Winkler's relatively easy break-in to the unnamed bank, which relied more on bluffing, or "phreaking," than technology, underscored one of the themes at this week's Black Hat Briefings '98 conference in Las Vegas: Technology is only a part-perhaps the smaller part-of the battle for information security.
As such, security experts here implored companies to focus less on technological solutions to information security and instead to implement plans to stop the skilled saboteur who relies on guile and the fallibility of employees.
Security policies, deciding who has access to what, knowing how to use the security tools already in place and common sense are the best ways to stop the Huns at the gate, the experts said. Ignore the human element, and all the unbreakable encryption, firewalls and sophisticated public-key infrastructures are useless.
Case in point: Winkler's recent bank "attack," in which he was hired to test the bank's security. The bank had three firewalls and was not easy to break into electronically. So Winkler picked up a telephone book. He also did some research on the Web, discovering the bank's domain and other Internet address information left on Usenet groups.
He called an executive's secretary and told her he was from human resources and working on a newsletter that planned to feature the executive. He pumped her for the executive's background and, eventually, his employee ID number. Winkler noticed in classified ads that the bank was hiring a lot of people, so he called the "new employee" office. Posing as the executive whose secretary he'd spoken with two days earlier, he tricked someone there into reading him a list of new hires and their employee ID numbers over the telephone.
The next day he called those new hires and, posing as someone from IS, tricked them into giving up their log-ons, user IDs and, ultimately, their passwords. Seventy-three people took the bait.
With that information in hand, the only equipment Winkler needed was a PC with a modem. "Someone said I would have had the capability to make $2 million transactions," he said.
Some Black Hat attendees listening to Winkler's talk were horrified. "It makes me feel kind of useless, to be honest with you," said one network administrator from an East Coast bank.
The amount of data a thief conducting a "social engineering attack" can steal often depends on skill at bluffing. Technology has little to do with it, said Jeff Moss, director of security assessment services at Secure Computer Corporation, Moss is also the founder of the Black Hat conference and its bad-boy sibling, the Def Con hackers' conference.
"I've known some people who are excellent 'phone phreakers' but [who] can barely boot up their computers," he said.
But there are some things administrators can do. They can create and enforce strict information management policies. They can train employees on the dangers of phreakers and their ilk and warn them of the consequences if they give up important information.
To ensure authentication, administrators should move to two-factor authentication: any combination of passwords, digital certificates, hardware tokens, smart cards and biometric devices.
ID cards can also be used for different parts of the building. Someone from the IS department, for example, should not be unaccompanied in the accounting department.
In the end, the best prevention is common sense. For example, administrators and employees should take important schematics off the walls. Make sure management charts and employee directories don't get into the wrong hands. And make sure that if users leave their desks they have some sort of automatic lock-out, such as a low-cost screen saver with a password.
"Sweat the small stuff," Winkler said. "That's what costs us billions."