Frank Fiore – Novelist & Screenwriter

March 12, 2010

Hacking Computer Systems Using Social Engineering

Filed under: CyberKill — Frank Fiore @ 10:34 AM

In CyberKill, Morgan Dallas, uses social engineering to gain access to the BioNan computer and hack into the SIRUS files.

What is social engineering? It is an easy non-technical security breach and is one of the easiest ways into a computer system.

Here’s an example.

At one of the Computer Security Institute’s “Meet the Enemy” seminars several years ago, an attendee challenged a hacker’s boast about using social engineering to gather sensitive information about a company. So, the hacker gave a live demonstration.

He dialed up a company, got transferred around, and reached the Help Desk.

“Who’s the supervisor on duty tonight”, he asked?

“Oh, it’s Betty?” “Let me talk to Betty.”

“Hey Betty, having a bad day?” “No? You should.” “Why?” “Your systems are down.”

She said, “My systems aren’t down, we’re running fine.”

He said, “All of my monitors here are showing that you’re completely offline. Something is really wrong.”

She said, “I’m not offline.” He said, “You better sign off.” She signed off.

He said, “Now sign on again.” She signed on again.

He said, “We didn’t even show a blip, we show no change.” He said, “Sign off again.” She did.

“Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.”

So this senior supervisor at the Help Desk tells him her user ID and password. He said, “I’m signed on as you now and I can’t see the difference. Shoot. I know what it is. Let me sign off. Now sign yourself back on again.” She did.

He said, “I know what it is. You’re on day-old files. You think you’re online but you’re not. You’re on day-old files. Do me a favor, what changes all the time? The PIN code? Pull the PIN code file, just read me off the first ten PIN codes you’ve got there and I’ll compare them.”

She was reading off the first PIN code when we heard ‘click’.

He said, “I told you I could.”

The basic goals of social engineering are the same as hacking in general – to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.

They say that one man’s meat is another man’s poison. To those wanting to gain access to a network, it can be said that one man’s garbage is another man’s treasure. Malicious network crackers love to go “trashing” to find documents that help them piece together the structure of your company, provide clues about what kinds of computer systems you use, and most important, obtain the names, titles, and telephone numbers of your employees.

How? Consider the documents a company trashes everyday. They include important information for an identity thief to gain access to an organization and network using his or her knowledge of social engineering. Such items would include:

  • Company phone books
  • Organizational charts
  • Memos
  • Company policy manuals
  • Calendars of meetings, events, and vacations
  • System manuals
  • Printouts of sensitive data or login names and passwords
  • Printouts of source code
  • Disks and tapes
  • Company letterhead and memo forms
  • Outdated hardware (especially hard drives).

These items can provide a wealth of information to identity thieves and impersonators.  A copy of the company phone book is an extremely valuable tool. Knowing who to call and who to impersonate are the first steps to gaining access to a network and the data contained within. Having the right names and titles at their fingertips let smart impersonators sound as though they actually work for a company.

Dave Del Torto, a software designer with Pretty Good Privacy, said: “People are absolutely pathetic about maintaining security policies, and social engineering is the easiest way in.

In CyberKill, Travis Cole, Taylor Chin and Morgan Dallas want to break into the BioNan computer system. The sense foul play between BioNan, the company that creates the nano-dust, and the US ARMY Information Warfare Laboratory.

Here’s a snippet of dialogue from CyberKill that shows how Dallas used this type of security breach.

“What do you have?” Cole asked.

“Just a password to the BioNan mainframe,” said Dallas, rather smugly. His hostility from earlier seemed long gone.

“And how did you get that?”

Taylor replied, “He has friends in low places.”

Dallas shot her a nasty look. “I have some friends who operate on the other side of the law. I asked them for a favor.”

“Why would they do you a favor?” asked Taylor skeptically.

“Like I said, I have …”

“… friends in low places,” added Taylor.

Cole had a sudden feeling. “Friends in the mob?” he asked.

“It doesn’t matter right now. My friends gave me a password for BioNan.”

“Okay, Houdini,” said Cole, dropping it for now. “How’d they do that?”

Well,” Dallas said with a conspiratorial smile, “my friends run a rather extensive business on the Net.”

“Breaking legs for hire?” quipped Taylor.

“No, Miss Bigot. They run some of the biggest and best porno sites on the Web. They have millions of subscribers to hundreds of adult web sites they manage.”

“And I suppose you’ve visited the majority of them?” Taylor said snidely.

Cole glanced at her, “Taylor, give him a break.” He looked at Dallas. “What does any of this have to do with you getting a password to the BioNan mainframe?”

“Fairly simple. Tell me, Cole, do you use a different password for every site you’re registered to use? You know, paid subscription sites, shopping sites, personal banking sites, etc., etc.?”

“No. Too many to keep track of. But I try.”

“So I bet you use the same password/user name combination on some sites, right?”

“Yes. So?”

“Well, many of the horndogs that subscribe to several porn sites do the same. And sometimes, they use the very same password/username combination of their company servers as they do for their porn sites. So I asked my friends to have their Webmaster run a match of BioNan IP addresses that access their sites and supply me with their password and user name.”

“And they did?” asked Taylor incredulously.

“Uh huh,” said Dallas smugly. “And we got several hits. So while sleeping beauty here napped in his office, I went home and found BioNan’s website. From there I was able to hack into their company Intranet. I ran the password/username combinations I had, and sure enough, found the SIRUS file.” He triumphantly held up a memory stick.

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: