Low-tech break-ins a big problem
By Jim Kerstetter, 
PC Week Online 
July 31, 1998 4:04 PM PT

LAS VEGAS --- It took only four days of fast talking for security expert
Ira Winkler to make a bank's three firewalls irrelevant. 

Winkler's relatively easy break-in to the unnamed bank, which relied more
on bluffing, or "phreaking," than technology, underscored one of the
themes at this week's Black Hat Briefings '98 conference here:  Technology
is only a part-perhaps the smaller part-of the battle for information
security. 

"bluffing" or "phreaking"? Phreaking is a term used to describe
the 'hacking' of phone systems, or manipulation of phone networks. "Bluffing"
is more in tune with "social engineering".

As such, security experts here implored companies to focus less on
technological solutions to information security and instead to implement
plans to stop the skilled saboteur who relies on guile and the fallibility
of employees. 

Don't overlook the human factor

Security policies, deciding who has access to what, knowing how to use the
security tools already in place and common sense are the best ways to stop
the Huns at the gate, the experts said. Ignore the human element, and all
the unbreakable encryption, firewalls and sophisticated public-key
infrastructures are useless.

Case in point: Winkler's recent bank "attack," in which he was hired to
test the bank's security. The bank had three firewalls and was not easy to
break into electronically. 

So Winkler picked up a telephone book. He also did some research on the
Web, discovering the bank's domain and other Internet address information
left on Usenet groups. 

A few simple phone calls

He called an executive's secretary and told her he was from human
resources and working on a newsletter that planned to feature the
executive. He pumped her for the executive's background and, eventually,
his employee ID number. 

 Winkler noticed in classified ads that the bank was hiring a lot of
people, so he called the "new employee" office. Posing as the executive
whose secretary he'd spoken with two days earlier, he tricked someone
there into reading him a list of new hires and their employee ID numbers
over the telephone. 

The next day he called those new hires and, posing as someone from IS,
tricked them into giving up their log-ons, user IDs and, ultimately, their
passwords. Seventy-three people took the bait. 

With that information in hand, the only equipment Winkler needed was a PC
with a modem. "Someone said I would have had the capability to make $2
million transactions," he said. 

Feeling useless

Some Black Hat attendees listening to Winkler's talk were horrified. "It
makes me feel kind of useless, to be honest with you," said one network
administrator from an East Coast bank. 

Black Hat attendees were horrified? Then "network administrator"?
Is that to say they are the same? I think the writer is confusing terms again.

The amount of data a thief conducting a "social engineering attack" can
steal often depends on skill at bluffing. Technology has little to do with
it, said Jeff Moss, director of security assessment services at Secure
Computer Corp., in Roseville, Minn. Moss is also the founder of the Black
Hat conference and its bad-boy sibling, the Def Con hackers' conference. 

"I've known some people who are excellent 'phone phreakers' but [who] can
barely boot up their computers," he said. 

But there are some things administrators can do. They can create and
enforce strict information management policies. They can train employees
on the dangers of phreakers and their ilk and warn them of the
consequences if they give up important information. 

Double checks

To ensure authentication, administrators should move to two-factor
authentication: any combination of passwords, digital certificates,
hardware tokens, smart cards and biometric devices. 

ID cards can also be used for different parts of the building. Someone
from the IS department, for example, should not be unaccompanied in the
accounting department. 

In the end, the best prevention is common sense.

For example, administrators and employees should take important schematics
off the walls. Make sure management charts and employee directories don't
get into the wrong hands. And make sure that if users leave their desks
they have some sort of automatic lock-out, such as a low-cost screen saver
with a password. 

"Sweat the small stuff," Winkler said. "That's what costs us billions."