A Study on People's Skill During The Social Engineering of The Digital Age and Owning The Box

Social Engineering and Owning the Box

I once worked as a Security guard for Quebecor World in Lincoln, NE. Nothing glamorous by any means, but unique in the fact that my 5.75 an hour rent-a-cop security guard job required me to go through a 1 month background check complete with credit record and criminal record pulls, interviews with the State Patrol, and multiple inquiries into my previous employment history. Why would this be necessary for such a mundane job? Who cares about the criminal background of a security guy on third shift at a printer?

Quebecor prints, among other things, AOL CDs and pre-approved credit card applications and has at any time several hundred thousand names, addresses, phone numbers, credit card numbers, and social security numbers in (relatively) plain view. The dumpsters are locked outside. A special shredder devours waste paper into confetti pieces smaller than the end of an infants little fingernail, and then shreds them again. Not that these precautions are not a good start, but in about 10 minutes, an employee inside with a grudge or someone with access to some money can enlist the help of a for profit company to reconstruct paper shreddings into a semblance of the original document or just walk out of the facility outright with thousands of peoples' private lives in their hands. Noticed anything unusual in your credit report lately?

In this paper I researched social engineering. I examine a bit of its history, designate it as a non-technical means of obtaining information about and ultimately entry into a computer information system, I looked at two prominent 'old school' social engineers. I then describe some basic precautions that are effective no matter what level of information system is employed.

Social engineering, and its related type of information attack 'dumpster diving', is IT slang for using non-technical means to compromise an information system. It is one of the most interesting aspects of computer network security and most effective means of intrusion because the human element of computing will never go away. Someone must design the systems, implement, train, and ultimately use them. Even with the science-fiction horror stories of computer gone amuck we will always have humans at terminals somewhere, sometime; thus any computers information is vulnerable to a psychological attack. The gray goo scenario of Eric Drexler (famous for saying that 'smart, microscopic computers could take over the earth), though a possibility in the future, is not possible at this time because of the current limitations of technology. The author himself has stepped away from his landmark mid-80s theory as well, saying that he wishes he'd never made the statement because of the immense impact it has had on stifling new research into computer miniaturization.

Social engineering is not a new intrusion technique. CERT/CC published an alert describing increased incidence of unauthorized entry attempts to computer systems in 1991. The explosion of the Internet amongst those former non-computer users made successful attempts all the more probable, a security issue that still occurs every day despite more than ten years of familiarity. Prior to the Internet, social engineering was evidenced in the cracking of the phone system with red and blue tone generator boxes, enabling the user to make calls to other locales (including across continents) while charging the costs to another extension. Sometimes the calls were charged to the phone company itself as a way of thumbing a nose at the establishment. The tone boxes themselves and their use did not require any personal contact since they could be built from plans that were freely accessible in cracker 'zines like 2600(named after the frequency of 2600HZ required to generate a call accept tone in early AT&T phone systems) and Phrack.

The originators of the tone boxes needed to have an intimate knowledge of the phone system and how it operated from the local exchanges and on thorough the greater network. This knowledge was gleaned, when possible from dumpster diving (using personal information is not necessarily a crime even today if gotten from discarded manuals, receipts, internal memos, and other proprietary documents that have been disposed of and are outside the facility) and calling phone operators or engineers and posing as a member of some other part of the network claiming to need some sort of information.

Some famous early phreakers did not have the stereotypical persona of crackers/hackers that seems to be prevalent in the media today, that of the technically talented nomadic loner, or the social misfit bent on some sort of hacktivism. Most of them were extremely intelligent people with few others to share their knowledge. A few were trained by our government for wartime and found their skills gave them a significant, though not very respected advantage over non-technical people, as is the case with John Draper a.k.a. Cap'n Crunch.

Draper earned his name from his use of a toy whistle found in a cereal box that generated the 2600HZ tone necessary to fool the phone system. John popularized the use of this whistle, and became known by the hacker handle "Cap'n Crunch". John became infamous, and was arrested in May 1972 for illegal use of the telephone company's system. He received probation, and then was arrested again in 1976, convicted on wire fraud charges because there were no other current laws under which he could be tried, and spent four months in Lompoc Federal Prison in California. Since then, he has held a variety of positions and given interviews on his experiences during the earliest days of long distance hacking. To his credit, Draper didn't single-handedly discover the vulnerability in the system, nor did he exploit it for much personal gain other than phone calls. There were, however, some phreakers that tried to use this technology, crude at the time, to play pranks that could have resulted in serious National Security repercussions. One such touted phreak was a phone call to the then President Nixon's bomb shelter in VA; another was (allegedly) a call to the Pope by Steve Wozniak.

This was all possible because the phone system in the late 60s and early 70s was set up so that voice transmission and signal data was sent on the same line. To save money, AT&T set their entire network to this 2600HZ standard. As the knowledge spread, the growing number of phone phreaks became a minor culture onto their own. They were able to train their ears to determine how the long lines routed their calls. Sympathetic (or easily social engineered) telephone company employees gave them the various routing codes to use international satellites and various trunk lines like expert operators. Phone company engineering information was also freely available at most major universities in the reference section since the engineering departments utilized the information in partnerships with the companies to help train new engineers. Once the phone company figured out what was going on, it immediately went to the major universities and red flagged their engineering manuals and removed them from circulation. The information was already out there, though, and until AT&T updated their switching technology and proceeded to subpoena phreakers under the wire fraud act it continued sporadically into the early 80s.

