SEE LIVE (Poland): The famous hacker advises how to protect data from attacks using “social engineering”

Written by Mitnick Security | Jul 17, 2018 12:00:00 AM

A dozen or so years ago, "data protection" or "cybersecurity" were concepts close to mainly state and international companies and institutions - the average internet user did not care much about them. Today, when we have everything on the smartphone - information about family, health or banking data - protecting these resources is a challenge for everyone. Often, however, we focus too much on technology, and too little on ... our own behavior - as the most famous hacker in history Kevin Mitnick convinces, currently a security consultant who will be a guest of the Inside Trends conference organized by BI Polska.

Kevin Mitnick is the most famous hacker in history, though not technically the most capable. He gained global fame in the early 90s when he was wanted by the FBI. He repeatedly proved that it is " social engineering " , that is, proper manipulation of people and drawing information from them, is crucial in acquiring other people's data or access to information systems - even in the case of global corporations.

Hacker's social engineering in practice, or what threatens us

Mitnick first used social engineering at the age of ... 13 years. Due to the difficult family situation - as he often remembers, "he was a nanny himself" - one of his main pastimes was to travel around the city by bus. Tickets were, however, relatively expensive.

Young Kevin quickly figured out how the ticket machines work - and it's enough to get a ticket and a block of tickets to be able to drive around Los Angeles for "free". The driver of the bus convinced him to tell him where to buy the natural machine. Then, in the bus depot, he found a block of unused tickets in the trash - and he had a ready solution to "free" travel around Los Angeles.

Since then, teen Mitnick took care of "phreaking", or burglary on phone lines, which allowed him, for example, to hold long conversations at the expense of companies.

Later in his "career" he made many spectacular burglaries by means of social engineering, although it must be emphasized that he did not steal or otherwise gain material benefits when breaking into companies or institutions . Having access to many data, including credit card or social security numbers (which in the US has a weight such as the PESEL number in Poland), he never stole anyone from the dollar, even though it caused losses. As he explained in an interview for Venture Beat :

I caused losses. I do not know if it's 10, 100 or 300 thousand dollars. But I know it was a mistake, it was unethical and I'm sorry about it, but I certainly did not make a loss of $ 300 million. All the companies I hacked were listed companies - and according to SEC regulations, every public company recording material material loss must inform shareholders about it. None of the companies I broke into did report a loss of a cent.'

For Mitnick broke into companies as a truly ideological hacker - he wanted to know the source code of the software and find out how the systems work. After that he committed a crime - he copied the code, but he did not do it for material purposes and did not resale it.

Among his favorite "actions" Mitnick mentioned in interviews, among others shaping communication lines of McDonald's branches. When customers came to DriveThru, employees could hear them, but it was Mitnick who answered them, and blocked McD's answer. "I sat in front of the window and took over communication" - he recalled in interviews.

Further on his list there is m.in. action with Motorola, which began with the fact that the imprudent employee of the company gave him a special code to one of the systems. He also broke into Nokia, and in 1983 he managed to enter ARPANET - a peculiar ancestor of today's Internet, which then functioned as a network for the Pentagon.

In the end, he was caught by the FBI, even though he fooled the Germans for months by changing his identity, which he did "for fun". His case ended in 1999, where he was forbidden in touch anything with the transistor, without the government's permission.

After two years, he was allowed to use the laptop to write the book "The Art of Deception", but only on condition that the equipment will not have access to the Internet and that Mitnick will not notify the media. In later memoirs he argued that he was definitely overstated in the descriptions of how dangerous he was a hacker. - They treated me as if I was a MacGyver. "Give Mitnick a battery and silver tape and will be dangerous for society" - he mocked in the aforementioned conversation with Venture Beat.

Today, Kevin Mitnick, like many exhumers, is a security consultant. It helps companies and institutions, and for users it has published three books that help familiarize with and protect against social engineering techniques.

"It's people, not technologies, that are the weakest link in security"

According to Mitnick, it is largely dependent on people whether they can be approached by a hacker - and not on whether he will be able to break into a smartphone, for example, with sophisticated technologies. So in the book "The Art of Deception" he described attacks with the use of social engineering:

The social engineer uses manipulation and persuasion to cheat people, among others so that they would believe that the manipulative person is what they say they are. As a result, the "engineer" is able to use people to obtain information using or without the use of technology. (...) 

No firewalls and encryption in the world can stop a talented social engineer from raiding the corporate database. If the attacker wants to break into the system, the most effective approach to trying to use his weakest link - not operating systems, firewalls or encryption algorithms, but people. You can not download an update for Windows patching stupidity or naivety.

As emphasized in an interview with Mitnick Digital Trends , social engineering may , however - especially in today's times - take various forms, including hybrid - with the use of techniques of social engineering, and technology gaps . For example, when hacking a network, you can get a person to access it to reveal some information, but you do not need to - because you can, for example, get it to open a PDF file sent by e-mail.

- You do not call someone and you do not ask about his password, attacks are usually a combination of technology and social engineering - emphasized the exhaker.

In his last book, "Duch w Sieci", which is an autobiography, Mitnick gives three basic advice on the security of his data:

  1. NEVER use ANY public internet (hotel, restaurant, airplane, etc.) networks, even when traveling.
  2. NEVER open ANY PDF files on a device other than the computer and without scanning the file with an antivirus (and even then you can catch malicious software).
  3. Every person using your private network MUST follow Rules 1 and 2 - otherwise you are vulnerable.

It is worth remembering that these principles apply not only to computers, but also to mobile devices - tablets and smartphones. As Mitnick emphasized in an interview with Digital Trends, " today hackers hunt for mobile".

Business Insider INSIDE TRENDS conference

For more on how to protect private and corporate data today and how to avoid hacking, Kevin Mitnick will speak at the Business Insider Polska Inside Trends conference .

It will be divided into three thematic zones: FINTECH, LIFE SCIENCE and BUSINESS 4.0. During two days, in which up to 1000 people from the world of media, science, marketing and business will take part, speeches, debates and workshops with speakers are foreseen. 

To view the original article and to read more informative business articles refer to the source.

Source: BUSINESS INSIDER POLSKA