maita droši vien priecāsies, uzzinot, ka beidzot esmu atsācis lasīt viņa aizdoto grāmatu – «The Art of Deception (Controlling the Human Element of Security)», autori – Kevin D. Mitnick & William L. Simon. Drīz dabūsi, drīz. :) Nu, jā. Kā jau parasti, kad lasu kādu grāmatu, šis tas vienmēr atrodas, ko gribu citēt. Arī šoreiz tā ir. Pagaidām tikai viens citāts, taču garš. Tekstu es nokopēju, nevis pārrakstīju, tāpēc par kļūdām vainojiet trz. No viņa nāca kopējamais materiāls. :) Un autortiesības pieder Mitnikam. Tikai mieru! :)
Grāmata ir par sociālo inženieriju, un, ja nu kādam nav īsti skaidrs, ko tas nozīmē, šis varētu būt labs piemērs. Kā iegūt vajadzīgo informāciju no bankas par citiem, izliekoties par vienu vai otru un neko nemaz nelaužot. Grāmata gan rakstīta tādā īsteni amerikāniskā stilā, taču saturs ir labs tik un tā.
THE ART OF FRIENDLY PERSUASION
When the average person conjures up the picture of a computer hacker, what usually comes to mind is the uncomplimentary image of a lonely, introverted nerd whose best friend is his computer and who has difficulty carrying on a conversation, except by instant messaging. The social engineer, who often has hacker skills, also has people skills at the opposite end of the spectrum -- well-developed abilities to use and manipulate people that allow him to talk his way into getting information in ways you would never have believed possible.
Place: Valley branch, Industrial Federal Bank.
Time: 11:27 A.M.
Angela Wisnowski answered a phone call from a man who said he was just about to receive a sizeable inheritance and he wanted information on the different types of savings accounts, certificates of deposit, and whatever other investments she might be able to suggest that would be safe, but earn decent interest. She explained there were quite a number of choices and asked if he'd like to come in and sit down with her to discuss them. He was leaving on a trip as soon as the money arrived, he said, and had a lot of arrangements to make. So she began suggesting some of the possibilities and giving him details of the interest rates, what happens if you sell a CD early, and so on, while trying to pin down his investment goals.
She seemed to be making progress when he said, "Oh, sorry, I've got to take this other call. What time can I finish this conversation with you so I can make some decisions? When do you leave for lunch?" She told him 12:30 and he said he'd try to call back before then or the following day.
Major banks use internal security codes that change every day. When somebody from one branch needs information from another branch, he proves he's entitled to the information by demonstrating he knows the day's code. For an added degree of security and flexibility, some major banks issue multiple codes each day. At a West Coast outfit I'll call Industrial Federal Bank, each employee finds a list of five codes for the day, identified as A through E, on his or her computer each morning.
Time: 12:48 P.M., same day.
Louis Halpburn didn't think anything of it when a call came in that
afternoon, a call like others he handled regularly several times a week.
'Hello," the caller said. "This is Neil Webster. I'm calling from branch 3182 in Boston. Angela Wisnowski, please."
"She's at lunch. Can I help?"
"Well, she left a message asking us to fax some information on one of our customers."
The caller sounded like he had been having a bad day.
"The person who normally handles those requests is out sick," he said.
"I've got a stack of these to do, it's almost 4 o'clock here and I'm supposed to be out of this place to go to a doctor's appointment in half an hour."
The manipulation -- giving all the reasons why the other person should feel sorry for him -- was part of softening up the mark. He went on, "Whoever took her phone message, the fax number is unreadable. It's 213-something. What's the rest?"
Louis gave the fax number, and the caller said, "Okay, thanks. Before I can fax this, I need to ask you for Code B."
"But you called me," he said with just enough chill so the man from Boston would get the message.
This is good, the caller thought. It's so cool when people don't fall over at the first gentle shove. If the, don't resist a little, the job is too easy and I could start getting lazy.
To Louis, he said, "I've got a branch manager that's just turned paranoid about getting verification before we send anything out, is all. But listen, if you don't need us to fax the information, it's okay. No need to verify."
"Look," Louis said, "Angela will be back in half an hour or so. I can have her call you back."
"I'll just tell her I couldn't send the information today because you wouldn't identify this as a legitimate request by giving me the code. If I'm not out sick tomorrow, I'll call her back then."
"The message says 'Urgent.' Never mind, without verification my hands are tied. You'll tell her I tried to send it but you wouldn't give the code, okay?"
Louis gave up under the pressure. An audible sigh of annoyance came winging its way down the phone line.
