- Email: [email protected]
The arrest of Kevin Mitnick
Network Secufity
also a risk of unauthorized access to data as once a file server is physically accessed it is normally a simple task for a knowledgeable perpetrator to gain access to the data. We would recommend that wherever possible network file servers, gateways and routers are located in a secure and controlled environment. Although file servers are often high specification PCs it is also important to ensure that environmental controls such as air conditioning and uninterruptable power supplies are also considered to ensure the smooth operations of equipment. The relocation of file servers in a centralized computer room can also aid the administration of the network, and contrary to popular misconceptions through the utilization of centralized hubs, network performance can be enhanced by locating all servers on a single segment or by using techniques such as collapsing the backbone. Summary The above sections are based on a generalization of a large number of network reviews which have been performed,
March 1995
but the overall conclusion is that on the whole, local area networks are not subject to adequate controls and procedures and many organizations are exposed to significant business risks due to inefficient network management. We hold some sympathy for the network manager and support functions, as the growth of the network and associated technologies has been dramatic and the developers of the network operating systems have concentrated on the provision of tools for the users rather than the administrator. The good news is that some of the shortcomings of Network Operating Systems are now being addressed, As an example, Novell NetWare 4 is shipped with an excellent auditor function which will provide management with sophisticated audit trails which can be protected from access by the network administrator. NetWare 4.x also provides a single login to multiple NetWare servers which should relieve the administration effort required for effective user management. There is, however, no excuse for weak network security, this seems to be a common problem in many organizations and with the dramatic growth in the
The arrest of Kevin Mitnick Ken Lindup On the morning of Friday February 17th the news broke that Kevin Mitnick had been arrested by the FBI. He has been charged with two federal crimes, illegal use of a telephone access device and computer fraud. The first charge carries a sentence of up to 15 years Imprisonment and fine of $250 000 whilst the second charge could lead to a sentence of up to 20 years and a fine of $250 000.
The authorities missed arresting Mitnick in Seattle in October 1994. It is believed that he was
16
alerted to his impending arrest by using a scanner tuned into the police radio frequencies.
implementation of WAN links, modem links and Internet access, the risks of unauthorized access to systems and data is increasing by the day, Management should at the very best assess their exposure to these risks and stress the importance of network security not only to the users but also to the network management and support functions. This article has concentrated on the management, support and security of computer networks which traditionally encompass a network review. In the next issue, the additional stages of the Touche Ross network review will be discussed which primarily focuses on the review of network resilience and reliability which is beginning to be seen as a critical factor of an organization’s business. Network downtime can now be directly associated with financial losses to an organization and as such should be of a key concern to their senior management and the computer audit function, Chris Sheffield is a computer audit manager at Touche Ross & co.
Background to the case The Mitnick story is important to anyone involved with the security and control of information. It demonstrates just how ruthless, capable and resourceful some hackers are when it comes to penetrating computer systems and networks. For the most able hackers (I deliberately do not use the word best to describe what they do), the public telephone systems and computer networks are merely something to be exploited in the pursuance of their goals whatever they may be. Once
01995 Elsevler Science Ltd
March 1995
they have logged onto a host computer, they will install and compile specially developed software that enables them to continue the intrusion without discovery. Except for properly protected systems, they are free to wander at will through corporate information. When he was caught, Mitnick was found to be in possession of 20 000 credit card numbers, It is believed that he had taken them from the files of Netcom, an Internet service provider, The story also reveals something of the methods used by hackers, Mitnick had been sought by the FBI for more than two years. His downfall was precipitated when he hacked into the home computer of Tautomu Shimomura. Shimomura of the San Diego California Supercomputer Centre (SDSC) is a respected expert in computer security. The affidavit filed by the FBI agent reveals that the FBI were advised of the intrusion on 18th January 1995 by the System Administrator of the San Diego Supercomputer Centre. The initial attack was mounted from the machine apollo.ic.luc.edu, and succeeded in gaining access to osirisnotsdscedu, Shimomura’s machine. The attacker made a copy of the home directory containing E-mail, copies of security tools personal files etc. One of the programs copied was the Berkeley Packet Filter a network monitoring tool capable of monitoring TCP/IP packets. Also copied was cellular phone proprietary software valued at between $500 000 and $1 million, These were deposited in the Well, a commercial online service in Sausalito, California using a directory allocated to the public policy group Computers, Freedom and Privacy. System managers on the Well noticed that the
