14 Oct 2013
IP EXPO Online chats with Kevin Mitnick about the challenges facing IT leaders today when it comes to safeguarding valuable corporate information.
One employee, one bad decision: that’s all it takes for a hacker to get their foot in the door of an organisation. And once they’re inside, all the investments that the target company has made in anti-virus software count for nothing.
That was the message from Kevin Mitnick, once the world’s most-wanted hacker and now one of its foremost IT security experts, in his opening keynote at IP EXPO 2013.
Addressing a full house, Mitnick recalled his former life as a hacker and the skills he acquired in social engineering - the art of deceiving employees of a company into handing over information or performing a specific task by posing as someone else.
“Security is about people, processes and technology, and organisations need to bolster the weakest link, which invariably is the human element,” he said.
That’s as true today as it was during Mitnick’s time as a hacker in the 1970s and 1980s, when social engineering was the “cornerstone” of his hacking activities. Today, Mitnick said, cyber-criminals and hackers tend to use both social engineering and the exploitation of application vulnerabilities in order to breach corporate IT security. Attacks that use the two in combination, he said, are by far the most likely to succeed.
During a 40-minute Q&A interview, Mitnick gave the audience several live demonstrations of the ways that hackers use social engineering to get their hands on information, just by persuading targets to open an emailed Word or PDF document. These documents appear perfectly safe to recipients - and to anti-virus scanners. But once opened, the Word document could be used to steal usernames and passwords, while the PDF installed a Trojan that handed control of the user’s PC over to the hacker, enabling them to upload or download files to or from the computer, change its registry and turn on the webcam, for example.
In an age of social networking, where many people share personal details online on sites such as Twitter, Facebook and LinkedIn, it’s never been easier for hackers to find out information on targets that they can later use to deceive them. Details of an employee’s role, skills, previous employers and network of associates are all ammunition to the determined hacker, he said.
These days, in addition to speaking engagements around the world, Mitnick leads his own company, Mitnick Security Consulting, which specialises in helping companies from a range of different industries prevent information theft. Penetration testing is one of the services provided, and where clients agree to some element of social engineering being used in tests, the company has never failed to breach their defences, Mitnick told the IP EXPO 2013 audience.
“I used to provide free penetration tests,” he joked with them. “Now I charge. The difference is I have permission.” But the thrill of penetrating a system, even with the permission of its owners, is still the same today for him as it was back in his hacking heyday.