THE ART OF DECEPTION
Controlling the Human Element of Security
KEVIN D. MITNICK & William L. Simon


Publisher: Robert Ipsen
Editor: Carol Long
Developmental Editor: Nancy Stevenson
Managing Editor: John Atkins
Interior Design: Marie Kristine Parial-Leonardo
Text Design & Composition: Wiley Composition Services
Chart Design: Stacey Kirkland

Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where Wiley Publishing, Inc., is aware of a claim, the product names appear in initial capital or ALL CAPITAL LETTERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration.

This book is printed on acid-free paper.

Copyright 2002 by Kevin D. Mitnick. All rights reserved.

Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, Email: [email protected].

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

ISBN: 0-471-23712-4

Printed in the United States of America


For Reba Vartanian, Shelly Jaffe, Chickie Leventhal, and Mitchell Mitnick, and for the late Alan Mitnick, Adam Mitnick, and Jack Biello

For Arynne, Victoria, and David, Sheldon, Vincent, and Elena


Social Engineering

Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.


Contents

Foreword vii
Preface ix
Introduction xv
Part 1 Behind the Scenes 1
Chapter 1 Security's Weakest Link 3
Part 2 The Art of the Attacker 13
Chapter 2 When Innocuous Information Isn't 15
Chapter 3 The Direct Attack: Just Asking for It 31
Chapter 4 Building Trust 41
Chapter 5 Let Me Help You 55
Chapter 6 Can You Help Me? 77
Chapter 7 Phony Sites and Dangerous Attachments 93
Chapter 8 Using Sympathy, Guilt, and Intimidation 105
Chapter 9 The Reverse Sting 133
Part 3 Intruder Alert 147
Chapter 10 Entering the Premises 149
Chapter 11 Combining Technology and Social Engineering 173
Chapter 12 Attacks on the Entry-Level Employee 195
Chapter 13 Clever Cons 209
Chapter 14 Industrial Espionage 225
Part 4 Raising the Bar 243
Chapter 15 Information Security Awareness and Training 245
Chapter 16 Recommended Corporate Information Security Policies 259
Security at a Glance 331
Sources 339
Acknowledgments 341
Index 347

Foreword

We humans are born with an inner drive to explore the nature of our surroundings. As young men, both Kevin Mitnick and I were intensely curious about the world and eager to prove ourselves. We were rewarded often in our attempts to learn new things, solve puzzles, and win at games. But at the same time, the world around us taught us rules of behavior that constrained our inner urge toward free exploration. For our boldest scientists and technological entrepreneurs, as well as for people like Kevin Mitnick, following this inner urge offers the greatest thrills, letting us accomplish things that others believe cannot be done.

Kevin Mitnick is one of the finest people I know. Ask him, and he will say forthrightly that what he used to do, social engineering, involves conning people. But Kevin is no longer a social engineer. And even when he was, his motive never was to enrich himself or damage others. That's not to say that there aren't dangerous and destructive criminals out there who use social engineering to cause real harm. In fact, that's exactly why Kevin wrote this book: to warn you about them.

The Art of Deception shows how vulnerable we all are (government, business, and each of us personally) to the intrusions of the social engineer. In this security-conscious era, we spend huge sums on technology to protect our computer networks and data. This book points out how easy it is to trick insiders and circumvent all this technological protection.

Whether you work in business or government, this book provides a powerful road map to help you understand how social engineers work and what you can do to foil them. Using fictionalized stories that are both entertaining and eye-opening, Kevin and coauthor Bill Simon bring to life the techniques of the social engineering underworld. After each story, they offer practical guidelines to help you guard against the breaches and threats they've described.

Technological security leaves major gaps that people like Kevin can help us close. Read this book and you may finally realize that we all need to turn to the Mitnicks among us for guidance.

Steve Wozniak

Preface

Some hackers destroy people's files or entire hard drives; they're called crackers or vandals. Some novice hackers don't bother learning the technology, but simply download hacker tools to break into computer systems; they're called script kiddies. More experienced hackers with programming skills develop hacker programs and post them to the Web and to bulletin board systems. And then there are individuals who have no interest in the technology, but use the computer merely as a tool to aid them in stealing money, goods, or services.

Despite the media-created myth of Kevin Mitnick, I am not a malicious hacker.

But I'm getting ahead of myself.

STARTING OUT

My path was probably set early in life. I was a happy-go-lucky kid, but bored. After my father split when I was three, my mother worked as a waitress to support us. To see me then (an only child being raised by a mother who put in long, harried days on a sometimes-erratic schedule) would have been to see a youngster on his own almost all his waking hours. I was my own babysitter.

Growing up in a San Fernando Valley community gave me the whole of Los Angeles to explore, and by the age of twelve I had discovered a way to travel free throughout the whole greater L.A. area. I realized one day while riding the bus that the security of the bus transfer I had purchased relied on the unusual pattern of the paper-punch that the drivers used to mark day, time, and route on the transfer slips. A friendly driver, answering my carefully planted question, told me where to buy that special type of punch.

The transfers are meant to let you change buses and continue a journey to your destination, but I worked out how to use them to travel anywhere I wanted to go for free. Obtaining blank transfers was a walk in the park.

The trash bins at the bus terminals were always filled with only-partly-used books of transfers that the drivers tossed away at the end of their shifts. With a pad of blanks and the punch, I could mark my own transfers and travel anywhere that L.A. buses went. Before long, I had all but memorized the bus schedules of the entire system. (This was an early example of my surprising memory for certain types of information; I can still, today, remember phone numbers, passwords, and other seemingly trivial details as far back as my childhood.)

