March 4, 2005 12:55 PM PST

Mitnick: Security depends on workers' habits

Related Stories

Hacker Mitnick's Internet homecoming

January 21, 2003

A happy new year for hacker Mitnick

December 24, 2002

Mitnick hawks notorious laptops

October 2, 2002

Mitnick released from prison

September 21, 2000

Mitnick faces 22-month rap

June 19, 1997
Famed ex-hacker Kevin Mitnick is warning against security strategies that focus on technology. Rather, teaching your staff to say no will help keep your network secure, he says.

Mitnick, a cyberspace legend known for having penetrated the networks of such companies as Motorola and Nokia, spoke Thursday at Toshiba's MobileXchange conference in Melbourne, Australia.

"What you can find in the trash is simply amazing. People throw out notes, drafts of letters, printouts of source code."
--Kevin Mitnick,
hacker turned security consultant

Mitnick led the FBI on a 15-year manhunt that ended in 1995, and he ended up behind bars for nearly four years. Older and seemingly wiser, he now uses his skills for good as a Los Angeles-based security consultant.

Many companies invest heavily in technologies to protect their networks, but Mitnick was quick to point out that even the tightest technological barriers never stopped him. Rather, some carefully planned social engineering--or even a bit of dumpster diving in one's spare time--can often be far more effective at penetrating the weakest security link at most companies: their people.

"What you can find in the trash is simply amazing," Mitnick said. "People throw out notes, drafts of letters, printouts of source code, printouts of project documentation they're working on. In some cases, they even write down passwords and access information, or calendars that list every person that person has talked to or met with."

This information provides invaluable assistance to hackers keen to worming their way into a company by, say, impersonating an employee and calling the internal help desk, or dropping in and pretending to be a business associate. Because people hate to say no, even when they're suspicious of a well-presented stranger, Mitnick says, smooth talking has gotten many a hacker far closer to a target company's network than brute-force technological attacks.

Modern technology is an enabler for such attacks: If a hacker can worm his way into a conference room for just a few minutes, for example, a wireless access point can be plugged into an out-of-the way network access point, providing an open back door into the network, even when the hacker is parked outside the building.

The solution to such security vulnerabilities is easy to understand but often hard to implement: Develop clear security policies for issues such as treatment of strangers, handling of information and access to physical facilities by visitors. Teach employees to fall back on those policies when they're in suspicious circumstances rather than trying to ad-lib their response or give in to their natural inclination to accommodate the hacker's requests.

Even a simple request for contact details, so that a company employee might call back the person requesting assistance, can be enough to make many hackers turn tail and run.

"We can't expect our employees to be human lie detectors," Mitnick said. "One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.

"Social psychology has found that people should generally pay attention to their own discomfort. If something doesn't feel right, or it's nagging at their gut, they'd better check it out. They're not always going to remember a security policy, but what you want is to come up with some very simple protocols that will trigger employees to refer to security policy. The only people who are going to object to this are the bad guys."

David Braue reports for ZDNet Australia.

3 comments

Join the conversation!
Add your comment
Couldn't agree more.
Mitnick is right on the money. Sure, social engineering is still incredibly effective these days (if you disagree, try looking at the percentage of SCAMS that you'll find both online and offline), but it goes beyond that.

It's all about judgement calls on the behalf of the individual who happens to have sensitive information. Ask yourself, "Does <person> really need to know <tidbit> to do their job?" before handing over anything security-sensitive. Be cautious, but __DO NOT__ be paranoid.

Steve Jobs, too, would probably agree with Mitnick -- you can't solve a social problem using software or technology. The saddest part is that there are so many companies out there trying to solve socially-oriented security problems through technological "solutions". A real bummer...
Posted by katamari (310 comments )
Reply Link Flag
Mitnick is no genius
It's a shame Cnet saw fit to give any attention to this common criminal. He's right, but he's simply stating the obvious. He spent much of his "career" breaking into systems using the same kind of tricks common scam artist use like calling someone and impersonating someone else to get a password. Not much different than those crooks who call and say they're with... and say they want your credit card number.

Go ahead, listen to him if you want. Don't bothing investing in all those "Fancy Tools" he pooh-poohs. It's precisely those kinds of tools second rate hackers like Mitnick are unable to get past.

Security consultant indeed. Once a scam artist...
Posted by felgercarbnaysay (49 comments )
Reply Link Flag
Scammer or Legend?
HEre's this debate. Some people (like the guy above me) say Mitnick is nothing more than a common scam-artist. Some say Mitnick is a legend in his own right.

For Mitnick to be caught, well, yeah, that's fine and dandy. You can say "he was never a real hacker" because of that, but that's not true.

And yes, Mitnick HACKED his way in just as much as he did socially engineering. Why else do you think he got away with so much? If he couldn't hack, then the info he was getting would have been useless to him.

However, there's a group more interesting than Mitnick. Wired released an article about a year ago about three blind brothers from Israel who pulled similar hacking feats.
Posted by (461 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.