<HTML>
<HEAD><TITLE>Social Engineering Hackers-LAN Times 11/6/95</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" LINK="#CC0000" VLINK="#333333">
<A NAME="top">


<!--story goes here-->



<h4>
SECURITY
</h4>
<H1>
Cracking a Social Engineer
</H1>
<H3>
Enterprising thieves use a variety of common techniques to pilfer
information
</H3>
<EM>
By Al Berg
</EM><HR>

Smart crackers don't want to break into your systems. According to
experienced hacker Susan Thunder's speech, "Social Engineering and
Psychological Subversion," at DEFCON III in Las Vegas last August, they'd
rather use a technique called social engineering to get users to open the
door for them.
<P>
DEFCON is an annual convention for hackers, "feds," corporate-security
types, and others interested in the computer underground. The convention is
neutral territory where U.S. Customs Service representatives, FBI agents,
and other law-enforcement personnel gather with their mostly teenage
adversaries--each side trying to gain insight into the other's methods. Many
of the attendees and speakers at DEFCON promote hacking as a means of
making systems more secure. They argue that hackers provide a valuable
service to system administrators by breaking in and pointing out security
problems to MIS before the real bad guys show up and exploit security holes
for profit. Whether or not this is the case, DEFCON is a treasure trove of
hacker and cracker information open to anyone who has $40 for a ticket.
<H4>Compromising Wetware</H4>

<I>Social engineering</I> is hacker jargon for getting needed information
(for example, a password) from a person rather than breaking into a system.
<I>Psychological subversion</I> is Thunder's term for using social
engineering over an extended period of time to maintain a continuing stream
of information and help from unsuspecting users.
<P>
She presented this scenario: A cracker has been hired by a private
investigator to gain a list of unredeemed, inactive life-insurance policies
of older people from an insurance company's files. The motive? If a policy is
inactive (no payments made for six months) and the insured is more than 80
years old, he or she may have died and the beneficiary may not know about
the policy's existence. Our cracker-hiring detective would take the list,
match the names against publicly available death records, and then contact
the beneficiaries, offering to "find" the money due to them for a fee. 
<P>
Thunder made an observation all LAN managers should take very seriously:
"Increased security measures make psychological attacks easier because
users think that their data is safe." All the locks in the world won't save you
from the thief you invite in.
<P>
Your first line of defense against social engineering is your garbage.
Crackers love to go "trashing" to find documents that help them piece
together the structure of your company, provide clues about what kinds of
computer systems you use, and most important, obtain the names, titles,
and telephone numbers of your employees. Think for a moment about the
documents your company throws out each day and how an attacker could use
them. Do your own dumpster dive and see if you find:
<UL>
<LI>Company phone books;
<LI>Organizational charts;
<LI>Memos;
<LI>Company policy manuals;
<LI>Calendars of meetings, events, and vacations;
<LI>System manuals;
<LI>Printouts of sensitive data or login names and passwords;
<LI>Printouts of source code;
<LI>Disks and tapes;
<LI>Company letterhead and memo forms;
<LI>Outdated hardware (especially hard drives).
</UL>
<P>
These items provide a wealth of information to crackers. A copy of the
company phone book is an extremely valuable tool. Knowing who to call and
who to impersonate are the first steps to gaining access to sensitive data.
Having the right names and titles at their fingertips can let smart crackers
sound as though they actually work for your company. A cracker interested
in finding dial-in access numbers will use the phone book to determine the
telephone exchange of your company and may use a war dialer to find modem
phone numbers.
<P>
There are some defensive tactics you can use against the trasher:
<UL>
<LI>Use a paper shredder to prevent a cracker from gaining the first vital
toehold into your firm. <P>
<LI>Make sure all magnetic media you discard is bulk erased--data can be
retrieved from formatted disks and hard drives.<P>
<LI>Dumpsters should be kept in secured areas--"down-on-their-luck" can
collectors rooting through your trash may not be what they seem.
</UL>
<P>
A smart cracker will call your central help desk. "After all, it's their job to
be helpful and they are usually overwhelmed," Thunder said. A quick call can
reveal much information about your systems and procedures. Your help desk
staff should be on the alert for the following:
<UL>
<LI>Calls from "employees" coming in on outside lines. Most PBX systems
indicate a call from an outside location by a special ring or the phone
display. Make help-desk personnel aware of these indicators and train them
to be suspicious of such calls, limiting information given until the caller is
properly identified.<P>
<LI>New employees or temporary workers. Help-desk staffers should verify
the identity of all employees before addressing  their problems or
questions. One way to do this is to check a company phone book and call the
employee back before working with him or her. Another is to assign each
employee a personal identification number (PIN) that must be given before
support is offered.
</UL>
<P>
Calls regarding password changes are a security mine field. If crackers have
found one of your dial-up numbers or gained physical access to a networked
workstation, they may try a variation on the following ploy.
<H4>Password Patsy</H4>

