[ISN] Low-tech break-ins a big problem

From: mea culpa (jerichoat_private)
Date: Tue Aug 04 1998 - 17:59:15 PDT

  • Next message: mea culpa: "[ISN] Denver Key Bank customers' boxes looted"

    Forwarded From: "Prosser, Mike" <Mike_Prosserat_private>
    [Mike: FYI- this article calls "social engineering" phreaking, but other
     than that it is an excellent example of just how easy it is for someone
     good at social engineering (may not even have to be that good) to get
     valuable access information.]
    Low-tech break-ins a big problem
    By Jim Kerstetter, 
    PC Week Online 
    July 31, 1998 4:04 PM PT
    LAS VEGAS --- It took only four days of fast talking for security expert
    Ira Winkler to make a bank's three firewalls irrelevant. 
    Winkler's relatively easy break-in to the unnamed bank, which relied more
    on bluffing, or "phreaking," than technology, underscored one of the
    themes at this week's Black Hat Briefings '98 conference here:  Technology
    is only a part-perhaps the smaller part-of the battle for information
    As such, security experts here implored companies to focus less on
    technological solutions to information security and instead to implement
    plans to stop the skilled saboteur who relies on guile and the fallibility
    of employees. 
    Don't overlook the human factor
    Security policies, deciding who has access to what, knowing how to use the
    security tools already in place and common sense are the best ways to stop
    the Huns at the gate, the experts said. Ignore the human element, and all
    the unbreakable encryption, firewalls and sophisticated public-key
    infrastructures are useless.
    Case in point: Winkler's recent bank "attack," in which he was hired to
    test the bank's security. The bank had three firewalls and was not easy to
    break into electronically. 
    So Winkler picked up a telephone book. He also did some research on the
    Web, discovering the bank's domain and other Internet address information
    left on Usenet groups. 
    A few simple phone calls
    He called an executive's secretary and told her he was from human
    resources and working on a newsletter that planned to feature the
    executive. He pumped her for the executive's background and, eventually,
    his employee ID number. 
     Winkler noticed in classified ads that the bank was hiring a lot of
    people, so he called the "new employee" office. Posing as the executive
    whose secretary he'd spoken with two days earlier, he tricked someone
    there into reading him a list of new hires and their employee ID numbers
    over the telephone. 
    The next day he called those new hires and, posing as someone from IS,
    tricked them into giving up their log-ons, user IDs and, ultimately, their
    passwords. Seventy-three people took the bait. 
    With that information in hand, the only equipment Winkler needed was a PC
    with a modem. "Someone said I would have had the capability to make $2
    million transactions," he said. 
    Feeling useless
    Some Black Hat attendees listening to Winkler's talk were horrified. "It
    makes me feel kind of useless, to be honest with you," said one network
    administrator from an East Coast bank. 
    The amount of data a thief conducting a "social engineering attack" can
    steal often depends on skill at bluffing. Technology has little to do with
    it, said Jeff Moss, director of security assessment services at Secure
    Computer Corp., in Roseville, Minn. Moss is also the founder of the Black
    Hat conference and its bad-boy sibling, the Def Con hackers' conference. 
    "I've known some people who are excellent 'phone phreakers' but [who] can
    barely boot up their computers," he said. 
    But there are some things administrators can do. They can create and
    enforce strict information management policies. They can train employees
    on the dangers of phreakers and their ilk and warn them of the
    consequences if they give up important information. 
    Double checks
    To ensure authentication, administrators should move to two-factor
    authentication: any combination of passwords, digital certificates,
    hardware tokens, smart cards and biometric devices. 
    ID cards can also be used for different parts of the building. Someone
    from the IS department, for example, should not be unaccompanied in the
    accounting department. 
    In the end, the best prevention is common sense.
    For example, administrators and employees should take important schematics
    off the walls. Make sure management charts and employee directories don't
    get into the wrong hands. And make sure that if users leave their desks
    they have some sort of automatic lock-out, such as a low-cost screen saver
    with a password. 
    "Sweat the small stuff," Winkler said. "That's what costs us billions." 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:00:18 PDT