Mitnick teaches 'social engineering'

Would you trust Kevin Mitnick? Dozens of administrators, security personnel and phone operators did. That, he says, was one reason he succeeded as a hacker. In the early 90s, Mitnick had the run of many phone systems. On Sunday, the celebrity hacker told hackers, wannabes and activists who packed two rooms at Hacking on Planet Earth 2000 how he did it.

"Through social engineering, I gained the ability to obtain any number, listed or unlisted," Mitnick said in a speech delivered by phone from Los Angeles. "This really came easy to me -- manipulating the telephone company."

Social engineering is basically pulling a con job, hacker-style. The object is to get information or access to systems that are normally only used by privileged users.

"[As] the media characterises social engineering, hackers will call up and ask for a password," Mitnick said. "I have never asked anyone for their password."

It was the first talk Mitnick has given since his probation officer gave him permission to lecture on hacking, work as a security consultant and write articles on security.

Mitnick, 36, served almost five years behind bars for breaking into computers, stealing data and abusing electronic communication systems. Upon his release in January, Mitnick denied the charges against him, claiming he had been railroaded into a plea bargain by the authorities.

Mitnick is nothing, if not persuasive. The California resident chatted with H2K attendees about how he would build trust with administrators, security personnel, and anyone else who might have the information or access he needed.

"You try to make an emotional connection with the person on the other side to create a sense of trust," he said. "That is the whole idea: to create a sense of trust and then exploiting it."

As an introduction to the session, Eric Corley -- also known as Emmanuel Goldstein, the publisher of the hacker magazine 2600 -- called AT&T's internal security to inquire about a memo that warned employees about the social engineering session.

Corley, who had a copy of the memo, posed as an AT&T employee who wanted to know more about the memo and the "hacker threat". He talked to an alleged security employee and confirmed the existence of the memo, though no other privileged information was gained.

While the example seemed benign, it showed how willing people are to trust someone on the other end of a phone call.

"I used to do a lot of improvising," Mitnick said. "I would try to learn their internal lingo and tidbits of information that only an employee would know."

Mitnick also offered advice to businesses afraid that spies and hackers may gain access to their internal systems using social engineering. "On the corporate side, as an employee, it all comes down to user awareness and education," Mitnick said.

Proactively recording calls could increase security as well, he added.

"The 'monitoring this call for quality assurance' is really a deterrent because you don't know whether they are listening to you," he said.

Take me to the Summer of Hacking Special

Take me to Hackers

What do you think? Tell the Mailroom. And read what others have said.