"Well," he said, "wait a minute; I have to go to my computer. Which code did you want?"
"B," the caller said.
He put the call on hold and then in a bit picked up the line again. "It's 3184."
"That's not the right code."
"Yes it is -- B is 3184."
"I didn't say B, I said E."
"Oh, damn. Wait a minute."
Another pause while he again looked up the codes.
"E is 9697."
"9697 -- right. I'll have the fax on the way. Okay?"
"Industrial Federal Bank, this is Walter."
"Hey, Walter, it's Bob Grabowski in Studio City, branch 38," the caller said. "I need you to pull a sig card on a customer account and fax it to me." The sig card, or signature card, has more than just the customer's signature on it; it also has identifying information, familiar items such as the social security number, date of birth, mother's maiden name, and sometimes even a driver's license number. Very handy to a social engineer.
"Sure thing. What's Code C?"
"Another teller is using my computer right now," the caller said. "But I just used B and E, and I remember those. Ask me one of those."
"Okay, what's E?"
"E is 9697."
A few minutes later, Walter faxed the sig card as requested.
Donna Plaice’s Call
"Hi, this is Mr. Anselmo."
"How can I help you today?"
"What's that 800 number I'm supposed to call when I want to see if a deposit has been credited yet?"
"You're a customer of the bank?"
"Yes, and I haven't used the number in a while and now I don't know where I wrote it down."
"The number is 800-555-8600."
Vince Capelli's Tale
The son of a Spokane street cop, Vince knew from an early age that he wasn't going to spend his life slaving long hours and risking his neck for minimum wage. His two main goals in life became getting out of Spokane, and going into business for himself. The laughter of his homies all through high school only fired him up all the more -- they thought it was hilarious that he was so busted on starting his own business but had no idea what business it might be.
Secretly Vince knew they were right. The only thing he was good at was playing catcher on the high school baseball team. But not good enough to capture a college scholarship, no way good enough for professional baseball. So what business was he going to be able to start?
One thing the guys in Vince's group never quite figured out: Anything one of them had -- a new switchblade knife, a nifty pair of warm gloves, a sexy new girlfriend if Vince admired it, before long the item was his. He didn't steal it, or sneak behind anybody's back; he didn't have to. The guy who had it would give it up willingly, and then wonder afterward how it had happened. Even asking Vince wouldn't have gotten you anywhere: He didn't know himself. People just seemed to let him have whatever he wanted.
Vince Capelli was a social engineer from an early age, even though he had never heard the term.
His friends stopped laughing once they all had high school diplomas in hand. While the others slogged around town looking for jobs where you didn't have to say "Do you want fries with that?" Vince's dad sent him off to talk to an old cop pal who had left the force to start his own private investigation business in San Francisco. He quickly spotted Vince's talent for the work, and took him on.
That was six years ago. He hated the part about getting the goods on unfaithful spouses, which involved achingly dull hours of sitting and watching, but felt continually challenged by assignments to dig up asset information for attorneys trying to figure out if some miserable stiff was rich enough to be worth suing. These assignments gave him plenty of chances to use his wits.
Like the time he had to look into the bank accounts of a guy named Joe Markowitz. Joe had maybe worked a shady deal on a one-time friend of his, which friend now wanted to know, if he sued, was Markowitz flush enough that the friend might get some of his money back?
Vince's first step would be to find out at least one, but preferably two, of the bank's security codes for the day. That sounds like a nearly impossible challenge: What on earth would induce a bank employee to knock a chink in his own security system? Ask yourself -- if you wanted to do this, would you have any idea of how to go about it?
For people like Vince, it's too easy.
People trust you if you know the inside lingo of their job and their company. It's like showing you belong to their inner circle. It's like a secret handshake.
I didn't need much of that for a job like this. Definitely not brain surgery. All's I needed to get started was a branch number. When I dialed the Beacon Street office in Buffalo, the guy that answered sounded like a teller.
"This is Tim Ackerman," I said. Any name would do, he wasn't going
write it down. "What's the branch number there?"
"The phone number or the branch number, he wanted to know, which was pretty stupid because I had just dialed the phone number, hadn't I?
"3182," he said. Just like that. No, "Whad'ya wanna know for?" or anything. 'Cause it's not sensitive information, it's written on just about every piece of paper they use.
Step Two, call the branch where my target did his banking, get the name of one of their people, and find out when the person would be out for lunch. Angela. Leaves at 12:30. So far, so good.
