



  • Essay / A Study of People's Skills During the Digital Age Social Engineering and Owning the Box

    Social Engineering and Owning the Box

    I previously worked as a security guard for Quebecor World in Lincoln, NE. Nothing glamorous by any means, but unique in the fact that my job as a 5.75 hour rental security guard required me to go through a month-long background check with credit report extracts and criminal records, interviews with the State Patrol, and several inquiries about my employment history. Why would this be necessary for such a mundane job? Who cares about the criminal history of a security guard working third shift at a printer?

    Quebecor prints, among other things, AOL CDs and pre-approved credit card applications, and at any time has several hundred thousand names, addresses, telephone numbers, credit card numbers, and social security numbers in (relatively) plain view. The dumpsters outside are locked. A special shredder devours waste paper into confetti pieces smaller than the tip of an infant's fingernail, then shreds it again. Not that these precautions aren't a good start, but in about 10 minutes, an inside employee with a grudge, or someone with access to cash, can seek help from a for-profit company to reassemble shredded paper into some semblance of the original document, or simply walk out of the facility with the privacy of thousands of people in their hands. Have you noticed anything unusual in your credit report recently?

    In this article, I research social engineering. I look briefly at its history, treating it as a non-technical means of obtaining information and ultimately accessing a computer information system, and at two prominent "old school" social engineers. I then describe some basic precautions that are effective whatever the level of the information system used.
Social engineering, and its associated type of information attack, "dumpster diving," is computer jargon for the use of non-technical means to compromise an information system. It is one of the most interesting aspects of computer network security and the most effective means of intrusion, because the human element of computing will never disappear. Someone has to design the systems, implement them, train them, and ultimately use them. Even with the sci-fi horror stories about computers gone mad, we'll always have humans at the terminals somewhere, someday; thus, any computer information is vulnerable to a psychological attack. Eric Drexler's gray matter scenario (famous for stating that "intelligent, microscopic computers could conquer the Earth"), while a possibility in the future, is not currently feasible due to current limitations of technology. The author has also distanced himself from his mid-1980s theory, saying he wished he had never made the statement because of the immense impact it had in stifling new research on computer miniaturization.

Social engineering is not a new intrusion technique. The CERT/CC issued an alert describing the increasing incidence of unauthorized access attempts to computer systems in 1991. The explosion of the Internet among these former non-computer users made successful attempts all the more likely, a security issue that still occurs every day despite more than a decade of familiarity. Before the Internet, social engineering was evidenced by hacking the telephone system with red and blue tone generators, allowing the user to make calls to other locations (including across continents) while billing the costs to another location. Sometimes calls were billed to the telephone company itself, to thumb its nose at the establishment.
The tone boxes themselves and their use required no personal contact, since they could be constructed from plans freely available in cracker zines like 2600 (named for the 2600 Hz frequency required to generate a call acceptance tone in early AT&T telephone systems) and Phrack. The creators of the tone boxes had to have extensive knowledge of the telephone system and how it worked, from local exchanges to the network as a whole. This knowledge was gleaned, where possible, from dumpster diving (using personal information is not necessarily a crime, even today, if it comes from manuals, receipts, internal memos and other discarded proprietary materials that have been disposed of and are located outside the facility) and by calling operators or engineers and posing as a member of another part of the network claiming to need some sort of information.

Some of the early famous phreakers did not have the stereotypical cracker/hacker persona that seems to be prevalent in the media today, that of a technically talented lone nomad, or a social misfit prone to a kind of hacktivism. Most of them were extremely intelligent people, and few other people shared their knowledge. A few were trained by our government for wartime and found that their skills gave them a significant, if little respected, advantage over non-technical people, as was the case with John Draper, aka Cap'n Crunch. Draper earned his name through his use of a toy whistle found in a cereal box that generated the 2,600 Hz tone needed to fool the telephone system. John popularized the use of this whistle and became known under the hacker name "Cap'n Crunch". John became infamous and was arrested in May 1972 for illegal use of the telephone company's system. He was placed on probation, then was arrested again in 1976, convicted of wire fraud because there was no other law in place under which he could be tried, and spent four months in federal prison in Lompoc, California.
Since then, he has held various positions and given interviews about his experiences in the early days of long-distance hacking. Admittedly, Draper did not single-handedly discover the system's vulnerability, nor did he exploit it for personal gain other than phone calls. However, some phreakers attempted to use this technology, rudimentary at the time, to pull pranks that could have had serious repercussions on national security. One of these vaunted scams was a phone call to then-President Nixon's bomb shelter in Virginia; another was (allegedly) a call to the Pope by Steve Wozniak. All of this was possible because the telephone system of the late 1960s and early 1970s was configured so that voice transmission and signal data were sent over the same line. To save money, AT&T configured its entire network to this 2600 Hz standard.

As knowledge spread, the growing number of phone hackers became a minor culture in its own right. They were able to train their ears to determine how the long lines routed their calls. Friendly (or easy to manipulate) telephone company employees gave them the various routing codes to use international satellites and various trunk lines like expert operators. Technical information from telephone companies was also freely available in the reference section at most major universities, because engineering departments used this information in partnership with companies to help train new engineers. Once the phone company realized what was happening, it immediately went to major universities, flagged their engineering textbooks and removed them from circulation. The information was already available, however, and until AT&T updated its switching technology and subpoenaed fraudsters under the Wire Fraud Act, the activity continued sporadically until the early 1980s.

Another well-known social engineer almost needs no introduction.
Arrested in February 1995 for allegedly stealing $300 million in source code from victim companies, his charges were eventually reduced to 2 counts of computer fraud, wire fraud, identity theft, and misuse. Whatever one may think of hackers/crackers, at the time of Mitnick's capture, the justice system was not prepared to combat intellectual property theft. As a result, Mitnick was held for 4.5 years in federal prison, including 8 months in solitary confinement, as it was argued that he was an armed federal criminal ("...armed with a keyboard, he posed a danger to the community."). The source code he downloaded was quickly made available by SUN to any user who requested it, so that their claim for R&D losses was ruled inadmissible.

Kevin Mitnick's journey through the criminal system is daunting at best for any computer user wishing to pursue a career in computer security or intrusion detection and response, because many tools used to trace such activities may be used for illegal reasons. The government's case against him initially had 10 listed victims and 27 counts. These victims include Novell, Nokia and SUN Microsystems. Some of these companies suffered no losses, but because Mr. Mitnick owned a cell phone from these vendors at different times and because he had a Novell program on his computer, they are listed with the same weight as SUN. None of the 10 companies listed in his indictment ever filed shareholder loss reports with the Securities and Exchange Commission.

Kevin Mitnick, while tech-savvy, accomplished much of what he did by talking. Posing as an employee of the telephone company or of various computer and other technology companies, and asking someone low in the hierarchy of those companies for seemingly unrelated information (now known as NORA - No-observable Relationship Awareness), allowed him to gain superuser access to many of the systems he was ultimately accused of tampering with.
A truly skilled social engineer can get a target to trust them so much that they carelessly disclose sensitive internal information. This may not be a meaningful disclosure in itself, but.