The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

Authors: Kevin D. Mitnick, William L. Simon

I don't really know much about that geeky stuff."

Chapter 10 Social Engineers -- How They Work and How to Stop Them

While she was out, he installed the wireless access point and restarted her desktop. Then he realized he had a 256MB universal serial bus (USB) flash drive on his key chain and full access to Megan's computer. "I start surfing through her hard drive and find all kind of good stuff." It turned out that she was the executive administrator for every one of the executives and that she had organized their files by name "all nice and neat." He grabbed everything he could, then, using the timer feature on his digital camera, took a picture of himself sitting in the main executive's office. After a few minutes Megan returned, and he asked her for directions to the Network Operations Center (NOC).

There he ran into "serious trouble." He said, "First off, the network room was marked . . . which was cool. However, the door is locked." He didn't have a badge that would give him access and tried knocking.

A gentleman comes to the door and I tell him the same story I've been using: "Hi, I'm Walter with Internal Audit and blah, blah, blah." Except what I don't know is that this guy's boss -- the IT director -- is sitting in the office. So the guy at the door says "Well, I need to check with Richard. Wait here a second." He turns around and tells another guy to get Richard and let him know that there is someone "claiming" to be from Internal Audit at the door. A few moments later, I get busted. Richard asks who I'm with, where my badge is, and a half dozen other questions in rapid succession. He then says, "Why don't you come into my office while I call Internal Audit and we'll get this cleared up."

Whurley figured that "This guy has totally busted me." But then, "Thinking quickly, I tell him 'You got me!' and I shake his hand. I then tell him 'My name is Whurley.' And I reach in my bag for a business card. I then tell him that I've been down inside the bowels of the casino for a couple of hours and not one person has challenged me, and that he was the first and was probably going to look pretty good in my report. I then say, 'Let's go sit in your office while you call over so you know everything is legitimate. Besides,' I say, 'I need to go ahead and tell Martha, who is in charge of this operation, about a couple of the things I've seen down here.'"

For an on-the-spot gambit in a tight situation, it turned out to be brilliant. An amazing transformation took place. Richard began asking Whurley about what he had seen, people's names, and so on, and then explained that he had been doing his own audit in an attempt to get an increase in the security budget to make the NOC more secure, with "biometrics and the whole works." And he suggested that maybe he could use some of Whurley's information to help him achieve his goal.

By then it was lunch time. Whurley took advantage of the opening by suggesting that maybe they could talk about it over lunch, which Richard seemed to think was a good idea, and they headed off together to the staff cafeteria. "Notice that we haven't called anyone yet at this point. So I suggest that we place that call, and he says, 'You've got a card, I know who you are.'" So the two ate together in the cafeteria, where Whurley got a free meal and made a new "friend."

"He asked about my networking background and we started talking about the AS400s that the casino is running everything on. The fact that things went this way can be described in two words -- very scary." Scary because this man, the director of IT and the person responsible for computer security, was sharing all kinds of privileged inside information with Whurley but had never taken the most basic step of verifying his identity.

Commenting on this, Whurley observed that "mid-level managers don't ever want to be put 'on the spot.' Like most of us, they never want to be wrong or get caught making an obvious mistake. Understanding their mindset can be a huge advantage." After lunch, Richard brought Whurley back to the NOC.

"When we walk in, he introduces me to Larry, the main systems administrator for the AS400s. He explains to Larry that I'm going to be 'ripping' them in an audit in a few days, and he had had lunch with me and got me to agree to do a preliminary audit and save them any major embarrassment" when it came time for the actual audit. Whurley then spent a few minutes getting an overview of the systems from Larry, gathering more useful information for his report; for example, that the NOC stored and processed all of the aggregate data for the entire resort group.

I told him that it would help me to help him faster if I had a network diagram, firewall Access Control Lists, and so on, which he provided only after calling Richard for approval. I thought, "Good for him."

Whurley suddenly realized that he had left the wireless access point back in the executive offices. Though the chances that he would be caught had dropped dramatically since establishing his rapport with Richard, he explained to Larry that he needed to go back to get the access point he had left. "To do this I would need a badge so I could let myself back into the NOC and come and go as I pleased." Larry seemed a bit reluctant to do this, so Whurley recommended that he call Richard again. He called and told Richard that the visitor wanted to be issued a badge; Richard had an even better idea: The casino had recently let several employees go, and their badges were in the NOC and nobody had found the time yet to deactivate them, "so it would be all right for him to just use one of those."

Whurley went back to having Larry explain the systems and describe the security measures they had recently taken. A phone call came in from Larry's wife, apparently angry and upset about some ongoing issue. Whurley pounced on this volatile situation, recognizing he could benefit. Larry said to his wife, "Listen, I can't talk. I have someone here in the office." Whurley motioned for Larry to put his wife on hold for a second and then offered advice about how important it was for him to work through the problem with her. And he offered to grab one of the badges if Larry would show him where they were.

"So Larry walked me over to a filing cabinet, opened a drawer, and just said 'Take one of these.' He then walked back to his desk and picked up the phone. I noticed that there was no sign-out sheet or log of the badge numbers, so I took two of the several that were there." He now had not just a badge, but one that would allow him access to the NOC at any time.

Whurley then headed back to see his new friend Megan, recover his wireless access point, and see what else he could find out. And he could take his time about it.

I figured the time wouldn't really matter because he'd be on the phone with his wife and he'd stay distracted for longer than he thought. I set the stopwatch on my phone to count down twenty minutes, enough time for me to do some exploring without drawing additional suspicion from Larry, who appeared to suspect something was up.

Anyone who has worked in an IT department knows that ID badges are tied to a computer system: the badge itself carries only an identifier, and which doors it opens is a record in the access-control software, so whoever can reach that PC can grant any badge access anywhere in the building. Whurley was hoping to discover the computer where badge access privileges were controlled so he could modify the access on the two badges he had. He walked through the corridors looking into offices for the badge control system, which proved harder than he thought. He felt frustrated and stumped.

He decided to ask someone and settled on the guard who had been so friendly at the employees' entrance. By now many people had seen him with Richard, so that suspicions were almost nonexistent. Whurley found his mark and told him that he needed to see the building access control system. The guard didn't even ask why. No trouble. He was told exactly where to find what he was looking for.

"I located the control system and walked into the small networking closet where it was located. There I found a PC on the floor with the list for the ID badges already open. No screen saver, no password -- nothing to slow me down." In his view, this was typical. "People have an 'out of sight, out of mind' mentality. If a system like this is in a controlled access area, they think there isn't any need to be diligent about protecting the computer."

In addition to giving himself all-areas access, there was one more thing he wanted to do:

Just for fun, I thought I should take the extra badge, add some access privileges, switch the name, and then switch it with an employee who would be wandering around the casino, inadvertently helping me to muddy the audit logs. But who would I choose? Why Megan, of course -- it would be easy to switch the badges with her. All I would have to do is tell her I needed her help with the audit.

When Whurley walked in, Megan was as friendly as ever. He explained that he had completed the test and needed to get that equipment back. He then told Megan that he needed her help. "Most social engineers would agree that people are too willing to help." He needed to see Megan's badge to check it against the list he had. A few moments later, Megan had a badge that would confuse things even further, while Whurley had her badge as well as the badge that would tag him as an executive in the logs.
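The badge failures in this part of the story (departed employees' badges left active and handed out with no log, a holder name and privilege set edited on an unattended access-control PC, and badges swapped between people so the door logs no longer say who was where) are all visible to anyone who reconciles the badge system against HR. The following script is an added example written for this page, not code from the book or from the casino; the employee ids, badge ids, door names and events are constructed for illustration, and the record layout is an assumed export format rather than any real product's.

```python
"""Reconcile badge-system records and door events against the HR roster.

Added example, not from the book.  Flags the conditions described in the
story: active badges for people HR says have left, badge records whose
holder name no longer matches HR, active badges with no HR record behind
them, door events after a holder's last day, and events from badge ids
the system does not know.  All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class BadgeRecord:
    holder: str                       # name stored in the badge system
    employee_id: str                  # link to the HR roster
    active: bool
    areas: List[str] = field(default_factory=list)


@dataclass
class AccessEvent:
    badge_id: str
    door: str
    when: datetime


# Constructed HR roster: employee id -> (name, termination date or None).
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "E100": ("Megan", None),
    "E101": ("Larry", None),
    "E102": ("Sam", date(2004, 3, 1)),    # let go, badge never deactivated
    "E103": ("Alex", date(2004, 3, 1)),   # let go, badge later re-labelled
}

# Constructed badge-system export (hypothetical layout).
BADGE_RECORDS: Dict[str, BadgeRecord] = {
    "B001": BadgeRecord("Megan", "E100", True, ["exec_offices"]),
    "B002": BadgeRecord("Larry", "E101", True, ["noc"]),
    "B003": BadgeRecord("Sam", "E102", True, ["noc"]),
    # Holder name switched and privileges widened on the unattended PC.
    "B004": BadgeRecord("Megan", "E103", True, ["noc", "exec_offices"]),
    "B005": BadgeRecord("Contractor", "E999", True, ["noc"]),  # no HR record
}

# Constructed door events from one day.
ACCESS_EVENTS: List[AccessEvent] = [
    AccessEvent("B001", "exec_offices", datetime(2004, 3, 10, 9, 5)),
    AccessEvent("B003", "noc", datetime(2004, 3, 10, 13, 40)),
    AccessEvent("B004", "exec_offices", datetime(2004, 3, 10, 14, 2)),
    AccessEvent("B999", "noc", datetime(2004, 3, 10, 14, 30)),  # unknown id
]


def audit_badges(roster: Dict[str, Tuple[str, Optional[date]]],
                 records: Dict[str, BadgeRecord],
                 events: List[AccessEvent]) -> Dict[str, List[str]]:
    """Return badge ids grouped by finding type (sorted, de-duplicated)."""
    findings: Dict[str, List[str]] = {
        "terminated_active": [],      # active badge, employee has left
        "name_mismatch": [],          # badge holder name differs from HR
        "unassigned_active": [],      # active badge with no HR record
        "use_after_termination": [],  # door event after the last day
        "unknown_badge": [],          # event from an id not in the system
    }
    for badge_id, rec in records.items():
        hr = roster.get(rec.employee_id)
        if hr is None:
            if rec.active:
                findings["unassigned_active"].append(badge_id)
            continue
        hr_name, left_on = hr
        if rec.active and left_on is not None:
            findings["terminated_active"].append(badge_id)
        if rec.holder != hr_name:
            findings["name_mismatch"].append(badge_id)
    for ev in events:
        rec = records.get(ev.badge_id)
        if rec is None:
            findings["unknown_badge"].append(ev.badge_id)
            continue
        hr = roster.get(rec.employee_id)
        if hr is not None and hr[1] is not None and ev.when.date() >= hr[1]:
            findings["use_after_termination"].append(ev.badge_id)
    return {kind: sorted(set(ids)) for kind, ids in findings.items()}


if __name__ == "__main__":
    for kind, ids in audit_badges(HR_ROSTER, BADGE_RECORDS, ACCESS_EVENTS).items():
        print(f"{kind:24s} {', '.join(ids) or '-'}")
```

Run against the constructed data, the check reports B003 and B004 as active badges belonging to departed employees (and used at doors after their last day), B004 as the badge whose holder name was rewritten, B005 as an active badge nobody in HR owns, and B999 as a door event from a badge the system has never issued. The first of those findings is exactly the condition Richard waved through, and a daily run of this reconciliation would have closed it before an auditor walked in.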

When Whurley got back to Larry's office, the distraught manager was just finishing the call with his wife. Finally hanging up, he was ready to continue their conversation. Whurley asked him to explain the network diagrams in detail, but soon interrupted and, to disarm him, asked how things were going with Larry's wife. The two men spent almost an hour talking about marriage and other life issues.

At the end of our talk, I was convinced that Larry wouldn't be causing me any more issues. So, now I explain to Larry that my laptop has special auditing software I need to run against the network. Since I usually have top gear, getting the laptop hooked up to the network is always easy because there isn't a geek on the planet who doesn't want to see it running.

After a while, Larry stepped away to make some phone calls and attend to other items. Left to himself, Whurley scanned the network and was able to compromise several systems, both Windows and Linux machines, because of poor password management, and then spent nearly two hours starting and stopping copies of information off the network and even burning some of the items to DVD, "which was never questioned."

After completing all of this I thought it would be funny, and useful, to try one more thing. I went to every individual that I had come in contact with -- and some that had just briefly seen me with others -- and told them some variant of "Well, I'm done. Say, could you do me a favor. I like to collect pictures of all the people and places I work at. Would you mind taking a picture with me?" This proved to be "amazingly simple."

Several people even offered to take the pictures of him with others in nearby offices. He had also secured badges, network diagrams, and access to the casino's network. And he had photos to prove it all.

At the review meeting, the head of Internal Audit complained that Whurley had no right to try to access the systems in a physical way because "that wasn't how they would be attacked." Whurley was also told that what he did bordered on "criminal" and that the client didn't at all appreciate his actions.

Whurley explained:

Why did the casino think that what I did was unfair? The answer was simple. I had not worked with any casino before and did not fully understand the regulations [they operate under]. My report could cause them to be audited by the Gaming Commission, which could potentially have actual financial repercussions.

Whurley was paid in full, so he didn't mind very much. He wished that he had left a better impression on the client but felt they pretty much hated the approach he had used and thought it unfair to them and to their employees. "They made it very clear that they didn't really want to see me around anymore."

That hadn't happened to him before; usually clients appreciated the results of his audits and saw them as what he called "mini-red teaming events or War Games," meaning they were okay with being tested using the same methods that a hostile hacker or social engineer might. "Clients almost always get a thrill out of it. I had, too, until this point in my career."

All in all, Whurley rates this Vegas experience as a success in the area of testing, but a disaster in the area of client relations. "I'll probably never work in Vegas again," he laments.

But then, maybe the Gaming Commission needs the consulting services of an ethical hacker who already knows his way around the back areas of a casino.

INSIGHT

Social psychologist Brad Sagarin, PhD, who has made a study of persuasion, describes the social engineer's arsenal this way: "There's nothing magic about social engineering. The social engineer employs the same persuasive techniques the rest of us use every day. We take on roles. We try to build credibility. We call in reciprocal obligations. But unlike most of us, the social engineer applies these techniques in a manipulative, deceptive, highly unethical manner, often to devastating effect."

We asked Dr. Sagarin to provide descriptions of the psychological principles underlying the most common tactics used by social engineers. In a number of cases, he accompanied his explanation with an example from the stories in the earlier Mitnick/Simon book, The Art of Deception (Wiley Publishing, Inc., 2002), that illustrated the particular tactic.

Each item begins with an informal, nonscientific explanation of the principle, and an example.

Trappings of Role

The social engineer exhibits a few behavioral characteristics of the role he or she is masquerading in. Most of us tend to fill in the blanks when given just a few characteristics of a role -- we see a man dressed like an executive and assume he's smart, focused, and reliable.
