Kevin Mitnick became the most notorious hacker ever when he was
imprisoned for five years for causing more than £187m worth of
damage. But he is now a reformed character and his new book offers
advice on how to recognise anyone smooth-talking their way to your
corporate secrets. Bill Goodwin reports
A company may have purchased the best security technologies that
money can buy, trained their people so well that they lock up all
their secrets before going home at night, and hired building guards
from the best security firm in the business. But, says Kevin
Mitnick, the world's most notorious computer hacker, that company
is still totally vulnerable. Its own staff are the weakest link.
Like the rest of us, they make mistakes, they are gullible, and
they can be manipulated and conned.
Mitnick's success as a computer hacker stems from his ability to
exploit these human weaknesses. He was, and is, a first-class
"social engineer", able to persuade unsuspecting employees to
divulge the most sensitive systems information, without them even
realising it.
Now going straight after serving a five-year prison sentence,
Mitnick has revealed the social engineering secrets behind his
hacking exploits in his book, The Art of Deception. It sheds a
clear light on risks posed to organisations by social engineers of
every description, from hackers to industrial spies, and private
detectives to headhunters. It should be required reading for every
IT director and chief information officer.
Mitnick's first brush with social engineering skills came
at high school when a friend introduced him to the hobby of phone
phreaking. He learned how to pass himself off as a phone company
employee, learning the lingo and internal company procedures so
well that he "could talk most telco employees into almost
anything".
"One way I worked on developing the skills of my craft, if I may
call it a craft, was to pick out some piece of information I didn't
really care about and see if I could talk somebody on the other end
of the phone into providing it, just to improve my skills," says
Mitnick.
By combining technical exploits with social engineering, he
discovered he was able to burrow his way into even the most
formidably protected systems.
"If it was getting their password it was done very elaborately,
where it was already predetermined how the target would verify the
identity of the IT person, for example, if I was impersonating an
IT person."
"I would get into the company's PBX, and when the real employee
called back, it would simply forward the call outside the company
to a cloned cellphone," he says.
No research has been done to show just how much of hacking involves
social engineering, but Mitnick believes it is a significant factor
in at least 50% of attacks.
"And the real scary thing is that 99% of social engineering attacks
work, which tends to illustrate that people are not aware of the
threat of social engineering and the methodologies used," he says.
One of the most common ruses used by hackers with social
engineering skills is to phone a company's IT helpdesk, posing as
an employee with a problem.
"The social engineer will find the name of an employee, call the
helpdesk and pretend they are that employee, to find out the
process. What does the helpdesk ask? Do they ask for the employee
number, do they ask to call back, do they ask who your boss is? And
once they have figured out what the process is, they say, 'I have
got to go, I have got an emergency call, I will call you back'."
For a skilled social engineer, it is not difficult to discover, for
example, the employee number of a member of staff, the name of his
or her boss, or other information used by IT staff for
verification.
"Let us say it is a social security number. The social engineer
will research that person, find out their social security number,
then call up. And then when they are asked to verify who they say
they are, they give their social. The helpdesk analyst believes it
and resets the passwords. Once the passwords are re-set the social
engineer then calls the real target, claiming to be from the IT
department or the helpdesk."
Mitnick used just such a ploy when he broke into the computers of
NEC, an attack which eventually led to his imprisonment. He used a
the Unix "finger" command to list all the users on the NEC
machine he was interested in. "I saw a user logged in, and it gave
his phone number. I phoned the user up and within 30 to 60 seconds
I was able to determine that person's level of knowledge of the
Unix operating system.
"I told him that there was a problem in creating certain files that
began with a period and that I was trying to troubleshoot this. I
said, do you have a .rhost file? He said no, what is that? And
immediately knowing that he did not know what a .rhost file was,
put me in the position of having to create one.
"If you create a .rhost file under the Unix operating system, if
the systems are set up in such a way, for running certain types of
services, you can log into the user's account without needing a
password. So I talked him through the process of creating a .rhost
file."
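The trust file Mitnick describes is conventionally named .rhosts: the Berkeley r-services (rlogin, rsh) consult it, and each line "host [user]" lets that user on that host log in to the account without a password. The script below is an added example, not part of the article or of Mitnick's book; it takes the defender's side and audits such files, parsing every entry and flagging wildcard (+) entries, host-level trust and writable files, so that a .rhosts created the way the article describes stands out. The sample file contents, the hostnames and the /home layout are constructed for the demo.

```python
"""Audit .rhosts trust files (added example, not from the article).

A ~/.rhosts line "host [user]" grants passwordless rlogin/rsh access to the
account from that host; "+" in either field is a wildcard and a leading "-"
on the host denies access. This auditor lists the entries a defender would
want to remove. All sample data below is constructed.
"""
from __future__ import annotations

import stat
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    path: str
    line_no: int      # 0 for findings about the file itself
    entry: str
    severity: str     # "critical", "high" or "info"
    reason: str


def classify_entry(line: str) -> tuple[str, str] | None:
    """Classify one .rhosts line; None for blank lines and comments."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    fields = text.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    if host.startswith("-"):
        return "info", f"negative entry: access from {host[1:]} is denied"
    if host == "+" and user in (None, "+"):
        return "critical", "any user on any host may log in without a password"
    if host == "+":
        return "critical", f"user {user!r} may log in from any host without a password"
    if user == "+":
        return "critical", f"any user on {host} may log in without a password"
    if user is not None:
        return "high", f"user {user!r} on {host} may log in without a password"
    return "high", f"the same-named user on {host} may log in without a password"


def audit_rhosts_text(path: str, text: str) -> list[Finding]:
    """Audit the contents of one .rhosts file given as a string."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        verdict = classify_entry(line)
        if verdict is not None:
            findings.append(Finding(path, n, line.strip(), verdict[0], verdict[1]))
    return findings


def audit_home_dirs(root: str = "/home") -> list[Finding]:
    """Walk the home directories under root and audit any .rhosts found."""
    findings: list[Finding] = []
    root_path = Path(root)
    if not root_path.is_dir():
        return findings
    for home in root_path.iterdir():
        rhosts = home / ".rhosts"
        if not rhosts.is_file():
            continue
        try:
            # A trust file others can edit is a problem in its own right.
            if rhosts.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(Finding(str(rhosts), 0, "", "high",
                                        "file is group- or world-writable"))
            findings.extend(audit_rhosts_text(str(rhosts),
                                              rhosts.read_text(errors="replace")))
        except OSError as exc:
            findings.append(Finding(str(rhosts), 0, "", "info", f"could not read: {exc}"))
    return findings


# Constructed sample .rhosts for the demo (hostnames are made up).
SAMPLE_RHOSTS = """# constructed sample .rhosts
+ +
+ backup
devbox.example.com
build.example.com jenkins
-oldhost.example.com
"""

if __name__ == "__main__":
    for f in audit_rhosts_text("sample/.rhosts", SAMPLE_RHOSTS):
        print(f"{f.severity:8} line {f.line_no}: {f.entry!r}: {f.reason}")
    for f in audit_home_dirs():
        print(f"{f.severity:8} {f.path} line {f.line_no}: {f.entry!r}: {f.reason}")
```

Run it as a periodic check on hosts that still run r-services, or simply to confirm that no such files exist; on a system where rlogin and rsh are disabled, any .rhosts is still worth removing because it documents which hosts were once trusted.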
Social engineers are successful because most of us have been
brought up to trust that people are who they claim to be. When a
fellow employee calls asking for assistance, our natural reaction
is to try and help. Few of us question whether the person is who
they claim to be, particularly if they drop the right names, use
the right company language, and appear confident.
Social engineers use a variety of psychological tricks to persuade
staff to part with sensitive information. A favourite trick is to
build up a rapport with an employee by claiming enthusiasm for the
same interests, hobbies and beliefs. A hacker may call the same
person for several weeks, asking for help on a variety of small
issues, before finally asking for the killer favour.
Another common technique is to pose as someone senior in the
organisation. "I need a list of all your company's sales people by
4pm today. Do you want me to tell Mr Big that I couldn't complete
the takeover report in time because you refused to send it over?"
New employees are particularly vulnerable to this sort of attack.
"It is a performance art. The ability to act, to develop a pretext.
To be able to think around obstacles, of how somebody may verify
that you are who you say you are. Not to hesitate, to have
confidence, to act like you belong. The social engineer puts
themselves in the mindset that they are this character, and they
have to believe that they are the character."
Defensive action
The foremost defence for any
organisation is to create policies, so staff know exactly how to
respond to requests for information. They should be taught that
hackers can use even the most innocuous sounding pieces of internal
information as a stepping stone towards accessing genuine company
secrets.
"Employees have to be educated about what information needs to be
protected and how to protect it. Once people have a better
understanding of how they can be manipulated they are in a better
position to realise that an attack is under way."
Mitnick advises companies to categorise their data, so their staff
know what information is sensitive or private, and what can be
safely made public. Staff should be trained to independently verify
the identities of anyone asking for non-public information, even if
the person appears genuine. This could be a simple matter of
checking their names in the phone directory and phoning them back
on their internal number.
As a top-grade hacker turned consultant, Mitnick's insights will
prove invaluable for many organisations. But he admits he may face
an uphill struggle winning over the confidence of some
organisations he is offering to advise, through his security
consultancy Defensive Thinking. "Unfortunately because of the false
media reporting about me, and because I did things that I should
not have done in the past, it probably does create concern.
"So what I am doing is working on changing my image not just by
saying that I am doing good things but by actually doing them. Like
this book, for example. And hopefully people will forgive the past
and not buy into the myth."
The myth of Mitnick
Kevin Mitnick entered the public's
consciousness in 1994 when New York Times journalist John Markoff
ran an article on its front page - Cyberspace's Most Wanted: Hacker
Eludes FBI Pursuit. That article was the beginning of his downfall,
says Mitnick. The FBI was made to look foolish and didn't take it
lying down. "Markoff created the myth of Kevin Mitnick," he says.
Mitnick went on the run, moving from town to town, working under
assumed names. The FBI was always one step behind until Mitnick
decided to hack into security expert Tsutomu Shimomura's network on
Christmas day 1994. Shimomura worked with the FBI, tracking Mitnick
to an apartment in Raleigh, North Carolina. The arrest was
sensational, with Mitnick branded, as he says, the "Hannibal Lecter
of cyberspace".
It is hard to separate the myth from reality. Mitnick has been
accused of everything from hacking into the defence computers of
the North American Aerospace Defense Command to wiretapping the
FBI. At his trial, it was suggested Mitnick could start a nuclear
war if he was given access to a telephone. The truth was more
mundane, he says.
Mitnick was held without trial for four and a half years, including
eight months in solitary confinement. He was accused of causing
more than $300m (£187m) worth of damage to companies he hacked. He
claims the figure was invented by prosecutors to justify a heavy
prison sentence, which was way out of proportion to the crimes he
had committed. Prosecutors simply added up the research and
development costs of every piece of source code Mitnick looked at,
and claimed that as damage.
"Under federal law in the US, if any company suffers a material
loss, they have to report it," he says. "They did not report any
losses that were attributable to my conduct."
Mitnick says he was motivated purely by curiosity. "I did not try
to profit from it or destroy any information. I was breaking the
law by kind of snooping. Looking at information I shouldn't have
been looking at."
What every company needs to do
- Conduct awareness training programmes for staff on the methods
used by social engineers
- Examine what seemingly innocuous information could be used by
social engineers to gain access to sensitive information
- Simply knowing inside terminology can make the social engineer
appear authoritative and knowledgeable
- Few companies give out the direct phone numbers of their chief
executives or board chairman. Most companies though have no concern
about giving out phone numbers of most departments and groups in
their organisation to anyone who appears to be an employee
- Departmental accounting codes and copies of the corporate phone
directory are frequent targets for social engineers
- Employee numbers by themselves should not be used as a form of
authentication
- Consider teaching staff this approach: whenever asked a
question or asked a favour by a stranger, learn to politely decline
until the request can be verified.
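The defensive advice in the paragraph on categorising data and verifying identities, and in the checklist above, can be written down as a helpdesk procedure. The script below is an added example, not from the article or Mitnick's book: it classifies what is being asked for, treats an employee number as identification rather than authentication, refuses to call back on a number the caller supplies, and releases non-public information only once the requester has been phoned back on the extension the internal directory lists. It also counts repeated unfinished requests under one name, the "I have got to go, I will call you back" probing the article describes. The names, extensions and classification table are constructed for the demo.

```python
"""Helpdesk verification check for information requests (added example).

Encodes the article's advice: classify the item, never accept an employee
number or a caller-supplied phone number as proof of identity, and release
non-public information only after calling back on the directory extension.
Directory, extensions and classifications below are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    CONFIDENTIAL = "confidential"


# Constructed classification table (a real one comes from the organisation's policy).
DATA_CLASSIFICATION = {
    "office hours": Sensitivity.PUBLIC,
    "department phone list": Sensitivity.INTERNAL,
    "accounting codes": Sensitivity.INTERNAL,
    "password reset": Sensitivity.CONFIDENTIAL,
    "sales staff list": Sensitivity.CONFIDENTIAL,
}

# Constructed internal directory: name -> internal extension.
DIRECTORY = {"a. nguyen": "4471", "b. okafor": "4482"}


@dataclass
class Request:
    claimed_name: str                   # who the caller says they are
    item: str                           # what they are asking for
    proof: str                          # "none", "employee_number" or "callback_completed"
    callback_number: str | None = None  # number the caller asked us to use, if any


@dataclass
class Decision:
    action: str                         # "fulfil", "call_back" or "decline"
    reason: str
    callback_to: str | None = None      # directory extension to phone back on


def verify_request(req: Request) -> Decision:
    # Anything not yet classified is handled as confidential, never as public.
    sens = DATA_CLASSIFICATION.get(req.item.lower(), Sensitivity.CONFIDENTIAL)
    if sens is Sensitivity.PUBLIC:
        return Decision("fulfil", "public information; no verification needed")

    listed = DIRECTORY.get(req.claimed_name.lower())
    if listed is None:
        return Decision("decline", "name not found in the internal directory")

    # The callback goes to the directory number only; the article's attacker
    # had company calls forwarded outside, so a caller-supplied number is refused.
    if req.callback_number and req.callback_number != listed:
        return Decision("decline", "caller-supplied number differs from directory entry", listed)

    if req.proof == "callback_completed":
        return Decision("fulfil", "identity confirmed by callback to directory extension", listed)

    # An employee number is easy to learn: it identifies, it does not authenticate.
    prefix = "employee number is not authentication; " if req.proof == "employee_number" else ""
    return Decision("call_back", prefix + "call back on directory extension before releasing", listed)


def suspicious_names(log: list[tuple[Request, Decision]], threshold: int = 2) -> list[str]:
    """Names with repeated requests that were not fulfilled: worth a second look."""
    counts = Counter(r.claimed_name.lower() for r, d in log if d.action != "fulfil")
    return sorted(name for name, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    calls = [
        Request("A. Nguyen", "office hours", "none"),
        Request("A. Nguyen", "password reset", "employee_number"),
        Request("A. Nguyen", "accounting codes", "none", callback_number="0800 555 0100"),
        Request("A. Nguyen", "password reset", "callback_completed"),
    ]
    log = [(c, verify_request(c)) for c in calls]
    for req, dec in log:
        print(f"{req.claimed_name:10} {req.item:22} -> {dec.action:9} {dec.reason}")
    print("repeated unverified requests:", suspicious_names(log))
```

The useful property is that the helpdesk analyst's answer never depends on what the caller knows; it depends only on what the analyst can confirm from the directory, which is the distinction the article draws between identifying information and authentication.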
Six psychological techniques
Authority: People have a tendency to comply when a request is
made by a person in authority. Social engineers cloak themselves in
the mantle of authority by claiming to be from the IT department,
an executive, or a PA to a senior manager.
Empathy: People respond favourably when the person making a
request appears likeable or has similar beliefs, interests and
attitudes. A social engineer will attempt to mimic the behaviour of
his target.
Reciprocation: People may automatically comply with a request
when given or promised something of value, such as an item, advice
or help. Social engineers can pose as the IT helpdesk, offering
helpful advice, knowing that their victim will be more likely to be
helpful in return.
Consistency: Once people have promised to do something they
tend to follow through, rather than appear untrustworthy. A hacker
posing as someone from the IT department might ask a new employee
to give a commitment to good security practices, before giving him
or her advice on constructing a secure password in a way that will
allow him to guess it. The victim complies because of his/her
previous commitment.
Social validation: People will comply when what they are
doing appears to be in line with what others are doing. A social
engineer might claim to be conducting a survey and name other
people in the department who have already answered questions in
order to build confidence.
Scarcity: People will comply with a request if they believe
it will give them access to an item that is in short supply or
available only for a short time. For example, an attacker could
send an e-mail claiming that the first 500 people to register for a
new website win tickets to a new film. Unsuspecting employees are
asked to type in their user names and password.
Source: The Art of Deception, by Kevin Mitnick
The social engineer as an IT supplier
Transcript of conversation taken from Mitnick's book, The Art of
Deception
The caller identified himself to Paul Ahearn, in
technical support, as Edward with SeerWare, your database supplier.
"Apparently a bunch of our customers didn't get the e-mail about
our emergency update, so we are calling a few for a quality control
check to see whether there was a problem installing the patch. Have
you installed the update yet?"
Ahearn said he was pretty sure he hadn't seen anything like that.
Edward said, "Well, it could cause intermittent catastrophic loss
of data so we recommend you get it installed as soon as possible."
Yes, that was something he certainly wanted to do, Ahearn said.
"Okay," the caller responded. "We can send you a tape or CD with
the patch, and I want to tell you, it is really critical - two
companies have already lost several days of data. So you should get
this installed as soon as it arrives, before it happens to your
company."
"Can't I download it from your website?" Ahearn wanted to know.
"It should be available soon - the tech team has been putting out
all these fires. If you want, we can have our customer support
centre install it for you, remotely. We can either dial up or use
Telnet to connect to the system, if you can support that."
"We don't allow Telnet, especially from the internet - it is not
secure," Ahearn answered. "If you can use SSH, that would be okay,"
he said, naming a product that provides secure file transfers.
"Yeh. We have SSH. So what is the IP address?"
Ahearn gave him the IP address, and when Edward asked, "And what
user name and password can I use?" Ahearn gave him those as well.
The social engineer at work as a PA
Transcript of conversation taken from Mitnick's book, The Art of
Deception
The attacker pretends to be a personal assistant working for the
big company boss.
"Scott, this is Christopher Dalbridge. I just got off the phone
with Mr Biggley, and he is more than a little unhappy. He says he
sent a note 10 days ago that you people were to get copies of all
your market penetration research over to us for analysis. We never
got a thing."
"Market penetration research? Nobody said anything to me about it.
What department are you in?"
"We're a consulting firm he hired, and we're already behind
schedule."
"Listen, I'm just on my way to a meeting. Let me get your phone
number and..."
The attacker now sounded just short of truly frustrated. "Is this
what you want me to tell Mr Biggley? Listen, he expects our
analysis by tomorrow morning and we have to work on it tonight.
Now, do you want me to tell him we couldn't do it because we
couldn't get the report from you, or do you want to tell him that
yourself?"
An angry chief executive can ruin your week. The target is likely
to decide that maybe this is something he had better take care of
before he goes into that meeting.