Jack: Give me your best low tech hacking war story for how the bad guys might be using low tech tools and social engineering skills.

Mr. Marino: There may be several examples of basic low tech methods of attacks that utilized social engineering as the main ingredient in the application of an attack. The one I will recount here I found interesting because there was a perfect storm in effect that allowed the success of the attack. I will not divulge the parties that were victimized in this scheme, but I can say that the vulnerability has been remedied through hardware upgrades, internal procedures, and the advent of know-your-customers regulations that have been adopted.

The enterprising criminals simply opened an account at the large financial institution with cash in an amount slightly above the daily withdrawal limit. They obtained a temporary ATM card, then after the branches had closed for the day, drove up to the ATMs, asked for the daily maximum they could withdraw, extracted the bills from the center of the stack, and cancelled the transaction. They then repeated the process, usually staying at the same ATM for hours, until the ATM had no more funds to dispense.

There are some other low tech social engineering schemes that come to mind. There was one where the subject used a phone book to come up with names and then called a major department store credit department posing as an associate of one of the stores. He would say he had a customer in front of him who forgot his credit card and would provide several addresses until he hit on an actual customer in the system. He would then use the information to make in-store and online purchases.

Jack: Do you think that the bad guys such as foreign spies and possible terrorists use many low tech tools for gaining access to critical information or locations?

Mr. Marino: I think it would be naïve to think that attack vectors would not follow low cost high success paths. Over and over again we have learned of critical information, or access, obtained though the most low tech methods, the most basic of which is the propensity for human beings to willingly provide access or information to those not entitled to have it. It could be from the granting of excess privileges to someone within the organization with no need for the additional access or more nefarious schemes from those seeking intellectual property, financial data, national security information, or any other thing of value. Being able to gain information socially has been around probably since verbal communication was invented. I would call it, if it has not already been called this, “the art of the talk.” Skillful communication most often results in gaining pieces of information that are key to success in whatever line of business or social environment that we humans engage in. So it comes as no surprise that skilled criminals use these same skills of social engineering to advance their schemes. It also comes as no surprise that often when more sophisticated attacks occur they are conducted using already identified weaknesses. There is sometimes this misconception that in order to be successful the criminals have to do expensive engineering to target my enterprise. In fact what most often transpires is that they either go for the weakest link, the human being, or they use already available tools.

From an enterprise perspective an attack may simply consist of a call to an employee getting them to relinquish logon credentials or could involve having them take an action that infects their system with malware. Even with good procedures and practices in place an enterprise may be only as safe as how well their employees adhere to these policies.

The attack may also take the form of harvesting public information on the systems in use and using known vulnerabilities to gain access. Unknowingly providing too much information on our systems provides a clear blueprint for a possible compromise.

Closer to home and directly related to us as individuals, I can think of many examples where in spite of wide-scale public education programs and public media articles, both print and television, people still fall prey to low tech schemes, many coming in the form of what is termed 4-1-9 advance fee fraud. To briefly recap what 4-1-9 stands for, it was the criminal code section in Nigerian criminal statute that addresses these financial schemes. These schemes, meant to extract financial payment from the victims, are probably hundreds of years old. Our modern communication methods have just made them cheaper and easier to perpetrate. There are a variety of schemes, the complexity of which are fairly basic, but the results are the same, to extract funds from the victim utilizing social means. Common variants are using a counterfeit check for purchase of an advertised item or for payment of a required fee to receive funds being secreted from a faraway country, lottery winnings, to receive an inheritance, romance angle, fraud recovery, job offers, just to name a few. Victims come from all social, educational, and economic backgrounds. However, they all share the same component, which is that they have to willingly take the action of sending money or goods to the criminal.

Jack: In Chapter 1, I showed a picture (Figure 1.12) of a portable credit card reader that I found at a flea market. I have been amazed at the number of people that I meet who have been victims of credit card fraud. Do you have any recommendation for people regarding the low tech threat of skimming that seems to continue to grow?

