
June 14, 2006 7:17 AM PDT

Newsmaker: Kevin Mitnick, the great pretender

Ten years ago, there wasn't much of a World Wide Web to exploit, but there were still hackers--or, more accurately, crackers.

Without the current glut of naive Web users to exploit, would-be cyberthieves and vandals had to be somewhat more creative, and one of the most creative and infamous was Kevin Mitnick.

Arrested by the FBI in 1995 and convicted of breaking into the systems of Fujitsu Siemens, Nokia and Sun Microsystems, Mitnick served five years in prison--eight months of it in solitary confinement.

In his days on the wrong side of the law, Mitnick used so-called social-engineering techniques to fool users into handing over sensitive information. Rather than relying on overt technical hacks, he convinced employees to hand over information that let him break into systems, while redirecting telephone signals to avoid detection by the authorities.

Following his run-in with the law, Mitnick put his powers of persuasion to good use, running a company that advises businesses on avoiding social-engineering attacks.

ZDNet UK caught up with the ex-cracker before his keynote speech on the "art of deception" at the MIS CISO Executive Summit & Roundtable in Barcelona, to discuss developments in social engineering, new U.S. laws monitoring telephone systems and alleged "NASA hacker" Gary McKinnon's impending extradition to the United States.

Q: How big a problem is social engineering for businesses? Is it becoming a more widely used tactic?
Mitnick: It's a substantial problem--a lot of malware is associated with social engineering. Social engineering plays a big part in exploiting known vulnerabilities in software.

Are you seeing any new attack methods?
Mitnick: They use the same methods they always have--using a ruse to deceive, influence or trick people into revealing information that benefits the attackers. These attacks are initiated, and in a lot of cases, the victim doesn't realize. Social engineering plays a large part in the propagation of spyware. Usually, attacks are blended, exploiting technological vulnerabilities and social engineering.

What can businesses do to safeguard themselves?
Mitnick: Businesses should train people to try to recognize possible attacks.

What are some of the giveaway signs to look for in a potential social-engineering attack?
Mitnick: Mostly, it's gut instinct--if something doesn't look or feel right. If someone is calling on the telephone, but they refuse to give any contact information, that's a red flag. If they make a request that's out of the ordinary, that's a red flag. If they make a request for something sensitive, that's when verification is necessary, depending on company policy.

If somebody is flattering you, they might be trying to influence you to cooperate. Or they might use an authority ruse--they pretend to have a higher status than you to force information from you.

Is it all down to the employees?
Mitnick: People can't be human lie detectors. Companies need to develop a simple security protocol to know when employees should refer to policy--on their intranet. Top management needs to buy into this idea.

Companies should run workshops on responses to social engineering, to demonstrate the foolish feeling people could have if they're tricked. Enterprises need to motivate compliance with policy and explain why this is important to employees. Businesses should also develop their security policy and encourage employee participation--educate people. You can hire an outside firm to test security and see if people can be fooled into revealing information.

There are new laws, in both the United States and the United Kingdom, regarding monitoring telephone systems. What is your opinion on them?
Mitnick: There's a privacy issue at stake. There's a big scandal at the moment with the Bush administration monitoring systems.

Can that be avoided?
Mitnick: People can use strong crypto, but then so can criminals and terrorists. Security and privacy is always a delicate balancing act.

What's your opinion on Gary McKinnon, the so-called "NASA hacker"? The U.S. is in the process of extraditing him to face charges of hacking into government systems.
Mitnick: He's the UFO guy, right? I think the excuse that he was trying to expose UFOs is laughable--he was allegedly hacking around all sorts of systems.

I think they're trying to make an example out of him--you can't be in another country and escape American justice. Now, I'm not an expert on British law, but surely he could be prosecuted in the U.K. for the same thing?

Tom Espiner reported for ZDNet UK.

