Free The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick, William L. Simon, Steve Wozniak Page A
databases or applications, or knows the names of a company's computer servers, or the like, he gains credibility. Credibility leads to trust. Once a social engineer has such codes, getting the information he needs is an easy process. In this example, he might begin by calling a clerk in a local state police Teletype office, and asking a question about one of the codes in the manual - for example, the offense code. He might say something like, "When I do an OFF inquiry in the NCIC, I'm getting a "System is down' error. Are you getting the same thing when you do an OFF? Would you try it for me?" Or maybe he'd say he was trying to look up a wpf - police talk for a wanted person's file. The Teletype clerk on the other end of the phone would pick up the cue that the caller was familiar with the operating procedures and the commands to query the NCIC database. Who else other than someone trained in using NCIC would know these procedures?
After the clerk has confirmed that her system is working okay, the conversation
might go something like this: "I could use a little help." "What're you looking for?" "I need you to do an OFF command on Reardon, Martin. DOB 10118/66." "What's the sosh?" (Law enforcement people sometimes refer to the social security number as the sosh.) "700-14-7435." After looking for the listing, she might come back with something like, "He's got a 2602." The attacker would only have to look at the NCIC on line to find the meaning of the number: The man has a case of swindling on his record.
Analyzing the Con An accomplished social engineer wouldn't stop for a minute to ponder ways of breaking into the NCIC database. Why should he, when a simple call to his local police department, and some smooth talking so he sounds convincingly like an insider, is all it takes to get the information he wants? And the next time, he just calls a different police agency and uses the same pretext.
LINGO SOSH: Law enforcement slang for a social security number
You might wonder, isn't it risky to call a police department, a sheriff's station, or a highway patrol office? Doesn't the attacker run a huge risk?
The answer is no . . . and for a specific reason. People in law enforce-ment, like people in the military, have ingrained in them from the first day in the academy a respect for rank. As long as the social engineer is posing as a sergeant or lieutenant--a higher rank than the person he's talking to - the victim will be governed by that well-learned lesson that says you don't question people who are in a position of authority over you. Rank, in other words, has its privileges, in particular the privilege of not being challenged by people of lower rank.
But don't think law enforcement and the military are the only places where this respect for rank can be exploited by the social engineer. Social engineers often use authority or rank in the corporate hierarchy as a weapon in their attacks on businesses - as a number of the stories in these pages demonstrate. PREVENTING THE CON What are some steps your organization can take to reduce the likelihood that social engineers will take advantage of your employees' natural instinct to trust people? Here are some suggestions.
Protect Your Customers In this electronic age many companies that sell to the consumer keep credit cards on file. There are reasons for this: It saves the customer the nuisance of having to provide the credit card information each time he visits the store or the Web site to make a purchase. However, the practice should be discouraged.
If you must keep credit card numbers on file, that process needs to be accompanied by security provisions that go beyond encryption or using access control. Employees need to be trained to recognize social engineering scams like the ones in this chapter. That fellow employee you've never met in person but who has become a telephone friend may not be who he or she claims to be. He may not have the "need to know" to access
After the clerk has confirmed that her system is working okay, the conversation
might go something like this: "I could use a little help." "What're you looking for?" "I need you to do an OFF command on Reardon, Martin. DOB 10118/66." "What's the sosh?" (Law enforcement people sometimes refer to the social security number as the sosh.) "700-14-7435." After looking for the listing, she might come back with something like, "He's got a 2602." The attacker would only have to look at the NCIC on line to find the meaning of the number: The man has a case of swindling on his record.
Analyzing the Con An accomplished social engineer wouldn't stop for a minute to ponder ways of breaking into the NCIC database. Why should he, when a simple call to his local police department, and some smooth talking so he sounds convincingly like an insider, is all it takes to get the information he wants? And the next time, he just calls a different police agency and uses the same pretext.
LINGO SOSH: Law enforcement slang for a social security number
You might wonder, isn't it risky to call a police department, a sheriff's station, or a highway patrol office? Doesn't the attacker run a huge risk?
The answer is no . . . and for a specific reason. People in law enforce-ment, like people in the military, have ingrained in them from the first day in the academy a respect for rank. As long as the social engineer is posing as a sergeant or lieutenant--a higher rank than the person he's talking to - the victim will be governed by that well-learned lesson that says you don't question people who are in a position of authority over you. Rank, in other words, has its privileges, in particular the privilege of not being challenged by people of lower rank.
But don't think law enforcement and the military are the only places where this respect for rank can be exploited by the social engineer. Social engineers often use authority or rank in the corporate hierarchy as a weapon in their attacks on businesses - as a number of the stories in these pages demonstrate. PREVENTING THE CON What are some steps your organization can take to reduce the likelihood that social engineers will take advantage of your employees' natural instinct to trust people? Here are some suggestions.
Protect Your Customers In this electronic age many companies that sell to the consumer keep credit cards on file. There are reasons for this: It saves the customer the nuisance of having to provide the credit card information each time he visits the store or the Web site to make a purchase. However, the practice should be discouraged.
If you must keep credit card numbers on file, that process needs to be accompanied by security provisions that go beyond encryption or using access control. Employees need to be trained to recognize social engineering scams like the ones in this chapter. That fellow employee you've never met in person but who has become a telephone friend may not be who he or she claims to be. He may not have the "need to know" to access
Similar Books
You Know Who Killed Me
Loren D. Estleman
A Dance with Dragons: A Song of Ice and Fire: Book Five
George R. R. Martin
Capturing A Highland Knight
F.S. Hyman
Limit of Vision
Linda Nagata
Love Beat
Flora Dain
Monstrous Regiment
Terry Pratchett
The Island
Jen Minkman
Sister Carrie (Barnes & Noble Classics Series)
Theodore Dreiser
