The social side of security

Kevin Mitnick

When famed hacker Kevin Mitnick wanted to break into the systems that run telecom operator Sprint’s backbone network, he did not bother running a sophisticated technical attack. Instead, his first move was to pick up the phone and simply ring the company direct.

Posing as a Nortel service engineer, Mitnick persuaded Sprint staff to hand over dial-in numbers, log-in names and passwords to the telephone company’s switches so that the ‘Nortel engineer’ he was posing as could perform routine remote maintenance on the equipment. Armed with that information, Mitnick says that he was able to dial into Sprint’s network and manipulate phone lines at will.

The making of a ‘social engineer’

Kevin Mitnick grew up in the San Fernando Valley area of California and started hacking in 1980 as a sixteen-year-old ‘phone phreaker’ – a telephone system hacker – before quickly graduating to computers.

In 1982, his successful hack into the North American Defense Command (NORAD) computer system inspired the film War Games, released a year later. In a fifteen-year hacking ‘career’ Mitnick claims he was defeated just once.

But while many of his victims claim that he caused tens of millions of dollars of damage, there is no evidence that Mitnick used his skills for real financial gain.

Rather, Mitnick says that he hacked for the intellectual challenge, as well as to obtain information and technology that would further his understanding of computers and the phone system.

Prior to his final arrest in February 1995, he was playing a cat-and-mouse game with his main adversary, computer scientist Tsutomu Shimomura, whose home network he had compromised two months earlier.

Using a mobile phone connection, Mitnick had compromised the switches of two phone companies – Sprint and GTE – in a bid to mask his location. He was eventually tracked down by Shimomura to an apartment block in Raleigh, North Carolina where an FBI team arrested him.

After his release from five years in jail in January 2000, he was prohibited from using a computer or mobile phone for three years.

“A lot of people think they are not gullible, that they can’t be manipulated. But nothing could be further from the truth,” says Mitnick. “I used such tactics to get information and compromise computer systems and networks.” That is something of an understatement.

Mitnick earned notoriety in the 1980s and 1990s for seemingly being able to break into telephone and computer systems across the world at will. He stole software from Santa Cruz Operation, Digital Equipment and Sun Microsystems, including an in-development source code copy of its Solaris operating system. He accessed the North American Defense Command (NORAD) computer systems and broke his way into the Pentagon. Arrested six times, his final capture resulted in a five-year jail term – the heaviest sentence ever handed down for a hacker.

Now since his release in January 2001, Mitnick, 38, has ‘gone straight’ as a security consultant specialising in ‘social engineering’ techniques – a hacking approach that many organisations have failed to appreciate. As such, he is in a position to deliver some valuable lessons on how many hackers really penetrate systems.

Social engineering

The Sprint hack was just one of many perpetrated by Mitnick using a combination of technical skills and ‘social engineering’ – the art of manipulating people into divulging information about their systems that can provide the pass-key for an attack.

For hackers, private investigators and industrial spies, the technique is compelling. Why go through the tedious process of ‘war-dialling’ for an insecure port on an organisation’s network or try to brute force a password – activities that might arouse suspicion – when, through a mix of technical knowledge and confidence trickery, an employee can often simply be persuaded to disclose a legitimate log-in name and password?

It is a skill that exploits innate psychological principles, says Mitnick. “All of us make mental shortcuts depending on who we think is making the request and the reason for the request. We don’t really analyse the identity of the person and whether they are authorised,” he says.

Exploiting fear of authority is a common tactic: Attackers will frequently pretend that they are acting on behalf of the boss and the target will feel that they have to comply – particularly as many executives demand that short-cuts be made for them when they want something done.

Reciprocity is also effective. “You call somebody up under the guise of helping them, help them with something regardless of whether they want the help or not, then the victim feels obligated to reciprocate,” says Mitnick.

To do this, a social engineer might cause a fault, such as persuading somebody in the IT department to shut down the port that connects his target employee’s PC to the Internet.

When he calls the target posing as someone from IT support just minutes later, the attacker can gain trust by ‘helping’ to restore the connection.

He might also pick up the target’s user name and password in the process. “‘We are having problems with the system, can you try changing your password to ‘test123’? Can you change it back?’ As soon as the attacker knows the password for a split second, he is in,” says Mitnick.

Alternatively, an attacker might call a relatively IT-literate member of staff who will be bowled over at being asked to help the IT department. But when they are persuaded to try logging into a system via a certain Internet protocol (IP) address, for example, they may not be smart enough to realise that they are opening a port on a machine outside the organisation’s network, a port that is controlled by the attacker.

Obviously, the log-in attempt fails, but the attacker gets what he wanted: The user name and password of the target, which he can use to break into the organisation’s systems. The target, meanwhile, does not realise that he has been manipulated into giving away such critical information.

Most wanted

1980 – Hacker Kevin Mitnick starts dabbling in ‘phone phreaking’, the art of exploiting the phone system to get free calls.

1982 – Hacks into North American Defense Command (NORAD) computer systems.

1982 – Arrested by police for the first time after talking his way into computer rooms at Pacific Bell phone company in Los Angeles, California.

1983 – Hacks into phone company switches in New York and California.

1987 – Hacks into computers of the Santa Cruz Operation (SCO) and downloads software.

1988 – Hacks systems of Digital Equipment Corp (DEC). Operates with two computers: one to perpetrate the hack, the other to monitor his adversaries’ progress in responding to the threat.

1989 – Jailed for one year for the DEC break-in. Later breaks the terms of a probation order requiring him to seek treatment for his hacking ‘addiction’.

1992 – Joins Tel Tec Detective Agency. Later accused of hacking into commercial systems while working for Tel Tec, in violation of probation terms. Goes on the run.

1994 – Hacks research computers of Sun Microsystems and downloads an under-development source code copy of the Solaris operating system.

December 1994 – Hacks network of San Diego, California-based computer scientist Tsutomu Shimomura. Downloads mobile communications software.

February 1995 – Shimomura helps FBI agents track Mitnick to an apartment in Raleigh, North Carolina.

1999 – Pleads guilty to a number of ‘access device frauds’. Sentenced to a total of 68 months.

January 2000 – Released from jail after serving 60 months in prison.
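Both helpdesk ruses Mitnick describes above leave traces in ordinary authentication logs. As an added example (not from the article, nor from any product it mentions), the following Python runs two simple detections over constructed audit lines: a pair of password changes on one account within a few minutes, which is the shape of the ‘change it to test123, now change it back’ trick, and a log-in attempt aimed at an address outside the organisation’s own ranges. The log format, host names, user names, addresses and the corporate ranges are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed audit records in a key=value style. The format, hosts, users and
# addresses are assumptions for this example; 203.0.113.0/24 is a documentation
# range standing in for a host outside the organisation.
SAMPLE_LOG = """\
2002-09-03T10:01:12 host=auth01 event=password_change user=jsmith actor=helpdesk
2002-09-03T10:02:05 host=ws-114 event=auth_attempt user=jsmith dst=203.0.113.25 result=fail
2002-09-03T10:03:40 host=auth01 event=password_change user=jsmith actor=helpdesk
2002-09-03T11:15:00 host=auth01 event=password_change user=mjones actor=self
2002-09-03T11:20:30 host=ws-207 event=auth_attempt user=mjones dst=10.1.2.3 result=ok
2002-09-04T09:00:00 host=auth01 event=password_change user=mjones actor=self
"""

# Address ranges treated as the organisation's own (assumed).
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_log(text):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = {}
        for token in m.group("kv").split():
            if "=" in token:
                key, value = token.split("=", 1)
                fields[key] = value
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(fields)
    return events


def rapid_reset_pairs(events, window=timedelta(minutes=15)):
    """Two password changes on one account inside `window`: the shape of the
    'change it to test123, now change it back' ruse. Returns (user, t1, t2)."""
    by_user = {}
    for e in events:
        if e.get("event") == "password_change" and "user" in e:
            by_user.setdefault(e["user"], []).append(e["ts"])
    hits = []
    for user, stamps in by_user.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier <= window:
                hits.append((user, earlier, later))
    return hits


def external_auth_attempts(events, corporate_nets=CORPORATE_NETS):
    """Log-in attempts whose destination is in no corporate range: a user talked
    into 'testing' a log-in against an outside address. Returns (user, dst, ts)."""
    hits = []
    for e in events:
        if e.get("event") != "auth_attempt" or "dst" not in e:
            continue
        dst = ip_address(e["dst"])
        if not any(dst in net for net in corporate_nets):
            hits.append((e.get("user", "?"), e["dst"], e["ts"]))
    return hits


def run_detections(text=SAMPLE_LOG):
    """Run both rules over the log text and return the hits per rule."""
    events = parse_log(text)
    return {
        "rapid_resets": rapid_reset_pairs(events),
        "external_auth": external_auth_attempts(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        for hit in hits:
            print(rule, *hit)
```

A rapid change-and-revert is not proof of compromise on its own, so such hits belong in a review queue alongside the helpdesk ticket that should have accompanied the change; the stronger control is a minimum password age that refuses the revert in the first place.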

Sting

Such examples are not made-up. They illustrate real attacks made by Mitnick or associates when he was a hacker or private investigator. Today, he makes his living as a security consultant, warning organisations of the dangers of people like him – and worse.

A typical attack may have two stages: The first is to gain information to use in the second stage, when the sting is carried out. In the first stage, acting stupid is enough to glean all the information that an attacker needs. ‘Hi, this is Tony in payroll. We just put through your request to have your pay cheque directly deposited to your Citibank account’.

At the other end of the phone, the target protests that no such request was ever made and besides, he does not even have a Citibank account. To check, ‘Tony in Payroll’ asks for his employee number, before confirming that he has indeed made a mistake.

But while the target considers his payroll number to be innocuous, the attacker can use it to authenticate himself to the systems administrator who sets up dial-in accounts for remote workers, such as sales people in the field.

“I understand this exact ruse was worked on one of the largest computer software manufacturers in the world,” says Mitnick. “You would think the systems administrators in such a company would be trained to detect such an attack,” he adds.

“I think the threat of social engineering is substantial. People ought to know that you can buy the best technology in the world and it won’t protect the organisation against social engineering,” says Mitnick.

The reformed hacker says that companies must adopt a strategy to tighten up this neglected area of security. First, this should include training to alert staff at all levels to the threat posed by social engineers. For example, staff at telecoms companies often take calls from private investigators seeking information about people with ex-directory numbers.

Mitnick, of course, found an easier way. “I even social engineered BT. I used to get ex-directory numbers because I found out that an employee could access [the relevant] computer and all they needed was their sign-in code. So I talked an employee into divulging their sign-in code,” says Mitnick.

In addition, IT directors need to take a second look at some of the software they run and re-write it so that certain security policies are enforced, for example by forcing employees to choose more complex passwords or making sure that these are changed on a more regular basis.
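One way to enforce the password policy this paragraph calls for is a single checker that every password-change path runs before it stores anything. The Python below is an added example, not code from the article or from any system it names; the thresholds, the denylist entries, the hashing parameters and the minimum-age rule are all assumptions. It goes slightly beyond the paragraph in adding a minimum age, because that is the setting which refuses the ‘change it to test123 and change it back’ sequence described earlier.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Policy values are assumptions for this example, not figures from the article.
MIN_LENGTH = 12
MIN_CLASSES = 3          # of: lower, upper, digit, other
MAX_AGE_DAYS = 90        # forced rotation, as the article recommends
MIN_AGE_DAYS = 1         # refuses 'change it and change it straight back'
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 50_000   # kept low for the example; raise in production
# Placeholder values a caller posing as IT support might dictate, plus common picks.
DENYLIST = {"test123", "password", "welcome1", "changeme", "letmein"}


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-entry salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password, history):
    """history: list of (salt, digest) pairs for the account's previous passwords."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(candidate, username, history, last_changed, today):
    """Return the list of policy violation codes for a proposed new password.
    An empty list means the change is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append("too_few_classes")
    lowered = candidate.lower()
    if lowered in DENYLIST or (username and username.lower() in lowered):
        problems.append("denylisted")
    if matches_history(candidate, history[-HISTORY_DEPTH:]):
        problems.append("reused")
    if last_changed is not None and today - last_changed < timedelta(days=MIN_AGE_DAYS):
        problems.append("too_recent")
    return problems


def password_expired(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """True once the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=max_age_days)


def evaluate_samples():
    """Run the checker over constructed sample changes and return the outcomes."""
    history = [hash_password("OldSecret#2001")]   # constructed prior password
    last = date(2002, 6, 1)
    now = date(2002, 9, 3)
    return {
        "test123": check_password("test123", "jsmith", history, last, now),
        "reuse": check_password("OldSecret#2001", "jsmith", history, last, now),
        "good": check_password("Mv7#kqLp9!zR", "jsmith", history, last, now),
        "same_day": check_password("Mv7#kqLp9!zR", "jsmith", history, now, now),
        "expired": password_expired(last, now),
    }


if __name__ == "__main__":
    for label, outcome in evaluate_samples().items():
        print(label, outcome if outcome else "accepted")
```

The expiry check is kept because the article recommends regular changes; current guidance (NIST SP 800-63B) instead favours screening new passwords against breached and common values and rotating only on evidence of compromise, so the denylist is the part of this checker most worth growing.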

Finally, organisations also need to be more careful about what they throw out, shredding anything that an outsider could use to authenticate themselves as a valid employee in a social engineering-based attack.

“A social engineer needs to understand the corporate culture, the corporate structure, the organisational chart, who has access to what information, where in the company that information resides,” says Mitnick.

And much of that information can be found by ‘dumpster diving’ in the company waste bins, and fishing out discarded floppy disks, old company manuals, memos, phone lists, directories and even password lists, says Mitnick.

Are most companies so foolish as to make such sensitive information so easily accessible? Absolutely, Mitnick concludes.

Information Age will be reviewing Kevin Mitnick’s new book The Art of Deception in the October 2002 issue.

Ben Rossi