A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business. But, says Kevin Mitnick, the world's most notorious computer hacker, that company is still totally vulnerable. Its own staff are the weakest link. Like the rest of us, they make mistakes, they are gullible, and they can be manipulated and conned.
Mitnick's success as a computer hacker stems from his ability to exploit these human weaknesses. He was, and is, a first-class "social engineer", able to persuade unsuspecting employees to divulge the most sensitive systems information, without them even realising it.
Now going straight after serving a five-year prison sentence, Mitnick has revealed the social engineering secrets behind his hacking exploits in his book, The Art of Deception. It sheds a clear light on risks posed to organisations by social engineers of every description, from hackers to industrial spies, and private detectives to headhunters. It should be required reading for every IT director and chief information officer.
Mitnick's first brush with social engineering skills came at high school when a friend introduced him to the hobby of phone phreaking. He learned how to pass himself off as a phone company employee, learning the lingo and internal company procedures so well that he "could talk most telco employees into almost anything".
"One way I worked on developing the skills of my craft, if I may call it a craft, was to pick out some piece of information I didn't really care about and see if I could talk somebody on the other end of the phone into providing it, just to improve my skills," says Mitnick.
By combining technical exploits with social engineering, he discovered he was able to burrow his way into even the most formidably protected systems.
"If it was getting their password it was done very elaborately, where it was already predetermined how the target would verify the identity of the IT person, for example, if I was impersonating an IT person."
"I would get into the company's PBX, and when the real employee called back, it would simply forward the call outside the company to a cloned cellphone," he says.
No research has been done to show just how much of hacking involves social engineering, but Mitnick believes it is a significant factor in at least 50% of attacks.
"And the real scary thing is that 99% of social engineering attacks work, which tends to illustrate that people are not aware of the threat of social engineering and the methodologies used," he says.
One of the most common ruses used by hackers with social engineering skills is to phone a company's IT helpdesk, posing as an employee with a problem.
"The social engineer will find the name of an employee, call the helpdesk and pretend they are that employee, to find out the process. What does the helpdesk ask? Do they ask for the employee number, do they ask to call back, do they ask who your boss is? And once they have figured out what the process is, they say, 'I have got to go, I have got an emergency call, I will call you back'."
For a skilled social engineer, it is not difficult to discover, for example, the employee number of a member of staff, the name of his or her boss, or other information used by IT staff for verification.
"Let us say it is a social security number. The social engineer will research that person, find out their social security number, then call up. And then when they are asked to verify who they say they are, they give their social. The helpdesk analyst believes it and resets the passwords. Once the passwords are re-set the social engineer then calls the real target, claiming to be from the IT department or the helpdesk."
Mitnick used just such a ploy when he broke into the computers of NEC, an attack which eventually led to his imprisonment. He used the Unix "finger" command to list the users on the NEC machine he was interested in. "I saw a user logged in, and it gave his phone number. I phoned the user up and within 30 to 60 seconds I was able to determine that person's level of knowledge of the Unix operating system.
"I told him that there was a problem in creating certain files that began with a period and that I was trying to troubleshoot this. I said, do you have a .rhost file? He said no, what is that? And immediately knowing that he did not know what a .rhost file was, put me in the position of having to create one.
"If you create a .rhost file under the Unix operating system, if the systems are set up in such a way, for running certain types of services, you can log into the user's account without needing a password. So I talked him through the process of creating a .rhost file."
Social engineers are successful because most of us have been brought up to trust that people are who they claim to be. When a fellow employee calls asking for assistance, our natural reaction is to try and help. Few of us question whether the person is who they claim to be, particularly if they drop the right names, use the right company language, and appear confident.
Social engineers use a variety of psychological tricks to persuade staff to part with sensitive information. A favourite trick is to build up a rapport with an employee by claiming enthusiasm for the same interests, hobbies and beliefs. A hacker may call the same person for several weeks, asking for help on a variety of small issues, before finally asking for the killer favour.
Another common technique is to pose as someone senior in the organisation. "I need a list of all your company's sales people by 4pm today. Do you want me to tell Mr Big that I couldn't complete the takeover report in time because you refused to send it over?" New employees are particularly vulnerable to this sort of attack.
"It is a performance art. The ability to act, to develop a pretext. To be able to think around obstacles, of how somebody may verify that you are who you say you are. Not to hesitate, to have confidence, to act like you belong. The social engineer puts themselves in the mindset that they are this character, and they have to believe that they are the character."
The foremost defence for any organisation is to create policies, so staff know exactly how to respond to requests for information. They should be taught that hackers can use even the most innocuous sounding pieces of internal information as a stepping stone towards accessing genuine company secrets.
"Employees have to be educated about what information needs to be protected and how to protect it. Once people have a better understanding of how they can be manipulated they are in a better position to realise that an attack is under way."
Mitnick advises companies to categorise their data, so their staff know what information is sensitive or private, and what can be safely made public. Staff should be trained to independently verify the identities of anyone asking for non-public information, even if the person appears genuine. This could be a simple matter of checking their names in the phone directory and phoning them back on their internal number.
As a top-grade hacker turned consultant, Mitnick's insights will prove invaluable for many organisations. But he admits he may face an uphill struggle winning over the confidence of some organisations he is offering to advise, through his security consultancy Defensive Thinking. "Unfortunately because of the false media reporting about me, and because I did things that I should not have done in the past, it probably does create concern.
"So what I am doing is working on changing my image not just by saying that I am doing good things but by actually doing them. Like this book, for example. And hopefully people will forgive the past and not buy into the myth."
The myth of Mitnick
Kevin Mitnick entered the public's consciousness in 1994 when New York Times journalist John Markoff ran an article on its front page - Cyberspace's Most Wanted: Hacker Eludes FBI Pursuit. That article was the beginning of his downfall, says Mitnick. The FBI was made to look foolish and didn't take it lying down. "Markoff created the myth of Kevin Mitnick," he says.
Mitnick went on the run, moving from town to town, working under assumed names. The FBI was always one step behind until Mitnick decided to hack into security expert Tsutomu Shimomura's network on Christmas day 1994. Shimomura worked with the FBI, tracking Mitnick to an apartment in Raleigh, North Carolina. The arrest was sensational, with Mitnick branded, as he says, the "Hannibal Lecter of cyberspace".
It is hard to separate the myth from reality. Mitnick has been accused of everything from hacking into the defence computers of the North American Aerospace Defense Command to wiretapping the FBI. At his trial, it was suggested Mitnick could start a nuclear war if he was given access to a telephone. The truth was more mundane, he says.
Mitnick was held without trial for four and a half years, including eight months in solitary confinement. He was accused of causing more than $300m (£187m) worth of damage to companies he hacked. He claims the figure was invented by prosecutors to justify a heavy prison sentence, which was way out of proportion to the crimes he had committed. Prosecutors simply added up the research and development costs of every piece of source code Mitnick looked at, and claimed that as damage.
"Under federal law in the US, if any company suffers a material loss, they have to report it," he says. "They did not report any losses that were attributable to my conduct."
Mitnick says he was motivated purely by curiosity. "I did not try to profit from it or destroy any information. I was breaking the law by kind of snooping. Looking at information I shouldn't have been looking at."
What every company needs to do
- Conduct awareness training programmes for staff on the methods used by social engineers
- Examine what seemingly innocuous information could be used by social engineers to gain access to sensitive information
- Simply knowing inside terminology can make the social engineer appear authoritative and knowledgeable
- Few companies give out the direct phone numbers of their chief executives or board chairman. Most companies though have no concern about giving out phone numbers of most departments and groups in their organisation to anyone who appears to be an employee
- Departmental accounting codes and copies of the corporate phone directory are frequent targets for social engineers
- Employee numbers by themselves should not be used as a form of authentication
- Consider teaching staff this approach: whenever asked a question or asked a favour by a stranger, learn to politely decline until the request can be verified.
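The helpdesk ruse described earlier (probe the verification process, hang up, come back armed with the answers) and the advice above (employee numbers are not authentication; verify by calling back on the directory number) translate directly into a policy and a detection rule. The code below is an added example, not from the article or from Mitnick's book; the directory, the log format, the 24-hour window and the threshold of two abandoned calls are all constructed assumptions for demonstration.

```python
"""Helpdesk identity-verification policy plus a detector for the
"learn the process and hang up" reconnaissance pattern.

Added example, not code from the article or Mitnick's book. The directory,
log lines, window and threshold are constructed for demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed internal directory: the only acceptable source of callback numbers.
DIRECTORY = {
    "E10422": {"name": "Jane Smith", "extension": "4471", "manager": "Tom Rivera"},
    "E10587": {"name": "Scott Lee", "extension": "4490", "manager": "Tom Rivera"},
}


def verify_request(claimed_name, supplied_employee_id=None,
                   supplied_callback=None, knows_manager=False):
    """Decide how the helpdesk should handle a password-reset request.

    Employee number and manager's name are treated as routing information,
    never as proof of identity. The request is cleared by ringing the
    directory extension, and a number the caller supplies is ignored.
    """
    record = DIRECTORY.get(supplied_employee_id or "")
    if record is None or record["name"].lower() != claimed_name.strip().lower():
        return {"action": "deny", "reason": "name does not match a directory record"}
    callback = record["extension"]
    notes = []
    if supplied_callback and supplied_callback != callback:
        notes.append("caller-supplied number ignored; directory extension used")
    if knows_manager:
        notes.append("manager name is not authentication")
    return {"action": "callback", "extension": callback,
            "employee_id": supplied_employee_id, "notes": notes}


def parse_log_line(line):
    """Parse a constructed helpdesk log line such as
    '2003-01-06T09:12:00 ticket=1041 account=jsmith outcome=abandoned'."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["time"] = datetime.fromisoformat(timestamp)
    return fields


def find_probing(lines, window=timedelta(hours=24), threshold=2):
    """Flag accounts with >= threshold calls abandoned before verification
    inside any window-sized interval; returns {account: count}."""
    abandoned = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("outcome") == "abandoned":
            abandoned[rec["account"]].append(rec["time"])
    flagged = {}
    for account, times in abandoned.items():
        times.sort()
        for i, start in enumerate(times):
            run = [t for t in times[i:] if t - start <= window]
            if len(run) >= threshold:
                flagged[account] = len(run)
                break
    return flagged


# Constructed sample log: two hang-ups against jsmith on the same day.
SAMPLE_LOG = [
    "2003-01-06T09:12:00 ticket=1041 account=jsmith outcome=abandoned",
    "2003-01-06T09:40:00 ticket=1042 account=slee outcome=reset_after_callback",
    "2003-01-06T14:05:00 ticket=1047 account=jsmith outcome=abandoned",
    "2003-01-07T08:55:00 ticket=1052 account=jsmith outcome=reset_after_callback",
    "2003-01-09T11:00:00 ticket=1066 account=slee outcome=abandoned",
]

if __name__ == "__main__":
    print(verify_request("Jane Smith", "E10422", supplied_callback="555-0199"))
    print(find_probing(SAMPLE_LOG))
```

The policy function never returns "reset": the only positive outcome is an instruction to call the directory extension, which is the step the article recommends. The detector is deliberately simple; in practice the flagged account's owner should be told that someone has been asking about them, since the follow-up call claiming to be "from IT" is the part of the attack that does the damage.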
Six psychological techniques
Authority: People have a tendency to comply when a request is made by a person in authority. Social engineers cloak themselves in the mantle of authority by claiming to be from the IT department, an executive, or a PA to a senior manager
Empathy: People respond favourably when the person making a request appears likeable or has similar beliefs, interests and attitudes. A social engineer will attempt to mimic the behaviour of his target
Reciprocation: People may automatically comply with a request when given or promised something of value, such as an item, advice or help. Social engineers can pose as the IT helpdesk, offering helpful advice, knowing that their victim will be more likely to be helpful in return
Consistency: Once people have promised to do something they tend to follow through, rather than appear untrustworthy. A hacker posing as someone from the IT department might ask a new employee to give a commitment to good security practices, before giving him or her advice on constructing a secure password in a way that will allow him to guess it. The victim complies because of his/her previous commitment
Social validation: People will comply when what they are doing appears to be in line with what others are doing. A social engineer might claim to be conducting a survey and name other people in the department who have already answered questions in order to build confidence
Scarcity: People will comply with a request if they believe it will give them access to an item that is in short supply or available only for a short time. For example, an attacker could send an e-mail claiming that the first 500 people to register for a new website win tickets to a new film. Unsuspecting employees are asked to type in their user names and password.
Source: The Art of Deception, by Kevin Mitnick
The social engineer as an IT supplier
Transcript of conversation taken from Mitnick's book, The Art of Deception
The caller identified himself to Paul Ahearn, in technical support, as Edward with SeerWare, "your database supplier". "Apparently a bunch of our customers didn't get the e-mail about our emergency update, so we are calling a few for a quality control check to see whether there was a problem installing the patch. Have you installed the update yet?"
Ahearn said he was pretty sure he hadn't seen anything like that.
Edward said, "Well, it could cause intermittent catastrophic loss of data so we recommend you get it installed as soon as possible."
Yes, that was something he certainly wanted to do, Ahearn said.
"Okay," the caller responded. "We can send you a tape or CD with the patch, and I want to tell you, it is really critical - two companies have already lost several days of data. So you should get this installed as soon as it arrives, before it happens to your company."
"Can't I download it from your website?" Ahearn wanted to know.
"It should be available soon - the tech team has been putting out all these fires. If you want, we can have our customer support centre install it for you, remotely. We can either dial up or use Telnet to connect to the system, if you can support that."
"We don't allow Telnet, especially from the internet - it is not secure," Ahearn answered. "If you can use SSH, that would be okay," he said, naming a product that provides secure file transfers.
"Yeh. We have SSH. So what is the IP address?"
Ahearn gave him the IP address, and when Edward asked, "And what user name and password can I use?" Ahearn gave him those as well.
The social engineer at work as a PA
Transcript of conversation taken from Mitnick's book, The Art of Deception
The attacker pretends to be a personal assistant working for the big company boss.
"Scott, this is Christopher Dalbridge. I just got off the phone with Mr Biggley, and he is more than a little unhappy. He says he sent a note 10 days ago that you people were to get copies of all your market penetration research over to us for analysis. We never got a thing."
"Market penetration research? Nobody said anything to me about it. What department are you in?"
"We're a consulting firm he hired, and we're already behind schedule."
"Listen, I'm just on my way to a meeting. Let me get your phone number and..."
The attacker now sounded just short of truly frustrated. "Is this what you want me to tell Mr Biggley? Listen, he expects our analysis by tomorrow morning and we have to work on it tonight. Now, do you want me to tell him we couldn't do it because we couldn't get the report from you, or do you want to tell him that yourself?"
An angry chief executive can ruin your week. The target is likely to decide that maybe this is something he had better take care of before he goes into that meeting.