Kevin Mitnick: The great pretender

Summary:The hacker turned security expert discusses some of the latest trends in socially engineered security breaches, and how best to defend against them

Ten years ago there wasn't much of a World Wide Web to exploit, but there were still hackers — or more accurately crackers. Without the current glut of naive Web users to exploit, would-be cyber-thieves and vandals had to be somewhat more creative, and one of the most creative and infamous was Kevin Mitnick.

Arrested by the FBI in 1995 and convicted of breaking into the systems of Fujitsu Siemens, Nokia and Sun Microsystems, Mitnick served five years in prison — eight months of it in solitary confinement.

In his days on the wrong side of the law, Mitnick used so-called social engineering techniques to fool users into handing over sensitive information. Rather than overt technical hacks, he was able to convince employees to hand over information that enabled him to hack systems, while redirecting telephone signals to avoid detection by the authorities.

Following his run in with law, Mitnick now puts his powers of persuasion to good, running a company that advises businesses on avoiding social engineering attacks.

ZDNet UK caught up with the ex-cracker, ahead of his keynote speech on the "art of deception" at the MIS CISO Executive Summit in Barcelona, to discuss developments in social engineering, new US laws monitoring telephone systems, and alleged "NASA hacker" Gary McKinnon's impending extradition to the US.

Q: How big a problem is social engineering for businesses? Is it becoming a more widely used tactic?
A: It's a substantial problem — a lot of malware is associated with social engineering. Social engineering plays a big part in exploiting known vulnerabilities in software.

Are you seeing any new attack methods?
They use the same methods they always have — using a ruse to deceive, influence, or trick people into revealing information that benefits the attackers. These attacks are initiated, and in a lot of cases the victim doesn't realise. Social engineering plays a large part in the propagation of spyware. Usually attacks are blended, exploiting technological vulnerabilities and social engineering.

What can businesses do to safeguard themselves?
Businesses should train people to try to recognise possible attacks.

What are some of the give-away signs to look for in a potential social engineering attack?
Mostly it's gut instinct — if something doesn't look or feel right. If someone is calling on the telephone, but they...

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.