9.1 Mission Impossible Techniques

Some of the not-so-young will remember the old "Mission Impossible" television series where U.S. government spies sabotaged someone else's operations, captured someone or something, or gained secret information in clever ways. Frequently, this was done by misrepresentation, sometimes by posing as a telephone company or gas company repairman. Sometimes it was done by seduction. Sites will need to guard against bribery and extortion. These attacks are called social engineering. If you are responsible for a medium to large site (or even a small site) you need to worry about this. I'm not talking about some teenager or drug addict hoping to fence your computer. Rather, I'm talking about a professional out either to get your data or to disrupt your operations. If someone shows up claiming to be from the phone company to "install the new lines," ask him who ordered it and ask for the details, such as what kind of line and what phone number. Verify his story with the person whom he claims ordered the service; be suspicious of vague answers. Remember that anyone can phone your agency's main number, ask the name of the person in charge of Telecommunications, and then mention that name to you. All information and physical access should be on a need-to-know basis, and persons claiming to be from a vendor or other agency should be required to prove their identity before being granted access, and they should be supervised. If the badge or ID card was "left in the truck" or "forgotten," tell him to come back when he has it. Anyone can purchase a fake utility or police uniform for about $150; someone showed up at our last Halloween party in a police costume so realistic that he was thought to be a real officer responding to a complaint. A professional will have a realistic but fake ID card; a telephone call to the company using a known good phone number will detect all but the most determined operatives.
You also should look up the number of the phone company (or other company that the visitor claims to be from) in the phone book, call that number, see if they sent someone, and ask for the order number and see if the person has paperwork with the same order number. Ask to see his company picture ID and verify over the phone that the name matches. Be especially suspicious of someone who shows up without having been asked to by an appropriate person at your agency. On "Mission Impossible," as I recall, and also in one of the Dirty Harry movies, the intruders showed up in a gas company truck claiming to be there to fix a gas leak, with an air of urgency about them. One could spend about $10 on a propane torch and release the gas to simulate the smell of a gas leak. Unless a fleet of fire engines and police cars shows up, take the time to make a phone call to the company before granting any access, and by all means have someone watch him carefully.
Remember that large agencies and companies have vendors in almost daily, and any "Mission Impossible" operative could phone common vendors, claim to be from your agency, and ask when they are sending someone in. They even could place a false order and send out a fake person. This is why verifying that someone is expected with the person in your company whose name appears on the order is important. In an article on February 11, 2000 on PC World's Web site (copyrighted by Reuters), someone who works for IBM's consulting Tiger team says that his favorite trick is to grab a hard hat, peel a phone company sticker off a communications cabinet and stick it on a notebook, carry some tools, and he can gain access to almost anywhere. A phone company style "test phone" can be purchased at surplus electronic mail order sites and at Radio Shack. All your security people and cleaning crews should be informed that absolutely no one shall be admitted without proper credentials, under pain of dismissal. Even the "I left my keys on my desk" excuse should not be accepted unless, possibly, that person was at the desk in question 10 minutes ago. Methods for setting up your own Tiger team are discussed in "Break into Your Own System with Tiger Teams" on page 588.
Never underestimate the power of bribery and extortion (blackmail). The U.S. government requires an extensive background check of anyone who will be allowed access to classified materials. Before granting access to highly classified materials, the FBI or military intelligence will interview many people who have known the person for decades, run her fingerprints and name through the FBI's criminal records computer, and thus verify that she has no criminal record, has no evidence of dishonesty, and has no secrets that could be used for extortion. Even if someone has a secret that is not illegal, such as a sexual kink, if it could be used as blackmail that person could be denied a clearance. In cases such as this, the person might be given a choice of either making this secret public or being denied the clearance. Spending one or two thousand dollars per person for a private investigator to check out your critical people and obtaining credit reports could eliminate most people susceptible to bribery and blackmail. Some agencies and companies will use polygraph tests. (Naturally you will want to work with your personnel or legal staff to ensure that you do not violate applicable law.) Ensure that there is physical security. Often communications lines and Ethernet cable are exposed to anyone who wants to tap in. U.S. government security regulations require that cables that carry secret data through unclassified areas be enclosed in steel pipe, that all pipe fittings be spot-welded together, and that there be weekly inspections of the pipe for evidence of tampering.