Mr. Marino: There is always the obvious: do not let your credit card take a stroll with another person. Skimming is still an extremely effective and profitable activity. The variety of devices that can be deployed are now leveraging multiple technologies, including Bluetooth, for rapid compromises of affected accounts. Where once we were more likely to encounter a handheld device used at a restaurant or similar establishment to harvest accounts, we now have devices that are specifically customized to particular point-of-sale locations. The effectiveness of this cannot be overlooked. The customer has a certain level of trust that the ATM machine at their local branch, the gasoline pump, or grocery store point-of-sale terminal is secure. Unfortunately this is not always the case. Skimming parasites have been deployed at all these locations in spite of inherent security measures in place. I do not mean to scare people away from using technology in completion of a transaction and reverting back to cash, but instead to use measures that will significantly reduce the probability of becoming a victim. You notice that I said “reduce the probability.” I meant to say that because there truly is no way to completely eliminate the risk. Technology alone has yet to completely eliminate the deployment of skimming parasites. From a technology perspective in the United States we still use legacy credit card technology. By this I mean that point-of-sale terminals at the millions of businesses in the United States are not capable of reading more advanced card data such as found in embedded chips in credit cards used throughout much of the world. These cards usually require a pin number used by the customer that authenticates the user at the time of transaction. Bringing all these legacy systems up-to-date is expensive for business owners. I will also note that these systems in use throughout Europe are not the magic bullet because other vulnerabilities can still be exploited.

Skimming to a certain degree is still an activity that succeeds in part on the ability of the criminal to socially engineer our actions. If you wonder why I make that statement it is because during the use at an ATM machine or a point-of-sale terminal where the card never leaves our possession we tend to relax. We come to believe and have faith that the transaction is secured. To a large degree it is secure, after the card data leaves the terminal, that is. However, if I inject a skimmer right here, at the card swipe location, you do the skimming for me and I simply intercept your transaction. Remember when I said earlier that the devices are customized?

Skimmers may be manufactured specifically for the specific target, whether to be inserted into a point-of-sale terminal or gasoline pump or made to go on top of a legitimate reader such as on an ATM. They may come in the shape of false fronts that can be placed over a legitimate ATM machine with an incorporated camera that, via Bluetooth, will transmit first the card data, and also the pin code, to someone or something nearby. I would suggest that when you walk or drive up to an ATM, examine your surroundings. Do so not only for someone “shoulder surfing,” (a “shoulder surfer” is a person who attempts to intercept your pin simply by looking over your shoulder as it is keyed) but also for an ill-fitting face on the machine or a small pinhole. Why not use one hand to cover the numbers on the pin pad while you enter your pin?

The solution to safeguard oneself against an embedded skimmer in a point-of-sale terminal or the use of wireless technology (encrypted or not) by the merchant to pass the credit card data to their system are much more complicated issues. We can ask questions of the merchant, we can choose to use a credit card with a strict limit, we can use gasoline company only credit cards at the pump, and of course we can follow all the steps recommended by the Federal Trade Commission in the publication “Take Charge,” securing your good name, which include opting out of pre-approved credit cards and monitoring of your credit history through the free yearly reports available from each of the three (3) credit reporting companies. ¹

Jack: You know that I have been a firm believer in the value of groups (not technically associations) like the Electronic Crimes Taskforce started by the U.S. Secret Service. Tell us how the ecTaskForces got started and when.

Mr. Marino: I am very proud of my service with the Secret Service. I truly feel that it is a great organization rich in history and tradition. The Secret Service is an agency not only responsible for the security of the President and his family, the Vice President and his family, former Presidents and their spouses, and foreign Heads of State while visiting the United States, but also in safeguarding our financial infrastructure. Every law enforcement officer, state, local, or federal, I am sure is equally proud of their service and importance of their duties, and well they should be. However, what I truly loved about the Secret Service was that it relies on the expertise, cooperation, and goodwill of other law enforcement professionals and private sector partners to accomplish its dual role mission. In the investigations arena, this is so very evident in the Electronic Crimes Task Force initiative. Born out of an experiment by the New York Field Office to eliminate some traditional mistrust between law enforcement and those in academia and the private sector, it rose to life in the aftermath of September 11th. The Secret Service office at 7 World Trade Center was destroyed during the attack, and immediately offers of assistance came from their academic and private sector partners. The benefits of these relationships cannot be overstated. So much so that the Bush Administration took note and mandated as part of the PATRIOT Act that the Secret Service continue and expand on the Electronic Crimes Task Force initiative.

