Art of Deception: Controlling the Human Element of Security

Chapter 2, The Art of Deception \ Security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naïveté, or ignorance come into play. The world’s most respected scientist of the twentieth century, Albert Einstein, is quoted as saying, “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” In the end, social engineering attacks can succeed when people are stupid or, more commonly, simply ignorant about good security practices.\ Many information technology (IT) professionals hold to the misconception that they’ve made their companies largely immune to attack because they’ve deployed standard security products. Anyone who thinks that security products alone offer true security is settling for the illusion of security. It’s a case of living in a world of fantasy: They will inevitably, later if not sooner, suffer a security incident.\ A Classic Case of Deception\ One day in 1978, Stanley Rifkin moseyed over to Security Pacific’s authorized-personnel-only wire-transfer room, where the staff sent and received transfers totaling several billion dollars every day.\ Arriving in the wire room, he took some notes on operating procedures, supposedly to make sure the backup system his company was developing would mesh properly with the regular systems. Meanwhile, he surreptitiously read the day’s security code from a posted slip of paper, and memorized it. A few minutes later he walked out.\ As he said afterward, he felt as if he had just won the lottery.\ Leaving the room at about 3 o’clock in the afternoon, he headed straight for the pay phone in the building’s marble lobby, where he deposited a coin and dialed into the wire-transfer room. He then changed hats, transforming himself from Stanley Rifkin, bank consultant, into Mike Hansen, a member of the bank’s International Department.\ According to one source, the conversation went something like this:\ “Hi, this is Mike Hansen in International,” he said to the young woman who answered the phone.\ She asked for the office number. That was standard procedure, and he was prepared: “286,” he said.\ The girl then asked, “Okay, what’s the code?”\ Rifkin has said that his adrenaline-powered heartbeat “picked up its pace” at this point. He responded smoothly, “4789.” Then he went on to give instructions for wiring “Ten million, two-hundred thousand dollars exactly” to the Irving Trust Company in New York, for credit of the Wozchod Handels Bank of Zurich, Switzerland, where he had already established an account.\ She took the number and said, “Thanks.”\ A few days later Rifkin flew to Switzerland, picked up his cash, and handed over $8 million to a Russian agency for a pile of diamonds. He flew back, passing through U.S. Customs with the stones hidden in a money belt.\ He had pulled off the biggest bank heist in history-and done it without using a gun, even without a computer. Oddly, his caper eventually made it into the pages of the Guinness Book of World Records in the category of “biggest computer fraud.”

ForewordviiPrefaceixIntroductionxvPart 1Behind the Scenes1Chapter 1Security's Weakest Link3Part 2The Art of the Attacker13Chapter 2When Innocuous Information Isn't15Chapter 3The Direct Attack: Just Asking for It31Chapter 4Building Trust41Chapter 5"Let Me Help You"55Chapter 6"Can You Help Me?"77Chapter 7Phony Sites and Dangerous Attachments93Chapter 8Using Sympathy, Guilt, and Intimidation105Chapter 9The Reverse Sting133Part 3Intruder Alert147Chapter 10Entering the Premises149Chapter 11Combining Technology and Social Engineering173Chapter 12Attacks on the Entry-Level Employee195Chapter 13Clever Cons209Chapter 14Industrial Espionage225Part 4Raising the Bar243Chapter 15Information Security Awareness and Training245Chapter 16Recommended Corporate Information Security Policies259Security at a Glance331Sources339Acknowledgments341Index347