01995 Elsevier Science Ltd
Network Security
groups use of disk space exceeded their agreed aliocation by several megabytes, One of the organizers of Computers, Freedom and Privacy checked the directory and found Shimomura’s missing files. The attacker made a mistake in that he did not notice that Shimomura backed up his to a remote server. This failure enabled Shimomura to reconstruct the attacker’ s actions, The method used to mount the attack is believed to have involved the use of IP address spoofing. Internet firewalls verify the authenticity of a computer attempting to connect by checking that its IP address is valid. The IP address is unique to each computer connected to the Internet, however, it is possible for one computer to impersonate another by using its IP address. The technique is not particularly easy to master, but it can be done. Shimomura and two colleagues from the supercomputing centre set up a monitoring operation at Sausalito using software he had developed specially. By capturing all the keystrokes used by the attacker, Shimomura was able to deduce that Mitnick was the most likely suspect. On 10th February 1995, the Network Manager at Netcom reported to the FBI that their online server had been the victim of multiple unauthorized intrusions. The team of monitors moved their equipment to the premises of Netcom. Using subpoenaed telephone company records the team were able to conclude that the attacks were coming from Netcom’s dialup access point at Research Triangle Park, Raleigh, North Carolina. The calls were coming from a GTE switching centre, but
originating within the Sprint cellular network. By comparing the logs at Netcom with Sprint records, they discovered that the calls were coming from an area near the Raleigh-Durham International Airport. The area of search was narrowed down to the Players Court Apartment complex by use of a directional aerial and a signal strength meter. The FBI used their sensitive equipment to pinpoint the actual apartment from where the calls were coming. At 2.00 am on the morning of 16th February, Mitnick was arrested. He was found with 20 000 credit card numbers copied over the last two years from the files at Netcom. Kevin Mitnick’s hacking record It was not his first brush with the raw. He was first arrested in 1981 and received six months in jail for stealing technical manuals from the Pacific Telephone Company. He was part of a group of hackers (the Roscoe Gang) including Susan van Nuys, Steven Rhoades and Roscoe a student at the University of Southern California. In 1983 he was caught hacking into computers at the University of Southern California and TRW, a credit rating agency. This last attack has parallels with the hacking attacks of Phiber Optik who also targeted TRW. Also like Phiber, Mitnick used simple equipment, a Tandy TRS80. I have one of these machines, and they are very basic. It has 32k of memory and runs for 20 hours on a set of AA batteries, They are programmed in basic but they do have a 300 band modem. This shows that hacking does not require sophisticated equipment. After this Mitnick dropped out of circulation for a while. In 1986 he managed to get an account on Dockmaster, the
17
Network Security
front-end to the National Security Agency. Mitnick employed social engineering to gain an account. His method was simple. After finding the name of someone with a guest account, he telephoned him saying that he (Mitnick) was a system administrator. He said that he was issuing new passwords and needed to know the user’s name, telephone number and old password (for verification). This is a standard piece of social engineering well documented in hacker bulletin board postings, but it is still very effective. Mitnick continued to expand his knowledge of the telephone networks. We have read in the press recently about the phantom hacker who gained access the BT service computer system. Mitnick really did hack into its US equivalent - COSMOS, COSMOS (Computer System for Mainframe Operations) is a database system used to control the operation of the networks, It contains information such as the addresses of the cable pairs, customer records and service orders. Mitnick could modify customer records and one example shows something of his skills and also the malicious side of his nature. Mitnick was an amateur radio ham. Another radio ham had annoyed him, so Mitnick arranged for the $30 000 telephone bill of a local hospital to be added to his account. In 1987 Mitnick was accused of illegally accessing Digital Corporation computers and stealing copies of security software. He was alleged to have caused $4 million worth of damage. He was arrested again in 1988. This time the authorities were so concerned about Mitnick’s abilities that he was banned from using a phone from jail. He was