The office to which I was assigned in the aftermath of September 11th was one of the initial offices to expand on this model. The number of private sector companies that participated is too many to individually name here, but it encompassed individuals and companies from financial institutions, energy, telecommunications, technology companies, and many more. Today throughout the United States and Europe the Secret Service has approximately thirty (30) such task forces with representatives of all the critical infrastructures, leading academic centers, and of course many state and local law enforcement partners. It is an initiative I was honored to participate on.

Jack: As you know, my business partner at TheTrainingCo., Don Withers, and I are certified Personal Protection Specialists (PPS), Nine Lives members, and graduates of the Executive Protection Institute. As a part of our training, we learned of ways to help prevent our protectees from becoming victims of low tech hacking exploits. Since most people won't ever have or need a personal protection detail, they will need to know how to protect themselves. Can you offer any personal suggestions from the protection side of your years of experience?

Mr. Marino: Personal protection is something that everyone should take extremely seriously. We are faced with many situations in which we assume nothing will happen and we take no precautions. The threats that exist are financial and physical in nature. Wearing a seat belt in our automobiles has not only become the law but a routine habit that most of us exercise every day and take for granted. However, some other behaviors may not come naturally. For instance, many of us travel routinely whether for work or pleasure, yet do we always take the time to familiarize ourselves with evacuation routes? To highlight what I mean I will use two examples.

The first is when we board an aircraft. During my career I boarded hundreds of airplanes, if not more. I notice how many travelers, probably because this is not their first flight, simply ignore the safety briefing; we all know how to buckle and unbuckle a seat belt after all. An early lesson learned in protection, personal or of a dignitary, is to train like we want to react and do not take anything for granted; prepare for the worst case scenario. I recommend that you place attention to the briefing, planes are built differently, emergency doors use different mechanisms. However, an additional detail that I focus on during the safety briefing is when the flight attendant states, “Locate the nearest exit, it may be behind you.” I not only locate that exit but I count the number of rows that are between me and the exit. I prepare myself, as should you, to maneuver in the dark by simply feeling the way in a cabin that could fill with smoke very rapidly.

The second example mirrors the first in that I repeat this same exercise when I check into a hotel, in this case by simply counting the number of doors from my room to the nearest emergency exit. To rely on a lighted sign at the ceiling level where smoke accumulates makes it extremely difficult in an emergency to orientate oneself to find the stairwell for quick evacuation. Extremely basic measures the likelihood of which we will never have to use, but one time that we are unprepared may be the last time.

There are also some very basic things that we can do to minimize the possibility of financial loss due to low tech hacking. The theft of personally identifiable information from the person of the victim is one of the most common attack vectors. Someone with the benefit of a personal assistant or physical security professional has safeguards and sometimes insulation between themselves and the general public. I recommend that under no circumstance, should one ever respond with personal information from an unsolicited, letter, telephone call, or email. Set limits for yourself as to the amount of information that is available on social media sites. When presented with the opportunity to opt out, do so. (Many “people search” websites that contain information about us allow you to opt out and have your information withdrawn, albeit with limited success especially in the case of state public records).

Practice physical security considerations that assist in safeguarding your personal information. Minimize the possibility of becoming a victim of petty crime. We are most at risk domestically and, even when traveling internationally, of succumbing to a property crime such as presented from a pickpocket. The amount of sensitive personally identifiable information or access to financial resources that we carry should not only be minimized, but also should be compartmentalized and placed in a not easily accessible location. For me it means lose the “George Costanza wallet” (a reference to the Seinfeld show where in one episode of the show Costanza's wallet was so full it made him sit on a slant and one day it exploded, sending all its contents into the street), maintain the minimum amount of information, minimum number of credit cards, never a social security card (unless you are on a job interview or starting a new job). If you travel internationally, keep your passport locked in the hotel safe and carry a photocopy instead. Many of the interactions that the U.S. State Department has with U.S. citizens abroad center on replacing a lost or stolen passport. Lastly, make sure that you maintain your personal financial belongings in a non–easily accessible location, which may mean not in your back pocket or a purse slung over the shoulder.

