9.1 Mission Impossible Techniques

Some of the not-so-young will remember the old "Mission Impossible" television series where U.S. government spies sabotaged someone else's operations, captured someone or something, or gained secret information in clever ways. Frequently, this was done by misrepresentation, sometimes by posing as a telephone company or gas company repairman. Sometimes it was done by seduction. Sites will need to guard against bribery and extortion. These attacks are called social engineering.

If you are responsible for a medium to large site (or even a small site) you need to worry about this. I'm not talking about some teenager or drug addict hoping to fence your computer. Rather, I'm talking about a professional out either to get your data or to disrupt your operations. If someone shows up claiming to be from the phone company to "install the new lines," ask him who ordered it and ask for the details, such as what kind of line and what phone number. Verify his story with the person whom he claims ordered the service; be suspicious of vague answers. Remember that anyone can phone your agency's main number, ask the name of the person in charge of Telecommunications, and then mention that name to you.

All information and physical access should be on a need-to-know basis, and persons claiming to be from a vendor or other agency should be required to prove their identity before being granted access and they should be supervised. If the badge or ID card was "left in the truck" or "forgotten," tell him to come back when he has it. Anyone can purchase a fake utility or police uniform for about $150; someone showed up at our last Halloween party in a police costume so realistic that he was thought to be a real officer responding to a complaint. A professional will have a realistic but fake ID card; a telephone call to the company using a known good phone number will detect all but the most determined operatives.

You also should look up the number of the phone company (or other company that she claims to be from) in the phone book, call that number, and ask whether they sent someone; ask for the order number and check that the person's paperwork carries the same order number. Ask to see his company picture ID and verify over the phone that the name matches.

Be especially suspicious of someone who shows up without having been asked to by an appropriate person at your agency. On "Mission Impossible," as I recall, and also in one of the Dirty Harry movies, the intruders showed up in a gas company truck claiming, with great urgency, to be there to fix a gas leak. One could spend about $10 on a propane torch and release the gas to simulate the smell of a gas leak. Unless a fleet of fire engines and police cars shows up, take the time to make a phone call to the company before granting any access and by all means have someone watch him carefully.

This morning while writing this book, I saw a man out of the corner of my eye in my back yard heading to the front yard. When I looked at him he was in his twenties wearing a gray uniform typical of service people and carrying what looked like a three-foot section of white pipe. I had finished this chapter last night so the details were fresh in my mind.

I intercepted him in the front yard, keeping my distance, and asked him what he was doing on my property. (I had assumed that he was a surveyor because I could not see what anyone else would be doing in my back yard.) He said that he was reading my electric meter.

This made me suspicious because although the electric meter was on that side of the house it was nowhere near the back yard where he was and, because there is a large wooded area "back there" I didn't envision him "cutting across it" from another house. He headed over to my neighbor's and disappeared. When I looked on the road for a marked Georgia Power truck I saw none. I considered immediately phoning 911 or the electric company's emergency number. I chose instead to take a walk up the road to try to find him and his truck.

I do not recommend this course of action because you could get killed. During my walk I found his clearly labeled truck which he then hopped into, after saying hello to me, and drove down another road where I saw him get out and inspect someone's meter. Still, prior to the walk confirming his claim, calling 911 would not have been inappropriate and the police would have preferred this to finding a dead former Linux system administrator lying in the road.


Remember that large agencies and companies have vendors in almost daily and any "Mission Impossible" operative could phone common vendors, claim to be from your agency, and ask when they are sending someone in. They even could place a false order and send out a fake person. This is why verifying that someone is expected with the person in your company whose name appears on the order is important.

In an article on February 11, 2000 on PC World's Web site (copyrighted by Reuters), someone who works for IBM's consulting Tiger team says that his favorite trick is to grab a hard hat, peel a phone company sticker off a communications cabinet and stick it on a notebook, carry some tools, and he can gain access to almost anywhere. A phone company style "test phone" can be purchased at surplus electronic mail order sites and at Radio Shack.

All your security people and cleaning crews should be informed that absolutely no one shall be admitted without proper credentials under pain of dismissal. Even the "I left my keys on my desk" excuse should not be accepted unless, possibly, that person was at the desk in question 10 minutes ago. Methods for setting up your own Tiger team are discussed in "Break into Your Own System with Tiger Teams" on page 588.

Once, from an interior corridor of a 1000-employee company, I rolled a cart up to the front door loaded with computer equipment and notebooks around midnight. I explained that I was taking the equipment home and that I "had permission." The guard, who had never seen me before, said okay, without my presenting any paperwork whatsoever. After I already had moved some of the equipment to my automobile he said, "Uh, I guess I should see your driver's license and write down the details."

I cheerfully provided it, but any 20-year-old can tell you how to create a fake driver's license. Did he even bother to make a security log entry of this? I do not know.


Never underestimate the power of bribery and extortion (blackmail). The U.S. government requires an extensive background check of anyone who will be allowed access to classified materials. Before granting access to highly classified materials, the FBI or military intelligence will interview many people who have known the person for decades, run her fingerprints and name through the FBI's criminal records computer, and thus verify that she has no criminal record, shows no evidence of dishonesty, and has no secrets that could be used for extortion. Even if someone has a secret that is not illegal, such as a sexual kink, if it could be used as blackmail that person could be denied a clearance. In cases such as this, the person might be given a choice of either making this secret public or being denied the clearance.

Spending one or two thousand dollars per person for a private investigator to check out your critical people and obtaining credit reports could eliminate most people susceptible to bribery and blackmail. Some agencies and companies will use polygraph tests. (Naturally you will want to work with your personnel or legal staff to ensure that you do not violate applicable law.)

Ensure that there is physical security. Often communications lines and Ethernet cable are exposed to anyone who wants to tap in. U.S. government security regulations require that cables that carry secret data through unclassified areas be enclosed in steel pipe, that all pipe fittings be spot-welded together, and that there be weekly inspections of the pipe for evidence of tampering.

These regulations also require that access under floors, above ceilings (especially dropped ceilings), and via ventilation ducts be blocked by steel bars or other approved methods. These bars too must be inspected each week. I guess the government guys watch the spy movies too, where the spy crawls through ventilation ducts.



Real World Linux Security (Prentice Hall PTR Open Source Technology Series)
Year: 2002
Pages: 260