Social Engineering and Owning the Box
I once worked as a security guard for Quebecor World in Lincoln, NE. Nothing glamorous by any means, but unique in that my 5.75 hour security guard job required me to undergo a 1 month background check complete with credit history and criminal record, interviews with the state police and multiple questions about my previous employment history. Why would this be necessary for such a mundane job? Who cares about the criminal record of a third-shift security guard at a printing plant?
Quebecor prints, among other things, AOL CDs and pre-approved credit card applications, and has at any time several hundred thousand names, addresses, telephone numbers, credit card numbers and Social Security numbers in (relatively) plain sight. The bins outside are closed. A special shredder devours the waste paper, reducing it to pieces smaller than the end of a baby's little fingernail, and then shreds them again. Not that these precautions aren't a good start, but in about 10 minutes, an insider with a grudge or someone with access to money can enlist the help of a for-profit company to reconstruct the scraps of paper into a semblance of the original document, or just walk out of the facility with the private lives of thousands of people in their hands. Have you noticed anything unusual on your credit report lately?
In this article I examine social engineering. I look at some of its history, define it as a non-technical means of obtaining information and, ultimately, of getting into a computer information system, and look at two prominent "old school" social engineers. I then describe some basic precautions that are effective regardless of the level of information system used.
Social engineering, and the related "dumpster diving" type of information attack, is IT slang for using non-technical means to compromise an information system. It is one of the most interesting aspects of computer network security and the most effective means of intrusion, because the human element of computing will never disappear. Someone has to design the systems, implement them, train people on them, and finally use them. Even with science fiction horror stories about computers gone mad, sooner or later we will always have humans at terminals somewhere; therefore any cyber information is vulnerable to a psychological attack. The scenario of Eric Drexler (famous for saying that "microscopic, intelligent computers could take over the earth"), while a possibility in the future, is not possible right now due to the current limitations of the technology. Even the author himself has distanced himself from his seminal theory of the mid-1980s, saying he wishes he had never made this statement because of the immense impact it has had in stifling new research into computer miniaturization. Social engineering is not a new intrusion technique. In 1991, CERT/CC published an advisory describing an increase in unauthorized access attempts to computer systems. The explosion of the Internet among non-computer users made successful attempts even more likely, a security problem that still occurs every day despite more than a decade of familiarity. Before the Internet, social engineering was evident in cracking the telephone system with red and blue tone generators, which allowed the user to make calls to other locations (even across continents) while charging the costs to another extension. Sometimes the calls were charged to the phone company itself as a way to poke fun at the institution.
The tone boxes themselves and their use required no personal contact, as they could be built from designs freely accessible in crackers' zines such as 2600 (named after the 2600 Hz frequency required to generate a call-acceptance tone in early AT&T telephone systems) and Phrack. The creators of the tone boxes had to have in-depth knowledge of the telephone system and how it worked, from local exchanges and across the larger network. This knowledge was gathered, whenever possible, by rummaging through dumpsters (even today the use of personal information is not necessarily a crime if obtained from discarded manuals, receipts, internal memos and other proprietary documents that have been disposed of and are found outside the facility) and by calling operators or engineers and pretending to be a member of some other part of the network, claiming to need some kind of information. Some famous early phreakers did not have the stereotypical cracker/hacker personality that seems to be prevalent in the media today, that of the technically talented nomadic loner or the social misfit prone to a kind of hacktivism. Most of them were extremely intelligent people with few others to share their knowledge with. Some were trained by our government for wartime and found that their skills gave them a significant, if not widely respected, advantage over non-technical people, as was the case with John Draper, aka Cap'n Crunch. Draper earned his name from his use of a toy whistle found in a cereal box that generated the 2600 Hz tone needed to fool the telephone system. John popularized the use of this whistle and became known by the hacker nickname "Cap'n Crunch". John became famous and was arrested in May 1972 for illegal use of the telephone company's system. He received probation, and then was arrested again in 1976, convicted on wire fraud charges because there were no other current laws under which he could be tried, and spent four months in Lompoc federal prison in California.
Since then, he has held several positions and given interviews about his experiences during the early days of long-distance hacking. To his credit, Draper did not discover the system vulnerability on his own, nor did he exploit it for personal gain other than phone calls. However, there were some phreakers who attempted to use this technology, crude at the time, to perform pranks that could have had serious repercussions for national security. One such attack was a phone call to then-President Nixon's bomb shelter in Virginia; another was (allegedly) a call to the Pope from Steve Wozniak. All of this was possible because the telephone system in the late 1960s and early 1970s was set up so that voice transmission and signal data were sent over the same line. To save money, AT&T set their entire network to this 2600 Hz standard. As knowledge spread, the growing number of phone phreaks became a minor culture in its own right. They were able to train their ears to determine how long queues routed their calls. Sympathetic (or easily socialized) employees of telephone companies gave them the various routing codes to use international satellites and various trunk lines as expert operators. Technical information about telephone companies was also available for free at most major universities in the reference section, as engineering departments used the information in collaboration with companies to help train new engineers. Once the phone company realized what was happening, it immediately went to major universities, red-flagging their engineering textbooks and removing them from circulation. The information was already available, though, and until AT&T updated its switching technology and proceeded to sue phreakers under the wire fraud law, the practice continued sporadically until the early 1980s. Another well-known social engineer almost needs no introduction.
He was arrested in February 1995 on charges of stealing $300 million worth of source code from victim companies; his charges were eventually reduced to two counts: computer fraud, wire fraud, identity theft, and misuse. Whatever one might think of hackers, at the time of Mitnick's capture the justice system was unprepared to deal with intellectual property theft. As a result, Mitnick was held for 4.5 years in federal prison, including 8 months in solitary confinement, because it was alleged that he was an armed federal criminal. ("...armed with a keyboard he represented a danger to the community.") The source code he had downloaded was soon made available to any user who requested it by SUN, so their claim for R&D losses was deemed inexcusable. Kevin Mitnick's journey through the criminal system is at best daunting for any computer user who wants to pursue a career in cybersecurity or intrusion detection and response, because many of the tools used to track such activity can be used for illegal purposes. The government's case against him originally listed 10 victims and 27 charges. Among these victims are Novell, Nokia and SUN Microsystems, companies that did not suffer losses, but because Mr. Mitnick had a cell phone from these vendors at different times and because he had a Novell program on his computer, they are listed with the same weight as SUN. None of the 10 companies listed in his indictment ever filed shareholder loss reports with the Securities and Exchange Commission. Kevin Mitnick, although technologically savvy, accomplished much of what he did by talking. Posing as an employee of the telephone company or of various computer or other technology companies, and asking someone low-level in that company's hierarchy for seemingly unrelated information (now known as NORA - Non-observable Relationship Awareness), allowed him to obtain superuser access to most of the systems which he was eventually accused of tampering with.
A truly competent social engineer can make a target trust him to the point that the worker casually provides sensitive inside information. It may not be a significant revelation in itself, but the information gleaned from such manipulation can easily be combined with other small snippets to produce a detailed and dangerous roadmap to organizational treasures." "One way I worked to develop skills My job, if I can call it a job, was to pick out some information that didn't really interest me and see if I could get someone on the other end of the phone to provide it..." In Congressional testimony before Senators Lieberman and Thompson years afterwards, Mitnick told them: "I have gained unauthorized access to the computer systems of some of the most.