VICUG-L Archives

Visually Impaired Computer Users' Group List

Sender: "VICUG-L: Visually Impaired Computer Users' Group List"
From: Peter Altschul
Date: Fri, 7 May 2004 13:19:12 -0400
Fast Company

Worker, Hack Thyself

Social engineers hack the one part of IT that can't be patched: humans. The
best line of defense? Learn how to do it yourself.

Fast Company, Issue 82 | May 2004, Web Exclusive. By Ryan Underwood.

I know it was for demonstration purposes only. But still, when John Nunes,
an information security consultant, called my cell phone and rigged the
caller ID to display my office phone number (even though I was staring at
my office phone at the time and Nunes placed the call from 300 miles away),
it was spooky.

Spooky because it doesn't take a great leap to imagine an overworked,
soon-to-be-outsourced IT grunt running a Fortune 500 company's database in
San Diego getting a call from "someone" at New York headquarters -- hey,
the caller ID checks out -- asking him to shift some of the data to another
server for a few hours. As it turns out, that server happens to belong to
some Filipino teenager in desperate need of some fresh credit card numbers
so he can score a new plasma screen TV. Or worse, it belongs to the
company's fiercest competitor.

There's even a term for these kinds of human-computer shenanigans: social
engineering. It's a phrase that often gets bandied about as an afterthought
when talking about the hacker world of viruses and worms and all the rest.
But, Nunes warns, it's the single area of hackerdom that individuals and
companies have not paid nearly enough attention to.

A familiar cry among hackers these days goes something like this: There's
no patch for human stupidity.

Actually, there is one. "Education," says Barry Kaufman, the chief
technology officer of the Intense School, a hacker bootcamp for corporate
IT staffs.

"Technical controls have just about caught up with the hackers. It's humans
that are the weakest link in the chain."

But for Kaufman, education doesn't mean just having a security consultant
lecture a roomful of corporate IT folks on the latest threats. Instead, the
Intense School teaches its students how to hack for themselves so they can
put their IT department's feet to the fire.

"It's hard to tell people, watch out for this particular scam or that one,"
Kaufman says. "Every organization is different and there needs to be
someone there who can put its controls to the test."

One popular social hack, according to Nunes, goes like this: To retrieve a
password over the phone from America Online, a subscriber must simply
verify the last four digits of the credit card number on file. But, says
Nunes, jam your tongue into your cheek and mumble like you've just had some
form of oral surgery and see what happens. "You try giving them the numbers
but they can't understand you," he says, doing his best post-root-canal
imitation along the way. "You're dealing with tech support people who are
trying to get callers off in under a minute or two. So it doesn't take long
for them to get frustrated and just give you the password."

The online service PayPal, it seems, has to parry a new social engineering
thrust every few months. At any given time someone is spamming tracts of
unsuspecting users, asking them to click on www.paypai.com or
www.paypal.net or even www.paypal.com/nameyourscam to verify their credit
card or account information. From there, it only takes a few careless
readers, who happily supply their credit card numbers for verification, for
some online jackal to start racking up big bucks.
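The lookalike addresses above (a glyph swap, a different top-level domain, and a genuine host with a misleading path) are exactly what a mail filter's link check has to separate. The following is an added illustration, not code from the article or from PayPal: it classifies a link's host against a constructed allow-list using an assumed confusable-character map and a one-edit typosquat test, and it deliberately reports the real-domain case as "trusted" because host matching alone cannot judge a path.

```python
from urllib.parse import urlparse

# Constructed allow-list of brand domains the filter protects (assumption).
TRUSTED = {"paypal.com"}

# Characters commonly swapped for look-alike glyphs (assumed map, not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the link's host."""
    if "//" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    domain = ".".join(labels[-2:])          # naive registrable domain
    if domain in TRUSTED:
        return "trusted"                    # genuine host; the path is not judged here
    sld = labels[-2]
    for trusted in TRUSTED:
        tsld = trusted.split(".")[0]
        if tsld in labels[:-2]:             # brand name hidden in a subdomain
            return "lookalike"
        if sld == tsld:                     # same name, different TLD (paypal.net)
            return "lookalike"
        if sld.translate(CONFUSABLES) == tsld:  # glyph swap (paypai.com)
            return "lookalike"
        if levenshtein(sld, tsld) <= 1:     # one-edit typosquat
            return "lookalike"
    return "unrelated"
```

A "trusted" verdict only means the host is genuine; a link such as www.paypal.com/nameyourscam needs a separate check of the path or of where it redirects.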

But the stakes involved in social engineering are very often much higher
than merely having one's AOL identity hijacked or PayPal account stolen.
Corporate espionage is perhaps the most insidious breeding ground of social
engineering.

In one of many examples Nunes offers, he tells of a company that hired a
private investigation firm to tell it all it could about one of its
competitors that was bringing one of its core business functions online.
Part of the new IT initiative involved hiring more people. So the
investigative firm worked up the perfect resume and snagged an interview
for one of its henchmen. That person was then able to get inside the
company and talk in serious geek detail with no less than five layers of
the company's management about the new project.

"And at the end of the interview," Nunes says, "this guy, let's call him
Bob, spots purchase orders from customers and a white board that details
the company's new network structure. Bob pretends like he gets a call, he
pulls out his camera-equipped cell phone and starts snapping pictures of
everything."

True story, Nunes adds for emphasis.

It's hard to track numbers relating to social engineering because what gets
counted at the end of the day is the hack itself, not how it started.
However, in a celebrated case last September, Romanian authorities arrested
Dan Marius Stefan for directing eBay users that had lost out on an auction
to a site that purportedly offered better items at lower prices. The site
turned out to be a spoof run by Stefan where users were tricked out of all
manner of bank and credit card numbers, passwords and other critical
account information. In the end, Stefan netted up to $500,000 in ill-gotten
gains before the U.S. Secret Service helped nail him.

Kaufman says most of what he hears about social engineering these days is
anecdotal. One critical measurement that has caught his eye, however, is
the fact that he's seen a remarkable increase in the number of his clients
recently wanting to know how to prevent it.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html