18
March 7995
sentenced to two years in jail in 1989. The .lessons from the case What are the lessons to be learned from Mitnick’s career? Kevin Mitnick seems to have been involved with computer abuse for nearly 15 years. In that time his knowledge and skills have grown, and some of that knowledge at least has spread into the hacker world at large. Hackers are not going to go away. Hacking is part of a sub-culture that rejects many of the values of conventional society. Hackers often see themselves as modern day Robin Hoods, They are talented, often obsessed with the technology, resourceful and sometimes malicious. IP spoofing Blind reliance on Internet firewalls to prevent unauthorized network access is misplaced. A firewall that has been set up correctly will provide a lot of protection, but there are some known vulnerabilities. IP address spoofing is one example. Network Security carried an article by Harold Highland called “Internet security” in June 1994. To understand IP spoofing, it is necessary to understand something about how TCP/IP addressing works. TCP/IP is the communications protocol used by many networks including the Internet. Every computer connected to the Internet is assigned a unique IP address. The IP address is the way computers identify each other. When two computers connect to each other using TCP/IP, they exchange packets in a three-way handshaking process. The machine making the connection sends a synchronization segment with a sequence number (x). The target computer returns another synchronization
segment, acknowledging (x) and including another sequence number (y). The first machine now sends the third synchronization segment acknowledging (y), Whilst the computer, attempting the logon, may send a fictitious IP address, it must respond to the packet sent by the target computer. This will be sent to the actual computer corresponding to the IP address, The problem is that this computer did not originate the connection and will request that the connection be reset. The packets exchanged by the two machines each contain a unique number used to ensure that the packets are processed in the correct order. There is a hacking utility (widely available on the Internet) which can be used to forge packets containing a different IP address from the assigned host address, The utility can also be used to change the IP address of the attackers computer. The hacker has two problems to solve: (1) How to prevent the actual ‘owner’ of the IP address from receiving the connection packets and resetting the connection, (2) How to anticipate the sequence number generated by the target computer. Preventing the actual ‘owner’ of the IP address from receiving the synchronisation segments is achieved by using a technique called port wedging. Port wedging involves sending a stream of logon requests to the actual host, so as to fill the queues on its input port. It cannot respond to the handshake segments being sent to it by the host being spoofed. If it could respond, it would receive an acknowledgement to a
01995 Elsevier Science Ltd
March 1995
connection it did not initiate and would reset the connection, It is possible to guess the sequence number generated by the target host. This is an important step because the attacker must have knowledge of the acknowledgement sequence number in order to assign the correct sequence numbers to the TCP/IP packets that are to be sent. Social engineering and dumpster diving Social engineering and dumpster diving appear again and again in accounts of the activities of hackers like Kevin Mitnick. Any manuals or documents containing information about computer networks or the people involved with them should always be treated as confidential waste. That means that they should be shredded and stored in a secure area pending destruction. Dumpster diving is a widely known technique, and it is easy to say that removing waste is not stealing. The information does not have to be valuable to be desirable to hackers, However, if enough information is retrieved from corporate waste sacks some will prove useful to hackers, Notwithstanding, the value of information in hacker attacks, there remains the issue of corporate embarrassment. How many companies want their corporate business discussed over the Internet by groups of hackers and ‘wannerbe’ hackers? Part of the attraction of hacking is the obtaining of knowledge that ones peer groups lack. That is obvious from many of the postings on
01995 Elsevier Science Ltd
Network Security