\ From Barnes & NobleThe Barnes & Noble Review\ The name “Kevin Mitnick” is a Rorschach test for the digital age. To the government (and to companies like Sun Microsystems, whose Solaris source code he once appropriated), Mitnick was pure menace, marauding through computer systems that didn’t belong to him, causing millions of dollars of losses, and blazing a trail for even worse cybercriminals. To much of the hacker community, Mitnick’s a hero, unjustly persecuted by an ignorant Department of Justice: a prophet in the wilderness, warning folks who are too lazy or dumb to protect their digital assets. Perhaps you’ve seen those Free Kevin bumper stickers. After five years in prison, Mitnick’s on parole and evidently following the straight and narrow, though he’s still not allowed a web connection -- or even a ham radio license. \ Even if you could care less about Mitnick personally, though, his book The Art of Deception is indispensable if you care about the vulnerability of your business computer systems -- or your own personal information. Mitnick presents the best discussion of “social engineering” we’ve ever seen: the art of understanding how to trick people into voluntarily handing over the information needed to break into computer systems.\ It’s a shame you have to worry about folks “toy[ing] with your trust, your desire to be helpful, your sympathy, and your human gullibility to get what they want,” but you do -- and after you’ve read Mitnick’s extensive collection of case studies, you’ll be ready the next time someone tries social engineering on you.\ You’ll learn how crackers have convinced even suspicious employees to reveal their usernames and passwords; six ways “phone phreaks” can get unlisted phone numbers from the telephone company; and how investigators can quickly discover a terrifying amount of information about you and your company. You’ll also learn how, through a chain of “innocuous” conversations, a cracker can get into even the most well protected systems.\ Mitnick closes with a detailed guide to preventing social engineering attacks on your organization, including practical recommendations for employee security training, and a complete, easy-to-adapt security policy you can start implementing now. This may not be where you expected to get your security advice from, but hey, who could possibly know your vulnerabilities better than Kevin Mitnick? Bill Camarda\ Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks For Dummies®, Second Edition.\ \ \ \ \ \ ForbesFinally someone is on to the real cause of data security breaches--stupid humans. Notorious hacker Kevin Mit-nick--released from federal prison in January 2000 and still on probation--reveals clever tricks of the "social engineer-ing" trade and shows how to fend them off in The Art of Deception: Controlling the Human Element of Security (Wiley, $27.50).\ Most of the book, coauthored by William Simon (not the one running for governor of California), is a series of fictional episodes depicting the many breathtakingly clever ways that hackers can dupe trusting souls into breaching corporate and personal security--information as simple as an unlisted phone number or as complicated as plans for a top-secret product under development. The rest lays out a fairly draconian plan of action for companies that want to strengthen their defenses. Takeaway: You can put all the technology you want around critical information, but all it takes to break through is one dolt who gives up his password to a "colleague" who claims to be working from the Peoria office.\ What's useful about this book is its explanation of risks in seemingly innocuous systems few people think about. The caller ID notification that proves you're talking to a top executive of your firm? Easily forged. The password your assistant logs in with? Easily guessed. The memos you tossinto the cheap office shredder? Easily reconstructed. The extension that you call in the IT department? Easily forwarded.\ Physical security can be compromised, too. It's not hard to gain access to a building by "piggybacking" your way in the door amid the happy throng returning from lunch. You'd better have confidence in your IT professionals,because they're likely to have access to everything on the corporate system, including your salary and personal informa-tion. Mitnick offers some ideas for plugging these holes, like color-coded ID cards with really big photos.\ Implementing the book's security action plan in full seems impossible, but it's a good idea to warn employees from the boss down to the receptionist and janitors not to give out even innocuous information to people claiming to be helpful IT folks without confirming their identity--and to use things like encryption technology as fallbacks. Plenty of would-be Mitnicks--and worse--still ply their trade in spaces cyber and psychological.\ —Stephen Manes\ \ \ \ Wired MagazineHe was the FBI's most-wanted hacker. But in his own eyes, Mitnick was simply a small-time con artist with an incredible memory, a knack for social engineering, and an enemy at The New York Times. That foe, John Markoff, made big bucks selling two books about Mitnick -- without ever interviewing him. This is Mitnick's account, complete with advice for how to protect yourself from similar attacks. I believe his story.\ \ \ \ \ Publishers WeeklyMitnick is the most famous computer hacker in the world. Since his first arrest in 1981, at age 17, he has spent nearly half his adult life either in prison or as a fugitive. He has been the subject of three books and his alleged 1982 hack into NORAD inspired the movie War Games. Since his plea-bargain release in 2000, he says he has reformed and is devoting his talents to helping computer security. It's not clear whether this book is a means toward that end or a, wink-wink, fictionalized account of his exploits, with his name changed to protect his parole terms. Either way, it's a tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone. As entertainment, it's like reading the climaxes of a dozen complex thrillers, one after the other. As a security education, it's a great series of cautionary tales; however, the advice to employees not to give anyone their passwords is bland compared to the depth and energy of Mitnick's descriptions of how he actually hacked into systems. As a manual for a would-be hacker, it's dated and nonspecific better stuff is available on the Internet but it teaches the timeless spirit of the hack. Between the lines, a portrait emerges of the old-fashioned hacker stereotype: a socially challenged, obsessive loser addicted to an intoxicating sense of power that comes only from stalking and spying. (Oct.) Forecast: Mitnick's notoriety and his well-written, entertaining stories should generate positive word-of-mouth. With the double appeal of a true-crime memoir and a manual for computer security, this book will enjoy good sales. Copyright 2002 Cahners Business Information.\ \ \ \ \ Library JournalThe world's most famous computer hacker and cybercult hero, once the subject of a massive FBI manhunt for computer fraud, has written a blueprint for system security based on his own experiences. Mitnick, who was released from federal prison in 1998 after serving a 22-month term, explains that unauthorized intrusion into computer networks is not limited to exploiting security holes in hardware and software. He focuses instead on a common hacker technique known as social engineering in which a cybercriminal deceives an individual into providing key information rather than trying to use technology to reveal it. Mitnick illustrates the tactics comprising this "art of deception" through actual case studies, showing that even state-of-the-art security software can't protect businesses from the dangers of human error. With Mitnick's recommended security policies, readers gain the information their organizations need to detect and ward off the threat of social engineering. Required reading for IT professionals, this book is highly recommended for public, academic, and corporate libraries. [This should not be confused with Ridley Pearson's new thriller, The Art of Deception. Ed.] Joe Accardi, William Rainey Harper Coll. Lib., Palatine, IL\ \