I planned to read something about history this summer. Then I picked the history of hacking. My favorite was Kevin Mitnick’s autobiography – the very definition of a page-turner.
The book is free of hardcore technical jargon and written for geeks and lay audience alike. Readers are introduced to the spirit of a hacker in the older sense of the word: Mitnick’s hacks were motivated by the thrill of exploring systems but he never gained financially.
Kevin Mitnick successfully obtained the latest source code of cell phones, reports on security vulnerabilities in operating systems, and legitimately looking birth certificates of deceased children to setup new identity – due to his combination of technical skills and mastery of social engineering. He got people to reveal corporate information they should not. Pieces of information are seemingly innocuous in their own rights – a name of server, a corporate directory of employees – but it helps the social engineer to learn the lingo and pose as a trusted insider.
I often had been called way too honest – and thus not getting anywhere in life, professionally. So I was asking myself:
Could I con people into breaking rules? The intuitive answer was of course No.
But then the following anecdote emerged from a dark corner of my mind.
A long time ago I had worked as an IT Infrastructure Manager – responsible for quite a colorful IT environment run partly by subversive non-official admins. I actually transitioned into that role from supporting some of the latter. One of the less delightful duties was to keep those subversive elements from building rogue websites and circumventing the bureaucratic corporate content management system – by purchasing internet domains like super-fancy-product-name.com and hosting these services where they figured I would not find it.
I also had to clean up legacy mess.
One time we had to migrate an internet domain hosted on behalf of an Another Very Important Organization to one of their servers. Routine stuff, had the domain been under our control. But it was tied to a subversive website a department had once set up, working with an external marketing consultancy. The consulting company was – as per the whois records – the official owner of the domain.
Actually the owner listed was not even that company was a person employed by that company but not working for them anymore. I consulted with the corporate lawyers, and it would have been a legal knot hard to disentangle.
However, I had to transfer the stuff right now. Internet domains have a legal owner and an administrative and a technical contact. The person able to do the transfer is the latter but he or she must not do it unless instructed to do so.
I tracked down and the technical contact and called him up. The tech-c’s phone number is public information, very easy to find back then – nowadays you might need a tiny bit of social engineering to obtain it.
I explained the whole case to him – the whole truth in all details. He was a helpful network administrator working for a small internet provider. Having to deal with a typical network admin’s predicament immediately built a kind of bond. Meeting a fellow nerd makes working in IT infrastructure management somewhat enjoyable – in a job you are only noticed if something goes wrong. (The rest of the time you are scolded for needing too much money and employing too much personnel).
The result was that the domain was technically transferred to the intended target organization’s server immediately. But he said: If somebody asks you how this has been done – it wasn’t me!
Another admin at another telco said the same to me later – I had convinced him to provide me a password of a client. This inquiry of mine and reasons given were true and legitimate as I was doing it on behalf of a client – the password owner.
In both cases there was a third party, a client or colleague or employer, who was quite happy with the results.
But there weren’t any formal checks involved – people did not ask me for a verifiable phone number to call me back or wanted to talk to my boss or to the client. If I just had fabricated the stories I would have managed to get a domain transferred and obtain a hosting customer’s password.
The psychologically interesting part of my job was that I didn’t have real power to tell departments what they must or must not do. I could just persuade them.
I think this is an aspect very common to many corporate jobs today – jobs with with grand titles but just a bunch of feeble dotted lines to the rest of the corporate universe and its peripheral contractors’ satellites – some of which you never meet face-to-face.
Combine that with an intricate tangle of corporate guidelines and rules – many of them set up to enforce security and compliance. In some environments people hardly get their jobs done without breaking or bending a subset of those rules.
Social engineering in some sense is probably what makes companies still being able to function at all.