Step Three, call back to the same branch during Angela's lunch break, say I'm calling from branch number such-and-such in Boston, Angela needs this information faxed, gimme a code for the day. This is the tricky part; it's where the rubber meets the road. If I was making up a test to be a social engineer, I'd put something like this on it, where your victim gets suspicious -- for good reason -- and you still stick in there until you break him down and get the information you need. You can't do that by reciting lines from a script or learning a routine, you got to be able to read your victim, catch his mood, play him like landing a fish where you let out a little line and reel in, let out and reel in. Until you get him in the net and flop him into the boat, splat!
So I landed him and had one of the codes for the day. A big step. With most banks, one is all they use, so I would've been home flee. Industrial Federal Bank uses five, so having just one out of five is long odds. With two out of five, I'd have a much better chance of getting through the next act of this little drama. I love that part about "I didn't say B, I said E." When it works, it's beautiful. And it works most of the time.
Getting a third one would have been even better. I've actually managed to get three on a single call--"B," "D," and "E" sound so much alike that you can claim they misunderstood you again. But you have to be talking to somebody who's a real pushover. This man wasn't. I'd go with two.
The day codes would be my trump to get the signature card. I call, and the guy asks for a code. C he wants, and I've only got B and E. But it's not the end of the world. You gotta stay cool at a moment like this, sound confident, keep right on going, Real smooth, I played him with the one about, "Somebody's using my computer, ask me one of these others."
We're all employees of the same company, we're all in this together, make it easy on the guy--that's what you're hoping the victim is thinking at a moment like this. And he played it right by the script. He took one of the choices I offered, I gave him the right answer, he sent the fax of the sig card.
Almost home. One more call gave me the 800 number that customers use for the automated service where an electronic voice reads you off the information you ask for. From the sig card, I had all of my target's account numbers and his PIN number, because that bank used the first five or last four digits of the social security number. Pen in hand, I called the 800 number and after a few minutes of pushing buttons, I had the latest balance in all four of the guy's accounts, and just for good measure, his most recent deposits and withdrawals in each.
Everything my client had asked for and more. I always like to give a little extra for good measure. Keep the clients happy. After all, repeat business is what keeps an operation going, right?
Analyzing the Con
The key to this entire episode was obtaining the all-important day codes, and to do that the attacker, Vince, used several different techniques.
He began with a little verbal arm-twisting when Louis proved reluctant to give him a code. Louis was right to be suspicious--the codes are designed to be used in the opposite direction. He knew that in the usual flow of things, the unknown caller would be giving him a security code. This was the critical moment for Vince, he hinge on which the entire success of his effort depended.
In the face of Louis's suspicion, Vince simply laid it on with manipulation, using an appeal to sympathy ("going to the doctor"), and pressure ("I've got a stack to do, it's almost 4 o'clock"), and manipulation ("Tell her you wouldn't give me the code"). Cleverly, Vince didn't actually make a threat, he just implied one: If you don't give me the security code, I won't send the customer information that your co worker needs, and I'll tell her I would have sent it but you wouldn't cooperate.
Still, let's not be too hasty in blaming Louis. After all, the person on the phone knew (or at least appeared to know) that co worker Angela had requested a fax. The caller knew about the security codes, and knew they were identified by letter designation. The caller said his branch manager was requiring it for greater security. There didn't really seem any reason not to give him the verification he was asking for.
Louis isn't alone. Bank employees give up security codes to social engineers every day. Incredible but true.
There's a line in the sand where a private investigator's techniques stop being legal and start being illegal. Vince stayed legal when he obtained the branch number. He even stayed legal when he conned Louis into giving him two of the day's security codes. He crossed the line when he had confidential information on a bank customer faxed to him.
But for Vince and his employer, it's a low-risk crime. When you steal money or goods, somebody will notice it's gone. When you steal information, most of the time no one will notice because the information is still in their possession.
Verbal security codes are equivalent to passwords in providing a convenient and reliable means of protecting data. But employees need to be knowledgeable about the tricks that social engineers use, and trained not to give up the keys to the kingdom.
Un, ja nu kādam liekas, ka ar sociālajiem inženieriem nekad nav saskāries un nekad to nedarīs, tad, lūk, ko par to saka Mitniks.. :)
Every reader will have been manipulated by the grand experts of all time in social engineering - their parents. They found ways to get you - "for your own good" - to do what they thought best. Parents become great storytellers in the same way that social engineers skillfully develop very plausible stories, reasons, and justifications for achieving their goals. Yes, we were all molded by our parents: benevolent (and sometimes not so benevolent) social engineers.