Another personal interest that surfaced at an early age was my fascination with performing magic. Once I learned how a new trick worked, I would practice, practice, and practice some more until I mastered it. To an extent, it was through magic that I discovered the enjoyment in gaining secret knowledge.

From Phone Phreak to Hacker

My first encounter with what I would eventually learn to call social engineering came about during my high school years when I met another student who was caught up in a hobby called phone phreaking. Phone phreaking is a type of hacking that allows you to explore the telephone network by exploiting the phone systems and phone company employees. He showed me neat tricks he could do with a telephone, like obtaining any information the phone company had on any customer, and using a secret test number to make long-distance calls for free. (Actually it was free only to us. I found out much later that it wasn't a secret test number at all. The calls were, in fact, being billed to some poor company's MCI account.)

That was my introduction to social engineering, my kindergarten, so to speak. My friend and another phone phreaker I met shortly thereafter let me listen in as they each made pretext calls to the phone company. I heard the things they said that made them sound believable; I learned about different phone company offices, lingo, and procedures. But that training didn't last long; it didn't have to. Soon I was doing it all on my own, learning as I went, doing it even better than my first teachers.

The course my life would follow for the next fifteen years had been set.

In high school, one of my all-time favorite pranks was gaining unauthorized access to the telephone switch and changing the class of service of a fellow phone phreak. When he'd attempt to make a call from home, he'd get a message telling him to deposit a dime because the telephone company switch had received input that indicated he was calling from a pay phone.

I became absorbed in everything about telephones, not only the electronics, switches, and computers, but also the corporate organization, the procedures, and the terminology. After a while, I probably knew more about the phone system than any single employee. And I had developed my social engineering skills to the point that, at seventeen years old, I was able to talk most telco employees into almost anything, whether I was speaking with them in person or by telephone.

My much-publicized hacking career actually started when I was in high school. While I cannot describe the detail here, suffice it to say that one of the driving forces in my early hacks was to be accepted by the guys in the hacker group.

Back then we used the term hacker to mean a person who spent a great deal of time tinkering with hardware and software, either to develop more efficient programs or to bypass unnecessary steps and get the job done more quickly. The term has now become a pejorative, carrying the meaning of malicious criminal. In these pages I use the term the way I have always used it: in its earlier, more benign sense.

After high school I studied computers at the Computer Learning Center in Los Angeles. Within a few months, the school's computer manager realized I had found a vulnerability in the operating system and gained full administrative privileges on their IBM minicomputer. The best computer experts on their teaching staff couldn't figure out how I had done this. In what may have been one of the earliest examples of "hire the hacker," I was given an offer I couldn't refuse: Do an honors project to enhance the school's computer security, or face suspension for hacking the system. Of course, I chose to do the honors project, and ended up graduating cum laude with honors.

Becoming a Social Engineer

Some people get out of bed each morning dreading their daily work routine at the proverbial salt mines. I've been lucky enough to enjoy my work. In particular, you can't imagine the challenge, reward, and pleasure I had in the time I spent as a private investigator. I was honing my talents in the performance art called social engineering (getting people to do things they wouldn't ordinarily do for a stranger) and being paid for it.

For me it wasn't difficult becoming proficient in social engineering. My father's side of the family had been in the sales field for generations, so the art of influence and persuasion might have been an inherited trait. When you combine that trait with an inclination for deceiving people, you have the profile of a typical social engineer.

You might say there are two specialties within the job classification of con artist. Somebody who swindles and cheats people out of their money belongs to one sub-specialty, the grifter. Somebody who uses deception, influence, and persuasion against businesses, usually targeting their information, belongs to the other sub-specialty, the social engineer. From the time of my bus-transfer trick, when I was too young to know there was anything wrong with what I was doing, I had begun to recognize a talent for finding out the secrets I wasn't supposed to have. I built on that talent by using deception, knowing the lingo, and developing a well-honed skill of manipulation.

One way I worked on developing the skills of my craft, if I may call it a craft, was to pick out some piece of information I didn't really care about and see if I could talk somebody on the other end of the phone into providing it, just to improve my skills. In the same way I used to practice my magic tricks, I practiced pretexting. Through these rehearsals, I soon found that I could acquire virtually any information I targeted.

As I described in Congressional testimony before Senators Lieberman and Thompson years later:

I have gained unauthorized access to computer systems at some of the largest corporations on the planet, and have successfully penetrated some of the most resilient computer systems ever developed. I have used both technical and nontechnical means to obtain the source code to various operating systems and telecommunications devices to study their vulnerabilities and their inner workings.

All of this activity was really to satisfy my own curiosity; to see what I could do; and find out secret information about operating systems, cell phones, and anything else that stirred my curiosity.

FINAL THOUGHTS

I've acknowledged since my arrest that the actions I took were illegal, and that I committed invasions of privacy.

My misdeeds were motivated by curiosity. I wanted to know as much as I could about how phone networks worked and the ins-and-outs of computer security. I went from being a kid who loved to perform magic tricks to becoming the world's most notorious hacker, feared by corporations and the government. As I reflect back on my life for the last 30 years, I admit I made some extremely poor decisions, driven by my curiosity, the desire to learn about technology, and the need for a good intellectual challenge.

I'm a changed person now. I'm turning my talents and the extensive knowledge I've gathered about information security and social engineering tactics to helping government, businesses, and individuals prevent, detect, and respond to information-security threats.

This book is one more way that I can use my experience to help others avoid the efforts of the malicious information thieves of the world. I think you will find the stories enjoyable, eye-opening, and educational.