The Art of Deception: Controlling the Human Element of Security
inventory and we don't have any phones left. I'm so embarrassed. Can you do me a favor? I'll send him over to your store to pick up a phone. Can you sell him the phone for one cent and write him up a receipt? And he's supposed to call me back once he's got the phone so I can talk him through how to program it." "Yeah, sure. Send him over." "Okay. His name is Ted. Ted Yancy."

    When the guy who calls himself Ted Yancy shows up at the North Broad St. store, Katie writes up an invoice and sells him the cell phone for one cent, just as she had been asked to do by her "co-worker." She fell for the con hook, line, and sinker.

    When it's time to pay, the customer doesn't have any pennies in his pocket, so he reaches into the little dish of pennies at the cashier's counter, takes one out, and gives it to the girl at the register. He gets the phone without paying even the one cent for it.

    He's then free to go to another wireless company that uses the same model of phone, and choose any service plan he likes. Preferably one on a month-to-month basis, with no commitment required.

    Analyzing the Con

    It's natural for people to have a higher degree of acceptance for anyone who claims to be a fellow employee and who knows company procedures and lingo. The social engineer in this story took advantage of that by finding out the details of a promotion, identifying himself as a company employee, and asking for a favor from another branch. This happens between branches of retail stores and between departments in a company: people are physically separated and, day in and day out, deal with fellow employees they have never actually met.

    HACKING INTO THE FEDS

    People often don't stop to think about what materials their organization is making available on the Web. For my weekly show on KFI Talk Radio in Los Angeles, the producer did a search on line and found a copy of an instruction manual for accessing the database of the National Crime Information Center. Later he found the actual NCIC manual itself on line, a sensitive document that gives all the instructions for retrieving information from the FBI's national crime database.

    The manual is a handbook for law enforcement agencies that gives the formatting and codes for retrieving information on criminals and crimes from the national database. Agencies all over the country can search the same database for information to help solve crimes in their own jurisdiction. The manual contains the codes used in the database for designating everything from different kinds of tattoos, to different boat hulls, to denominations of stolen money and bonds.

    Anybody with access to the manual can look up the syntax and the commands to extract information from the national database. Then, following instructions from the procedures guide, with a little nerve, anyone can extract information from the database. The manual also gives phone numbers to call for support in using the system. You may have similar manuals in your company offering product codes or codes for retrieving sensitive information.

    The FBI almost certainly has never discovered that their sensitive manual and procedural instructions are available to anyone on line, and I don't think they'd be very happy about it if they knew. One copy was posted by a government department in Oregon, the other by a law enforcement agency in Texas. Why? In each case, somebody probably thought the information was of no value and posting it couldn't do any harm. Maybe somebody posted it on their intranet just as a convenience to their own employees, never realizing that it made the information available to everyone on the Internet who has access to a good search engine such as Google - including the just-plain-curious, the wannabe cop, the hacker, and the organized crime boss.

    Tapping into the System

    The principle of using such information to dupe someone in the government or a business setting is the same: Because a social engineer knows how to access specific
