I just finished reading hacker Kevin Mitnick's book, Ghost in the Wires, about his escapades leading up to his imprisonment for hacking. What struck me was how much of his "hacking" was really social engineering. Quite often, Mitnick just called someone on the phone and asked them for what he needed: up to and including root accounts, usernames and passwords, and proprietary source code.
Mitnick did not just call up and say "hey, I'm Kevin Mitnick, the FBI's most-wanted hacker, and I need a privileged login on your network." He learned enough about each company to ask the right questions, give the right answers, and get what he wanted. For example, here is how Mitnick "hacked into" Motorola to steal the source code for its cutting-edge MicroTAC Ultra Lite cell phone:
… I called toll-free directory assistance and asked for Motorola, then called that number and told the friendly receptionist who answered that I was looking for the project manager for the MicroTAC Ultra Lite project.
"Oh, our Cellular Subscriber Group is based in Schaumburg, Illinois. Would you like the number?" she asked. Of course I would.
I called Schaumburg and said, "Hi, this is Rick with Motorola in Arlington Heights. I'm trying to reach the project manager for the MicroTAC Ultra Lite." After being transferred around to several different people, I ended up speaking with a vice president in Research and Development. I gave him the same line about being from Arlington Heights and needing to reach the MicroTAC project manager.
I was worried that the executive might get suspicious about the traffic noises and occasional horns being blown by drivers eager to get home before the snow started piling up, but no. He just said "That's Pam, she works for me," and gave me her telephone extension. Pam's voicemail announced that she was away on a two-week vacation, then advised, "If you need any help whatsoever, please call Alisa," and gave her extension.
I called the number and said “Hi, Alisa. It’s Rick with Research and Development in Arlington Heights. When I spoke to Pam last week, she talked about going on vacation. Did she leave yet?”
Of course Alisa answered, “Yes.”
"Well," I said, "she was supposed to send me the source code for the MicroTAC Ultra Lite. But she said that if she didn't have time before she left, I should call you and you'd help me out."
Her response was, “What version do you want?”
Mitnick walked away with the source code by doing nothing more than calling a few people at Motorola. He never touched a firewall or cracked a password; every step was a plausible request made to someone who had no way, and no procedure, to confirm who was asking.
So while you are obsessing about whether or not your cloud storage is secure, ask how much more at risk your client files are from someone who simply walks in the front door of your office. How hard would it be for someone to call your office and obtain confidential information by posing as a former client, opposing counsel, or substituting counsel? If the answer is "one convincing phone call," that is the weakness to fix first.
Don't ignore cloud security, but don't forget to protect the easy way in.