Monday, November 26, 2007

Chapter 16-The End

The final chapter is now history and I feel that it was a good way to end the book. The part that I found the most interesting from this final chapter was the fact that most companies never report any social engineering attacks, yet they happen all the time. What Mitnick said was true: if word of these attacks spread, it could ruin the company. The public reaction to these attacks could end up being more harmful than the attack itself. After all, who would want to do business with a company that cannot guarantee that your information is secure? For example, if a scam became public at a company like America Online and even just one customer’s personal information was compromised, I know I would think about switching providers. In today’s highly competitive corporate world, businesses cannot afford to take chances on possibly losing the trust of their customers. Mitnick closes out the book by illustrating different procedures and policies that may be effective in preventing most scams.

I agree with some of the other bloggers in my group that this book could have been a little shorter. Some of the social engineering scams became repetitive, but now that I think about it, perhaps that was the point. While reading Mitnick’s tips towards the end of each chapter I found myself actually predicting what he was going to say. By hammering his message into the reader’s head for 16 chapters, it would be hard to forget what he taught us in this book. Overall, I think that this book is a must read for whoever is in charge of security procedures at any company, no matter how small. While these scams cannot be stopped completely, they can be greatly reduced by listening to Mitnick’s message.

Chapter 15

This chapter takes all of the lessons learned so far in the book and begins to tie them all together. The main point is that there is no technology out there that a manager can go out and purchase that will protect his/her company 100%. While Mitnick admits that technology can help to reduce your risk of becoming a victim of social engineering attacks, he suggests that the best way to protect yourself or your company is through a comprehensive training program. While this may seem obvious to most of us, I’m sure that there are plenty of business owners out there that feel secure because their company has passwords protecting their computers or has unlisted phone numbers to secure departments. The truth is that no technology is a match for the human brain, and when the human brain is used to deceive others, it is extremely hard to stop.

Testing is something else that Mitnick suggests to ensure that employees are on top of possible security breaches. I feel that this is the only way to ensure that employees are up to date and paying attention to the material which is being taught to them during the aforementioned training program. Like the MBA student who only bothers remembering something if it is going to be on the test, employees often are only concerned with what they will be evaluated on. By continuously testing employees on the proper security procedures, you will be able to see where the weak links in your organization are and help them to improve. All it takes is for one employee to doze off during their security training to leave an opening for a social engineer. In my opinion, testing will expose this and eliminate the threat.

Chapter 14

I really enjoyed reading this chapter. The first thing that stood out to me was that it didn’t make sense that the company that stored the files for the pharmaceutical company in the first example did not have an alarm. In the example the private investigator gained access to the building where the files were kept simply by picking a lock. It seems to me that a company that specializes in storing valuable content (evidenced by the password system they have in place to retrieve files) should have an alarm system. The second useless fact that stood out to me was the fact that the con man in the second example supposedly only spent $150 on taking several employees of the robotics company to lunch at the “best restaurant in town.” Not only did they eat lunch, but he paid for drinks too! I think the real con is how he got away with only spending $150.

This chapter showed some more aspects and techniques of social engineering. I really feel that it takes more skill to pull something off like in the second example (the lunch). With the phone scams, the social engineer can always hang up if someone catches on. When you are physically in someone else’s office, the situation is not as easy to back out of. I guess the lesson learned here is if a well dressed handsome man shows up unannounced and tries to wine and dine you, you better think twice.

Sunday, November 25, 2007

Chapter 13

I’ll be the first to admit when I’m wrong. For one of the first chapters in the book, I wrote a post talking about how dumb companies were for not investing in caller ID in order to prevent these social engineering scams. Well, I have now learned from this chapter that these “phone phreaks,” as they’re called, can program the caller ID to show whatever number they want it to. So if they call you claiming to be President Bush, your caller ID will show the call coming from the White House, which is pretty scary. So ignore what I said in my previous post: caller ID will not help.

Mitnick explains later on in the chapter that there is a service called ANI which is a lot more reliable than caller ID. However, in my opinion it is only a matter of time before someone figures out how to manipulate that as well. Before reading this book I never knew that it was possible to manipulate the phone company in so many ways. What I have learned so far is that pretty much nothing that you hear or see can be verified 100%. All you can do as a manager is train your employees the best you can for basic security operations and show them plenty of examples such as the ones in this book.

Chapter 12

First we learned about how social engineers like to prey on new employees; now we see that entry-level employees are also major targets. This is a major problem for companies. Entry-level employees are paid less than others and usually have the least amount of education; however, their jobs are arguably some of the most important. Low-level employees are usually the ones who come into contact with the customers. For example, at a restaurant the waiters have total control over the experience that the guest has. The owner of the restaurant can plan all they want; however, if a guest has a rude/inept waiter they will have a bad experience. This holds true in terms of information as well. These low-level employees often have clearance to information that is just as valuable as what managers have.

In order for a company’s security to be comprehensive it has to stretch across the entire organizational chart. ALL employees need to be properly trained and educated in the company’s security policy. Like the example with the security guard showed, even someone at the bottom of the food chain in the organization can have a profound impact. Management needs to pay more attention to these “low-level” employees because, in my opinion, they are the lifeblood of the organization.

Chapter 11

Chapter 11 shows more of the technical side of social engineering. Here we see that there is sometimes a lot more involved in these schemes than just being friendly on the phone. The first example showed how one person was able to mess around with phone lines so he was able to talk to a partner of his in jail. By combining extensive knowledge of phone companies with social engineering skills he found out what area of the prison his friend was in, and arranged a time they could talk privately on the phone. To me, if this guy was really that good he would have tricked the guards into letting his friend go free!

The chapter continues with an explanation of how computer hackers were able to once again combine social engineering tactics with knowledge of hacking to find valuable information on a video game. While someone who possesses skills in one specific area can be effective, the well rounded social engineer (quick thinking on the phone as well as strong technically) is truly hard to stop. When you combine the techniques we learned about in previous chapters (name dropping, using lingo) with the skills that were talked about in chapter 11 (hacking, phone skills) the social engineer becomes much more effective.

Chapter 10

This chapter was pretty interesting because it started off with an example that didn’t immediately involve a phone call! The example of the teenagers who snuck into the helicopter plant was pretty interesting although I would personally never take that risk just to “see if I could do it.” I guess that is what separates the social engineer from the normal person. These social engineers seem to take pride in what they do and that is probably why they are so good at it. As I read on I also found the dumpster diving example to be interesting and honestly something that I had never thought of before.

Usually when you see someone digging through trash you figure that they are homeless and trying to find some food/clothes. Typically you do not think that the person wading through your trash could be looking for information that could be quite valuable. I never knew that the FBI also used this technique to take down some pretty high profile criminals in the past. This example makes a paper shredder seem like a rather inexpensive preemptive measure that a business can take in protecting their information. You never know who will take a dive in the dumpster for some info!

Chapter 9

I want to point out that I agree with a post Jenna made in her blog about the novel starting to get a bit repetitive. We’ve read scam after scam and after a while it gets a little boring. Anyways enough complaining, on to the review.

I feel that some of the wording in this chapter is misleading. This chapter talked about “cops as dupes,” basically illustrating how the social engineer would easily “scam” police officers. To make a long story short, the social engineer manipulated the DMV’s phone lines so calls from the police would go to the social engineer’s cell phone rather than the DMV. When the social engineer would pick up he would say, “DMV, how may I help you?” I don’t think it’s fair to say the cops got tricked. I mean, how are they supposed to know the DMV number they dialed actually went to someone pretending to be a DMV agent? This scam is impossible to detect and in my opinion the police are doing nothing wrong. Imagine if you called Pizza Hut, they answered, took your order, then you gave them your credit card number. Would you be considered irresponsible if someone manipulated the phone lines? I think not! Anyways, it’s a good scam, but to say “cops as dupes” is misleading.

Wednesday, November 21, 2007

Chapter 8

This chapter showed me that there is no such thing as “going too far” for the social engineer. The example of impersonating a police officer was both shocking and scary. Another scary part of this chapter dealt with a stalker ex-girlfriend who found her ex-boyfriend’s unpublished telephone number. It blew my mind that she went through this whole scam just so she could call his house. The advice I have for her is: obviously he doesn’t want to be with you, so leave him alone and stop being a stalker! With that Dr. Phil moment out of the way, I really thought the “name dropping” example was a great part of this chapter.

Most employees are so scared of losing their jobs that they will do anything to please their supervisor and not draw attention to themselves. By mentioning a supervisor’s name, most employees will be scared to upset that person. This reminds me of The Lion King when the hyenas would say the name “Mufasa” then shiver in fear. By dropping the name of a supervisor the employee feels compelled to give you what you want. It’s almost like by using the name, you are granted the authority of that person (funny how that works). What I learned from this example is that names should be ignored and the request should only be granted if it is right to do so. I’m sure that even if the boss did request the information, he/she would be proud that you tried to protect the company and refused to give out the information.

Chapter 7

I personally enjoyed this chapter the most up to this point in the book. So far most of these social engineering scams seemed so distant and really did not “hit home.” Since I have never held a serious position (just internships) with a company, these scams were something that I would read about and keep in mind; however, they were something that I had never previously witnessed. The example of the fake e-mail from PayPal in this chapter is something that I have seen and experienced. Like I mentioned in a previous post, for people that do not know a lot about the internet and computers (like some older Americans) these types of attacks can be especially harmful. I receive periodic e-mails from places such as “Bank of America” with subject lines such as “Mr. Jacobs, we have problems with your account.” Now I don’t even have an account with Bank of America, so it’s easy to spot the scam. However, for people that did have an account, it would force them to at least open the mail.

Using computers and the internet practically my whole life, I am able to spot a fake website by looking at the address. Some people that are not that familiar with the internet, would have no idea and just click on the link and fall into the trap. These types of scams are dangerous and hurt e-commerce by giving people a reason to think twice about doing business online. The government really needs to step up efforts along with businesses to stop these attacks before e-commerce is put in jeopardy.
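The trick behind the fake PayPal and “Bank of America” e-mails above is usually the gap between the link text a reader sees and the address the link actually opens. As an added example (this is not code from the blog or from Mitnick’s book), here is a small Python check that pulls every link out of an HTML e-mail body and flags the common deceptions: visible text that names one host while the href points at another, a brand name buried as a subdomain of an unrelated domain, a `user@host` prefix that hides the real host, and a raw IP address in place of a hostname. The sample message, the brand list and the “last two labels” rule for the registrable domain are assumptions made for illustration only; real tooling should use the Public Suffix List (so that `example.co.uk` is handled correctly).

```python
"""Flag deceptive links in an HTML e-mail body (added example, not from the book)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the reader expects to see. Constructed list for this example.
KNOWN_BRANDS = {"paypal.com", "bankofamerica.com"}

# Constructed sample e-mail: one genuine link per brand, plus three phishing-style links.
SAMPLE_EMAIL = """
<p>Mr. Jacobs, we have problems with your account.</p>
<a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a>
<a href="http://www.paypal.com.account-verify.example/login">https://www.paypal.com/</a>
<a href="https://paypal.com@198.51.100.7/">Verify now</a>
<a href="https://www.bankofamerica.com/help">Contact us</a>
"""


def registrable_domain(host):
    """Crude registrable domain: the last two DNS labels.
    Assumption for the example; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text):
    """Return a list of reasons the link looks deceptive (empty list = nothing found)."""
    reasons = []
    parsed = urlparse(href or "")
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return [f"non-web scheme {parsed.scheme!r}"]
    if parsed.username is not None:
        # https://paypal.com@198.51.100.7/ really connects to 198.51.100.7
        reasons.append("credentials (user@) in URL hide the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    actual = registrable_domain(host)
    # 1. The visible text looks like a URL or hostname but the href goes elsewhere.
    shown = text.strip()
    if shown.startswith(("http://", "https://")) or ("." in shown and " " not in shown):
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != actual:
            reasons.append(f"text shows {shown_host} but link goes to {host}")
    # 2. A known brand appears inside a host whose registrable domain is someone else's.
    for brand in KNOWN_BRANDS:
        if brand in host and actual != brand:
            reasons.append(f"brand {brand} embedded in unrelated domain {actual}")
    return reasons


def scan_email(html):
    """Return [(href, reasons)] for every link in the message body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, classify_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons) if reasons else "no finding")
```

Running it on the constructed message leaves the two genuine links clean, flags the `paypal.com.account-verify.example` link twice (mismatched text and embedded brand), and flags the `paypal.com@198.51.100.7` link for both the hidden host and the raw IP. The check deliberately reasons about the registrable domain rather than the full hostname, because `www.paypal.com` and `paypal.com.evil.example` share a prefix but not an owner.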

Chapter 6

The concept of “speakeasy” security is one that I previously had not thought of. This chapter showed that in some cases if you can just find the phone number, or website you will have full access to whatever information you need. When certain phone numbers are not listed to the public, the person answering the call automatically assumes that you have proper clearance. It is this assuming that gets people into trouble. In one of my high school classes my teacher always used to say that when you assume you make an “ass out of you and me.” This play on words sounded funny to me at the time however it couldn’t be more truthful. If employees would not take shortcuts in doing their jobs and demand verification from everyone calling that particular number these attacks would be stopped.

The blame might not rest entirely on the employees’ shoulders. Perhaps management is too shortsighted to place the proper importance on security. If management is just stressing productivity, it could lead to situations like what was outlined in this chapter. It’s too easy for someone to stumble upon a “secret” phone number or something of the like. Security must be enforced no matter how mundane the process.

Chapter 5

This chapter reminded me of an episode of a favorite show of mine, Curb Your Enthusiasm. There was an example in the book of how the social engineer caused a problem, and then fixed the problem, in order to build trust with his victim. In the episode of Curb, the main character, Larry David, wants to get back together with his wife, who recently left him. The only problem is that she takes advice from her psychologist, who thinks it’s a bad idea for her to get back together with Larry. So now Larry must think of a way to get the psychologist to like him. He decides to have a friend of his pretend to steal the psychologist’s purse while Larry would be waiting behind a tree to pop out, stop the thief and return the purse to the grateful psychologist. Larry set up this whole burglary in order to gain the trust of someone that he needed.

Although in the episode the plan doesn’t work, obviously these types of scams work all the time in the social engineering world. These types of attacks seem hard to stop and I’m not really sure how to protect against them. You must be suspicious of those that seem to pop up immediately after something bad happens. Kind of like in the Godfather when before Don Corleone died he warned his son Michael that the first one to approach him at the funeral would be the traitor.

Chapter 4

I feel that this chapter pointed out something very important in terms of information security. The example of the father refusing to believe that his son could retrieve his credit card number provides some insight as to why these social engineering scams are so dangerous. The father in the story had so much confidence that the company would not reveal his credit card number; he was even willing to bet money on it! I think this example shows the presence of a generational gap in terms of security beliefs. I feel that older Americans (not in the IT field) are so trusting in these companies and their “secure” technologies that they put themselves at risk.

Further, most older people are more vulnerable to these attacks due to the fact they don’t realize what someone could do with this type of information. For example, my dad knows how to turn on his computer and look at web pages, and that is it. It would be easy for someone to trick him at work by throwing out some jargon, and he would have no idea it was a scam. In other areas he would be impossible to trick (he’s a lawyer); it’s just that computers are a new thing to him, and unlike our generation he was not brought up with them. I feel that our generation will be a little more savvy to these types of threats.