conference channels like #HACK and #PHREAK on Internet Relay Chat. This means that we can expect to see more ‘wannerbe’ hackers raiding corporate waste sacks, It is something to boast about on the bulletin boards and chat lines. It is also an exciting act that appears to be low risk yet enables people to emulate the likes of Kevin Mitnick. People manning help desks and system administrators must be made aware of the dangers of social engineering. Procedures to establish the authenticity of people calling help desks must be established and must be followed at all times. Any user or manager who attempts to persuade a network technical to bypass procedures should be left in no uncertain terms that they have committed a breach of the security policy. Many companies have strict rules about unlicensed software, virus checking and unauthorized network connections. It is often seen as a disciplinary matter. In my opinion trying to persuade a technician to break security rules is equally serious. Social engineering is not just about getting passwords by trickery, the Roscoe Gang gained access to corporate premises by talking security guards into letting them in. Social engineering is taught at hacker conferences - I attended an excellent session on social engineering at the “Hacking at the End of the Universe” conference in Holland. It may be thought that no 16-year-old should be able to convince a network supervisor that they are a telephone engineer. The skills that are taught and the professional approach adopted by some to honing
those skills make such a deception easy. I saw and heard the presenter call a telephone supervisor in front of an audience of 600 and demonstrate the techniques with success, All staff such as network administrators, technicians manning help desks should be properly trained in social engineering techniques. Resisting social engineering attacks is an excellent subject for role play exercises. It does not come naturally to resist a call from a senior executive (which may or may not be genuine) who claims to have forgotten their password. The caller will sound genuine, they will be able to offer corroborating evidence to prove their authenticity. They will even ask for the someone to call the executive back on an unlisted number known only to the company. The chances are that they have succeeded in diverting all calls to that number to the line that they are using. The Mitnick story shows that security officers must look at the totality of their security. Once they have targeted a network, hackers like Mitnick will probe security until they find a loophole. They will then use the appropriate technique to exploit it. They do not mind if the weakness is technical, procedural or human. Whether or not Kevin Mitnick is convicted and receives a long jail sentence is not the answer What Mitnick can do today, others will be able to do tomorrow. Formulation of good security policies, rules and procedures, and the use of good technical tools must be coupled with strict observance. It is the only answer,
19
also a risk of unauthorized access to data as once a file server is physically accessed it is normally a simple task for a knowledgeable perpetrator to gain access to the data. We would recommend that wherever possible network file servers, gateways and routers are located in a secure and controlled environment. Although file servers are often high specification PCs it is also important to ensure that environmental controls such as air conditioning and uninterruptable power supplies are also considered to ensure the smooth operations of equipment. The relocation of file servers in a centralized computer room can also aid the administration of the network, and contrary to popular misconceptions through the utilization of centralized hubs, network performance can be enhanced by locating all servers on a single segment or by using techniques such as collapsing the backbone. Summary The above sections are based on a generalization of a large number of network reviews which have been performed,
March 1995
but the overall conclusion is that on the whole, local area networks are not subject to adequate controls and procedures and many organizations are exposed to significant business risks due to inefficient network management. We hold some sympathy for the network manager and support functions, as the growth of the network and associated technologies has been dramatic and the developers of the network operating systems have concentrated on the provision of tools for the users rather than the administrator. The good news is that some of the shortcomings of Network Operating Systems are now being addressed, As an example, Novell NetWare 4 is shipped with an excellent auditor function which will provide management with sophisticated audit trails which can be protected from access by the network administrator. NetWare 4.x also provides a single login to multiple NetWare servers which should relieve the administration effort required for effective user management. There is, however, no excuse for weak network security, this seems to be a common problem in many organizations and with the dramatic growth in the
The arrest of Kevin Mitnick Ken Lindup On the morning of Friday February 17th the news broke that Kevin Mitnick had been arrested by the FBI. He has been charged with two federal crimes, illegal use of a telephone access device and computer fraud. The first charge carries a sentence of up to 15 years Imprisonment and fine of $250 000 whilst the second charge could lead to a sentence of up to 20 years and a fine of $250 000.