Another well knows social engineer needs almost no introduction. Arrested in February 1995 for allegedly stealing 300 million dollars worth of source code from victim companies, his charges were eventually lowered to 2 counts of computer fraud, wire fraud, impersonation, and misuse. Whatever one may think of hackers/crackers, at the time of Mitnick's capture the judicial system was unprepared to deal with the theft of intellectual property. As a result, Mitnick was held for 4.5 years in federal prison, 8 months of it in solitary confinement, because it was argued that he was an armed federal felon. ("...armed with a keyboard he posed a danger to the community".) The source code that he downloaded was soon made available to any user that requested it by SUN, so their claim of R& D losses was deemed inadmissible.

Kevin Mitnick's journey through the criminal system is disheartening at best for any computer user that wants to pursue a career in computer security or intrusion detection and response because many of the tools utilized to trace such activities can be used for illegal reasons. The governments' case against him originally had 10 victims listed and 27 counts. Among those victims are Novell, Nokia, and SUN Microsystems- companies that suffered no losses , but because Mr. Mitnick had a cell phone by those providers at different times and because he had a Novell program on his computer they are listed in the same weight SUN. None of the 10 companies listed in his indictment have ever filed reports for the loss to shareholders with the Securities and Exchange Commission.

Kevin Mitnick though technologically proficient, accomplished much of what he did by talking. Posing as employees of the phone company, various computer or other technology companies, and asking someone low in that companies' hierarchy for seemingly unrelated bits of information (known now as N.O.R.A.- Non-observable Relationship Awareness) allowed him to gain super user access to most of the systems that he was eventually charged with tampering with. A really competent social engineer can make a target trust him or her to such an extent that the worker casually gives out sensitive internal information. It may not be a significant disclosure in and of itself, but the information gleaned by such manipulation can easily be combined with other small bits to produce a detailed and dangerous roadmap to organizational treasures.

" One way I worked on developing the skills of my craft, if I may call it a craft, was to pick out some piece of information I didn't really care about and see if I could talk somebody on the other end of the phone into providing it..."

In Congressional testimony before Senators Lieberman and Thompson years later, Mitnick told them, "I have gained unauthorized access to computer systems at some of the largest corporations on the planet, and have successfully penetrated some of the most resilient computer systems ever developed. I have used both technical and non-technical means to obtain the source code to various operating systems and telecommunications devices to study their vulnerabilities and their inner workings."

The concept of "social engineering" is one that transcends computer model, operating system version, etc. Many computer types just don't understand it; in the same way they don't understand office politics. Bruce Schneier, a computer security consultant said by The Economist to be a security guru has this to say about the subject, " Security is not a product, and it's a process." Many security administrators look at network security as a technological problem rather than a social one. They approach it with the mindset of applying the latest firewalls, intrusion detection systems, access controls, and (sometimes) draconian user policies in hopes of preventing an attack or possible loss of proprietary information.

How does an organization defend against social engineering? Defending against social as well as technical threats should be part a "defense in depth" strategy, but it's often ignored. Businesses can't assume that users "know better" than to give out their passwords. Unless explicitly instructed otherwise, the average employee has no reason to question someone who seems to have a legitimate reason for asking. Even IT team members who are security-conscious might be hesitant to ask for proof of identity from an irate person claiming to be a member of upper management.

Protecting the network from social engineering attacks requires, first and foremost, a set of security policies that lay out the reasons and procedures for responding to these types of requests. Just developing the policies is not enough. In order to be effective:

• All members of management must agree to the policies and understand the need to properly prove their identities when making requests for passwords, etc.
• The policies must be disseminated to all users of the network, with education and training provided as to why compliance is essential.
• There should be explicitly defined consequences for violating the policies.

Security policies should be specific and should address such issues as:

• Strong password policies: minimum length, complexity requirements, requirements to change passwords at specified intervals, prohibition on dictionary words, easily guessed numbers such as birth dates and social security numbers, etc., prohibitions on writing down passwords.
• Prohibitions against disclosing passwords, to whom (if anyone) passwords can be disclosed and under what circumstances, procedure to follow if someone requests disclosure of passwords.
• Requirement that users log off or use password protected screensavers when away from the computer, cautionary instructions on ensuring that no one is watching when you type in logon information, etc.
• Physical security measures to prevent visitors and outside contractors from accessing systems to place key loggers, etc.
• Procedure for verifying identity of users to IT department and IT personnel to users (secret PINs, callback procedures, etc.).
• Policies governing destruction (shredding, incineration, etc.) of paperwork, disks and other media that hold information a hacker could use to breach security.

Social engineering is the easiest way for a hacker to gain access to your network, and one of the most common - yet many companies spend thousands of dollars on thwarting technical attacks and do nothing to prevent exploitation of "the human factor." Establishing policies is the first step in preventing socially engineered attacks, but perhaps the most important step is educating employees to make them aware of the danger of social engineering. The people who fall prey to social engineering scams - whether it's a ruse by an outsider pretending to be a company manager who needs a password changed or e-mail from a stranger pretending to be a wealthy Nigerian with money to give away - are those who haven't heard about the scam. Security awareness should be part of the training of every employee who uses the network, and in order to be effective, it should be ongoing. Forewarned is forearmed, especially when it comes to social engineering.

One of the most daunting aspects in social engineering is the sheer number of methods that can be utilized by an attacker. In fact, the only limiting factor is theimagination of the attacker and the susceptibility of the chosen targets. Social engineering tactics usually exploit identifiable human traits such as fear, greed, and trust, and use the somewhat predictable response characteristics of these traits to obtain information that would otherwise be inaccessible. Social engineering doesn't have to be between people or attack these traits at all however. Other tactics such as dumpster diving and eavesdropping require no human contact and no need to go through the hassle of exploitation, yet still yield vast quantities of information, which can be used as is or taken and assimilated into ammunition for a more elaborate social engineering attack.