After reading super-hacker Kevin Mitnick’s book, Ghost in the Wires, about his escapades leading up to his imprisonment for hacking, what struck me was how much of his “hacking” was really social engineering. Quite often, Mitnick just called someone on the phone and asked them for what he needed, up to and including root account access, usernames and passwords, and proprietary source code.
Mitnick did not just call up and say “hey, I’m Kevin Mitnick, the FBI’s most-wanted hacker, and I need a privileged login on your network.” He learned enough about companies to ask the right questions, give the right answers, and get what he wanted. For example, here is how Mitnick “hacked into” Motorola to steal the source code for its cutting-edge MicroTAC Ultra Lite cell phone:
> … I called toll-free directory assistance and asked for Motorola, then called that number and told the friendly receptionist who answered that I was looking for the project manager for the MicroTAC Ultra Lite project.
>
> “Oh, our Cellular Subscriber Group is based in Schaumberg, Illinois. Would you like the number?” she asked. Of course I would.
>
> I called Schaumberg and said, “Hi, this is Rick with Motorola in Arlington Heights. I’m trying to reach the project manager for the MicroTAC Ultra Lite.” After being transferred around to several different people, I ended up speaking with a vice president in Research and Development. I gave him the same line about being from Arlington Heights and needing to reach the MicroTAC project manager.
>
> I was worried that the executive might get suspicious about the traffic noises and occasional horns being blown by drivers eager to get home before the snow started piling up, but no. He just said “That’s Pam, she works for me,” and gave me her telephone extension. Pam’s voicemail announced that she was away on a two-week vacation, then advised, “If you need any help whatsoever, please call Alisa,” and gave her extension.
>
> I called the number and said “Hi, Alisa. It’s Rick with Research and Development in Arlington Heights. When I spoke to Pam last week, she talked about going on vacation. Did she leave yet?”
>
> Of course Alisa answered, “Yes.”
>
> “Well,” I said, “she was supposed to send me the source code for the MicroTAC Ultra Lite. But she said that if she didn’t have time before she left, I should call you and you’d help me out.”
>
> Her response was, “What version do you want?”
In the end, Mitnick walked away with the source code by doing nothing more than calling a few people at Motorola.
When Mat Honan lost control of his computer, phone, Google account, Twitter account, and more, it was not the result of clever computer intrusion. It was the result of clever social engineering.
> At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his Me.com e-mail — which, of course, was my Me.com e-mail.
>
> In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.
After that, Honan’s devices and accounts fell like dominoes as the hacker used Honan’s Apple account to reset passwords, take over accounts and wipe them, and expose the biggest flaw in any security scheme: humans.
So while you are obsessing about whether or not your cloud storage is secure, how much more at risk are your client files from someone who walks in the front door of your office? How hard would it be for someone to call your office and obtain confidential information by posing as a former client, opposing counsel, or substituting counsel?
Don’t ignore cloud security, but don’t forget to protect the easy way in.
- 2013-08-15. Originally published.
- 2014-10-31. Updated and republished.