With the use of a discarded corporate phone book, the cracker first
identifies a person believed to have legitimate access to the targeted
system or desired data.
<P>
The target gets a call from the cracker saying something like, "Hi, this is
Joe from the MIS department. We were doing a routine systems check and
found a problem with your account. Your data is corrupted and we're losing
files. I'll need your username and password to make the fix."
<P>
"Sure, my username is JDOE and my password is mittleschmertz. Thanks for
fixing the problem."
<P>
A variation of this tactic is the cracker calling the help desk and
impersonating a user reporting a forgotten password. In many cases the help
desk will change the user's password over the phone. Just to clean up the
loose ends, our wily cracker then calls the user who was impersonated and
says something like, "This is Joe from the MIS department. We had some
problems with security today, so we've changed your password. Your new
password is swordfish." Assuming the cracker has dial-in or physical access
to a PC, the hacker  now has a legitimate username and password to work
with.
<H4>Help-Desk Security</H4>

Users should be told that their passwords should never be given out, even to
support personnel, without verifying the individual requesting it. Any call or
request in which a user is asked for his or her password should immediately
be directed to the MIS department.
<P>
Users should be assigned a PIN that must be given to access help-desk
support.
<P>
Passwords should not be changed without a written request and should be
delivered via the company mail or in person, not over the telephone.
<P>
Help-desk personnel should be trained to withhold support when a call does
not feel right--for example, when a user in the marketing department is
calling for help with the personnel database, or when a user sounds
unfamiliar with company policies and procedures. Offer to call the user back
and check the name and phone number in the company directory. If the caller
claims to be a temporary worker or a new employee, verify his or her
employment before offering support.
<P>
Most companies' physical security won't keep out a reasonably resourceful
cracker, according to Thunder. Simply donning a courier's uniform or a tool
belt has been enough preparation for many an intruder to gain entrance to a
computing facility. 
<H4>In Search of the Holy Grail</H4>

Once inside, the intruder has a whole menu of tactics to choose from,
including:
<UL>
<LI>Wandering the halls of the building  looking for the Holy Grail--vacant
offices with employees' login names and passwords attached to their
PCs;<P>
<LI>Going to the mail room to insert forged memos (on forms or letterhead
recovered from the trash or during an earlier foray) in to the corporate mail
system;<P>
<LI>Attempting to gain physical access to a server or telephone room to get
more information on the systems in use;<P>
<LI>Finding dial-in equipment and noting the telephone numbers (which are
probably written on the jacks);<P>
<LI>Placing a protocol analyzer in a wiring closet to capture data, user
names, and passwords (remember that when telnet is used with Unix-based
systems on the other end, login names and passwords are not encrypted);<P>
<LI>Simply stealing targeted information.
</UL>
<P>
You can prevent this type of activity with some of the following
countermeasures:
<UL>
<LI>Require that all visitors are to be escorted at all times;<P>
<LI>Instruct employees to report any repair people that show up without
being called, and to not grant access to equipment until the workers'
identities are established;<P>
<LI>Keep wire closets, server rooms, phone closets, and other locations
containing sensitive equipment locked at all times;<P>
<LI>Keep an inventory of the equipment that is supposed to be in each server
room, wire closet, and so on. Periodically check for extra or missing
equipment.
</UL>
<H4>The Sting</H4>

Remember the insurance company scenario mentioned earlier? According to
Thunder, this was a blueprint for a real crime. The crackers pulled off the
heist without breaking in to the system. A trash search netted a company
phone book. With a few phone calls, the intruders identified a person
authorized to request the report they wanted and a person in MIS whose job
was to help users get the report.
<P>
Company memo forms, also taken from the trash, were used to prepare a
properly formatted request (with the help of the unwitting MIS staffer).
These were dropped into the company mail during a quick foray into the
building by the infiltrator disguised as a courier. Finally, the crackers
called the MIS department to let the staff know that the report would be
picked up by a courier--who then walked out the door with the
multithousand-page report. It's important to note that the crackers did not
even have to physically access the company's computer systems to pull this
off.
<P>
Companies and government offices are becoming aware that crackers can be
used as effective espionage tools. In turn, crackers are discovering that it
is much easier, and less risky, to compromise people and procedures than to
break in to its computer systems. This combination of factors makes it
vital for LAN managers and security personnel to understand the threats
posed by social engineering.

<P>

</BODY></HTML>