Social Engineering May Be a Greater Threat to Client Files Than “Hackers”


After reading super-hacker Kevin Mitnick’s book, Ghost in the Wires, about his escapades leading up to his imprisonment for hacking, what struck me was how much of his “hacking” was really social engineering. Quite often, Mitnick just called someone on the phone and asked them for what he needed, up to and including root account access, usernames and passwords, and proprietary source code.

Mitnick did not just call up and say “hey, I’m Kevin Mitnick, the FBI’s most-wanted hacker, and I need a privileged login on your network.” He learned enough about companies to ask the right questions, give the right answers, and get what he wanted. For example, here is how Mitnick “hacked into” Motorola to steal the source code for its cutting-edge MicroTAC Ultra Lite cell phone:

… I called toll-free directory assistance and asked for Motorola, then called that number and told the friendly receptionist who answered that I was looking for the project manager for the MicroTAC Ultra Lite project.

“Oh, our Cellular Subscriber Group is based in Schaumberg, Illinois. Would you like the number?” she asked. Of course I would.

I called Schaumberg and said, “Hi, this is Rick with Motorola in Arlington Heights. I’m trying to reach the project manager for the MicroTAC Ultra Lite.” After being transferred around to several different people, I ended up speaking with a vice president in Research and Development. I gave him the same line about being from Arlington Heights and needing to reach the MicroTAC project manager.

I was worried that the executive might get suspicious about the traffic noises and occasional horns being blown by drivers eager to get home before the snow started piling up, but no. He just said “That’s Pam, she works for me,” and gave me her telephone extension. Pam’s voicemail announced that she was away on a two-week vacation, then advised, “If you need any help whatsoever, please call Alisa,” and gave her extension.

I called the number and said “Hi, Alisa. It’s Rick with Research and Development in Arlington Heights. When I spoke to Pam last week, she talked about going on vacation. Did she leave yet?”

Of course Alisa answered, “Yes.”

“Well,” I said, “she was supposed to send me the source code for the MicroTAC Ultra Lite. But she said that if she didn’t have time before she left, I should call you and you’d help me out.”

Her response was, “What version do you want?”

I smiled.

In the end, Mitnick walked away with the source code by doing nothing more than calling a few people at Motorola.

When Mat Honan lost control of his computer, phone, Google account, Twitter account, and more, it was not the result of clever computer intrusion. It was the result of clever social engineering.

At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his Me.com e-mail — which, of course, was my Me.com e-mail.

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

After that, Honan’s devices and accounts fell like dominoes as the hacker used Honan’s Apple account to reset passwords, take over accounts and wipe them, and expose the biggest flaw in any security scheme: humans.

So while you are obsessing about whether or not your cloud storage is secure, how much more at risk are your client files from someone who walks in the front door of your office? How hard would it be for someone to call your office and obtain confidential information by posing as a former client, opposing counsel, or substituting counsel?

Don’t ignore cloud security, but don’t forget to protect the easy way in.

Updates

  • 2013-08-15. Originally published.
  • 2014-10-31. Updated and republished.

Featured image: “phone conversation a man” from Shutterstock.

  • Paul Spitz

    When I had my retail store, every once in a while someone would stride in with a clipboard and some kind of form attached to it, and say that they needed to check my credit card terminal for compliance and upgrades. I never let them, because I figured they were probably from a competing merchant processor, trying to switch over my service to them dishonestly. It’s amazing, however, how far someone can get just by acting like they are entitled to do what they are doing.

    • http://californiacivilrightslaw.com/ Ramsey Hanafi

      Reminds me of the snail-mail I sometimes get in the form of the folded paper with tear-away sides, so that it looks like a check or some other official financial correspondence. When in reality it is some student loan consolidation fake-bill or some other junk mail.

      On the topic of the post, I went to some CLE with a hacker guy (yes, that is the extent of my memory) and he said the same thing. The vast majority of his “hacking” was just old school hustling people for info.