The authorities missed arresting Mitnick in Seattle in October 1994. It is believed that he was
16
alerted to his impending arrest by using a scanner tuned into the police radio frequencies.
implementation of WAN links, modem links and Internet access, the risks of unauthorized access to systems and data is increasing by the day, Management should at the very best assess their exposure to these risks and stress the importance of network security not only to the users but also to the network management and support functions. This article has concentrated on the management, support and security of computer networks which traditionally encompass a network review. In the next issue, the additional stages of the Touche Ross network review will be discussed which primarily focuses on the review of network resilience and reliability which is beginning to be seen as a critical factor of an organization’s business. Network downtime can now be directly associated with financial losses to an organization and as such should be of a key concern to their senior management and the computer audit function, Chris Sheffield is a computer audit manager at Touche Ross & co.
Background to the case The Mitnick story is important to anyone involved with the security and control of information. It demonstrates just how ruthless, capable and resourceful some hackers are when it comes to penetrating computer systems and networks. For the most able hackers (I deliberately do not use the word best to describe what they do), the public telephone systems and computer networks are merely something to be exploited in the pursuance of their goals whatever they may be. Once
01995 Elsevler Science Ltd
March 1995
they have logged onto a host computer, they will install and compile specially developed software that enables them to continue the intrusion without discovery. Except for properly protected systems, they are free to wander at will through corporate information. When he was caught, Mitnick was found to be in possession of 20 000 credit card numbers, It is believed that he had taken them from the files of Netcom, an Internet service provider, The story also reveals something of the methods used by hackers, Mitnick had been sought by the FBI for more than two years. His downfall was precipitated when he hacked into the home computer of Tautomu Shimomura. Shimomura of the San Diego California Supercomputer Centre (SDSC) is a respected expert in computer security. The affidavit filed by the FBI agent reveals that the FBI were advised of the intrusion on 18th January 1995 by the System Administrator of the San Diego Supercomputer Centre. The initial attack was mounted from the machine apollo.ic.luc.edu, and succeeded in gaining access to osirisnotsdscedu, Shimomura’s machine. The attacker made a copy of the home directory containing E-mail, copies of security tools personal files etc. One of the programs copied was the Berkeley Packet Filter a network monitoring tool capable of monitoring TCP/IP packets. Also copied was cellular phone proprietary software valued at between $500 000 and $1 million, These were deposited in the Well, a commercial online service in Sausalito, California using a directory allocated to the public policy group Computers, Freedom and Privacy. System managers on the Well noticed that the
01995 Elsevier Science Ltd
Network Security
groups use of disk space exceeded their agreed aliocation by several megabytes, One of the organizers of Computers, Freedom and Privacy checked the directory and found Shimomura’s missing files. The attacker made a mistake in that he did not notice that Shimomura backed up his to a remote server. This failure enabled Shimomura to reconstruct the attacker’ s actions, The method used to mount the attack is believed to have involved the use of IP address spoofing. Internet firewalls verify the authenticity of a computer attempting to connect by checking that its IP address is valid. The IP address is unique to each computer connected to the Internet, however, it is possible for one computer to impersonate another by using its IP address. The technique is not particularly easy to master, but it can be done. Shimomura and two colleagues from the supercomputing centre set up a monitoring operation at Sausalito using software he had developed specially. By capturing all the keystrokes used by the attacker, Shimomura was able to deduce that Mitnick was the most likely suspect. On 10th February 1995, the Network Manager at Netcom reported to the FBI that their online server had been the victim of multiple unauthorized intrusions. The team of monitors moved their equipment to the premises of Netcom. Using subpoenaed telephone company records the team were able to conclude that the attacks were coming from Netcom’s dialup access point at Research Triangle Park, Raleigh, North Carolina. The calls were coming from a GTE switching centre, but
