MINISTRY OF EDUCATION AND SCIENCE OF UKRAINE
LVIV POLYTECHNIC NATIONAL UNIVERSITY
IKTA, Department of Information Security
Abstract translation
for the course
"PROFESSIONAL FOREIGN LANGUAGE"
"INFORMATION SECURITY IN THE ENTERPRISE"
Lviv 2010
Chapter 1
Entering the Premises
Why is it so easy for an outsider to assume the identity of a company employee and carry off an impersonation so convincingly that even people who are highly security conscious are taken in? Why is it so easy to dupe individuals who may be fully aware of security procedures, suspicious of people they don't personally know, and protective of their company's interests? Ponder these questions as you read the stories in this chapter.
THE EMBARRASSED SECURITY GUARD
Date/Time: Tuesday, October 17, 2:16 A.M.
Place: Skywatcher Aviation, Inc. manufacturing plant on the outskirts of Tucson, Arizona.
The Security Guard's Story
Hearing his leather heels click against the floor in the halls of the nearly deserted plant made Leroy Greene feel much better than spending the night hours of his watch in front of the video monitors in the security office. There he wasn't allowed to do anything but stare at the screens, not even read a magazine or his leather-bound Bible. You just had to sit there looking at the displays of still images where nothing ever moved. But walking the halls, he was at least stretching his legs, and when he remembered to throw his arms and shoulders into the walk, it got him a little exercise, too. Although it didn't really count very much as exercise for a man who had played right tackle on the All-City champion high school football team. Still, he thought, a job is a job.
He turned the southwest corner and started along the gallery overlooking the half-mile-long production floor. He glanced down and saw two people walking past the line of partly built copters. The pair stopped and seemed to be pointing things out to each other. A strange sight at this time of night. "Better check," he thought. Leroy headed for a staircase that would bring him onto the production-line floor behind the pair, and they didn't sense his approach until he stepped alongside. "Morning. Can I see your security badges, please," he said. Leroy always tried to keep his voice soft at moments like this; he knew that the sheer size of him could seem threatening.
"Hi, Leroy," one of them said, reading the name off his badge. "I'm Tom Stilton, from the Marketing office at corporate in Phoenix. I'm in town for meetings and wanted to show my friend here how the world's greatest helicopters get built." "Yes, sir. Your badge, please," Leroy said. He couldn't help noticing how young they seemed. The Marketing guy looked barely out of high school, the other one had hair down to his shoulders and looked about fifteen. The one with the haircut reached into his pocket for his badge, then started patting all his pockets. Leroy was suddenly beginning to have a bad feeling about this. "Damn," the guy said. "Must've left it in the car. I can get it--just take me ten minutes to go out to the parking lot and back." Leroy had his pad out by this time.
"What'd you say your name was, sir?" he asked, and carefully wrote down the response. Then he asked them to go with him to the Security Office. On the elevator to the third floor, Tom chatted about having been with the company for only six months and hoped he wasn't going to get in any trouble for this. In the Security monitoring room, the two others on the night shift with Leroy joined him in questioning the pair. Stilton gave his telephone number, said his boss was Judy Underwood and gave her telephone number, and the information all checked out on the computer. Leroy took the other two security people aside and they talked about what to do. Nobody wanted to get this wrong; all three agreed they had better call the guy's boss even though it would mean waking her in the middle of the night.
Leroy called Mrs. Underwood himself, explained who he was and did she have a Mr. Tom Stilton working for her? She sounded like she was still half-asleep. "Yes," she said.
"Well, we found him down on the production line at 2:30 in the morning with no ID badge." Mrs. Underwood said, "Let me talk to him." Stilton got on the phone and said, "Judy, I'm really sorry about these guys waking you up in the middle of the night. I hope you're not going to hold this against me."
He listened and then said, "It was just that I had to be here in the morning anyway, for that meeting on the new press release. Anyway, did you get the email about the Thompson deal? We need to meet with Jim on Monday morning so we don't lose this. And I'm still having lunch with you on Tuesday, right?" He listened a bit more and said good-bye and hung up.
That caught Leroy by surprise; he had thought he'd get the phone back so the lady could tell him everything was okay. He wondered if maybe he should call her again and ask, but thought better of it. He had already bothered her once in the middle of the night; if he called a second time, maybe she might get annoyed and complain to his boss. "Why make waves?" he thought.
"Okay if I show my friend the rest of the production line?" Stilton asked Leroy. "You want to come along, keep an eye on us?" "Go on," Leroy said. "Look around. Just don't forget your badge next time. And let Security know if you need to be on the plant floor after hours. It's the rule." "I'll remember that, Leroy," Stilton said. And they left.
Hardly ten minutes had gone by before the phone rang in the Security Office. Mrs. Underwood was on the line. "Who was that guy?!" she wanted to know. She said she kept trying to ask questions but he just kept on talking about having lunch with her and she doesn't know who the hell he is. The security guys called the lobby and the guard at the gate to the parking lot. Both reported the two young men had left some minutes before.
Joe Harper's Story
Just to see what he could get away with, seventeen-year-old Joe Harper had been sneaking into buildings for more than a year, sometimes in the daytime, sometimes at night. The son of a musician and a cocktail waitress, both working the night shift, Joe had too much time by himself. His story of that same incident sheds instructive light on how it all happened. I have this friend Kenny who thinks he wants to be a helicopter pilot. He asked me, could I get him into the Skywatcher factory to see the production line where they make the choppers. He knows I've got into other places before. It's an adrenaline rush to see if you can slip into places you're not supposed to be.
But you don't just walk into a factory or office building. Got to think it through, do a lot of planning, and do a full reconnaissance on the target. Check the company's Web page for names and titles, reporting structure, and telephone numbers. Read press clippings and magazine articles. Meticulous research is my own brand of caution, so I could talk to anybody that challenged me, with as much knowledge as any employee.
So where to start? First I looked up on the Internet to see where the company had offices, and saw the corporate headquarters was in Phoenix. Perfect. I called and asked for Marketing; every company has a marketing department. A lady answered, and I said I was with Blue Pencil Graphics and we wanted to see if we could interest them in using our services and who would I talk to. She said that would be Tom Stilton. I asked for his phone number and she said they didn't give out that information but she could put me through. The call rang into voice mail, and his message said, "This is Tom Stilton in Graphics, extension 3147, please leave a message." Sure--they don't give out extensions, but this guy leaves his right on his voice mail. So that was cool. Now I had a name and extension.
Another call, back to the same office. "Hi, I was looking for Tom Stilton. He's not in. I'd like to ask his boss a quick question." The boss was out, too, but by the time I was finished, I knew the boss's name. And she had nicely left her extension number on her voice mail, too.
I could probably get us past the lobby guard with no sweat, but I've driven by that plant and I thought I remembered a fence around the parking lot. A fence means a guard who checks you when you try to drive in. And at night, they might be writing down license numbers, too, so I'd have to buy an old license plate at a flea market.
But first I'd have to get the phone number in the guard shack. I waited a little so if I got the same operator when I dialed back in, she wouldn't recognize my voice. After a bit I called and said, "We've got a complaint that the phone at the Ridge Road guard shack has reported intermittent problems--are they still having trouble?" She said she didn't know but would connect me.
The guy answered, "Ridge Road gate, this is Ryan." I said, "Hi, Ryan, this is Ben. Were you having problems with your phones there?" He's just a low-paid security guard but I guess he had some training because he right away said, "Ben who--what's your last name?" I just kept right on as if I hadn't even heard him. "Somebody reported a problem earlier."
I could hear him holding the phone away and calling out, "Hey, Bruce, Roger, was there a problem with this phone?" He came back on and said, "No, no problems we know about."
"How many phone lines do you have there?"
He had forgotten about my name. "Two," he said.
"Which one are you on now?" "3140."
Gotcha! "And they're both working okay?"
"Seems like."
"Okay," I said. "Listen, Tom, if you have any phone problems, just call us in Telecom any time. We're here to help."
My buddy and I decided to visit the plant the very next night. Late that afternoon I called the guard booth, using the name of the Marketing guy. I said, "Hi, this is Tom Stilton in Graphics. We're on a crash deadline and I have a couple of guys driving into town to help out. Probably won't be here till one or two in the morning. Will you still be on then?" He was happy to say that, no, he got off at midnight. I said, "Well, just leave a note for the next guy, okay? When two guys show up and say they've come to see Tom Stilton, just wave 'em on in-okay?"
Yes, he said, that was fine. He took down my name, department, and extension number and said he'd take care of it. We drove up to the gate a little after two, I gave Tom Stilton's name, and a sleepy guard just pointed to the door we should go in and where I should park. When we walked into the building, there was another guard station in the lobby, with the usual book for after-hours sign-ins. I told the guard I had a report that needed to be ready in the morning, and this friend of mine wanted to see the plant. "He's crazy about helicopters," I said. "Thinks he wants to learn to pilot one." He asked me for my badge. I reached into a pocket, then patted around and said I must have left it in the car; I'd go get it. I said, "It'll take about ten minutes." He said, "Never mind, it's okay, just sign in." Walking down that production line, what a gas. Until that tree-trunk of a Leroy stopped us.
When things get tight, I just start sounding like I'm really steamed. Like I'm really who I claimed to be and it's annoying they don't believe me. When they started talking about maybe they should call the lady I said was my boss and went to get her home phone number from the computer, I stood there thinking, "Good time to just make a break for it." But there was that parking-lot gate-even if we got out of the building, they'd close the gate and we'd never make it out. When Leroy called the lady who was Stilton's boss and then gave me the phone, the lady started shouting at me "Who is this, who are you!" and I just kept on talking like we were having a nice conversation, and then hung up.
How long does it take to find somebody who can give you a company phone number in the middle of the night? I figured we had less than fifteen minutes to get out of there before that lady was ringing the security office and putting a bug in their ears. We got out of there as fast as we could without looking like we were in a hurry. Sure was glad when the guy at the gate just waved us through.
Analyzing the Con
It's worth noting that in the real incident this story is based on, the intruders actually were teenagers. The intrusion was a lark, just to see if they could get away with it. But if it was so easy for a pair of teenagers, it would have been even easier for adult thieves, industrial spies, or terrorists. How did three experienced security officers allow a pair of intruders to just walk away? And not just any intruders, but a pair so young that any reasonable person should have been very suspicious?
Leroy was appropriately suspicious, at first. He was correct in taking them to the Security Office, and in questioning the guy who called himself Tom Stilton and checking the names and phone numbers he gave. He was certainly correct in making the phone call to the supervisor. But in the end he was taken in by the young man's air of confidence and indignation. It wasn't the behavior he would expect from a thief or intruder-only a real employee would have acted that way.., or so he assumed. Leroy should have been trained to count on solid identification, not perceptions. Why wasn't he more suspicious when the young man hung up the phone without handing it back so Leroy could hear the confirmation directly from Judy Underwood and receive her assurance that the kid had a reason for being in the plant so late at night?
Leroy was taken in by a ruse so bold that it should have been obvious. But consider the moment from his perspective: a high-school graduate, concerned for his job, uncertain whether he might get in trouble for bothering a company manager for the second time in the middle of the night. If you had been in his shoes, would you have made the follow-up call?
But of course, a second phone call wasn't the only possible action. What else could the security guard have done? Even before placing the phone call, he could have asked both of the pair to show some kind of picture identification; they drove to the plant, so at least one of them should have had a driver's license. The fact that they had originally given phony names would have been immediately obvious (a professional would have come equipped with fake ID, but these teenagers had not taken that precaution). In any case, Leroy should have examined their identification credentials and written down the information. If they both insisted they had no identification, he should then have walked them to the car to retrieve the company ID badge that "Tom Stilton" claimed he had left there.
MITNICK MESSAGE
Manipulative people usually have very attractive personalities. They are typically fast on their feet and quite articulate. Social engineers are also skilled at distracting people's thought processes so that they cooperate. To think that any one particular person is not vulnerable to this manipulation is to underestimate the skill and the killer instinct of the social engineer. A good social engineer, on the other hand, never underestimates his adversary.
Following the phone call, one of the security people should have stayed with the pair until they left the building. And then walked them to their car and written down the license-plate number. If he had been observant enough, he would have noted that the plate (the one that the attacker had purchased at a flea market) did not have a valid registration sticker - and that should have been reason enough to detain the pair for further investigation.
DUMPSTER DIVING
Dumpster diving is a term that describes pawing through a target's garbage in search of valuable information. The amount of information you can learn about a target is astounding. Most people don't give much thought to what they're discarding at home: phone bills, credit card statements, medical prescription bottles, bank statements, work-related materials, and so much more. At work, employees must be made aware that people do look through trash to obtain information that may benefit them.
During my high school years, I used to go digging through the trash behind the local phone company buildings, often alone but occasionally with friends who shared an interest in learning more about the telephone company. Once you become a seasoned Dumpster diver, you learn a few tricks, such as how to make special efforts to avoid the bags from the restrooms, and the necessity of wearing gloves. Dumpster diving isn't enjoyable, but the payoff was extraordinary: internal company telephone directories, computer manuals, employee lists, discarded printouts showing how to program switching equipment, and more, all there for the taking. I'd schedule visits for nights when new manuals were being issued, because the trash containers would have plenty of old ones, thoughtlessly thrown away. And I'd go at other odd times as well, looking for any memos, letters, reports, and so forth, that might offer some interesting gems of information. On arriving I'd find some cardboard boxes, pull them out and set them aside. If anyone challenged me, which happened now and then, I'd say that a friend was moving and I was just looking for boxes to help him pack. The guard never noticed all the documents I had put in the boxes to take home. In some cases, he'd tell me to get lost, so I'd just move to another phone company central office.
I don't know what it's like today, but back then it was easy to tell which bags might contain something of interest. The floor sweepings and cafeteria garbage were loose in the large bags, while the office wastebaskets were all lined with white disposable trash bags, which the cleaning crew would lift out one by one and wrap a tie around.
One time, while searching with some friends, we came up with some sheets of paper torn up by hand. And not just torn up: someone had gone to the trouble of ripping the sheets into tiny pieces, all conveniently thrown out in a single trash bag. We took the bag to a local donut shop, dumped the pieces out on a table, and started assembling them one by one. We were all puzzle-doers, so this offered the stimulating challenge of a giant jigsaw puzzle, but turned out to have more than a childish reward. When done, we had pieced together the entire account name and password list for one of the company's critical computer systems.
Were our Dumpster-diving exploits worth the risk and the effort? You bet they were. Even more than you would think, because the risk is zero. It was true then and still true today: As long as you're not trespassing, poring through someone else's trash is 100 percent legal. (In the United States this rests on California v. Greenwood, 1988, in which the Supreme Court held that garbage left out for collection carries no reasonable expectation of privacy; other jurisdictions and local ordinances may treat it differently.) Of course, phone phreaks and hackers aren't the only ones with their heads in trash cans. Police departments around the country paw through trash regularly, and a parade of people from Mafia dons to petty embezzlers have been convicted based in part on evidence gathered from their rubbish. Intelligence agencies, including our own, have resorted to this method for years.
It may be a tactic too low down for James Bond; movie-goers would much rather watch him outfoxing the villain and bedding a beauty than standing up to his knees in garbage. Real-life spies are less squeamish when something of value may be bagged among the banana peels and coffee grounds, the newspapers and grocery lists. Especially if gathering the information doesn't put them in harm's way.
Cash for Trash
Corporations play the Dumpster-diving game, too. Newspapers had a field day in June 2000, reporting that Oracle Corporation (whose CEO, Larry Ellison, is probably the nation's most outspoken foe of Microsoft) had hired an investigative firm that had been caught with their hands in the cookie jar. It seems the investigators wanted trash from a Microsoft-supported lobbying outfit, ACT, but they didn't want to risk getting caught. According to press reports, the investigative firm sent in a woman who offered the janitors $60 to let her have the ACT trash. They turned her down. She was back the next night, upping the offer to $500 for the cleaners and $200 for the supervisor. The janitors turned her down and then turned her in. Leading on-line journalist Declan McCullagh, taking a leaf from literature, titled his Wired News story on the episode, "'Twas Oracle That Spied on MS." Time magazine, nailing Oracle's Ellison, titled their article simply "Peeping Larry."
Analyzing the Con
Based on my own experience and the experience of Oracle, you might wonder why anybody would bother taking the risk of stealing someone's trash. The answer, I think, is that the risk is nil and the benefits can be substantial. Okay, maybe trying to bribe the janitors increases the chance of consequences, but for anyone who's willing to get a little dirty, bribes aren't necessary. For a social engineer, Dumpster diving has its benefits. He can get enough information to guide his assault against the target company, including memos, meeting agendas, letters and the like that reveal names, departments, titles, phone numbers, and project assignments. Trash can yield company organizational charts, information about corporate structure, travel schedules, and so on. All those details might seem trivial to insiders, yet they may be highly valuable information to an attacker.
Mark Joseph Edwards, in his book Internet Security with Windows NT, talks about "entire reports discarded because of typos, passwords written on scraps of paper, 'While you were out' messages with phone numbers, whole file folders with documents still in them, diskettes and tapes that weren't erased or destroyed-all of which could help a would-be intruder." The writer goes on to ask, "And who are those people on your cleaning crew? You've decided that the cleaning crew won't [be permitted to] enter the computer room but don't forget the other trash cans. If federal agencies deem it necessary to do background checks on people who have access to their wastebaskets and shredders, you probably should as well."
MITNICK MESSAGE
Your trash may be your enemy's treasure. We don't give much consideration to the materials we discard in our personal lives, so why should we believe people have a different attitude in the workplace? It all comes down to educating the workforce about the danger (unscrupulous people digging for valuable information) and the vulnerability (sensitive information not being shredded or properly erased).
THE HUMILIATED BOSS
Nobody thought anything about it when Harlan Fortis came to work on Monday morning as usual at the County Highway Department, and said he'd left home in a hurry and forgotten his badge. The security guard had seen Harlan coming in and going out every weekday for the two years she had been working there. She had him sign for a temporary employee's badge, gave it to him, and he went on his way. It wasn't until two days later that all hell started breaking loose. The story spread through the entire department like wildfire. Half the people who heard it said it couldn't be true. Of the rest, nobody seemed to know whether to laugh out loud or to feel sorry for the poor soul.
After all, George Adamson was a kind and compassionate person, the best head of department they'd ever had. He didn't deserve to have this happen to him. Assuming that the story was true, of course. The trouble had begun when George called Harlan into his office late one Friday and told him, as gently as he could, that come Monday Harlan would be reporting to a new job. With the Sanitation Department. To Harlan, this wasn't like being fired. It was worse; it was humiliating. He wasn't going to take it lying down.
That same evening he seated himself on his porch to watch the homeward-bound traffic. At last he spotted the neighborhood boy named David, who everyone called "The War Games Kid," going by on his moped on the way home from high school. He stopped David, gave him a Code Red Mountain Dew he had bought especially for the purpose, and offered him a deal: the latest video game player and six games in exchange for some computer help and a promise of keeping his mouth shut. After Harlan explained the project, without giving any of the compromising specifics, David agreed. David described what he wanted Harlan to do. He was to buy a modem, go into the office, find somebody's computer where there was a spare phone jack nearby, and plug in the modem. Leave the modem under the desk where nobody would be likely to see it. Then came the risky part. Harlan had to sit down at the computer, install a remote-access software package, and get it running. Any moment the man who worked in the office might show up, or someone might walk by and see him in another person's office. He was so uptight that he could hardly read the instructions that the kid had written down for him. But he got it done, and slipped out of the building without being noticed.
Planting the Bomb
David stopped over after dinner that night. The two sat down at Harlan's computer and within a few minutes the boy had dialed into the modem, gained access, and reached George Adamson's machine. Not very difficult, since George never had time for precautionary things like changing passwords, and was forever asking this person or that to download or email a file for him. In time, everyone in the office knew his password. A bit of hunting turned up the file called BudgetSlides2002.ppt, which the boy downloaded onto Harlan's computer. Harlan then told the kid to go on home, and come back in a couple of hours. When David returned, Harlan asked him to reconnect to the Highway Department computer system and put the same file back where they had found it, overwriting the earlier version. Harlan showed David the video game player, and promised that if things went well, he'd have it the next day.
Surprising George
You wouldn't think that something sounding as dull as budget hearings would be of much interest to anyone, but the meeting chamber of the County Council was packed, filled with reporters, representatives of special interest groups, members of the public, and even two television news crews. George always felt much was at stake for him in these sessions. The County Council held the purse strings, and unless George could put on a convincing presentation, the Highways budget would be slashed. Then everyone would start complaining about potholes and stuck traffic lights and dangerous intersections, and blaming him, and life would be miserable for the whole coming year. But when he was introduced that evening, he stood up feeling confident. He had worked six weeks on this presentation and the PowerPoint visuals, which he had tried out on his wife, his top staff people, and some respected friends. Everyone agreed it was his best presentation ever.
The first three PowerPoint images played well. For a change, every Council member was paying attention. He was making his points effectively. And then all at once everything started going wrong. The fourth image was supposed to be a beautiful photo at sunset of the new highway extension opened last year. Instead it was something else, something very embarrassing. A photograph out of a magazine like Penthouse. He could hear the audience gasp as he hurriedly hit the button on his laptop to move to the next image. This one was worse. Not a thing was left to the imagination. He was still trying to click to another image when someone in the audience pulled out the power plug to the projector while the chairman banged loudly with his gavel and shouted above the din that the meeting was adjourned.
Analyzing the Con
Using a teenage hacker's expertise, a disgruntled employee managed to access the computer of the head of his department, download an important PowerPoint presentation, and replace some of the slides with images certain to cause grave embarrassment. Then he put the presentation back on the man's computer. With the modem plugged into a jack and connected to one of the office computers, the young hacker was able to dial in from the outside; the connection never touched whatever perimeter controls the organization had, because it entered through an ordinary phone line. The remote access software Harlan had installed on the kid's instructions meant that, once connected, the caller had full access to every file stored on that machine. Since the computer was connected to the organization's network and he already knew the boss's username and password, a password that had never been changed and was known to the whole office, he could easily gain access to the boss's files. Including the time to scan in the magazine images, the entire effort had taken only a few hours. The resulting damage to a good man's reputation was beyond imagining.
MITNICK MESSAGE
The vast majority of employees who are transferred, fired, or let go in a downsizing are never a problem. Yet it only takes one to make a company realize too late what steps they could have taken to prevent disaster. Experience and statistics have clearly shown that the greatest threat to the enterprise is from insiders. It's the insiders who have intimate knowledge of where the valuable information resides, and where to hit the company to cause the most harm.
THE PROMOTION SEEKER
Late in the morning of a pleasant autumn day, Peter Milton walked into the lobby of the Denver regional offices of Honorable Auto Parts, a national parts wholesaler for the automobile aftermarket. He waited at the reception desk while the young lady signed in a visitor, gave driving directions to a caller, and dealt with the UPS man, all more or less at the same time. "So how did you learn to do so many things at once?" Pete said when she had time to help him. She smiled, obviously pleased he had noticed. He was from Marketing in the Dallas office, he told her, and said that Mike Talbott from Atlanta field sales was going to be meeting him. "We have a client to visit together this afternoon," he explained. "I'll just wait here in the lobby." "Marketing." She said the word almost wistfully, and Pete smiled at her, waiting to hear what was coming. "If I could go to college, that's what I'd take," she said. "I'd love to work in Marketing." He smiled again. "Kaila," he said, reading her name off the sign on the counter, "We have a lady in the Dallas office who was a secretary. She got herself moved over to Marketing. That was three years ago, and now she's an assistant marketing manager, making twice what she was." Kaila looked starry-eyed. He went on, "Can you use a computer?" "Sure," she said.
"How would you like me to put your name in for a secretary's job in Marketing. She beamed. "For that I'd even move to Dallas." "You're going to love Dallas," he said. "I can't promise an opening right away, but I'll see what I can do." She thought that this nice man in the suit and tie and with the neatly trimmed, well-combed hair might make a big difference in her working life. Pete sat down across the lobby, opened his laptop, and started getting some work done. After ten or fifteen minutes, he stepped back up to the counter. "Listen," he said, "it looks like Mike must've been held up. Is there a conference room where I could sit and check my emails while I'm waiting?"
Kaila called the man who coordinated the conference room scheduling and arranged for Pete to use one that wasn't booked. Following a pattern picked up from Silicon Valley companies (Apple was probably the first to do this) some of the conference rooms were named after cartoon characters, others after restaurant chains or movie stars or comic book heroes. He was told to look for the Minnie Mouse room. She had him sign in, and gave him directions to find Minnie Mouse. He located the room, settled in, and connected his laptop to the Ethernet port. Do you get the picture yet? Right-the intruder had connected to the network behind the corporate firewall.
Anthony's Story
I guess you could call Anthony Lake a lazy businessman. Or maybe "bent" comes closer.
Instead of working for other people, he had decided he wanted to go to work for himself; he wanted to open a store, where he could be at one place all day and not have to run all over the countryside. Only he wanted to have a business that he could be as sure as possible he could make money at. What kind of store? That didn't take long to figure out. He knew about repairing cars, so an auto parts store. And how do you build in a guarantee of success? The answer came to him in a flash: convince auto parts wholesaler Honorable Auto Parts to sell him all the merchandise he needed at their cost. Naturally they wouldn't do this willingly. But Anthony knew how to con people, his friend Mickey knew about breaking into other people's computers, and together they worked out a clever plan. That autumn day he convincingly passed himself off as an employee named Peter Milton, and he had conned his way inside the Honorable Auto Parts offices and had already plugged his laptop into their network. So far, so good, but that was only the first step. What he still had to do wouldn't be easy, especially since Anthony had set himself a fifteen-minute time limit-any longer and he figured that the risk of discovery would be too high.
MITNICK MESSAGE
Train your people not to judge a book solely by its cover-just because someone is well-dressed and well-groomed, he shouldn't be any more believable.
In an earlier phone call, pretexting as a support person from their computer supplier, he had put on a song-and-dance act. "Your company has purchased a two-year support plan and we're putting you in the database so we can know when a software program you're using has come out with a patch or a new updated version. So I need to have you tell me what applications you're using." The response gave him a list of programs, and an accountant friend identified the one called MAS 90 as the target-the program that would hold their list of vendors and the discount and payment terms for each. With that key knowledge, he next used a software program to identify all the working hosts on the network, and it didn't take him long to locate the correct server used by the Accounting department. From the arsenal of hacker tools on his laptop, he launched one program and used it to identify all of the authorized users on the target server. With another, he then ran a list of commonly used passwords, such as "blank" and "password" itself. "Password" worked. No surprise there. People just lose all creativity when it comes to choosing passwords. Only six minutes gone, and the game was half over. He was in. Another three minutes to very carefully add his new company, address, phone number, and contact name to the list of customers. And then for the crucial entry, the one that would make all the difference: the entry that said all items were to be sold to him at 1 percent over Honorable Auto Parts' cost. In slightly under ten minutes, he was done. He stopped long enough to tell Kaila thanks, he was through checking his emails. And he had reached Mike Talbot: change of plans, he was on his way to a meeting at a client's office. And he wouldn't forget about recommending her for that job in Marketing, either.
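The password-guessing step above is the part of the story a defender can actually catch: one source address fails against many distinct accounts inside a few minutes, then succeeds. The script below is an added example, not code from the book or from any system in the story; it runs that detection over constructed authentication log lines. The log format, hostnames, addresses, account names and the "5 minutes / 4 accounts" thresholds are all assumptions for the example and would be adapted to a real auth log.

```python
"""Password-spray detection over authentication log lines (added example).

The intruder in the story tried a handful of common passwords against every account
on the accounting server and got a hit within six minutes. The signature of that
activity in an auth log is: one source, failures against many distinct users in a
short window, then a success from the same source. This script flags exactly that.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real product's format):
#   "<ISO timestamp> <host> auth: <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: 10.20.30.77 is the visitor's laptop on the conference-room
# port; 10.20.30.15 is a legitimate user who mistyped once. Names are invented.
SAMPLE_LOG = """\
2002-10-17T14:02:11 acct-srv auth: FAIL user=jsmith src=10.20.30.77
2002-10-17T14:02:12 acct-srv auth: FAIL user=mtalbot src=10.20.30.77
2002-10-17T14:02:12 acct-srv auth: FAIL user=kaila src=10.20.30.77
2002-10-17T14:02:13 acct-srv auth: FAIL user=pmilton src=10.20.30.77
2002-10-17T14:02:13 acct-srv auth: FAIL user=admin src=10.20.30.77
2002-10-17T14:02:14 acct-srv auth: FAIL user=jsmith src=10.20.30.77
2002-10-17T14:02:15 acct-srv auth: OK user=admin src=10.20.30.77
2002-10-17T14:05:00 acct-srv auth: FAIL user=jsmith src=10.20.30.15
2002-10-17T14:05:30 acct-srv auth: OK user=jsmith src=10.20.30.15
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_spray(log_text, window=timedelta(minutes=5), min_users=4):
    """Return one alert per source that failed against >= min_users distinct accounts
    within `window`. Severity is 'high' when the same source also logged in
    successfully after the spray began (the "'Password' worked" moment)."""
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events_by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]

        # Slide a time window over the failures; keep the window with the most
        # distinct usernames, since spraying is "many users, few passwords".
        best_users, best_start = set(), None
        start = 0
        for end, ev in enumerate(fails):
            while ev["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, fails[start]["ts"]
        if len(best_users) < min_users:
            continue

        compromised = sorted({e["user"] for e in events
                              if e["result"] == "OK" and e["ts"] >= best_start})
        alerts.append({
            "src": src,
            "distinct_users": len(best_users),
            "severity": "high" if compromised else "medium",
            "compromised": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

Running it on the sample log reports a single high-severity alert for 10.20.30.77 (five distinct accounts sprayed, `admin` then compromised) and nothing for the legitimate user's single typo. The thresholds matter: in the story the whole spray took well under the five-minute window, so a detector that only counts failures per account (the usual lockout logic) never fires, because each account sees only one or two attempts.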
Analyzing the Con
The intruder who called himself Peter Milton used two psychological subversion techniques-one planned, the other improvised on the spur of the moment. He dressed like a management worker earning good money. Suit and tie, hair carefully styled-these seem like small details, but they make an impression. I discovered this myself, inadvertently. In a short time as a programmer at GTE California-a major telephone company no longer in existence-I discovered that if I came in one day without a badge, neatly dressed but casual-say, sports shirt, chinos, and Dockers-I'd be stopped and questioned. Where's your badge, who are you, where do you work? Another day I'd arrive, still without a badge but in a suit and tie, looking very corporate. I'd use a variation of the age-old piggybacking technique, blending in with a crowd of people as they walk into a building or a secure entrance. I would latch onto some people as they approached the main entrance, and walk in chatting with the crowd as if I were one of them. I walked past, and even if the guards noticed I was badge-less, they wouldn't bother me because I looked like management and I was with people who were wearing badges. From this experience, I recognized how predictable the behavior of security guards is. Like the rest of us, they were making judgments based on appearances-a serious vulnerability that social engineers learn to take advantage of. The attacker's second psychological weapon came into play when he noticed the unusual effort that the receptionist was making. Handling several things at once, she didn't get testy but managed to make everyone feel they had her full attention. He took this as the mark of someone interested in getting ahead, in proving herself. And then when he claimed to work in the Marketing department, he watched to see her reaction, looking for clues to indicate if he was establishing a rapport with her. He was.
To the attacker, this added up to someone he could manipulate through a promise of trying to help her move into a better job. (Of course, if she had said she wanted to go into the Accounting department, he would have claimed he had contacts for getting her a job there, instead.) Intruders are also fond of another psychological weapon used in this story: building trust with a two-stage attack. He first used that chatty conversation about the job in Marketing, and he also used "name-dropping"-giving the name of another employee-a real person, incidentally, just as the name he himself used was the name of a real employee. He could have followed up the opening conversation right away with a request to get into a conference room. But instead he sat down for a while and pretended to work, supposedly waiting for his associate, another way of allaying any possible suspicions, because an intruder wouldn't hang around. He didn't hang around for very long, though; social engineers know better than to stay at the scene of the crime any longer than necessary. Just for the record: By the laws on the books at the time of this writing, Anthony had not committed a crime when he entered the lobby. He had not committed a crime when he used the name of a real employee. He had not committed a crime when he talked his way into the conference room. He had not committed a crime when he plugged into the company's network and searched for the target computer. Not until he actually broke in to the computer system did he break the law.
MITNICK MESSAGE
Allowing a stranger into an area where he can plug a laptop into the corporate network increases the risk of a security incident. It's perfectly reasonable for an employee, especially one from offsite, to want to check his or her email from a conference room, but unless the visitor is established as a trusted employee or the network is segmented to prevent unauthorized connections, this may be the weak link that allows company files to be compromised.
SNOOPING ON KEVIN
Many years ago when I was working in a small business, I began to notice that each time I walked into the office that I shared with the three other computer people who made up the IT department, this one particular guy (Joe, I'll call him here) would quickly toggle the display on his computer to a different window. I immediately recognized this as suspicious. When it happened two more times the same day, I was sure something was going on that I should know about. What was this guy up to that he didn't want me to see? Joe's computer acted as a terminal to access the company's minicomputers, so I installed a monitoring program on the VAX minicomputer that allowed me to spy on what he was doing. The program acted as if a TV camera was looking over his shoulder, showing me exactly what he was seeing on his computer. My desk was next to Joe's, I turned my...