Wednesday, July 6, 2011

The Direct Attack: Just Asking for It

Posted by OurTech Team | Wednesday, July 6, 2011

Many social engineering attacks are intricate, involving a number of steps and
elaborate planning, combining a mix of manipulation and technological know-how.
But I always find it striking that a skillful social engineer can often achieve his
goal with a simple, straightforward, direct attack. Just asking outright for the
information may be all that's needed - as you'll see.
Want to know someone's unlisted phone number? A social engineer can tell you
half a dozen ways (and you'll find some of them described in other stories in
these pages), but probably the simplest scenario is one that uses a single phone
call, like this one.
Number, Please
The attacker dialed the private phone company number for the MLAC, the
Mechanized Line Assignment Center. To the woman who answered, he said:
"Hey, this is Paul Anthony. I'm a cable splicer. Listen, a terminal box out here got
fried in a fire. Cops think some creep tried to burn his own house down for the
insurance. They got me out here alone trying to rewire this entire two hundred-pair
terminal. I could really use some help right now. What facilities should be
working at 6723 South Main?"
In other parts of the phone company, the person called would know that reverse
lookup information on non-pub (non-published) numbers is supposed to be given
out only to authorized phone company people. MLAC is supposed to be known only to
company employees. And while they'd never give out information to the public,
who would want to refuse a little help to a company man coping with that heavy-duty
assignment? She feels sorry for him, she's had bad days on the job herself,
and she'll bend the rules a little to help out a fellow employee with a problem. She gives
him the cable and pairs and each working number assigned to the address.
It's human nature to trust our fellow man, especially when the request meets the
test of being reasonable. Social engineers use this knowledge to exploit their
victims and to achieve their goals.
Analyzing the Con
As you'll notice repeatedly in these stories, knowledge of a company’s lingo, and
of its corporate structure - its various offices and departments, what each does and
what information each has - is part of the essential bag of tricks of the successful
social engineer.
A man we'll call Frank Parsons had been on the run for years, still wanted by the
federal government for being part of an underground antiwar group in the 1960s.
In restaurants he sat facing the door and he had a way of glancing over his
shoulder every once in a while that other people found disconcerting. He moved
every few years.
At one point Frank landed in a city he didn't know, and set about job hunting. For
someone like Frank, with his well-developed computer skills (and social
engineering skills as well, even though he never listed those on a job
application), finding a good job usually wasn't a problem. Except in times when
the economy is very tight, people with good technical computer knowledge
usually find their talents in high demand and they have little problem landing on
their feet. Frank quickly located a well-paying job opportunity at a large,
upscale, long-term care facility near where he was living.
Just the ticket, he thought. But when he started plodding his way through the
application forms, he came upon an uh-oh: The employer required the applicant
to provide a copy of his state criminal history record, which he had to obtain
himself from the state police. The stack of employment papers included a form to
request this document, and the form had a little box for providing a fingerprint.
Even though they were asking for a print of just the right index finger, if they
matched his print with one in the FBI's database, he'd probably soon be working
in food service at a federally funded resort.
On the other hand, it occurred to Frank that maybe, just maybe, he might still be
able to get away with this. Perhaps the state didn't send those fingerprint samples
to the FBI at all. How could he find out?
How? He was a social engineer--how do you think he found out? He placed a
phone call to the state patrol: "Hi. We're doing a study for the State Department
of Justice. We're researching the requirements to implement a new fingerprint
identification system. Can I talk to somebody there that's really familiar with
what you're doing who could maybe help us out?"
And when the local expert came on the phone, Frank asked a series of questions
about what systems they were using, and the capabilities to search and store
fingerprint data. Had they had any equipment problems? Were they tied into the
National Crime Information Center's (NCIC) Fingerprint Search or just within the
state? Was the equipment pretty easy for everybody to learn to use?
Slyly, he sneaked the key question in among the rest.
The answer was music to his ears: No, they weren't tied into the NCIC, they only
checked against the state's Criminal Information Index (CII).