Didn't this SAME story appear 8 months ago?
by June 14, 2006 11:12 AM PDT
This is the exact same article posted about 8 months ago on CNET. Same story to the letter actually.

*** cnet, where's the NEWS?
I was thinking 4 months (eom)
by Bob Brinkman June 14, 2006 12:32 PM PDT
(eom)
This has been known for years
by Mr. Network June 14, 2006 1:14 PM PDT
yet still people are stupid enough to fall for this crap. If you do not know the person, why are you telling them anything? Make sure you follow proper security protocols before handing out sensitive information.
Why do stupid writers still refer to Mitnick as a hacker?
by Jackson Cracker June 14, 2006 4:03 PM PDT
He wasn't a hacker, or even a cracker. He was simply a con man
who talked people into giving him access or giving up information
he could then use to get access without needing to do any cracking.
It's not much different from today's "phishing" where con artists
use fraud to convince someone to provide a username and password,
which they can then use to directly access that person's account,
again without ever resorting to any "cracking" or "hacking".
Miracle Diets, Anti-aging, No Money Down Real Estate,
by maxwis June 14, 2006 9:18 PM PDT
Turn to any television channel and you will see the greatest example of social engineering known to man -- the infomercial. Today I was treated to Cindy Crawford telling me about a rare melon in the South of France that you put on your face to turn back the aging clock. Presumably this is how Cindy became a super-model. Thanks to Cindy's beneficence you don't have to travel to Paris and visit a reclusive dermatologist to get this secret, just send her a check for $39.95 and she will send you a bottle of the miracle potion in the mail.
by 1Turgay February 21, 2009 5:57 PM PST
I wouldn't have bothered to this email now a comment?, however by me and most decent people's standards
CNET started out as looking out for the people on the net, so called "honest" Joe and Mr. Tom Espiner writing about one person who may have done what he did because it was done to him first and or, Mr. K.M had to do it to get some attention too, perhaps he was saying to big shots that he knows a trick or two, 'PCs do use a package drops one from other to stay connected or how the smart ***** say, to communicate, lol, if it is ok to break the law for big firms then why not is it ok for people to break the same law to get justice?
I didn't know of any KM until I started a business and my business went down by other major big businesses who gave by one hand and got their other foot partner to stomp out the little guy, here you are I am giving you a personal information, lol, ok.

What is the truth, since you have taken it up on yourself to write/comment whatever, you're not about M.I.T was formed long ago, if you can get your conscience to admit and speak out that, what was net before was no force net and now, even a kid can't go to a site for information without Businesses using a ruse to deceive, influence or trick people into revealing information that benefits the attackers. Business forcing people not just tricking, it's like a communist/fascist internet, "if you're not a member sign up now" yah, I copy and pasted lol, in truth or you should know in the name of CNET ZDNet, UK net the world and you're only one of the many people who will exploit. The way I see that you yourself also see it too that 'Businesses attack first the same methods they always have
trick people to benefit the attackers, millions of people getting ripped off trying to use the net to communicate, Bill Gates who supposedly had written the code with a friend "basic" was a hippy a cracker? yes, and now?,,,,, the CNET representative talking on well in 'a personal info' Australia Foxtel that the internet hacker will be cor, what about some big shot to make it clear to other marketing ppl and ashalon and so on, ohh the Federal.B.I
is US national yet they got the concept of they are international, them to get up to things the ugly, US is giving your country a hard time as well, Mexico/Spain, I hate politics. Final but every one is treating it as a joke that, if rich gets richer and poor gets poorer to give the what little money they may hold on to and be left out on a limb, what do you think will happen slowly but surely. I can't imagine of a world war 3 but who knows,
the worst thing will be the people uprise to their governments around the world, and if that happens all at once then, who needs 3rd world war.
I don't know if this will get read by anyone or just get deleted after robots are done with it, Centurion you may be but Caesar was the Hitler as all now are Caesar even then Rome had disappeared, forgive typos and respectfully yours

Turgay