Appendix 1

Phreaking: The Weakest Information System Components Are Human


The following definitions are given in Bob Jensen’s Technology Glossary at :

Phreaker = the skilled saboteur who relies on guile and the fallibility of employees in an information system. Employees do not necessarily have to be co-conspirators. The phreaker takes advantage of their innocence and trusting nature. The term is used in contrast to a hacker and a cracker. A hacker is a person who relies only upon technology to hack into the system (e.g., by breaking the encryption code). Whereas a hacker usually breaks in without intention to harm the system or for personal gain, a "hacker" turns into a "cracker" when the intention becomes more sinister. A "phreaker" may do some hacking or cracking, but to be a phreaker the saboteur must also rely upon human fallibility.

In Incident 2 of the above case, Bruce Sidlinger was engaged by the CEO of TEHMA to be a phreaker. There are numerous examples of phreaking. One of the best known was revealed at the Black Hat Briefings ’98 Conference held in Las Vegas by Ira Winkler. Winkler was engaged by a large bank to crack into a customer database. Three firewall computers made it very difficult to crack into the system using only technological tools. Instead, Winkler represented himself as an employee of the bank and chose to phreak into the system. He informed a high-level executive’s secretary that he was from human resources and working on a newsletter that planned to feature the executive. In the interview, he obtained the executive’s background and employee ID number.

Winkler knew that the bank had recently hired a number of new employees, so he called the Personnel Office. Posing as the executive he’d phreaked in advance, he tricked the Personnel Office into giving him a list of new hires and their employee ID numbers over the telephone. Next he tricked 73 new employees into revealing their ID numbers and Information System passwords. With those ID numbers and passwords, it would then have been a simple process to crack into the database and steal millions of dollars before the bank could possibly detect that it had been phreaked. In total, it only took four days to phreak the bank’s information system.

Jim Kerstetter, in PC Week Online, July 31, 1998, (or the PC Week hard copy version on August 3, 1998, Page 6), states the following:

Winkler’s relatively easy break-in to the unnamed bank, which relied more on bluffing, or "phreaking," than technology, underscored one of the themes at this week’s Black Hat Briefings ’98 conference here: Technology is only a part - perhaps the smaller part - of the battle for information security.

As such, security experts here implored companies to focus less on technological solutions to information security and instead to implement plans to stop the skilled saboteur who relies on guile and the fallibility of employees.

Security policies, deciding who has access to what, knowing how to use the security tools already in place and common sense are the best ways to stop the Huns at the gate, the experts said. Ignore the human element, and all the unbreakable encryption, firewalls and sophisticated public-key infrastructures are useless.


