Lessons from the World’s Most Famous Hacker

Last week, Kevin Mitnick visited Melbourne as part of a tour. He spoke to an audience of security professionals from a wide range of different industries about his start as a black-hat hacker, i.e. using his skills to break into systems to steal data, through to his present career as a white-hat hacker, i.e. conducting penetration tests for major companies all over the world.

While Mitnick did break the law in the 1990s and was prosecuted, what’s interesting is that his hacks might have used some tricky technical skills, they were far more dependent on one specific thing.

In his 16 years of working as a penetration tester, Mitnick’s company has never failed to break into a system – as long as he has been able to talk to people.

HUMAN ERROR OPENS ENTRY POINTS FOR HACKERS

While our IT systems hold valuable data such as financial records, technical designs and personal information, the real key to getting into those systems is hacking the humans.

During the day, I had the opportunity to interview Mitnick on stage. To illustrate some of his answers, Mitnick demonstrated some hacks. For example, in one simple scenario he sent a text message to my phone that looked like it was sent by my partner. All he needed was my phone number and my partner’s number and he was able to send a text asking for an account password.

The technical sophistication of this was very low – almost anyone can repeat the hack using online text messaging services. But the effect of breaching the trust of individuals can be devastating.

Although strong passwords, encryption, firewalls and security software are important, they can all be easily bypassed if a hacker can convince a legitimate user to hand over the keys to the fortress.

The hacker’s most powerful weapon is social engineering. Mitnick used social engineering to make telephone calls to whoever he wanted while under close guard during his months in solitary confinement. He was placed there because law enforcement officials were convinced he could launch a missile by phoning mission control and whistling into a phone.

WHAT CAN YOU DO TO PREVENT HUMAN ERROR?

Putting robust systems in place to protect your systems is critical. But supporting people with good processes that minimise the risk of them being manipulated by a bad actor is perhaps more important.

Some easy steps to take include:

  • Always require two parties to sign off on any financial transactions.
  • Rely on face-to-face or some other direct, non-electronic, means to verify important business interactions.
  • View any request to access a system or conduct a transaction with scepticism until you have verified that the request is genuine.

Source: Data Protection Adviser

Topics: Social Engineering, Speaking Engagements, steal data, tech designs, two party sign off, black hat hacker, face to face communication, human error, penetration testing, security software, encryption, cybersecurity expert, financial records, firewalls, IT systems, personal info, Melbourne, strong passwords, white hat hacker, Australia, Kevin Mitnick

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

6 Types of Social Engineering Attacks and How to Prevent Them

Social engineering attacks account for a massive portion of all cyber-attacks.

Read more ›

What You Get When You Invest in Social Engineering Testing with Mitnick Security

When testing your employees' social engineering readiness, your teams need simulated attacks that feel as if they’re coming from a nefarious engineer...

Read more ›

Mitnick Security: Ransomware Awareness Training

Ransomware is a type of malware that prevents accessibility to either a single computer or an entire network until a ransom is paid. This can result i..

Read more ›
tech-texture-bg