originating within the Sprint cellular network. By comparing the logs at Netcom with Sprint records, they discovered that the calls were coming from an area near the Raleigh-Durham International Airport. The area of search was narrowed down to the Players Court Apartment complex by use of a directional aerial and a signal strength meter. The FBI used their sensitive equipment to pinpoint the actual apartment from where the calls were coming. At 2.00 am on the morning of 16th February, Mitnick was arrested. He was found with 20 000 credit card numbers copied over the last two years from the files at Netcom. Kevin Mitnick’s hacking record It was not his first brush with the raw. He was first arrested in 1981 and received six months in jail for stealing technical manuals from the Pacific Telephone Company. He was part of a group of hackers (the Roscoe Gang) including Susan van Nuys, Steven Rhoades and Roscoe a student at the University of Southern California. In 1983 he was caught hacking into computers at the University of Southern California and TRW, a credit rating agency. This last attack has parallels with the hacking attacks of Phiber Optik who also targeted TRW. Also like Phiber, Mitnick used simple equipment, a Tandy TRS80. I have one of these machines, and they are very basic. It has 32k of memory and runs for 20 hours on a set of AA batteries, They are programmed in basic but they do have a 300 band modem. This shows that hacking does not require sophisticated equipment. After this Mitnick dropped out of circulation for a while. In 1986 he managed to get an account on Dockmaster, the
17
Network Security
front-end to the National Security Agency. Mitnick employed social engineering to gain an account. His method was simple. After finding the name of someone with a guest account, he telephoned him saying that he (Mitnick) was a system administrator. He said that he was issuing new passwords and needed to know the user’s name, telephone number and old password (for verification). This is a standard piece of social engineering well documented in hacker bulletin board postings, but it is still very effective. Mitnick continued to expand his knowledge of the telephone networks. We have read in the press recently about the phantom hacker who gained access the BT service computer system. Mitnick really did hack into its US equivalent - COSMOS, COSMOS (Computer System for Mainframe Operations) is a database system used to control the operation of the networks, It contains information such as the addresses of the cable pairs, customer records and service orders. Mitnick could modify customer records and one example shows something of his skills and also the malicious side of his nature. Mitnick was an amateur radio ham. Another radio ham had annoyed him, so Mitnick arranged for the $30 000 telephone bill of a local hospital to be added to his account. In 1987 Mitnick was accused of illegally accessing Digital Corporation computers and stealing copies of security software. He was alleged to have caused $4 million worth of damage. He was arrested again in 1988. This time the authorities were so concerned about Mitnick’s abilities that he was banned from using a phone from jail. He was
18
March 7995
sentenced to two years in jail in 1989. The .lessons from the case What are the lessons to be learned from Mitnick’s career? Kevin Mitnick seems to have been involved with computer abuse for nearly 15 years. In that time his knowledge and skills have grown, and some of that knowledge at least has spread into the hacker world at large. Hackers are not going to go away. Hacking is part of a sub-culture that rejects many of the values of conventional society. Hackers often see themselves as modern day Robin Hoods, They are talented, often obsessed with the technology, resourceful and sometimes malicious. IP spoofing Blind reliance on Internet firewalls to prevent unauthorized network access is misplaced. A firewall that has been set up correctly will provide a lot of protection, but there are some known vulnerabilities. IP address spoofing is one example. Network Security carried an article by Harold Highland called “Internet security” in June 1994. To understand IP spoofing, it is necessary to understand something about how TCP/IP addressing works. TCP/IP is the communications protocol used by many networks including the Internet. Every computer connected to the Internet is assigned a unique IP address. The IP address is the way computers identify each other. When two computers connect to each other using TCP/IP, they exchange packets in a three-way handshaking process. The machine making the connection sends a synchronization segment with a sequence number (x). The target computer returns another synchronization
segment, acknowledging (x) and including another sequence number (y). The first machine now sends the third synchronization segment acknowledging (y), Whilst the computer, attempting the logon, may send a fictitious IP address, it must respond to the packet sent by the target computer. This will be sent to the actual computer corresponding to the IP address, The problem is that this computer did not originate the connection and will request that the connection be reset. The packets exchanged by the two machines each contain a unique number used to ensure that the packets are processed in the correct order. There is a hacking utility (widely available on the Internet) which can be used to forge packets containing a different IP address from the assigned host address, The utility can also be used to change the IP address of the attackers computer. The hacker has two problems to solve: (1) How to prevent the actual ‘owner’ of the IP address from receiving the connection packets and resetting the connection, (2) How to anticipate the sequence number generated by the target computer. Preventing the actual ‘owner’ of the IP address from receiving the synchronisation segments is achieved by using a technique called port wedging. Port wedging involves sending a stream of logon requests to the actual host, so as to fill the queues on its input port. It cannot respond to the handshake segments being sent to it by the host being spoofed. If it could respond, it would receive an acknowledgement to a
