Ex-hacker spins his tale

Deceiving people into revealing passwords and other critical information to break into a computer system poses the biggest threat to computer and company security and users of the Internet, the world’s most famous ex-hacker warned at the 2nd Information Security Matrix Forum at the Hotel Divani Caravel on Tuesday. Kevin Mitnick, a one-time fugitive from the FBI who later spent five years in jail for cyber-crimes, and who now runs his own information security consulting company that helps government and businesses protect vital data, told an audience of information technology vendors, security officials and professionals that «Social engineering is the single most effective and dangerous threat to information security.»

Sponsored by the Hellenic American Union (HAU), a prominent business and educational institution in Athens, and Encode, a major information risk management company, the three-day Forum also featured Steve Hunt, vice president of the Chicago-based Forrester/GIGA company, which specializes in internal security program practices. He said the natural order of security now depends more on controlling who has access to company computers and what their privileges should be.

Social engineering

Mitnick, formerly of Los Angeles and now living near Las Vegas, developed a cult following before his capture in 1995 for a series of computer crimes, which included using «social engineering» to gain critical information to get into telephone company systems and databases. He said social engineering is a form of «hacking,» using computers to break into other computer systems, and that «the key to the attacker’s agenda is to persuade you to circumvent security. What people should do is follow security protocols. That is the number one protection.» He said that is as simple as telling a caller that you will call them back rather than give out information over the telephone.
Despite company security training programs and other measures to protect information, Mitnick said, «There’s really a general lack of awareness about social engineering,» and noted how relatively easy it is to get information that could let a hacker break into a computer system. His warning came the same day the information technology firm Gartner issued a similar alert and said social engineering, which they defined as «manipulation of people, rather than machines, to successfully breach security systems of an enterprise or consumer,» was the fastest-growing problem in computer security.

Managing vulnerability

Mitnick said, «Security is about managing vulnerability,» and said reports that 11 percent of computer attacks come through social engineering are too low. «I believe it is a lot bigger because you can’t detect social engineering,» he said. The methods also include tricking people into opening links or attachments on their computers. The social engineer may target receptionists, secretaries, security guards, system administrators, and company employees, and exploit their curiosity, bad habits, and willingness to help. Usually the attacker has already gathered some information about a company and its employees, often from the Internet, before the first contact is made.

Mitnick said it once took him only 10 telephone calls to a bank to get enough information to get into its computer network, and that social engineers can often easily obtain people’s checking account numbers and other critical data. Often, he said, social engineers can simply call a company’s computer help desk and pose as an employee to get a password. «If the attackers know the terminology and lingo and names of people, it builds credibility and confidence. The last thing a social engineer or hacker wants is for a person to notify their management,» he said.
He said employees should pay attention to their own discomfort when they get an unusual request on the phone, be wary of being distracted by the caller, watch out for flattery or a caller using the trappings of authority, and immediately report any strange calls to their own security offices. During a question-and-answer period, he advised would-be followers not to take his path. «I took the wrong road that affected my family and my life and I regret the decisions that I made,» he said.

Earlier, Hunt said company computer security experts need to look at authenticating who is using their equipment to protect transactions and data on their networks. He said many companies relied on intrusion detection devices instead of looking at who was using their computers and why. «We have found 80 percent of all employment intrusion detections are considered failures,» he said. What Hunt recommended was better monitoring of who is using computers, verifying backgrounds and passwords, controlling access, and auditing to protect critical company data and prevent outsiders from obtaining information. Some lost security badges, he said, have turned up for sale on the Internet and compromised company computer security.

HAU Executive Director Leonidas Phoebus Koskos welcomed the participants and told them there were other important issues involving IT managers and company computer security to consider. He noted that security is guaranteeing that only authorized persons have access to the firm’s assets and use them only in authorized ways. «It means safeguarding the integrity and privacy of both company and client data,» he said. He added that since information technology plays a core role in the management of these assets, IT officers themselves have a correspondingly key role to play in today’s firm as an important and equal member of the core management team.
He said that it was the need to equip IT managers with managerial decision-making skills and knowledge, and hone their ability to communicate effectively with fellow managers that led the Hellenic American University, a business school founded with support from the HAU, to broaden the concentrations offered in its MBA degree to include one with a concentration in Information Technology Management.