Saturday, May 10, 2014

Prevention and Mitigation of Social Engineering Attacks


Sometimes after I give a speech or security training, people will look very paranoid and scared and say something like, “It just seems there is no hope to even attempt security. How do I do it?”

That is a good question. I promote having a good disaster-recovery plan and incident response plan because nowadays it seems that it is not a matter of “if” you will get hacked, but “when.” You can take precautions to give you at least a fighting chance at security.

Social engineering mitigation is not as easy as ensuring hardware security. With traditional defensive security you can throw money into intrusion detection systems, firewalls, antivirus programs, and other solutions to maintain perimeter security. With social engineering no software systems exist that you can attach to your employees or yourself to remain secure.

Security awareness is not about a 40-, 60-, or 90-minute program once every year. It is about creating a culture or a set of standards that each person is committed to utilizing in his or her entire life. It is not just about work or websites deemed to be “important,” but it is the way one approaches being secure as a whole.

Top six steps I tell my clients they can take to prevent and mitigate social engineering attempts:


  1. Learning to identify social engineering attacks
  2. Creating a personal security awareness program
  3. Creating awareness of the value of the information that is being sought by social engineers
  4. Keeping software updated
  5. Developing scripts
  6. Learning from social engineering audits



Learning from Social Engineering Audits


If you have ever broken a limb you know that as you recover your doctor may send you for therapy. As therapists rehabilitate you, you may undergo some stress testing. This type of testing enables your doctors to see whether you have weaknesses that need to be strengthened. The same applies for your business, except instead of waiting for the “break” to occur before you “test,” social engineering audits enable you to stress-test your company before a breach occurs.

The following sections answer a few key questions when it comes to social engineering audits and how to choose the best auditor. Before getting into the depth of social engineering audits, you should know what an audit really is.

Understanding What a Social Engineering Audit Is

In the most basic terms a social engineering audit is where a security professional is hired to test the people, policies, and physical perimeter of a company by simulating the same attacks that a malicious social engineer would use. The main differences between a malicious social engineer and a professional auditor are:

  • Usually, moral and legal guidelines exist that a professional auditor will follow.
  • The goals of the professional auditor are always to help and not to embarrass, steal, or harm a client.
  • Professional audits generally have scope limitations that are not imposed upon real attackers.


The professional auditor will spend a lot of time analyzing and gathering data on a “target” or client and will use that information to develop realistic attack vectors. While doing this the professional auditor always keeps in mind the goals that are set forth in writing for each audit. This is an essential piece of the puzzle, because going down a path that can have very bad repercussions on both the SE and the target might be tempting. Clearly defined goals can keep a social engineering auditor from making that mistake.

Setting Audit Goals
The professional social engineer must engage in moral and ethical behavior while still stretching across that line that allows him or her to put on the true “black hat” of a malicious social engineer. This means taking note of things that he or she can use to gain access and expose a hole or weakness in a company’s defenses, no matter how low it may seem.

Finding the security gaps has to be balanced with a concern for the individual employees. Companies who are hacked with a social engineering audit often think that firing the employee(s) who fell for the attack fixes the problem and plugs the “hole.” What the client fails to realize is that after an audit, those employees who did fall for the attacks are probably the most secure people in the building at that time.
The professional social engineer must take extra precaution to ensure that the employees are not put into the line of fire. Personally I make it a key point to tell clients that the audit is not about the employees and, as far as I can help it, I do not include names of the employees who were used. In cases where that cannot be helped and I need to include those names, I focus the report on the flaws the company has in its training, policies, and defenses that allowed the employee to falter.

When outlining the goals of an audit, I rate the level of intensity from 0 to 10 for each of these key areas:

  • To determine whether employees will click on links in emails or open files from people they do not know well, leading to compromise
  • To determine whether an employee would go to a website and enter personal or business-related information on that site
  • To determine how much information can be obtained via the phone or in-person visits of employees at work or personal places (for example, bars, gyms, daycares)
  • To determine the level of security in the office perimeter by testing locks, cameras, motion sensors, and security guards
  • To determine the ability of a social engineer to create a malicious USB or DVD that will entice the employee to use it on his or her work computer, compromising the business


Of course, more areas will be tested, but what I try to do is outline closely the goals the company has for this audit. What I find is that companies often do not know what they want. The auditor’s job is to walk them through different avenues into the company and to determine which of those they want tested.

What Should and Should Not Be Included in an Audit
Many different ways exist to test the outlined goals and see clearly whether a security hole exists in a company. Using all the principles in this tutorial can help outline a good plan of attack. However, some things should be avoided when planning an attack, such as:

  • Attacking a target’s family or friends
  • Planting evidence of crimes or infidelity to discredit a target
  • Impersonating law enforcement, which, depending on the laws of the land, can be illegal
  • Breaking into a target’s home or apartment
  • Using evidence of a real affair or embarrassing circumstance to blackmail a target into compliance


Things like these should be avoided at all costs because they do not accomplish the goal and leave the target feeling violated. However, the question does come up about what to do if in an audit evidence appears of some of these things. Each auditor must personally decide how to handle these circumstances, but consider a couple of examples.

In one audit, an auditor found out an employee was using the company’s high-speed Internet to download gigabytes worth of porn to external hard drives. Instead of risking the employee’s getting fired he went to the employee and told him he knew, but he didn’t want him to get fired and just gave him a warning to stop. The employee became embarrassed and upset and figured the auditor was going to still report him. He decided he wanted to preemptively combat this attack and he went to the owners and said the auditor was planting evidence of this offense on his computer.

Of course, the auditor had logs and screenshots of when the compromise occurred and the employee was fired anyway. But the auditor was also reprimanded for not coming forward when he found an offense for which the company had a strict policy.

In another account, the auditor found evidence of a man downloading child pornography to his computer and then distributing it to others on the Internet. The auditor knew from the other images on his computer that he had a wife and children and that reporting this would lead to divorce, probably jail time, and the ruination of his career as well as the family’s life.

The law of the land was that child pornography was illegal, as well as morally disgusting and vile. The auditor turned the man in to the company as well as the authorities, which cost that man his career, family, and freedom.

Having a clearly defined “do not” list enhances your audits and keeps you from crossing your own moral and legal guidelines. In one interview I had with Joe Navarro, one of the world’s leaders on nonverbal communication, he made a statement about this point. He said that unless you are a law enforcement agent you have to decide what lines you will and will not cross before you enter into an engagement. With that in mind then what things should an auditor include in audits?

Phishing Attacks: Targeted email attacks that allow a company to see whether its employees are susceptible to attacks through email.

Pretexting In-Person Attacks: Very precise and controlled pretexts are chosen and then performed over the phone or in-person to determine whether employees will fall for them.

Baiting: An in-person attack where access is gained to the target’s building or other property by some method, and USB drives or DVDs containing files embedded with malicious code are dropped for employees to find.

Tailgating (or piggybacking): An in-person attack where the auditor attempts to approach a group of employees to gain access to the building by just following them in.

Physical Security (Red Team): An attempt to gain physical access to an office and take items of value to the company.

This short list can help a professional auditor set some guidelines to define what should and should not be included. Still, one of the largest problems many companies have is trying to pick out a good auditor, one who can accomplish these tasks at hand.

Choosing the Best Auditor

If you broke a limb and the damage was bad, and a doctor told you that you have a chance for only 50% recovery, but that going to see a good surgeon could increase those odds, wouldn’t you search high and low for a good surgeon to fix your problems? And when you found him, what questions would you ask? Wouldn’t you want to see his past work? You would want some proof of his ability to grasp the concepts and perform the tasks that would increase your chances of recovery.

You follow a similar process to find the right auditor. Here are some of the basics that you might want to find out as you speak to an auditor:

Knowledge: Has the team released any research, papers, speeches, or other materials that display they are knowledgeable about social engineering? Are they known in the community for being leaders in this field? You do not want to trust your audit and security to a team that is using outdated methods and is not up on the most recent tactics being used.

Determining the amount of knowledge an auditor and team has is hard to do without a little research. Asking auditors about any papers, articles, or information they have written on the topics is not a bad idea. Make sure the team you hire is at the top of its game.

Experience: Clients often do not want to be identified or named. In my case, many clients do not want to be put on a website or marketing material because they feel this will embarrass them or make them vulnerable. But you can determine the experience of the auditor in other ways. Ask him about the methods he has used and how he implemented solutions in the past.

An auditor often does not want to let all the secrets out of the bag in an initial meeting, but ask him for one or two accounts of attacks he launched, which will help you determine his level of skill.

Contract: Having the audit completely outlined and documented, with its limitations set in writing, can go a long way toward a successful audit.

Personally, I do not like to work with a ton of limitations because most malicious social engineers do not have any at all. But at least a small subset of rules written out on what is and is not allowed should be agreed upon.

A social engineer wants permission to record phone calls; video-record the building and interactions; and especially if an audit includes physical security, to have written permission to remove items from the premises. An auditor doesn’t want to finish the audit just to be presented with a warrant or a lawsuit.


Also designate an emergency contact person who knows about the audit and can vouch for the auditor and team. If an auditor finds himself in a legal jam he’ll want a number to call. No one wants to be performing a late-night dumpster dive to be met by the police and have to sit the night in jail. Having a contact person provides a “get out of jail free” card and can save a lot of hassle in the long run.

Developing Scripts


One more beneficial thing bears mentioning: develop scripts. Don’t cringe; I don’t mean scripts in the sense that the employee must say X if a situation equals A plus B. I am talking about outlines that help an employee be prepared to use critical thinking when it counts the most. Consider these scenarios:

What is the proper response when someone who claims to work for the CEO calls and demands your password? What do you do when a guy who has no appointment but looks and acts the part of a vendor demands access to a part of the building or property?

Scripts can help an employee determine the proper response during these circumstances and help them feel at ease. For example, a script may look like this:

If someone calls and claims to be from the management office and demands that you hand over information or internal data, follow these steps:

  1. Ask for the person’s employee ID number and name. Do not answer any questions until you have this information.
  2. After getting the identifying information, ask for the project ID number related to the project he or she is managing that requires this information.
  3. If the information in steps 1 and 2 is successfully obtained, comply. If it’s not, ask the person to have his or her manager send an email to your manager requesting authorization and terminate the call.



A simple script like this can help employees know what to say and do in circumstances that can try their security consciousness.

Keeping Software Updated


In our contest, more than 60% of the companies that were called were still using Internet Explorer 6 and Adobe Acrobat 8. Those are staggering statistics.

Dozens if not hundreds of public vulnerabilities exist in those two applications alone. Knowing that a target uses those two applications opens them up to an enormous number of attacks that can be so malicious that all the IDSs, firewalls, and antivirus systems cannot possibly stop them. But do you know what can stop them?

The answer is updates. The newest versions of software generally have patched their security holes, at least the majority of them. If a particular piece of software has a horrible track record, don’t use it; switch to something less vulnerable.

In the contest calls, if an employee divulged that the company used Firefox, Chrome, or another secure browser, or Foxit or the most up-to-date Adobe software, contestants would have been shut down. I am not saying those pieces of software do not experience any problems at all. Exploits for certain versions certainly exist, but this software is significantly less vulnerable. The possession of that information is still valuable, but if no exploits are available then the next phase of the attack cannot be launched.
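The point of the passage is that knowing a version number is only useful to an attacker when that version is behind on patches, so the defender's job is to know where old versions still live. As an added example (not from the original text), here is a small Python check that runs over a software inventory export and flags installations below a patch baseline. The inventory lines, host names and baseline version floors are constructed for illustration; the products and floors are assumptions, not vendor lifecycle data.

```python
"""Flag installed software that falls below a patch baseline.

Added example, not from the original text. The inventory export and the
baseline versions below are constructed for illustration only.
"""
import re
from typing import Dict, List, Tuple

# Constructed baseline: the oldest version still accepted for each product.
# In practice these floors come from the vendor's support-lifecycle data.
BASELINE: Dict[str, str] = {
    "Internet Explorer": "11.0",
    "Adobe Acrobat": "11.0",
    "Mozilla Firefox": "29.0",
}

# Constructed inventory export: one "product,version,host" record per line.
SAMPLE_INVENTORY = """\
Internet Explorer,6.0.2900,ws-0142
Adobe Acrobat,8.1.2,ws-0142
Mozilla Firefox,29.0.1,ws-0203
Internet Explorer,11.0.9600,ws-0203
Adobe Acrobat,11.0.07,ws-0203
Unknown Viewer,1.0,ws-0207
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.1.2' into (8, 1, 2) so versions compare numerically.

    A plain string comparison would rank '8.1.2' above '11.0' because
    '8' > '1' as characters; tuples of ints avoid that trap.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(installed: str, minimum: str) -> bool:
    """True when the installed version is older than the baseline floor."""
    return parse_version(installed) < parse_version(minimum)


def audit_inventory(inventory: str, baseline: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per record that is outdated or not covered by the baseline.

    Products missing from the baseline are reported too: software nobody
    tracks is exactly the software that never gets patched.
    """
    findings: List[Dict[str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        product, version, host = (field.strip() for field in line.split(",", 2))
        minimum = baseline.get(product)
        if minimum is None:
            findings.append({"host": host, "product": product, "version": version,
                             "status": "not-in-baseline"})
        elif is_outdated(version, minimum):
            findings.append({"host": host, "product": product, "version": version,
                             "status": "outdated", "minimum": minimum})
    return findings


def outdated_hosts(inventory: str = SAMPLE_INVENTORY,
                   baseline: Dict[str, str] = BASELINE) -> List[str]:
    """Sorted list of hosts with at least one outdated product."""
    return sorted({f["host"] for f in audit_inventory(inventory, baseline)
                   if f["status"] == "outdated"})


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY, BASELINE):
        print(finding)
```

Run against the constructed export, the check reports the IE 6 and Acrobat 8 installs on `ws-0142` as outdated and the untracked viewer on `ws-0207` as not covered by any baseline; the hosts running current versions produce no findings. The numeric version comparison matters: a naive string sort would call version 8 newer than version 11 and hide exactly the machines the contest calls found.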

Keeping software updated is the one tip that seems to get the most flak because it takes the most work and can cause the most overhead.

Changing internal policies and methodologies that allow very old software to still be in play can be very difficult and cause all sorts of internal shifts.


However, if a company is committed to security and committed to creating a personal security awareness then committing to these changes will become part of the business culture.

Being Aware of the Value of the Information You Are Being Asked For



Before giving out information to someone, determine whether the person who is calling or interacting with you deserves it. Humans have this built-in desire to want to help and to be helpful to those whom we perceive need it. It is a major way a social engineer manipulates a target into handing over valuable information. Analyzing the person with whom you are interacting and determining whether she deserves the information she is asking for can save you the embarrassment and damage of falling victim.

For example, in the social engineering contest at Defcon one contestant had a pretext that he was a customer of a major antivirus company. He called in with a serious problem: his computer couldn’t get online and he felt it was due to something the antivirus was doing, and he wanted the technical support representative to do one simple thing, browse to a website.

Malicious SEs often use this attack vector. By driving a victim to a website embedded with malicious code or malicious files they can gain access to a target’s computer and network. In the case of the contest, the website was not malicious at all, but it was to show that if this were a malicious attack it would have been successful.

The first attempt was laid out like this by the contestant: “I cannot browse to my website and I think your product is blocking me. Can you check by going to this site so I know for sure whether it is your software or not?”

The technical support representative answered well by saying, “Sir, our product would not block you from going to that site; it wouldn’t matter if I can go there or not.” He declined the request.

The contestant did not give up there; after talking a bit more he again tried, “I know you said your product would not block the site, but it worked until I installed your software, so can you please check for me?”

Again he was declined his request: “Sir, I am sorry for that inconvenience but again our product would not block you and my going to the site will not help you fix the problem.”

It seemed as if the request was going to be rejected for good when the contestant tried one last-ditch effort and said, “Sir, it would make me feel better if you would just try going to this site for me. Please, can you help me out?”

This simple request put our technical support rep over the edge and he opened his browser and went right to the site. He had the right idea, he even had the right security awareness answer, but in the end he wanted his “customer” to “feel better” and honored his request. This could have led that company to a major pitfall if it were a malicious attack.

The technical support representative knew that this information was not relevant to that particular call. Like him, you must be determined to analyze whether the information being asked for is deserved and relevant to the person with whom you are interacting. Approaching this scenario from the other angle, what if the contestant were a legitimate customer and the rep had declined to go to that website—what is the worst that could have happened?

The customer might have been a little upset at being declined the request he wanted but it still would not have changed the outcome. The product he had was not the cause of his woes.

A social engineer often uses charm to start a conversation about the weather, work, the product, anything at all, and uses it to reveal the information sought. This is where a good security awareness policy comes into play—educating your employees about what tactics might be used against them can save them from acting out of fear.

In one audit the pretext I used was being the assistant to the CFO. The call center employees had a fear of losing their jobs for rejecting requests from such high-level management. Why? They were not given the proper education to know that rejecting that request would not cost them their jobs. At the same time, protocols should be in place so the employee knows when a request for information is proper.


I mentioned earlier that creating an atmosphere that makes information seem less valuable is also a tactic used by social engineers to get people to freely divulge this “unimportant” information.

Creating a Personal Security Awareness Culture


My team and I decided it would be a great opportunity to hold a contest that would showcase whether corporate America is vulnerable to this attack vector. We organized the contest by having interested people sign up to take part in two stages of social engineering: information gathering and active attacks.

To keep the contest legal and moral we did not want any person victimized, and no Social Security numbers, credit card numbers, or other personally identifying information would be gathered. Our goal was not to get any of these people fired. In addition, our goal was not to embarrass any particular company, so we also decided that no passwords or other security-related information would be collected from the companies. Instead we developed a list of about 25–30 “flags” that ranged from whether the company had an internal cafeteria, to who handles its trash disposal, to what browser it uses, to what software it uses to open PDFs. Finally, we chose target companies from all sectors of business in corporate America: gas companies, tech companies, manufacturers, retail, and everything in between.

Each contestant was assigned one target company in secret, on which he had two weeks to do passive information gathering. That meant contestants were not allowed to contact the company, send it emails, or in any way try to social engineer information out of it. Instead they had to use the web, Maltego, and other tools to gather as much information as possible and enter all they found into a professional-looking report.

From the information gathered we wanted contestants to develop a couple of plausible attack vectors that they thought would work in the real world.

Then contestants had to come to our area, sit in a soundproof booth, and make a 25-minute phone call to their target to implement their attack vector and see what information they could obtain.

I could spend the next 20–30 pages telling you what happened at that contest and what the outcome was, but one thing we found was this: Every contestant obtained enough information out of the targets that the company would have failed a security audit. Regardless of the experience level of the contestant and the pretext, the contestants were successful in accomplishing their goals.

Now on to what applies here—security awareness. Corporations that care about security have programs where they train their employees how to be aware of potential security risks via phone, Internet, or in person. What we found was that security awareness in those companies was at failure stage.

Why? How could it be that these Fortune 500 companies that spend millions or more on security, training, education, and services designed to protect their employees could be failing at security awareness?

In reviewing much of the material and methods available for so-called security awareness, what I have found is that it is boring, silly, and not geared to make the participant interact or think. Short DVD presentations that cover a ton of things in a shotgun approach that blasts the participant with a lot of tiny little facts are not designed to sink in too deep.

What I challenge you to do as a company or even as an individual is to create a program that engages, interacts, and dives deep into security awareness. Instead of just telling your employees why having long and complex passwords is a good idea, show them how quickly one can crack an easy password. When I am asked to help perform security awareness training for a client, sometimes I ask an employee to come up to my computer and type in a password that she feels is secure. I do this before I release any information about passwords. Then as I start my presentation on that section I start a cracker against that password. Usually within a minute or two the password is cracked and I reveal to the room the password that was secretly typed into my computer. The effect on each person in the room is immediate and drastic. After demonstrations like that, employees comment on how they now understand how serious having a good password is.

When I discuss the topic of malicious attachments in email, I do not have to show employees how to craft a malicious PDF but I do show them what it looks like from both the victim’s and the attacker’s computers when a malicious PDF is opened. This helps them understand that a simple crash can lead to devastation.

Of course, this teaching method produces a lot of fear, and although that is not the goal, it is not a terrible side product, because employees will remember it better. But the goal is to make them think not just about what they do at work and with their office computers, but also about their own bank accounts, home computers, and how they treat security on a personal level.

I want each person who hears a security presentation or reads this tutorial to review how he interacts with the Internet as a whole and make serious changes to reusing passwords, storing passwords or personal information in non-secure locations, and to where they connect to the Internet. I cannot tell you how many times I have seen a person sitting in the center of Starbucks on her free Wi-Fi checking a bank account or making an online purchase. As much as I want to go up and yell at that person and tell her how quickly her whole life can be turned upside down if the wrong person is sitting on that same network with her, I don’t.

I want people who read this to also think of how they give out information over the phone. Con men and scam artists use many avenues to steal from the elderly, those having hard economic times, and everyone else. The phone still remains a very powerful way to do this. Being aware of the vendors’, banks’, or suppliers’ policies on what they will and will not ask for over the phone can help you avoid many of the pitfalls. For example, many banks list in their policies that they will never call and ask for a Social Security number or bank account number. Knowing this can safeguard you from falling for a scam that can empty your life savings.


Calling security awareness a “program” indicates that it is something ongoing. A program means you schedule time to continually educate yourself. After you obtain all this useful information, then you can use it to develop a program that will help you to stay secure.

Learning to Identify Social Engineering Attacks


The first stage in social engineering prevention and mitigation is to learn about the attacks. You don’t have to dive so deep into these attacks that you know how to recreate malicious PDFs or create the perfect con. But understanding what happens when you click a malicious PDF and what signs to look for to determine whether someone is trying to trick you can help protect you. You need to understand the threats and how they apply to you.

Wednesday, May 7, 2014

Hosting company stole my website, and my domain name – what should I do?

Story from WhoAPI Blog


If you own a domain name read on, there’s a good chance you or your friend might need it.
Here’s how the nightmare story goes.
My friend, let’s call her Nicole, calls me last night at 9pm. The problem is, she doesn’t want to renew her domain or hosting for another year and pay $100. However, she wants to save her website because she paid some $800 for it; naturally she wants to protect the investment. Now some of you are thinking, well that’s a piece of cake, just copy the files with an FTP program, or just download the tar.gz file with cPanel. The problem is, my friend Nicole isn’t tech savvy, she’s an artist. Now that wouldn’t be such a problem if the guy who developed her website, and pretends to be a “hosting company,” weren’t looking to take advantage of her, her ignorance, and extort money out of her. He tells her, you can’t get the website unless you renew everything for a whole year.
So, I tell Nicole to ask for the username and the password, so we can save the website, and for the EPP code to transfer the domain. I managed to convince her that it would be smart to save the domain, and that I have several hosting accounts, and that she could host her website for free on one of my accounts. There’s only 1 more day left according to the WHOIS, so I am thinking, OK, there’s still enough time. She first told me that today was the last day. I also checked her website, and it was still functioning; it had a cart for ordering paintings, an about me page, etc.
Hosting company turns into Darth Sidious
Nicole calls hers… I still have trouble calling that extorter a hosting company, because that would be putting a dark shadow over the good guys. So from now on, I will call him Sidious. The thing is, hosting companies are holding the entire Internet up and running. Those tabs you have opened up there in your browser, you couldn’t see any of that if there were no hosting companies.

People in the hosting industry are some of the most hard working people I know. They have to deal with 24-7 support, hackers, updates, upgrades, business, lawyers, blacklists, spam, etc… I am telling you, it’s a war zone out there. Trust me, you do not want to run a hosting company when 200 of your clients get hacked on Christmas morning, and you have a hangover.
So anyway, Nicole calls Sidious, and asks for what’s rightfully hers. And she doesn’t understand what she is asking (just repeating what I told her). To give her the username and password, and the domain name EPP code. What happens next? Sidious suspends her website, and tells her it’s too late, and that she should press CTRL + F5 to see the change. Adding again she needs to pay the $100 for another year if she wants her website. I confirm, the website is now down.
….
The awful thing is, when I was a hosting provider, I had similar experience with my new hosting clients. They wanted to jump boat, and Sidious guy was giving them a hard time. So Nicole asks me, WHAT NOW? You could hear the despair in her voice, thinking she was robbed, lost her website, her domain, gone. Thinking, a website was a bad idea. 

At this point, I am thinking, how can I cause damage to this guy. However, I know better than that. I want to teach as many people as possible that this can happen. Users should check with their hosting provider and their domain registrar for an exit strategy right from the start.
Hosting company works hard to protect you
In case a thing like this does happen, feel free to call the police, lawyers, threaten legal action, and try to find a friend who understands the language and can protect your rights. I wish I could say something along the lines of “if you can’t afford a lawyer one will be appointed to you,” but it won’t be. You have to get someone from the hosting industry to protect you. There are ways of hurting a hosting company, but that’s far too powerful a weapon for me to just blog about (I don’t mean any illegal activities). The thing is, I know there are more than a few cases when a client is wrongfully accusing a hosting company, and I wouldn’t want them with this weapon in hand; again, the good hosting guys might get hurt.
Oh and another thing. Always check the WHOIS if you and your email address are there as your main point of contact, and ask your provider how and where you can unlock the domain and get the EPP code. It is alternatively called an auth code, a transfer key, a transfer secret, EPP authentication code, or EPP authorization code. EPP stands for Extensible Provisioning Protocol, check Wikipedia.
We made a website years ago where you can check whois for free, CroDNS. Where do you host your website and where do you register your domains, and have you tried leaving them?
Here are a few more pieces of advice that people on Hacker News commented with.
1. Always register your domain name with a company other than your hosting provider. Don’t even allow the domain registrar to be owned by the same corporation.
2. Always maintain a complete, separate copy of the website’s content. Never allow the only copy of a website to be in the hands of an ISP.
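The WHOIS advice above (are you the listed contact, is the domain locked, can you get the EPP code) and the Hacker News point about keeping the registrar separate from the host can be turned into a small self-audit. The following is an added example, not the blog author’s code and not part of CroDNS: it parses a WHOIS record in the common `Field: value` layout and reports the findings a domain owner would want to act on before trouble starts. The WHOIS text, the company and domain names, the `.test` TLD and the 30-day expiry threshold are all constructed for the example.

```python
"""Self-audit of a domain's WHOIS record against the 'exit strategy' checklist:
am I the registrant/admin contact, is the domain transfer-locked, is my registrar
the same company as my host, and is renewal about to lapse.

Added example code. The record below is constructed sample data, not a real WHOIS
response; names, dates and the .test TLD are made up."""

import re
from datetime import date

# Constructed sample: a domain registered by the hosting company on the
# customer's behalf, with the host's own address as every contact.
SAMPLE_WHOIS = """\
Domain Name: example-shop.test
Registrar: Sidious Hosting d.o.o.
Registry Expiry Date: 2014-06-01T00:00:00Z
Domain Status: clientTransferProhibited
Registrant Email: admin@sidious-hosting.test
Admin Email: admin@sidious-hosting.test
Name Server: ns1.sidious-hosting.test
"""

# Assumed threshold: warn when fewer than this many days remain before expiry.
EXPIRY_WARN_DAYS = 30


def parse_whois(text):
    """Map lower-cased field names to the list of values seen for that field.
    Lines without a colon (notices, blank lines) are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def audit_domain(whois_text, my_email, hosting_provider, today_iso):
    """Return a list of findings (strings). An empty list means the domain
    looks like it is under the owner's control as far as WHOIS can tell.
    today_iso is 'YYYY-MM-DD', passed in so results are reproducible."""
    f = parse_whois(whois_text)
    today = date.fromisoformat(today_iso)
    findings = []

    # 1. Is the owner actually a contact on the record?
    contacts = {e.lower() for e in f.get("registrant email", []) + f.get("admin email", [])}
    if my_email.lower() not in contacts:
        findings.append("your email is not a registrant/admin contact (listed: %s)"
                        % ", ".join(sorted(contacts)) or "none")

    # 2. A transfer lock is normal, but you must know how to lift it yourself.
    statuses = [s.lower() for s in f.get("domain status", [])]
    if any("transferprohibited" in s for s in statuses):
        findings.append("domain is transfer-locked; confirm you can unlock it "
                        "and obtain the EPP/auth code without the host's help")

    # 3. Registrar and host being the same company removes your leverage.
    registrar = " ".join(f.get("registrar", [])).lower()
    if registrar and hosting_provider.lower() in registrar:
        findings.append("registrar '%s' is the same company as your hosting provider"
                        % registrar)

    # 4. An expiry the host controls is the other way to lose the domain.
    for exp in f.get("registry expiry date", []):
        m = re.match(r"(\d{4})-(\d{2})-(\d{2})", exp)
        if m:
            expiry = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
            days_left = (expiry - today).days
            if days_left < EXPIRY_WARN_DAYS:
                findings.append("domain expires in %d days (%s)" % (days_left, expiry))
    return findings


if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_WHOIS, "nicole@example-shop.test",
                                "Sidious", "2014-05-10"):
        print("- " + finding)
```

Run it and every one of the four checks fires for the sample record: the owner is not a contact, the domain is locked, the registrar is the host, and renewal is 22 days away. In practice the WHOIS text comes from a lookup tool (the blog’s CroDNS, or the registrar’s own WHOIS), and a clean result is what you want to see before you ever need to leave a provider.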

Pretexting: How to Become Anyone



Honesty is the key to a relationship. If you can fake that, you’re in.

 
At times we probably all wish we could be someone else. Heck, I would love to be a little skinnier and better looking. Even though medical science hasn’t come up with a pill that can make that possible, a solution to this dilemma does exist—it’s called pretexting.

 
What is pretexting? Some people say it is just a story or lie that you will act out during a social engineering engagement, but that definition is very limiting. Pretexting is better defined as the background story, dress, grooming, personality, and attitude that make up the character you will be for the social engineering audit. Pretexting encompasses everything you would imagine that person to be. The more solid the pretext, the more believable you will be as a social engineer. Often, the simpler your pretext, the better off you are.

Pretexting, especially since the advent of the Internet, has seen an increase in malicious uses. I once saw a t-shirt that read, “The Internet: Where men are men, women are men, and children are FBI agents waiting to get you.” As slightly humorous as that saying is, it has a lot of truth in it. On the Internet you can be anyone you want to be. Malicious hackers have been using this ability to their advantage for years and not just with the Internet.


Topics

  1. What Is Pretexting?
  2. The Principles and Planning Stages of Pretexting
  3. Successful Pretexting



Successful Pretexting

To learn how to build a successful pretext, take a look at a couple of stories of social engineers who used pretexts that worked and how they developed them. Eventually they did get caught, which is why these stories are now available.


  1. Example 1: Stanley Mark Rifkin
  2. Example 2: Hewlett-Packard
  3. Additional Pretexting Tools



Additional Pretexting Tools


Other tools exist that can enhance a pretext. Props can go a long way in convincing a target of the reality of your pretext; for example, magnetic signs for your vehicle, matching uniforms or outfits, tools or other carry-ons, and the most important—a business card.

The power of the business card hit me when I was recently flying to Las Vegas on business. My laptop bag usually gets scanned, rescanned, then swabbed for bomb dust or whatever. I am one of those guys who doesn’t really mind the extra security precautions because they keep me from blowing up in the air, and I am happy with that.

Yet I realize that 90 percent of the time I am going to get extra attention from the Transportation Security Administration (TSA). On this particular trip I had forgotten to take my lock picks, RFID scanner, four extra hard drives, bump keys, and plethora of wireless hacking gear out of my carry-on laptop bag. As it goes through the scanner I hear the lady working the x-ray say, “What the heck?”

She then calls over another gentleman who stares at the screen and says, “I have no clue what the heck that stuff is.” He then looks around, sees my smiling face, and says, “Is this you?” I walk over to the table with him as he is emptying my RFID scanner and my large case of lock picks and he says, “Why do you have all of these items and what are they?”

I had nothing planned but decided at the last second to try this move: I pulled out a business card and said, “I am a security professional who specializes in testing networks, buildings, and people for security holes. These are the tools of my business.” I said this as I handed him a business card and he looked at it for about five seconds and then said, “Oh, excellent. Thanks for the explanation.”

He neatly put all my items back in, zipped the bag up, and let me go. Usually I go through the bomb screening, the little dust machine, and then a patdown, but this time all I got was a thank you and a quick release. I began to analyze what I did differently than normal. The only difference was that I had given him a business card. Granted, my business card is not the $9.99 special from an online card printer, but I was amazed that what seemed to have happened was that a business card added a sense of license to my claims.


On my next four flights I purposely packed every “hacking” device I could find into my bags and then kept a business card in my pocket. Each time my bag was examined and I was asked about the contents, I flipped out the card. Each time I was apologized to, had my items packed in neatly, and was let go. Imagine my experience was a pretext. Little details can add so much weight to what I am saying that I can appear valid, trustworthy, and solid with nothing more than a card that tells people that everything I say is true. Don’t underestimate the power of a business card. One word of caution: a weak and pathetic-looking business card can actually cause the opposite effect. A business card that was “free” with an advertisement on the back will not add weight to a professional pretext. Yet there is no reason to spend $300 on a business card to use once. Many online business card printers can print a small number of very nice cards for less than $100.

Example 2: Hewlett-Packard



HP’s chairwoman, Patricia Dunn, hired a team of security specialists who hired a team of private investigators who used pretexting to obtain phone records. These hired professionals actually got in and played the roles of HP board members and parts of the press. All of this was done to uncover a supposed information leak within the ranks at HP.

Ms. Dunn wanted to obtain the phone records of board members and reporters (not the records from the HP facilities, but the personal home and cell phone records of these people) to verify where she supposed the leak was. The Newsweek article states:

On May 18, at HP headquarters in Palo Alto, California, Dunn sprung her bombshell on the board: She had found the leaker. According to Tom Perkins, an HP director who was present, Dunn laid out the surveillance scheme and pointed out the offending director, who acknowledged being the CNET leaker. That director, whose identity has not yet been publicly disclosed, apologized. But the director then said to fellow directors, “I would have told you all about this. Why didn’t you just ask?” That director was then asked to leave the boardroom, and did so, according to Perkins.

What is notable about this account is what is next mentioned about the topic of pretexting:

The HP case specifically also sheds another spotlight on the questionable tactics used by security consultants to obtain personal information. HP acknowledged in an internal e-mail sent from its outside counsel to Perkins that it got the paper trail it needed to link the director leaker to CNET through a controversial practice called “pretexting”; Newsweek obtained a copy of that e-mail. That practice, according to the Federal Trade Commission, involves using “false pretenses” to get another individual’s personal nonpublic information: telephone records, bank and credit-card account numbers, Social Security numbers and the like.

Typically—say in the case of a phone company—pretexters call up and falsely represent themselves as the customer; since companies rarely require passwords, a pretexter may need no more than a home address, account number, and heartfelt plea to get the details of an account.

According to the Federal Trade Commission’s Web site, pretexters sell the information to individuals who can range from otherwise legitimate private investigators, financial lenders, potential litigants, and suspicious spouses to those who might attempt to steal assets or fraudulently obtain credit. Pretexting, the FTC site states, “is against the law.” The FTC and several state attorneys general have brought enforcement actions against pretexters for allegedly violating federal and state laws on fraud, misrepresentation, and unfair competition. One of HP’s directors is Larry Babbio, the president of Verizon, which has filed various actions against pretexters.

Example 1: Stanley Mark Rifkin


Stanley Mark Rifkin is credited with one of the biggest bank heists in American history.

Rifkin was a computer geek who ran a computer consulting business out of his small apartment. One of his clients was a company that serviced the computers at Security Pacific Bank. The 55-floor Security Pacific National Bank headquarters in Los Angeles looked like a granite-and-glass fortress. Dark-suited guards roamed the lobby and hidden cameras photographed customers as they made deposits and withdrawals. This building seemed impenetrable, so how is it that Rifkin walked away with $10.2 million and never held a gun, never touched a dollar, and never held up anyone?

The bank’s wire transfer policies seemed secure. They were authorized by a numerical code that changed daily and was only given out to authorized personnel. It was posted on a wall in a secure room that only “authorized personnel” had access to.

In October 1978, he visited Security Pacific, where bank employees easily recognized him as a computer worker. He took an elevator to the D-level, where the bank’s wire transfer room was located. A pleasant and friendly young man, he managed to talk his way into the room where the bank’s secret code-of-the-day was posted on the wall. Rifkin memorized the code and left without arousing suspicion.

Soon, bank employees in the transfer room received a phone call from a man who identified himself as Mike Hansen, an employee of the bank’s international division. The man ordered a routine transfer of funds into an account at the Irving Trust Company in New York—and he provided the secret code numbers to authorize the transaction. Nothing about the transfer appeared to be out of the ordinary, and Security Pacific transferred the money to the New York bank. What bank officials did not know was that the man who called himself Mike Hansen was in fact Stanley Rifkin, and he had used the bank’s security code to rob the bank of $10.2 million.

This scenario offers much to talk about, but for now, focus on the pretext.

Think about the details of what he had to do:


  • He had to be confident and comfortable in order to not raise suspicion for being in that room.
  • He had to have a believable story when he called to do the transfer and have the details to back up his story.
  • He had to be spontaneous enough to go with the flow with questions that might have come up.
  • He had to also be smooth enough to not raise suspicion.
  • This pretext had to be meticulously planned out with the utmost detail being thought through.

It wasn’t until he visited a former associate that his pretext failed, and he was caught. When he was caught, people who knew him were amazed and some even said things like, “There is no way he is a thief; everyone loves Mark.”

Obviously his pretext was solid. He had a well-thought-out and, one would guess, well-rehearsed plan. He knew what he was there to do and he played the part perfectly. When he was in front of strangers he was able to play the part; his downfall came when he was with a colleague who knew him, and that colleague saw a news story, put two and two together, and turned Mark in.

Amazingly enough, while out on bail, Rifkin began to target another bank using the same scheme, but a government mole had set him up; he got caught and spent eight years in federal prison. Although Mark is a “bad guy” you can learn much about pretexting from reading his story. He kept it very simple and used the things that were familiar to him to build a good storyline.

Mark’s plan was to steal the money and turn it into an untraceable commodity: diamonds. To do so he would first need to be a bank employee to steal the money, then a major diamond buyer to unload the cash, and finally sell the diamonds to have usable, untraceable cash in his pocket.

Although his pretext did not involve elaborate costumes or speech patterns, he had to play the part of a bank employee, then a major diamond buyer, then a diamond seller. He changed roles maybe three, four, or five times in this gig and was able to do it well enough to fool almost everyone.


Mark knew who his targets were and approached the scenario with all the principles outlined earlier. Of course, one can’t condone what he did, but his pretexting talents are admirable. If he put his talents to good use he would probably make a great public figure, salesperson, or actor.