By Susan Richter, Head of Content
It’s true. On Wednesday I attended IP EXPO, the UK’s biggest end-to-end enterprise IT event run by one of our clients – IMAGO TechMedia. I started off my visit with the opening keynote delivered by Kevin Mitnick, once considered the most wanted cyber-criminal in the world. That was before he exchanged his notoriety for credibility. He is now a respected security expert – head of Mitnick Security Consulting – paid to find the vulnerabilities in the security of organisations.
Mitnick began hacking in the 1970s, initially using telcos and telco employees to get what he wanted. Back then, the term hacker wasn’t associated with malicious intent as it is now, and Mitnick admitted to being mischievous and enjoying the pranking aspect of hacking. He used what he coined ‘social engineering’ to get information from employees in an organisation, or to get them to perform some action that would give him the access he wanted. If you’ve ever watched Hustle, The Italian Job, or Leverage, you’ll know exactly how this works.
Fast forward thirty-odd years and Mitnick now uses a combination of social engineering and client-side exploits to identify the gaps in security systems for his clients, which include businesses in the financial, e-commerce, and manufacturing industries.
He said that when social engineering is used, he is always 100 per cent successful in breaching an organisation’s security. And it’s not just his experience; other security testers also find that when they use an employee in the targeted organisation, they too are successful each time.
Why? Because people are the weakest link in the security chain. Part of Mitnick’s approach is to send someone in the organisation a file – something as innocuous as a Word document or PDF – and get them to open it. The e-mail containing the document needs to appear to come from a trusted source, and it is not sent randomly to anyone in the organisation. It is part of what Mitnick calls a surgical attack. And what does he use to develop a target list? Social media.
LinkedIn, Facebook and Twitter yield all kinds of information about someone – from past employers and job titles, to suppliers and business partners. This can be used to spoof an e-mail with a view to sending an attachment that contains a Trojan. What about anti-virus software? It doesn’t pick up that anything is wrong, and once the attachment is opened, depending on the code embedded in it, it’s basically a free-for-all allowing hackers to see all your files, hijack your webcam or figure out your password.
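The attack just described (a message dressed up to look as if it comes from a trusted supplier, carrying a document attachment) leaves traces a mail gateway can check before the recipient ever sees it. The script below is an added example written for this post, not code from the event or from Mitnick Security Consulting: it parses a raw message and flags a Reply-To or Return-Path that points away from the visible From domain, a display name or lookalike domain imitating a trusted supplier, a DMARC failure recorded by the receiving server, and macro-enabled or executable attachments. The two sample messages, the trusted-domain list and the extension lists are constructed assumptions that a real deployment would replace with its own.

```python
"""Defender-side triage of an inbound e-mail for the spear-phishing pattern
described in the post.  Added example; the sample messages, the
TRUSTED_DOMAINS set and the extension sets are constructed assumptions."""
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-partner.com"}       # assumed: a known supplier
ACTIVE_CONTENT = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".exe", ".scr", ".hta"}
DOCUMENTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".zip"}


def _domain(addr: str) -> str:
    """Bare lower-cased domain of an address header value, '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value suggests a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> list:
    """Return a list of (code, detail) findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    display, _ = parseaddr(from_hdr)
    from_domain = _domain(from_hdr)

    # 1. Envelope sender or Reply-To routed somewhere other than the visible From.
    for hdr in ("Return-Path", "Reply-To"):
        val = msg.get(hdr)
        if val and _domain(str(val)) != from_domain:
            findings.append((f"{hdr.lower()}_mismatch",
                             f"{hdr} domain {_domain(str(val))} differs from From domain {from_domain}"))

    # 2. Display name or address imitates a trusted supplier without being it.
    for trusted in TRUSTED_DOMAINS:
        if from_domain == trusted:
            continue
        if trusted in display.lower() or _edit_distance(from_domain, trusted) <= 2:
            findings.append(("lookalike_domain", f"{from_domain!r} resembles trusted {trusted!r}"))

    # 3. The receiving server recorded a DMARC failure for the From domain.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=fail" in auth:
        findings.append(("dmarc_fail", auth.strip()))

    # 4. Attachments: active content is always flagged; plain documents only from untrusted senders.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rpartition(".")[2] if "." in name else ""
        if ext in ACTIVE_CONTENT:
            findings.append(("risky_attachment", f"{name}: macro-enabled or executable type"))
        elif ext in DOCUMENTS and from_domain not in TRUSTED_DOMAINS:
            findings.append(("external_document", f"{name}: document from an untrusted sender"))
    return findings


# Constructed sample: lookalike sender domain ("exarnple"), foreign Reply-To and
# Return-Path, DMARC failure, and a macro-enabled Word attachment.
SUSPECT = """\
From: "Accounts at example-partner.com" <accounts@exarnple-partner.com>
Reply-To: accounts-reply@mailer-free.example
Return-Path: <bounce@mailer-free.example>
To: finance@victim.example
Subject: Invoice for September
Authentication-Results: mx.victim.example; dmarc=fail (p=reject) header.from=exarnple-partner.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, please find the attached invoice.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""

# Constructed sample: genuine supplier, DMARC pass, no attachment.
CLEAN = """\
From: Accounts <accounts@example-partner.com>
To: finance@victim.example
Subject: Meeting notes
Authentication-Results: mx.victim.example; dmarc=pass header.from=example-partner.com
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

See you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, triage(raw) or "no findings")
```

Each finding on its own is weak evidence (an edit distance of two will also match some legitimate short domains, and a mismatched Reply-To is common on mailing lists), so a gateway would combine them into a score or quarantine decision rather than block on any single one; the point is that the lookalike domain and the macro-enabled attachment are visible in the headers even when the anti-virus engine sees nothing wrong with the file itself.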
Peer-to-peer platforms are also a great source of information, as some users unknowingly share their entire hard drives with other users when they install the client. Getting your hands on this information, often personal and business-related information, is not illegal as it is in the public domain.
In an age where information is freely available because we freely give this information away, the potential for hacking is enormous, not only by private individuals but by governments as well (but that’s a blog for another time). We make things easy for hackers and cyber criminals, and the lesson to be learned from Kevin Mitnick’s presentation is that we are the most vulnerable spots in our own security and, since attacking is easier than defending, we need to be a little more vigilant.
*Mitnick didn’t need to use social engineering to use my laptop… I asked him to.