Human firewalls are a must, says Mitnick

There is no point spending millions on security if employees can be persuaded to divulge log-in details, says the infamous hacker, who has plenty of examples of just how pointless it can be
Written by Munir Kotadia, Contributor
Companies can better protect their confidential information by creating an incident response department to deal with suspicious queries, says infamous ex-hacker Kevin Mitnick.

At a social engineering prevention workshop in Sydney this week, Mitnick explained that this group should be trained in the art of social engineering, be able to investigate any potential [security] attacks and respond in an efficient and effective manner.

The founder of Mitnick Security Consulting (formerly known as Defensive Thinking) also called on companies to properly educate their workforce and strengthen their so-called "human firewall".

At the workshop, Mitnick and business partner Alex Kasperavicius shared some of the tactics used by social engineers to bypass a company's technical security by exploiting employees' psychological vulnerabilities.

Mitnick said there is no point spending millions of dollars on the latest hardware and software to protect corporate networks if it is relatively simple for an attacker to persuade one of the company's employees to divulge their log-in details.

"As the attacker I am going to look for the weakest point where I can gain access. A security program is made up of people, processes and technology. Your company could be strong in one area, such as technology, but its people may not be trained up to recognise where the bad guys are going to strike. The attackers are going to look for the easiest way in," said Mitnick.

As an example of security weak points, Mitnick and Kasperavicius demonstrated how dumpster diving could reap rewards. Before leaving Los Angeles, the pair claimed they went to the offices of a prominent female entertainer to salvage some of her company's rubbish bags.

After removing the old pizza boxes, drinks cans and other garbage, they were left with a large number of e-mail printouts, faxes, wage slips, telephone bills and other documents. The workshop attendees were given the task of going through the leftover 'rubbish' to see if they could find anything that might help them launch an attack.

Among the old pay slips and invoices, the delegates found what were allegedly the home and mobile phone numbers of high-profile pop singers -- including Christina Aguilera -- and a well-known rock guitarist. There was also a printout containing the admin URL, username and password of the Web site of a reality television star.

Another item discovered in the pile was a letter from a young fan asking for the prominent entertainer's autograph, with US$1 paper-clipped to it. The letter had never been opened.

"In the garbage you find post-it notes, calendars, project names, printouts of source code, billing, systems names and correspondence. Companies dumpster dive to get competitive intelligence -- it is not just the hackers and industrial spies," said Mitnick.

Mitnick demonstrated how social engineers use confidence tricks and simple charades to elicit valuable information from unsuspecting employees. The tricks ranged from simply pretending to be from the IT department and persuading an employee to reveal their password, to more elaborate scams that involve months of research and acting ability.

Mitnick advised delegates to create and enforce security policies that included defences against social engineering techniques. He said different staff members should be trained to look out for different types of attacks. For example, the company receptionist is unlikely to be targeted by the same type of social engineering attack as a telecommuter or a security guard.
