Combining technology and social engineering: Hacking behind bars

In this excerpt from Chapter 11 of The Art of Deception: Controlling the Human Element of Security, authors Kevin Mitnick and William L. Simon begin a story that shows how social engineering can be used with technology.

What are some of the most secure installations you can think of, protected against break-in, whether physical, telecommunications, or electronic in nature? Fort Knox? Sure. The White House? Absolutely. NORAD, the North American Air Defense installation buried deep under a mountain? Most definitely.

How about federal prisons and detention centers? They must be about as secure as any place in the country, right? People rarely escape, and when they do, they are normally caught in short order. You would think that a federal facility would be invulnerable to social engineering attacks. But you would be wrong -- there is no such thing as foolproof security, anywhere.

A few years ago, a pair of grifters (professional swindlers) ran into a problem. It turned out they had lifted a large bundle of cash from a local judge. The pair had been in trouble with the law on and off through the years, but this time the federal authorities took an interest. They nabbed one of the grifters, Charles Gondorff, and tossed him into a correctional center near San Diego. The federal magistrate ordered him detained as a flight risk and a danger to the community.

His pal Johnny Hooker knew that Charlie was going to need a good defense attorney. But where was the money going to come from? Like most grifters, their money had always gone for good clothes, fancy cars, and the ladies as fast as it came in. Johnny barely had enough to live on.

The money for a good lawyer would have to come from running another scam. Johnny wasn't up to doing this on this own. Charlie Gondorff had always been the brains behind their cons. But Johnny didn't dare visit the detention center to ask Charlie what to do, not when the Feds knew there had been two men involved in the scam and were so eager to lay their hands on the other one. Especially since only family can visit, which meant he'd have to show fake identification and claim to be a family member. Trying to use fake ID in a federal prison didn't sound like a smart idea.

No, he'd have to get in touch with Gondorff some other way. It wouldn't be easy. No inmate in any federal, state, or local facility is allowed to receive phone calls. A sign posted by every inmate telephone in a federal detention center says something like, "This notice is to advise the user that all conversations from this telephone are subject to monitoring, and the use of the telephone constitutes consent to the monitoring." Having government officials listen in on your phone calls while committing a crime has a way of extending your federally funded vacation plans.

Johnny knew, though, that certain phone calls were not monitored: calls between a prisoner and his attorney, protected by the Constitution as client-attorney communications, for example. In fact, the facility where Gondorff was being held had telephones connected directly to the federal Public Defender's Office (PDO). Pick up one of those phones, and a direct connection is made to the corresponding telephone in the PDO. The phone company calls this service Direct Connect. The unsuspecting authorities assume the service is secure and invulnerable to tampering because outgoing calls can only go to the PDO, and incoming calls are blocked. Even if someone were somehow able to find out the phone number, the phones are programmed in the telephone company switch as deny terminate, which is a clumsy phone company term for service where incoming calls are not permitted.

Since any halfway decent grifter is well versed in the art of deception, Johnny figured there had to be a way around this problem. From the inside, Gondorff had already tried picking up one of the PDO phones and saying, "This is Tom, at the phone company repair center. We're running a test on this line and I need you to try dialing nine, and then zero-zero." The nine would have accessed an outside line, the zero-zero would then have reached a long-distance operator. It didn't work -- the person answering the phone at the PDO was already hip to that trick.

Johnny was having better success. He readily found out that there were ten housing units in the detention center, each with a direct connect telephone line to the Public Defender's Office. Johnny encountered some obstacles, but like a social engineer, he was able to think his way around these annoying stumbling blocks. Which unit was Gondorff in? What was the telephone number to the direct connect services in that housing unit? And how would he initially get a message to Gondorff without it being intercepted by prison officials?

What may appear to be the impossible to average folks, like obtaining the secret telephone numbers located in federal institutions, is very often no more than a few phone calls away for a con artist. After a couple of tossing-and-turning nights brainstorming a plan, Johnny woke up one morning with the whole thing laid out in his mind, in five steps.

First, he'd find out the phone numbers for those ten direct-connect telephones to the PDO.

He'd have all ten changed so that the phones would allow incoming calls.

He'd find out which housing unit Gondorff was on.

Then he'd find out which phone number went to that unit.

Finally, he'd arrange with Gondorff when to expect his call, without the government suspecting a thing.

Piece a' cake, he thought.

Read the rest of Chapter 11, Combining technology and social engineering