Forwarded From: "Prosser, Mike" <Mike_Prosser@tds.com>
[Mike: FYI- this article calls "social engineering" phreaking, but other
than that it is an excellent example of just how easy it is for someone
good at social engineering (may not even have to be that good) to get
valuable access information.]
Low-tech break-ins a big problem
By Jim Kerstetter,
PC Week Online
July 31, 1998 4:04 PM PT
LAS VEGAS --- It took only four days of fast talking for security expert
Ira Winkler to make a bank's three firewalls irrelevant.
Winkler's relatively easy break-in to the unnamed bank, which relied more
on bluffing, or "phreaking," than technology, underscored one of the
themes at this week's Black Hat Briefings '98 conference here: Technology
is only a part-perhaps the smaller part-of the battle for information
security.
As such, security experts here implored companies to focus less on
technological solutions to information security and instead to implement
plans to stop the skilled saboteur who relies on guile and the fallibility
of employees.
Don't overlook the human factor
Security policies, deciding who has access to what, knowing how to use the
security tools already in place and common sense are the best ways to stop
the Huns at the gate, the experts said. Ignore the human element, and all
the unbreakable encryption, firewalls and sophisticated public-key
infrastructures are useless.
Case in point: Winkler's recent bank "attack," in which he was hired to
test the bank's security. The bank had three firewalls and was not easy to
break into electronically.
So Winkler picked up a telephone book. He also did some research on the
Web, discovering the bank's domain and other Internet address information
left on Usenet groups.
A few simple phone calls
He called an executive's secretary and told her he was from human
resources and working on a newsletter that planned to feature the
executive. He pumped her for the executive's background and, eventually,
his employee ID number.
Winkler noticed in classified ads that the bank was hiring a lot of
people, so he called the "new employee" office. Posing as the executive
whose secretary he'd spoken with two days earlier, he tricked someone
there into reading him a list of new hires and their employee ID numbers
over the telephone.
The next day he called those new hires and, posing as someone from IS,
tricked them into giving up their log-ons, user IDs and, ultimately, their
passwords. Seventy-three people took the bait.
With that information in hand, the only equipment Winkler needed was a PC
with a modem. "Someone said I would have had the capability to make $2
million transactions," he said.
Feeling useless
Some Black Hat attendees listening to Winkler's talk were horrified. "It
makes me feel kind of useless, to be honest with you," said one network
administrator from an East Coast bank.
The amount of data a thief conducting a "social engineering attack" can
steal often depends on skill at bluffing. Technology has little to do with
it, said Jeff Moss, director of security assessment services at Secure
Computer Corp., in Roseville, Minn. Moss is also the founder of the Black
Hat conference and its bad-boy sibling, the Def Con hackers' conference.
"I've known some people who are excellent 'phone phreakers' but [who] can
barely boot up their computers," he said.
But there are some things administrators can do. They can create and
enforce strict information management policies. They can train employees
on the dangers of phreakers and their ilk and warn them of the
consequences if they give up important information.
Double checks
To ensure authentication, administrators should move to two-factor
authentication: any combination of passwords, digital certificates,
hardware tokens, smart cards and biometric devices.
ID cards can also be used for different parts of the building. Someone
from the IS department, for example, should not be unaccompanied in the
accounting department.
In the end, the best prevention is common sense.
For example, administrators and employees should take important schematics
off the walls. Make sure management charts and employee directories don't
get into the wrong hands. And make sure that if users leave their desks
they have some sort of automatic lock-out, such as a low-cost screen saver
with a password.
"Sweat the small stuff," Winkler said. "That's what costs us billions."
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
Received on Wed Aug 5 12:25:13 1998