4 September 2002

Companies are leaving themselves exposed to hackers because of a lack of awareness of the ‘social engineering’ techniques deployed by the most dangerous attackers, according to former hacker Kevin Mitnick.
“A lot of people think they are not gullible, that they can’t be manipulated, but nothing could be further from the truth,” says Mitnick. He claims that using such techniques – combined with substantial technical know-how – he was able to break into all but one of the systems he targeted in a 15-year hacking career.
Social engineers attempt to break into systems by persuading unwitting staff to part with vital information, including login names and passwords. “The threat of social engineering is substantial. People ought to know that you can buy the best technology in the world and it won’t protect the organisation against social engineering,” he says.
A lack of training means that staff are often unaware of the dangers and will hand over sensitive information to strangers on the phone posing as someone else in the company.
For example, Mitnick was able to take control of US telecoms operator Sprint’s switching equipment by calling the company and posing as an engineer from switch maker Nortel Networks. Staff were persuaded to hand over login names and passwords for the switches so that the ‘Nortel engineer’ could perform remote maintenance.
In addition, security procedures are frequently undermined by senior executives who demand that staff bend the rules when they want something done immediately. As a result, staff often will not question a request purporting to come from the CEO’s office, for example.
Social engineers normally do a lot of research into their targets before attacking. “A social engineer needs to understand the corporate culture, the corporate structure, the organisational chart, who has access to what information, where in the company that information resides,” says Mitnick.
Such valuable data can often be found in the company’s rubbish bins, which ought to be locked and kept on private property. Sensitive files should be shredded before they are thrown out, he advises.
Mitnick says that in addition to the usual technical security procedures (regular port scanning, for example), organisations need to enforce security policies more rigorously and train staff to be alert to the dangers posed by social engineers, particularly in companies that might be targeted by industrial spies.
Kevin Mitnick earned notoriety in the 1980s and 1990s for his apparent ability to break into telephone and computer systems across the world at will. Arrested six times, his last capture resulted in a five-year jail term, the heaviest sentence ever handed down for a hacker. Now 38 years old, Mitnick has ‘gone straight’, offering a rare insight into how hackers really operate.
Information Age will be carrying an in-depth analysis of the social engineering aspect of computer security in its September 2002 issue, due out shortly.