing company to let them know that the card is in possession of the intended customer, and not somebody who stole the envelope from the mail. The instructions with the card these days generally tell you to call from home. When you call, software at the credit card company analyzes the ANI, the automatic number identification, which is provided by the telephone switch on toll-free calls that the credit card company is paying for.
A computer at the credit card company uses the calling party's number provided by the ANI, and matches that number against the company's database of cardholders. By the time the clerk comes on the line, her or his display shows information from the database giving details about the customer. So the clerk already knows the call is coming from the home of a customer; that's one form of authentication.
LINGO.
TWO-FACTOR AUTHENTICATION The use of two different types of authentication to verify identity. For example, a person might have to identify himself by calling from a certain identifiable location and knowing a password.
The clerk then picks an item from the information displayed about you - most often social security number, date of birth, or mother's maiden name - and asks you for this piece of information. If you give the right answer, that's a second form of authentication - based on information you should know.
At the company manufacturing the secure radio systems in our story, every employee with computer access had their usual account name and password, but in addition was provided with a small electronic device called Secure ID. This is what's called a time-based token. These devices come in two types: One is about half the size of a credit card but a little thicker; another is small enough that people simply attach it to their key chains.
Derived from the world of cryptography, this particular gadget has a small window that displays a series of six digits. Every sixty seconds, the display changes to show a different six-digit number. When an authorized person needs to access the network from offsite, she must first identify herself as an authorized user by typing in her secret PIN and the digits displayed on her token device.
Once verified by the internal system, she then authenticates with her account name and password.
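The time-based token and PIN scheme described above, as an added example that is not from the book and not the token manufacturer's code: a server-side verifier in Python that uses the open TOTP construction (RFC 6238, HMAC-SHA1 over a time-step counter) as a stand-in for the token's proprietary algorithm, with the sixty-second step and six-digit display the text gives, a passcode entered as PIN followed by the token digits, a one-step tolerance for clock drift between token and server, and a replay check so that each code is accepted once only. The shared secret (the RFC 4226 test-vector key), the PIN and the timestamps are constructed values.

```python
"""Time-based token verification in the TOTP (RFC 6238) style.

Constructed example: this is not the proprietary algorithm of the token in
the story, and the secret, PIN and times used below are made up.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the page's tokens change their six digits every sixty seconds
DIGITS = 6
DRIFT_STEPS = 1     # tolerate one step of clock skew in either direction


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
              digits: int = DIGITS) -> str:
    """Return the digits a token seeded with `secret` shows at `unix_time`.

    HMAC-SHA1 over the big-endian time-step counter, RFC 4226 dynamic
    truncation, then the low `digits` decimal digits (zero-padded).
    """
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server-side check of a passcode entered as PIN followed by token digits."""

    def __init__(self, secret: bytes, pin: str, step: int = STEP_SECONDS,
                 drift_steps: int = DRIFT_STEPS):
        self.secret = secret
        self.pin = pin
        self.step = step
        self.drift_steps = drift_steps
        # Highest time-step counter already used. A code is accepted once only,
        # so a captured passcode is useless after the window it was minted in.
        self.last_counter = -1

    def verify(self, passcode: str, now: int) -> bool:
        if len(passcode) != len(self.pin) + DIGITS:
            return False
        entered_pin = passcode[:len(self.pin)]
        entered_code = passcode[len(self.pin):]
        # Constant-time comparison so timing does not leak how much of the PIN matched.
        pin_ok = hmac.compare_digest(entered_pin.encode(), self.pin.encode())

        # Try the current step and its neighbours to absorb clock drift.
        matched_counter = None
        base = now // self.step
        for counter in range(base - self.drift_steps, base + self.drift_steps + 1):
            expected = totp_code(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, entered_code):
                matched_counter = counter

        # Both factors are always evaluated before deciding; then refuse any
        # counter at or below the last accepted one (replay protection).
        if not pin_ok or matched_counter is None or matched_counter <= self.last_counter:
            return False
        self.last_counter = matched_counter
        return True


if __name__ == "__main__":
    # Constructed demo values: RFC 4226 test-vector secret, made-up PIN and time.
    secret = b"12345678901234567890"
    verifier = TokenVerifier(secret, pin="1234")
    now = 120  # lies in time-step counter 2 with a 60-second step
    code = totp_code(secret, now)
    print("accepted first use:", verifier.verify("1234" + code, now))
    print("accepted replay:   ", verifier.verify("1234" + code, now))
```

The point for the story that follows: knowing an account name and password alone does not get past this check, because the second factor is the current token digits, and a passcode overheard or captured is dead within a minute or two and can never be re-used within its own window either.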
For the young hacker Danny to get at the source code he so coveted, he would have to not only compromise some employee's account name and password (not much of a challenge for the experienced social engineer) but also get around the time-based token.
Defeating the two-factor authentication of a time-based token combined with a user's secret PIN code sounds like a challenge right out of Mission Impossible.
But for social engineers, the challenge is similar to that faced by a poker player who has more than the usual skill at reading his opponents. With a little luck, when he sits down at a table he knows he's likely to walk away with a large pile of other people's money.