01995 Elsevier Science Ltd
March 1995
connection it did not initiate and would reset the connection, It is possible to guess the sequence number generated by the target host. This is an important step because the attacker must have knowledge of the acknowledgement sequence number in order to assign the correct sequence numbers to the TCP/IP packets that are to be sent. Social engineering and dumpster diving Social engineering and dumpster diving appear again and again in accounts of the activities of hackers like Kevin Mitnick. Any manuals or documents containing information about computer networks or the people involved with them should always be treated as confidential waste. That means that they should be shredded and stored in a secure area pending destruction. Dumpster diving is a widely known technique, and it is easy to say that removing waste is not stealing. The information does not have to be valuable to be desirable to hackers, However, if enough information is retrieved from corporate waste sacks some will prove useful to hackers, Notwithstanding, the value of information in hacker attacks, there remains the issue of corporate embarrassment. How many companies want their corporate business discussed over the Internet by groups of hackers and ‘wannerbe’ hackers? Part of the attraction of hacking is the obtaining of knowledge that ones peer groups lack. That is obvious from many of the postings on
01995 Elsevier Science Ltd
Network Security
conference channels like #HACK and #PHREAK on Internet Relay Chat. This means that we can expect to see more ‘wannerbe’ hackers raiding corporate waste sacks, It is something to boast about on the bulletin boards and chat lines. It is also an exciting act that appears to be low risk yet enables people to emulate the likes of Kevin Mitnick. People manning help desks and system administrators must be made aware of the dangers of social engineering. Procedures to establish the authenticity of people calling help desks must be established and must be followed at all times. Any user or manager who attempts to persuade a network technical to bypass procedures should be left in no uncertain terms that they have committed a breach of the security policy. Many companies have strict rules about unlicensed software, virus checking and unauthorized network connections. It is often seen as a disciplinary matter. In my opinion trying to persuade a technician to break security rules is equally serious. Social engineering is not just about getting passwords by trickery, the Roscoe Gang gained access to corporate premises by talking security guards into letting them in. Social engineering is taught at hacker conferences - I attended an excellent session on social engineering at the “Hacking at the End of the Universe” conference in Holland. It may be thought that no 16-year-old should be able to convince a network supervisor that they are a telephone engineer. The skills that are taught and the professional approach adopted by some to honing
those skills make such a deception easy. I saw and heard the presenter call a telephone supervisor in front of an audience of 600 and demonstrate the techniques with success, All staff such as network administrators, technicians manning help desks should be properly trained in social engineering techniques. Resisting social engineering attacks is an excellent subject for role play exercises. It does not come naturally to resist a call from a senior executive (which may or may not be genuine) who claims to have forgotten their password. The caller will sound genuine, they will be able to offer corroborating evidence to prove their authenticity. They will even ask for the someone to call the executive back on an unlisted number known only to the company. The chances are that they have succeeded in diverting all calls to that number to the line that they are using. The Mitnick story shows that security officers must look at the totality of their security. Once they have targeted a network, hackers like Mitnick will probe security until they find a loophole. They will then use the appropriate technique to exploit it. They do not mind if the weakness is technical, procedural or human. Whether or not Kevin Mitnick is convicted and receives a long jail sentence is not the answer What Mitnick can do today, others will be able to do tomorrow. Formulation of good security policies, rules and procedures, and the use of good technical tools must be coupled with strict observance. It is the only answer,
19