June 14, 2006 7:17 AM PDT

Newsmaker: Kevin Mitnick, the great pretender

Ten years ago, there wasn't much of a World Wide Web to exploit, but there were still hackers--or, more accurately, crackers.

Without the current glut of naive Web users to exploit, would-be cyberthieves and vandals had to be somewhat more creative, and one of the most creative and infamous was Kevin Mitnick.

Arrested by the FBI in 1995 and convicted of breaking into the systems of Fujitsu Siemens, Nokia and Sun Microsystems, Mitnick served five years in prison--eight months of it in solitary confinement.

In his days on the wrong side of the law, Mitnick used so-called social-engineering techniques to fool users into handing over sensitive information. Rather than overt technical hacks, he was able to convince employees to hand over information that enabled him to hack systems, while redirecting telephone signals to avoid detection by the authorities.

Following his run-in with the law, Mitnick put his powers of persuasion to good use, running a company that advises businesses on avoiding social-engineering attacks.

ZDNet UK caught up with the ex-cracker before his keynote speech on the "art of deception" at the MIS CISO Executive Summit & Roundtable in Barcelona, to discuss developments in social engineering, new U.S. laws monitoring telephone systems and alleged "NASA hacker" Gary McKinnon's impending extradition to the United States.

Q: How big a problem is social engineering for businesses? Is it becoming a more widely used tactic?
Mitnick: It's a substantial problem--a lot of malware is associated with social engineering. Social engineering plays a big part in exploiting known vulnerabilities in software.

Are you seeing any new attack methods?
Mitnick: They use the same methods they always have--using a ruse to deceive, influence or trick people into revealing information that benefits the attackers. These attacks are initiated, and in a lot of cases, the victim doesn't realize. Social engineering plays a large part in the propagation of spyware. Usually, attacks are blended, exploiting technological vulnerabilities and social engineering.

What can businesses do to safeguard themselves?
Mitnick: Businesses should train people to try to recognize possible attacks.

What are some of the giveaway signs to look for in a potential social-engineering attack?
Mitnick: Mostly, it's gut instinct--if something doesn't look or feel right. If someone is calling on the telephone, but they refuse to give any contact information, that's a red flag. If they make a request that's out of the ordinary, that's a red flag. If they make a request for something sensitive, that's when verification is necessary, depending on company policy.

If somebody is flattering you, they might be trying to influence you to cooperate. Or they might use an authority ruse--they pretend to have a higher status than you to force information from you.

Is it all down to the employees?
Mitnick: People can't be human lie detectors. Companies need to develop a simple security protocol to know when employees should refer to policy--on their intranet. Top management needs to buy into this idea.

Companies should run workshops on responses to social engineering, to demonstrate the foolish feeling people could have if they're tricked. Enterprises need to motivate compliance with policy and explain why this is important to employees. Businesses should also develop their security policy and encourage employee participation--educate people. You can hire an outside firm to test security and see if people can be fooled into revealing information.

There are new laws, in both the United States and the United Kingdom, regarding monitoring telephone systems. What is your opinion on them?
Mitnick: There's a privacy issue at stake. There's a big scandal at the moment with the Bush administration monitoring systems.

Can that be avoided?
Mitnick: People can use strong crypto, but then so can criminals and terrorists. Security and privacy is always a delicate balancing act.

What's your opinion on Gary McKinnon, the so-called "NASA hacker"? The U.S. is in the process of extraditing him to face charges of hacking into government systems.
Mitnick: He's the UFO guy, right? I think the excuse that he was trying to expose UFOs is laughable--he was allegedly hacking around all sorts of systems.

I think they're trying to make an example out of him--you can't be in another country and escape American justice. Now, I'm not an expert on British law, but surely he could be prosecuted in the U.K. for the same thing?  

Tom Espiner reported for ZDNet UK.

Comments
Didn't this SAME story appear 8 months ago?
by June 14, 2006 11:12 AM PDT
This is the exact same article posted about 8 months ago on CNET. Same story to the letter actually.

*** cnet, where's the NEWS?
This has been known for years
by Mr. Network June 14, 2006 1:14 PM PDT
yet still people are stupid enough to fall for this crap. If you do not know the person, why are you telling them anything? Make sure you follow proper security protocols before handing out sensitive information.
Why do stupid writers still refer to Mitnick as a hacker?
by Jackson Cracker June 14, 2006 4:03 PM PDT
He wasn't a hacker, or even a cracker. He was simply a con man who talked people into giving him access or giving up information he could then use to get access without needing to do any cracking. It's not much different from today's "phishing" where con artists use fraud to convince someone to provide a username and password, which they can then use to directly access that person's account, again without ever resorting to any "cracking" or "hacking".
Miracle Diets, Anti-aging, No Money Down Real Estate,
by maxwis June 14, 2006 9:18 PM PDT
Turn to any television channel and you will see the greatest example of social engineering known to man -- the infomercial. Today I was treated to Cindy Crawford telling me about a rare melon in the South of France that you put on your face to turn back the aging clock. Presumably this is how Cindy became a super-model. Thanks to Cindy's beneficence you don't have to travel to Paris and visit a reclusive dermatologist to get this secret, just send her a check for $39.95 and she will send you a bottle of the miracle potion in the mail.