Without the current glut of naive Web users to exploit, would-be cyberthieves and vandals had to be somewhat more creative, and one of the most creative and infamous was Kevin Mitnick.
Arrested by the FBI in 1995 and convicted of breaking into the systems of Fujitsu Siemens, Nokia and Sun Microsystems, Mitnick served a prison sentence--eight months of it in solitary confinement.
In his days on the wrong side of the law, Mitnick used so-called social-engineering techniques to fool users into handing over sensitive information. Rather than overt technical hacks, he was able to convince employees to hand over information that enabled him to hack systems, while redirecting telephone signals to avoid detection by the authorities.
Following his run-in with the law, Mitnick put his powers of persuasion to good use, running a company that advises businesses on avoiding social-engineering attacks.
ZDNet UK caught up with the ex-cracker before his keynote speech on the "art of deception" at the MIS CISO Executive Summit & Roundtable in Barcelona, to discuss developments in social engineering, new U.S. laws on monitoring telephone systems and alleged "NASA hacker" Gary McKinnon's impending extradition to the United States.
Q: How big a problem is social engineering for businesses? Is it becoming a more widely used tactic?
Mitnick: It's a substantial problem--a lot of malware is associated with social engineering. Social engineering plays a big part in exploiting known vulnerabilities in software.
Are you seeing any new attack methods?
Mitnick: They use the same methods they always have--using a ruse to deceive, influence or trick people into revealing information that benefits the attackers. These attacks are initiated, and in a lot of cases, the victim doesn't realize. Social engineering plays a large part in the propagation of spyware. Usually, attacks are blended, exploiting technological vulnerabilities and social engineering.
What can businesses do to safeguard themselves?
Mitnick: Businesses should train people to try to recognize possible attacks.
What are some of the giveaway signs to look for in a potential social-engineering attack?
Mitnick: Mostly, it's gut instinct--if something doesn't look or feel right. If someone is calling on the telephone, but they refuse to give any contact information, that's a red flag. If they make a request that's out of the ordinary, that's a red flag. If they make a request for something sensitive, that's when verification is necessary, depending on company policy.
If somebody is flattering you, they might be trying to influence you to cooperate. Or they might use an authority ruse--they pretend to have a higher status than you to force information from you.
Is it all down to the employees?
Mitnick: People can't be human lie detectors. Companies need to develop a simple security protocol to know when employees should refer to policy--on their intranet. Top management needs to buy into this idea.
Companies should run workshops on responses to social engineering, to demonstrate the foolish feeling people could have if they're tricked. Enterprises need to motivate compliance with policy and explain why this is important to employees. Businesses should also develop their security policy and encourage employee participation--educate people. You can hire an outside firm to test security and see if people can be fooled into revealing information.
There are new laws, in both the United States and the United Kingdom, regarding monitoring telephone systems. What is your opinion on them?
Mitnick: There's a privacy issue at stake. There's a big scandal at the moment with the Bush administration monitoring systems.
Can that be avoided?
Mitnick: People can use strong crypto, but then so can criminals and terrorists. Security and privacy are always a delicate balancing act.
What's your opinion on Gary McKinnon, the so-called "NASA hacker"? The U.S. is in the process of extraditing him to face charges of hacking into government systems.
Mitnick: He's the UFO guy, right? I think the excuse that he was trying to expose UFOs is laughable--he was allegedly hacking around all sorts of systems.
I think they're trying to make an example out of him--you can't be in another country and escape American justice. Now, I'm not an expert on British law, but surely he could be prosecuted in the U.K. for the same thing?
Tom Espiner reported for ZDNet UK.