Mitnick warns on dangers of social engineering

The famed ex-hacker has warned against security strategies that focus on technology; it's teaching staff to say 'no' that will keep your network secure
Written by David Braue, Contributor

Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne, Australia, on Thursday.

Mitnick became a cyberspace legend after his success in penetrating networks at major telecommunications firms -- including Pacific Bell and Motorola, Nokia, Fujitsu, Novell and NEC -- led the FBI on a 15-year manhunt that ended when his 1995 capture put him behind bars for nearly four years. Older and seemingly wiser, he now uses his skills for good as a Los Angeles-based security consultant, stopping in Australia briefly to address the crowd at the annual Toshiba event.

Many companies invest heavily in security technologies to protect their networks, but Mitnick was quick to point out that even the tightest technological barriers never stopped him; rather, some carefully planned social engineering -- or even a bit of Dumpster diving in one's spare time -- can often be far more effective at penetrating the weakest security link at most companies: their people.

"What you can find in the trash is simply amazing," said Mitnick, holding up a "souvenir" from his earlier days: a printed directory listing the name, phone number, email address, direct reports and other information about every employee in the company. "People throw out notes, drafts of letters, printouts of source code, printouts of project documentation they're working on. In some cases they even write down passwords and access information, or calendars that list every person that person has talked to or met with".

This information provides invaluable assistance to hackers keen to worm their way into a company by, say, impersonating an employee and calling the internal help desk, or dropping into the site and pretending to be a business associate. Because people hate to say no even when they're suspicious of a well-presented stranger, Mitnick says, smooth talking has gotten many a hacker far closer to a target company's network than days of brute-force technological attacks.

Modern technology is an enabler for such attacks: if a hacker can worm his way into a conference room for just a few minutes, for example, an wireless access point can be plugged into an out-of-the way network access point, providing an open back door into the network even when the hacker is parked outside the building.

The solution to such security vulnerabilities is easy to understand, but often hard to implement: develop clear security policies for issues such as treatment of strangers, handling of information and access to physical facilities by visitors. In suspicious circumstances, teach employees to fall back on those policies rather than trying to ad-lib their response or give in to their natural reticence to accommodate the hacker's requests.

Even a simple request for contact details, so that a company employee might call back the person requesting assistance, can be enough to make many hackers turn tail and run.

"We can't expect our employees to be human lie detectors," Mitnick said. "One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms. Social psychology has found that people should generally pay attention to their own discomfort; if something doesn't feel right, or it's nagging at their gut, they'd better check it out. They're not always going to remember a security policy, but what you want is to come up with some very simple protocols that will trigger employees to refer to security policy. The only people who are going to object to this are the bad guys".

David Braue reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.

Editorial standards