Jack: I'd like to ask you one final question about the growing problem of identity theft. I suspect that much of that involves some form of social engineering and other low tech hacking exploits used to gain enough information to take over someone's identity. Is the threat continuing to grow in your opinion, and do you have any suggestions for our readers preventing becoming a victim?

Mr. Marino: Absolutely, as I previously mentioned the theft of personally identifiable information is very common and very profitable as well. The Federal Trade Commission (FTC) maintains the statistics on the number of victims of identity theft and the sheer numbers, their estimate is nine (9) million Americans are victims each year, are in my opinion staggering. I also have to believe that to a certain extent these numbers under represent the actual number of victims. Many people are not aware that should they be a victim of identity theft it should not only be reported to the police jurisdiction in which they live, but it should also be reported to the FTC as the central depository of the information.

We hear in the news about a large database compromise at a particular location and start to think that is where the problem lies. The truth of the matter is that low tech hacking and social engineering attacks are extremely effective and require little to no technical skills. A great location to scour for information is what we place on social networking sites. You may be thinking, “but my site is private.” Password strengths vary by the individual, no different than the lock we choose for own home. If the password, or lock, is weak the criminal can enter your home or enter your computer and can become in essence the user or the “man in the middle” (“man in the middle” refers to a computer attack whereby the criminal sits in between the two intended users and controls the conversation or session). Besides the lock or password controls, risky web surfing habits can expose the user to any number of system vulnerabilities. The technical skill needed to deploy that vulnerability is really zero; you can buy off the shelf software tools (programs). So you see there are a number of ways that criminals could harvest entire address books in order to attempt social engineering attacks. The strength of any network, including our social networks, is only as strong as the weakest lock. One of the common attacks I have seen is where in this same scenario of the social network compromise, the address book was used to “spoof” (masquerade) an email pleading for cash, via a money remitter. The email appears to come from someone you know and they are pleading for funds because of an unforeseen travel emergency. Low tech, but effective, because of the human nature propensity to be trusting and helpful.

Make no mistake, however; methods used for identity theft are usually low tech, and unsophisticated. Though there may be variations to the schemes, the sources remain pretty constant. They include old-fashioned phishing attacks; theft of mail from our own mailboxes; rummaging through the trash; cold call pretexting, which is social engineering in the truest sense; and old-fashioned stealing of financial data by an insider with access or from our own person.

A lot of the power to protect us from identity theft resides with us. We can exercise good practices, some of which I mentioned earlier, and we can also exercise our own due diligence with tools at our disposal. The primary tool is our vigilance.

Jack: Thanks for always being there for us, Tony.

Jack: Give me your best low tech hacking war story for how the bad guys might be using low tech tools and social engineering skills.

SA Baker: Malicious executable attachments to email continue to be the most prevalent low tech hacking threat. While social engineering strategies have changed somewhat, the hacker's goal of convincing unsuspecting victims to open and view email with malicious attachments remains the same. Changes in social engineering strategies include the increase in “Whaling” also known as “Spear Phishing” activity as opposed to traditional “Phishing.” The difference in terms being that “Whaling” aka “Spear Phishing” specifically targets executive managers and decision makers within private and public sector organizations rather than utilizing the more traditional means of randomly distributing malicious code through bulk email “spamming” activity. Another social engineering tactic that has gained tremendous momentum preys on the explosive popularity of social networking sites. The strategy utilizes a slightly more sophisticated model of masking malicious .exe files with .jpg or .txt file extensions. An example would be that the victim opens the file to view a photograph or picture (.jpg) and running behind the photo is malicious code (.exe). The most significant difference when comparing the low tech hacker or “Script Kiddy” to the more sophisticated lone wolf or state-sponsored hacker is that the low tech hacker will likely utilize malicious tools readily available for purchase on many hacker forums. These tools most often target known operating system (OS) vulnerabilities and rely on the complacency of the victim to be successful. This is very important to understand from the victim perspective and emphasizes the points of 1) utilizing updated system security software 2) utilizing the default system setting of “daily” to “patch, patch, patch” vulnerabilities identified by your OS provider.

