Security and Crime News
Gambling with security
By Kevin Mitnick
On his first day, he approached a very relaxed employee and quickly found the person discussing details of his job. He told Whurley he lost his employee badge all the time, and would share a badge with another employee to get in for the free meals provided in the staff cafeterias.
Whurley's audit task was to get into the casino's offices, take time-stamped digital photos of himself in places he shouldn't be, and then install a wireless access point so he could remotely hack into their systems. He would then retrieve the access point. He wanted access to any systems that ran the financials or held sensitive information, such as visitor information.
That night he heard a radio promotion for a fitness club offering a special for service industry employees. At the club, he targeted a lady named Lenore.
"In 15 minutes we established a spiritual connection," Whurley says, adding Lenore was an auditor and if he could penetrate the casino's financial systems the client was sure to see that as a huge security flaw.
He observed her non-verbal signals and then threw out something that would lead her to say, "Oh, me too".
Later, over dinner, Whurley told her he was new to Vegas and looking for a job, that he had gone to a major university and had a degree in finance. She spent the next couple of hours sharing details about her job.
The next morning, he packed a bag with a laptop notebook, wi-fi gateway and accessories before arriving at the casino's employee entrance at shift change, positioning himself to observe the entrance. A few minutes of waiting and the entryway was clear; not what he wanted. "I headed across the street towards the guard who was leaving the building and prepared to use my favourite disarming question," Whurley says. As the guard passed him, Whurley asked for the time: "One thing I've noticed is that if you approach someone from the front, they're almost always more defensive than if you let them get slightly past you before you address them."
While they talked, another employee called the guard by his nickname, "Cheesy".
As Whurley reached the entrance he said to the desk guard: "Hey, have you seen Cheesy? He owes me $20 on the game and I need the money to get some lunch."
"What the hell are you buying lunch for anyway?" the guard chuckled, suspicious.
"I'm meeting a little honey for lunch," Whurley said. As he breezed through, the guard challenged him for ID.
"It's in my bag, sorry about that," Whurley said, digging through his stuff as he walked away. Whurley was now inside the entrance but had no idea where to go; there weren't a lot of people he could follow but he had little fear of being challenged.
"I was wearing blue - the truth colour - and dressed as if I were a junior executive," he says, "so it was highly unlikely they would question me."
As he walked the hallway, he noticed a camera room. He walked into the inner room and "cleared my throat and before they could challenge me, I said: 'Focus on the girl on 23'."
The men gathered around display 23 and began talking.
As he left, he said: "Oh, I'm Walter with Internal Audit. I just got hired on to Dan Moore's staff," using the name of the head of Internal Audit that he had picked up in one of his conversations. "And I've never been to this property so I'm a little lost. Could you point me in the direction of the executive offices?"
Whurley set out in the direction they indicated and found a break room where a young woman, Megan, was reading a magazine. Megan said she had a couple of badges, some internal memos, and a box of papers that belonged back at the main resort group Internal Audit office. Whurley thought, "Wow, now I have a badge!"
"As I'm walking out, I see an open, empty office," Whurley says. "It has two network ports so I go back to Megan and say I forgot to look at her system and the one in the boss's office. She lets me sit at her desk, gives me her password and then has to use the rest room. I tell her I'm going to add a network security monitor and show her the wireless access point."
He installed the wireless access point and restarted her desktop.
"I start surfing through her hard drive and find all kind of good stuff," Whurley says. She was the executives' administrator and organised their files by name. He grabbed everything he could using his key-chain 256 MB USB flash drive and took a picture of himself sitting in the main executive's office. After a few minutes Megan returned, and he asked her for directions to the Network Operations Centre.
There he ran into serious trouble. "The network room was marked but the door locked," he says, and he didn't have a badge that would give him access so he knocked.
"A gentleman comes to the door and I tell him the same story I've been using. Except what I don't know is that this guy's boss - the IT director (Richard) - is sitting in the office.
"Richard asks who I'm with, where my badge is, and a half dozen other questions in rapid succession. He then says: 'Why don't you come into my office while I call Internal Audit and we'll get this cleared up'.
"I tell him, 'You got me!' and I shake his hand. I then reach for a business card, saying I've been inside the bowels of the casino for a couple of hours and not one person has challenged me, and that he was the first and was probably going to look pretty good in my report."
An amazing transformation took place: Richard began asking Whurley about what he had seen, people's names, and explained that he had been doing his own audit in an attempt to get an increase in the security budget to make the operations centre more secure, with "biometrics and the whole works".
Whurley took advantage, suggesting they could talk about it over lunch and they headed off to the cafeteria. "Notice that we haven't called anyone yet at this point," Whurley says. "So I suggest that we place that call, and he says, 'You've got a card, I know who you are'.
"He asked about my networking background and we started talking about the AS400s that the casino is running everything on. The fact that things went this way can be described in two words - very scary."
Scary because the man is the director of IT, responsible for computer security, and is sharing all kinds of inside information without ever taking the most basic step of verifying his visitor's identity.
Whurley observed that "mid-level managers don't ever want to be put on the spot".
After lunch, Richard brought Whurley back to the operations centre. "When we walk in, he introduces me to Larry, the main systems administrator for the AS400s. He explains that I'm going to be ripping them in an audit in a few days."
Whurley spent a few minutes getting an overview of the systems from Larry, gathering more information for his report. "I told him that it would help me to help him faster if I had a network diagram, firewall access control lists, which he provided only after calling Richard for approval."
He said to Larry that he needed to go back to get the access point and needed a badge "so I could let myself back into the NOC", Whurley says. Larry seemed reluctant, so Whurley recommended he call Richard, who had a better idea: the casino had recently let several employees go and nobody deactivated them, "so it would be all right for him to just use one of those".
A phone call came in from Larry's wife, who was angry and upset. Larry said to his wife, "Listen, I can't talk. I have someone here in the office."
Whurley offered to grab one of the badges if Larry would show him where they were.
"Larry walked me over to a filing cabinet, opened a drawer, and said: 'Take one of these'. I noticed there was no sign-out sheet or log of the badge numbers, so I took two." He now had a badge that would give him access to the operations centre. "I set the stopwatch on my phone to count down 20 minutes," Whurley says, "enough time for me to do some exploring without drawing suspicion from Larry."
Whurley hoped to discover the computer where badge access privileges were controlled so he could modify the access on his two badges. He decided to ask the guard at the entrance. The guard didn't even ask why.
"I located the control system and walked into the small networking closet where it was located," Whurley says. "There I found a PC with the list for the ID badges already open. No screen saver, no password - nothing to slow me down."
This is typical: "People have an 'out of sight, out of mind' mentality," he says. "If a system is in a controlled access area, they think there isn't any need to protect the computer. I thought I should take the extra badge, add access privileges, switch the name, and then switch it with an employee who would wander around the casino, inadvertently helping me to muddy the audit logs. But who would I choose? Why, Megan, of course."
He explained he had completed the test and needed to get that equipment back.
He told Megan he needed her help: "Most social engineers would agree that people are too willing to help," he says. A few moments later, Megan had a badge that would confuse things while Whurley had her badge as well as the badge that would tag him as an executive in the logs. When Whurley got back to Larry's office, he saw how things were going with Larry's wife; he and Larry spent almost an hour talking about marriage.
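The badge-handling failures in this passage (departed employees' badges never deactivated, no sign-out log, and badge records edited to change the holder or add access zones) can be caught by reconciling two exports of the access-control system against the HR roster. This is an added defender-side example, not code from the article or from the casino; the export format, HR roster, names and badge numbers are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Badge:
    badge_id: str
    holder: str
    active: bool
    areas: frozenset  # access zones granted to this badge
# Constructed sample data (not real people or badge numbers).
HR_ROSTER = {"Megan Hall": "employed", "Larry Stone": "employed",
             "Jane Doe": "terminated", "Bob Ray": "terminated"}
# Export before the audit: two departed employees' badges never deactivated.
BADGES_BEFORE = [
    Badge("B100", "Megan Hall", True, frozenset({"offices"})),
    Badge("B101", "Larry Stone", True, frozenset({"offices", "noc"})),
    Badge("B200", "Jane Doe", True, frozenset({"offices"})),
    Badge("B201", "Bob Ray", True, frozenset({"offices"})),
]
# Export afterwards: B200 renamed to a current employee and given extra zones.
BADGES_NOW = [
    Badge("B100", "Megan Hall", True, frozenset({"offices"})),
    Badge("B101", "Larry Stone", True, frozenset({"offices", "noc"})),
    Badge("B200", "Megan Hall", True, frozenset({"offices", "noc", "exec"})),
    Badge("B201", "Bob Ray", True, frozenset({"offices"})),
]

def stale_active_badges(badges, roster):
    """Active badges whose holder HR lists as terminated (or does not know)."""
    return sorted(b.badge_id for b in badges
                  if b.active and roster.get(b.holder) != "employed")

def changed_badges(before, now):
    """Badges whose holder name or access zones were edited between exports."""
    prev = {b.badge_id: b for b in before}
    findings = []
    for b in now:
        old = prev.get(b.badge_id)
        if old and old.holder != b.holder:
            findings.append((b.badge_id, "holder", f"{old.holder} -> {b.holder}"))
        if old and b.areas - old.areas:
            findings.append((b.badge_id, "areas_added", ",".join(sorted(b.areas - old.areas))))
    return findings

def duplicate_holders(badges):
    """People holding more than one active badge (shared or swapped badges)."""
    by_holder = defaultdict(list)
    for b in badges:
        if b.active:
            by_holder[b.holder].append(b.badge_id)
    return {h: sorted(ids) for h, ids in by_holder.items() if len(ids) > 1}
```

Running the checks together matters: once B200 is renamed to a current employee it drops out of the stale-badge check, and only the export-to-export diff and the duplicate-holder check reveal the edit.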
"I explain to Larry that my laptop has special auditing software I need to run against the network."
Whurley scanned the network and compromised both Windows and Linux machines because of poor password management, and then spent nearly two hours copying information off the network and burning to DVD, "which was never questioned".
At the review meeting, the head of Internal Audit complained that Whurley had no right to access the systems in a physical way because "that wasn't how they would be attacked". Whurley was told what he did bordered on "criminal" and that the client didn't appreciate his actions.
Whurley: "Why did the casino think that what I did was unfair? The answer was simple. My report could cause them to be audited by the Gaming Commission, which could have financial repercussions."
Whurley was paid in full but "they made it very clear that they didn't really want to see me around any more".
"I'll probably never work in Vegas again," he laments.
Maybe the Gaming Commission needs the services of an ethical hacker who already knows his way around the back areas of a casino.
Social engineering is information security's weakest link yet we find company after company deploying technologies to protect their computing resources against technical invasion by hackers but we find little attention is given to countering the threats posed by social engineers.
It is essential to educate and train employees how to protect themselves from being duped.
The challenge to defend against human-based vulnerabilities is substantial. Protecting the organisation from being victimised by hackers using social engineering tactics has to be the responsibility of every employee, even those who don't use computers.
Executives, switchboard operators, receptionists, cleaning crew, garage attendants, and most especially, new employees - all can be exploited by social engineers. The human element is information security's weakest link. Are you going to be the weak link that a social engineer is able to exploit in your company?
The naked social engineer: Dissecting Whurley's con
Trappings of the role
The social engineer exhibits a few characteristics of the role in which he masquerades, such as mentioning the name of the target's boss or other employees, or using company or industry terminology or jargon. Most of us tend to fill in the blanks when given just a few characteristics of a role - we see a man dressed like an executive and assume he's smart, focused, and reliable.
When Whurley entered the camera room, he was dressed like an executive, he spoke with a commanding authority, and he gave what the men in the room took to be an order to action. Once we accept someone, we make inferences attributing other characteristics.
Whurley suggested to IT manager Richard that the two have lunch, realising that being together immediately establishes his credibility with any employee who noticed them.
Forcing the target into a role (altercasting)
Altercasting means manoeuvring the target into an alternative role, such as forcing submission by being aggressive. In his conversations with Lenore, Whurley put himself into a needy role to manoeuvre her into a helper role, the most common form. The target then finds it awkward to back off.
Distracting from systematic thinking
People process information systematically or heuristically. When processing systematically, we think carefully about a request but when processing heuristically we take mental shortcuts. When Larry needed to handle his wife, Whurley used the situation to land an employee's badge.
The desire to help
Helping makes us feel empowered, gets us out of a bad mood and makes us feel good about ourselves. When Whurley showed up at the employees' entrance of the casino, the guard believed his story about taking a "honey" to lunch and didn't become insistent when Whurley walked away without showing ID.
We are more likely to say "yes" to requests from people we like. Whurley got information from Lenore by gauging her reactions and continually tailoring remarks to things to which she would respond. This led her to feel that they shared similar tastes and interests ("Me, too!").
A social engineer will sometimes make the target believe something terrible will happen, but that the impending disaster can be averted if the target does as the attacker suggests. A social engineer masquerading as a company executive may target a junior with an urgent demand, with the implication that the underling will get into trouble for not complying.
The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers (ISBN 0764569597) by Kevin D. Mitnick and William L. Simon goes on sale this week for $45.95.
The high price of cyber infamy
Once one of the world's most wanted cyber criminals, Kevin Mitnick is now on the book and lecture circuit teaching organisations how to resist hackers.
His high-profile hacks during the 1990s set him on the run, pursued by US law enforcement agencies. It also inspired many newspaper articles, several books and even a film of his exploits.
Mitnick rose to legendary status as a result of his intrusions into many big organisations' computer networks - Nokia, Novell and the Pentagon among them. But he is most renowned for an uncanny ability to manipulate people into divulging sensitive information, known as "social engineering".
That infamy had him spending eight months of his five-year jail term in solitary confinement when the judge was convinced he could start a nuclear war by whistling musical modem tones into a telephone line connected to NORAD's mainframe.
Since his 2000 release from jail, he has worked as a security consultant and written two books - The Art of Deception and The Art of Intrusion, to be released this week.
It was only in 2003 that he was again permitted to access the internet or computers, after a seven-year ban. That didn't stop the Los Angeles chapter of the Information Systems Security Association, a group for industry professionals, banning him from their meetings. After initially accepting his application, and emailing him a password to access its members-only site, the group revoked the privileges saying his past activities precluded him from joining under its code of ethics.
The best firewall
Get your workers to thwart hackers
Role-playing shows how to resist social vulnerabilities.
Training emphasises each worker's responsibility to protect information. For instance, non-sensitive information may be used by a social engineer to create the illusion of credibility, likeability and trustworthiness.
Show how security protects the business and how negligence can cause harm.
It's OK to say "no". Sensitive requests should be declined gracefully until the authorisation of the person requesting the information is verified.
Management should say that workers will never be asked to circumvent security and they will not get into trouble for following procedure, even if directed by a manager to violate it.
© J. R. Roberts, Security Strategies