to her.
The Fourth Call: Bart in Publications
In Publications, she spoke with a man named Bart. Didi said she was from Thousand Oaks, and they had a new consultant who needed a copy of the company directory. She told him a print copy would work better for the consultant, even if it was somewhat out of date. Bart told her she'd have to fill out a requisition form and send the form over to him.
Didi said she was out of forms and it was a rush, and could Bart be a sweetheart and fill out the form for her? He agreed with a little too much enthusiasm, and Didi gave him the details. For the address of the fictional contractor, she drawled the number of what social engineers call a mail drop, in this case a Mail Boxes Etc.-type of commercial business where her company rented boxes for situations just like this.
The earlier spadework now came in handy: There would be a charge for the cost and shipping of the directory. Fine - Didi gave the cost center for Thousand Oaks:
"IA5N, that's N like in Nancy."
A few days later, when the corporate directory arrived, Didi found it was an even bigger payoff than she had expected: It not only listed the names and phone numbers, but also showed who worked for whom - the corporate structure of the whole organization.
The lady of the husky voice was ready to start making her head-hunter, people-raiding phone calls. She had conned the information she needed to launch her raid using the gift of gab honed to a high polish by every skilled social engineer. Now she was ready for the payoff.
LINGO
MAIL DROP: The social engineer's term for a rental mailbox, typically rented under an assumed name, which is used to deliver documents or packages the victim has been duped into sending.
MITNICK MESSAGE
Just like pieces of a jigsaw puzzle, each piece of information may be irrelevant by itself. However, when the pieces are put together, a clear picture emerges. In this case, the picture the social engineer saw was the entire internal structure of the company.
Analyzing the Con
In this social engineering attack, Didi started by getting phone numbers for three departments in the target company. This was easy, because the numbers she was asking for were no secret, especially to employees. A social engineer learns to sound like an insider, and Didi was skilled at this game. One of the phone numbers led her to a cost center number, which she then used to obtain a copy of the firm's employee directory. The main tools she needed: sounding friendly, using some corporate lingo, and, with the last victim, throwing in a little verbal eyelash-batting. And one more tool, an essential element not easily acquired - the manipulative skills of the social engineer, refined through extensive practice and the unwritten lessons of bygone generations of confidence men.
MORE "WORTHLESS" INFO
Besides a cost center number and internal phone extensions, what other seemingly useless information can be extremely valuable to your enemy?
Peter Abel's Phone Call
"Hi," the voice at the other end of the line says. "This is Tom at Parkhurst Travel. Your tickets to San Francisco are ready. Do you want us to deliver them, or do you want to pick them up?"
"San Francisco?" Peter says. "I'm not going to San Francisco."
"Is this Peter Abels?"
"Yes, but I don't have any trips coming up."
"Well," the caller says with a friendly laugh, "you sure you don't want to go to San Francisco?"
"If you think you can talk my boss into it..." Peter says, playing along with the friendly conversation.
"Sounds like a mix-up," the caller says. "On our system, we book travel arrangements under the employee number. Maybe somebody used the wrong number. What's your employee number?"
Peter obligingly recites his number. And why not? It goes on just about every personnel form he fills out, lots of people in the company have access to it - human resources, payroll, and, obviously, the outside travel agency. No one treats an employee number like