Jack: Do you think that the bad guys such as foreign spies and possible terrorists use many low tech tools for gaining access to critical information or locations?

SA Baker: Jack I will keep my responses more broad in perspective. The points I make above are the points that I make in every cyber security–related presentation that I do. While it is possible that low tech hacking tools can be deployed by individuals involved in espionage and terrorism, the most important concepts for the users to embrace are: 1) the need to educate themselves on the current threats and tactics utilized by the criminal hacker and 2) how to protect themselves, their sensitive information, and their networks from these types of attacks.

Jack: Tell me more about “Spear Fishing” and what people should know to prevent being a victim. Our readers would also like to know when the FBI would get involved if someone thinks that they have been targeted.

SA Baker: The term “Spear Phishing” is a hacker term which indicates that the hacker is specifically targeting an individual for attack as opposed to a bulk spam mail approach. The significance from a law enforcement perspective is that it shows a significant shift in philosophy, sophistication, and most importantly, in criminal intent. As an example, a hacker utilizing a spam mail approach does not know what the return on the investment will be at the time of delivery. Often, the hacker is simply looking to disrupt or disable service connections for individual users, to incorporate the individual machine into a network of compromised machines known as a “bot net” or “bot herding,” or in some instances to steal the personal identification of individual but unknown users. A hacker utilizing a “Spear Phishing” method has researched a private or public sector entity, identified a potential target based on position or perceived access, and specifically attempts to deliver a malicious payload to that person by way of email. The motivations for “Spear Phishing” are numerous. The hacker's motivations can be total network disruption, utilizing the network to store illegal or illegally obtained documents and images; theft of trade secrets; theft of classified material; theft of personal information; or financial motivation. The best defense against becoming a victim of “Spear Phishing” is do not open email and email attachments unless you are positive you know the sender. If you receive an email that appears to be from someone you know but the email has no entry on the subject line or the subject content is not consistent with the person you know (i.e., the email asks for information that is not normal for the known contact or the email contains content that is not normal or appropriate for the known contact), take caution. Discard the email to your “trash” folder. Often, but not always, the suspect email will ask for a response. If so, before you respond to the suspect email, telephone or initiate a new email from your contact list to the known contact that the email appeared to come from and ask them if they sent you an email. If the receiver already opened the email and the email contains content that is obviously not from a known/trusted contact—the email contains photos, videos or other attachments that are obviously not from the known/trusted contact and/or the email contains illegible content—immediately close the email and contact your network administrator or IT security personnel. Some of the factors the FBI considers in determining whether to initiate an investigation regarding an apparent “Spear Phishing” attempt would be 1) Was the target an elected official? 2) Did the target hold a security clearance and/or have access to sensitive or classified data or networks? 3) Was there a loss of data, and if so, was the data classified? 4) What was the monetary loss or value of data lost, altered, or destroyed? 5) Did the intrusion result in damage to network or infrastructure or otherwise cause in the entity's inability to operate resulting in economic loss?

Jack: What can companies do to help law enforcement reduce the threat of low tech crimes?

SA Baker: Whether an individual or private entity, the best offense is a really good defense when protecting against the low tech hacker. By that I mean, now more than ever before the public sector is willing to share the most recent threat-based intelligence regarding cyber crime with private sector partners. Organizations such as InfraGard share threat-based intelligence at scheduled meetings as well as via a userid/password protected VPN where the most recent threat-based intelligence bulletins are posted for review by the membership. Individuals and the private sector as a whole should ensure that all of the stakeholders are well informed regarding the most current threat-based intelligence available. Companies should ensure that not just the IT staff are aware of the threats but rather all of the employees should have access to the threat intelligence. Generally speaking, the individual user is the most vulnerable and most targeted for compromise by the low tech hacker. Most states have adopted cyber crime laws similar to those enacted at the federal level. If a person or entity suspects they are a victim of cyber crime, they should contact the FBI, state, or local law enforcement agency nearest to them for advice.

