Kevin Mitnick: The great pretender

The hacker turned security expert discusses some of the latest trends in socially engineered security breaches, and how best to defend against them
Written by Tom Espiner, Contributor

Ten years ago there wasn't much of a World Wide Web to exploit, but there were still hackers — or more accurately crackers. Without the current glut of naive Web users to exploit, would-be cyber-thieves and vandals had to be somewhat more creative, and one of the most creative and infamous was Kevin Mitnick.

Arrested by the FBI in 1995 and convicted of breaking into the systems of Fujitsu Siemens, Nokia and Sun Microsystems, Mitnick served five years in prison — eight months of it in solitary confinement.

In his days on the wrong side of the law, Mitnick used so-called social engineering techniques to fool users into handing over sensitive information. Rather than overt technical hacks, he was able to convince employees to hand over information that enabled him to hack systems, while redirecting telephone signals to avoid detection by the authorities.

Following his run-in with the law, Mitnick now puts his powers of persuasion to good use, running a company that advises businesses on avoiding social engineering attacks.

ZDNet UK caught up with the ex-cracker, ahead of his keynote speech on the "art of deception" at the MIS CISO Executive Summit in Barcelona, to discuss developments in social engineering, new US laws monitoring telephone systems, and alleged "NASA hacker" Gary McKinnon's impending extradition to the US.

Q: How big a problem is social engineering for businesses? Is it becoming a more widely used tactic?
A: It's a substantial problem — a lot of malware is associated with social engineering. Social engineering plays a big part in exploiting known vulnerabilities in software.

Are you seeing any new attack methods?
They use the same methods they always have — using a ruse to deceive, influence, or trick people into revealing information that benefits the attackers. These attacks are initiated, and in a lot of cases the victim doesn't realise. Social engineering plays a large part in the propagation of spyware. Usually attacks are blended, exploiting technological vulnerabilities and social engineering.

What can businesses do to safeguard themselves?
Businesses should train people to try to recognise possible attacks.

What are some of the give-away signs to look for in a potential social engineering attack?
Mostly it's gut instinct — if something doesn't look or feel right. If someone is calling on the telephone, but they refuse to give any contact information — that's a red flag. If they make a request that's out of the ordinary — that's a red flag. If they make a request for something sensitive — that's when verification is necessary, depending on company policy.

If somebody is flattering you, they might be trying to influence you to cooperate. Or, they might use an authority ruse — they pretend to have a higher status than you to force information from you.

Is it all down to the employees?
People can't be human lie detectors. Companies need to develop a simple security protocol to know when employees should refer to policy, on the intranet. Top management needs to buy into this idea.

Companies should run workshops on responses to social engineering, to demonstrate the foolish feeling people could have if they're tricked. Enterprises need to motivate compliance with policy, and explain why this is important to employees. Businesses should also develop their security policy, and encourage employee participation — educate people. You can hire an outside firm to test security, and see if people can be fooled into revealing information.

There are new laws, in both the US and the UK, regarding monitoring telephone systems. What is your opinion on them?
There's a privacy issue at stake. There's a big scandal at the moment with the Bush administration monitoring systems.

Can that be avoided?
People can use strong crypto, but then so can criminals and terrorists. Security and privacy is always a delicate balancing act.

What's your opinion on Gary McKinnon, the so-called "NASA hacker"? The US is in the process of extraditing him to face charges of hacking into government systems.
He's the UFO guy, right? I think the excuse that he was trying to expose UFOs is laughable — he was allegedly hacking around all sorts of systems.

I think they're trying to make an example out of him — you can't be in another country and escape American justice. Now, I'm not an expert on British law, but surely he could be prosecuted in the UK for the same thing?