Jack: With some of these low tech crimes, it can be difficult to know who in law enforcement a possible victim should call. If in doubt as to who to refer a potential crime to, should the FBI be contacted directly by individuals or companies?

SA Baker: Great question. Often it is confusing for victims to determine the appropriate agency to contact with information regarding hacking events. The FBI has taken significant strides in the past 10 years to remove some of that confusion. By creating organizations such as InfraGard, the FBI established a community outreach organization for the private sector. The most important aspect of the organization is that the FBI created a systematic method to distribute relevant information to a large audience of members. Members are educated on current cyber threats; provided with suggestions on protecting personal and sensitive industry data; and the jurisdictional responsibilities local, state, and federal law enforcement. InfraGard also provides for an identified FBI point of contact should a member need further explanation on jurisdictional matters. Another resource sponsored by the FBI is an FBI-managed website for cyber-related criminal complaints. This site is www.IC3.gov. The FBI provides this website as a service to persons and entities that wish to report instances of cyber-related criminal activity. Individuals can visit the site to report or research the latest cyber scams and other methods utilized by cyber criminals. Lastly, individuals requiring specific information or wishing to personally report information on cyber-related crime, specifically “Spear Phishing,” are welcome to contact their local FBI field office either by telephone or in person.

Jack: How is the FBI working with local and state law enforcement agencies to help spread the word about these low tech crimes? One of the best Charlotte InfraGard meetings that I ever attended was a meeting where the FBI brought in all of the local and state agencies from the surrounding counties to share their current threat knowledge with our members. It was amazing to see how many of the same kinds of crimes were on the rise in each respective geographic location.

SA Baker: The FBI works closely with local, state, and other federal law enforcement agencies primarily through FBI-sponsored Cyber Crime Task Forces (CCTF) located throughout the country. In doing so, the FBI sponsors local and state officers and agents for federal deputations. The federal deputation affords the local and/or state officer the same federal investigative authority as an FBI Special Agent. This is extremely important in cyber crime investigations. First, most states have concurrent jurisdictional laws that mirror those established by Congress at the federal level. Also, most law enforcement agencies actively involved in cyber crime investigations are experiencing the same criminal acts to a varying degree. Because there is substantial interest among the general citizenry, cyber crime has become a priority to local and state law enforcement agencies. Investigative personnel resources for cyber crime matters, however, are generally very limited at the local and state levels.

The FBI CCTF therefore serves as a “force multiplier” to local and state agencies that are willing to commit their limited resources to the CCTF effort. Secondly, cyber crime effecting citizens in a particular community are seldom committed by an offender residing within that community. In fact, the offender oftentimes does not even reside within the United States. It is important to note this fact when considering the importance of the federal deputation. Without the FBI sponsorship of the federal deputation, the jurisdictional boundaries of the investigative agency would stop at the city, county, or state line where the investigating agency resides. An example would be a city police detective investigating a scam perpetrated on a person or persons responding to items listed for sale on an online personal advertising site. If the investigative detective was required to work without a federal deputation, her or his authority would stop at the city limits or other jurisdictional boundary established by the department.

The detective would then have to rely on her or his established professional contacts outside the jurisdiction or attempt to make contacts within the jurisdiction where the investigation might lead. Lastly, the detective would have to consider forwarding the investigation to federal authorities for investigative consideration. All of these issues are resolved with the FBI sponsoring the federal deputation, which allows for the Task Force Officer (TFO) to travel anywhere within the United States or its possessions in pursuit of evidence of the crime. Further, the TFOs are able to leverage the close working relationships that the FBI has established with its international law enforcement partners in pursuit of cyber criminals around the world. Last but certainly not least, participation in FBI CCTFs affords the deputized officers with extremely valuable cyber training at the FBI's expense. TFOs can receive numerous IT certifications at no expense to the participating agency.

Jack: Thanks for everything that you do to keep us safe, Greg.