
EVENT REVIEW: Mitnick on Misdirection: Hacking as Close-up Magic

Information security experts routinely warn those they work with about the dangers of social engineering. One way to approach social engineering is to realize that it's magic, and by that we mean stage-and-street magic, not ritual magic. Like the conjuror who performs at a kid's birthday party, the social engineer relies on your trust, your expectations, and your susceptibility to misdirection.

Kevin Mitnick, who now runs Mitnick Security Consulting and also serves as Chief Hacking Officer for the anti-social-engineering training shop KnowBe4, is well known for his days as a black hat. The FBI eventually caught him in a famous and controversial investigation into wire fraud and other computer-related offenses. He did his prison time in the late 1990s, and was released in January 2000, with his access to information technology restricted to a landline phone as a condition of his supervised release. (That supervised release period is more than a decade in the past.)

Mitnick's rehabilitation and subsequent career as a white hat hacker are now famous. At the 2017 Cyber Investing Summit, he described his own path into hacking. It began, he said, with an early interest in magic, conjuring, and was fostered by a high school friend who was into phone phreaking, one of the ancestral forms of hacking where people would make free long-distance calls by whistling the right tone into a phone.

He demonstrated several hacks that bore an interesting resemblance to street magic, including theft of physical access card credentials using a remote card reader, microphone and webcam hacks, and the compromise of a workstation through a plausible social engineering attack. 

One of Mitnick's timelier demonstrations was the introduction of a Trojan into a fully patched, AV-equipped Windows 7 machine. An implant that lives only in memory and never touches disk gives signature-based antivirus little to scan, which is what makes it hard to detect, he noted. "Any AV product can be bypassed." 

He showed a live instance of WannaCry, using a Shodan search to identify potential targets. The delivery vector he used was a spoofed, and quite persuasive, GoToMeeting site. 

To avoid infection, Mitnick recommended "inoculating" personnel against attack by attacking them in training sessions. He also strongly recommended implementing well-crafted egress rules in the enterprise. 
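What "well-crafted egress rules" look like in practice is a default-deny outbound policy: workstations are not allowed to reach the internet directly at all; only a forward proxy may speak HTTP/HTTPS outward and only the recursive resolver may speak DNS outward. A worm scanning for SMB on internet hosts, or an implant calling home on an arbitrary port, then dies at the perimeter regardless of whether the endpoint AV caught it. The block below is an added example written for this page, not code from the CyberWire write-up or from Mitnick's talk; the network ranges, rule names and flow records are constructed for illustration. It models a first-match egress policy and audits a handful of constructed outbound-flow records against it.

```python
"""Default-deny egress policy evaluated over constructed outbound-flow records.

Added example, not from the CyberWire write-up or Mitnick's talk. The address
ranges, rule names and flow log below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # hypothetical enterprise range
PROXY = ip_network("10.0.5.10/32")       # hypothetical forward proxy
RESOLVER = ip_network("10.0.5.53/32")    # hypothetical recursive DNS resolver
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: object          # ip_network the connecting host must belong to
    dst: object          # ip_network the destination must belong to
    ports: tuple         # inclusive (low, high) destination port range
    proto: str = "tcp"   # "tcp", "udp" or "any"

    def matches(self, src, dst, port, proto):
        return (src in self.src and dst in self.dst
                and self.ports[0] <= port <= self.ports[1]
                and self.proto in ("any", proto))


# First-match policy. Only the proxy may talk HTTP/HTTPS out and only the
# resolver may talk DNS out; everything else that tries to leave is denied
# by the catch-all at the end, including outbound SMB from any workstation.
EGRESS_POLICY = [
    Rule("proxy-web-out", "allow", PROXY, ANY, (80, 80)),
    Rule("proxy-tls-out", "allow", PROXY, ANY, (443, 443)),
    Rule("resolver-dns-out", "allow", RESOLVER, ANY, (53, 53), "udp"),
    Rule("default-deny", "deny", ANY, ANY, (0, 65535), "any"),
]


def evaluate(src, dst, port, proto, policy=EGRESS_POLICY):
    """Return (verdict, rule_name) for one flow.

    Traffic whose destination stays inside INTERNAL is not egress; it is
    reported as ("internal", None) without consulting the policy.
    """
    src, dst = ip_address(src), ip_address(dst)
    if dst in INTERNAL:
        return ("internal", None)
    for rule in policy:
        if rule.matches(src, dst, port, proto):
            return (rule.action, rule.name)
    raise AssertionError("egress policy must end with a catch-all rule")


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src> <dst> <port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def audit(flow_log, policy=EGRESS_POLICY):
    """Evaluate every record in flow_log; return (src, dst, port, proto, verdict, rule) tuples."""
    results = []
    for line in flow_log.strip().splitlines():
        f = parse_flow(line)
        verdict, rule = evaluate(f["src"], f["dst"], f["port"], f["proto"], policy)
        results.append((f["src"], f["dst"], f["port"], f["proto"], verdict, rule))
    return results


# Constructed flow records: a workstation probing SMB on an internet host, the
# same workstation trying to reach a web server directly instead of via the
# proxy, the proxy and resolver doing their jobs, an internal SMB session, and
# a workstation calling out on an arbitrary high port.
SAMPLE_FLOWS = """
2024-01-15T10:01:02Z 10.0.7.21 198.51.100.40 445 tcp
2024-01-15T10:01:03Z 10.0.7.21 203.0.113.9 443 tcp
2024-01-15T10:01:04Z 10.0.5.10 203.0.113.9 443 tcp
2024-01-15T10:01:05Z 10.0.5.53 192.0.2.1 53 udp
2024-01-15T10:01:06Z 10.0.7.21 10.0.8.30 445 tcp
2024-01-15T10:01:07Z 10.0.7.21 198.51.100.40 4444 tcp
"""

if __name__ == "__main__":
    for src, dst, port, proto, verdict, rule in audit(SAMPLE_FLOWS):
        print(f"{src:>10} -> {dst}:{port}/{proto:<3} {verdict:<8} {rule or ''}")
```

Two design points carry over to a real firewall or cloud security group: the policy ends in an explicit catch-all deny so an unanticipated port is blocked rather than silently allowed, and the allow rules are pinned to the specific proxy and resolver hosts, not to the whole internal range, so a compromised workstation cannot simply use port 443 to call home. The evaluator is a model for reasoning about the ruleset, not a substitute for the nftables or security-group configuration that enforces it.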

A cautionary observation in closing. Many concerned with security are confident they can see through social engineering, and sometimes they're (we're) right—they (we) don’t believe the person sending the email is really the widow of a Nigerian prince, or that "Microsoft help desk" has really called us to help fix our MacBook. But, as they say, don't get cocky, kid. Spend some time watching card mechanics do their stuff. You probably can't tell how the ace of hearts got there, no matter how closely you look. If the social engineer is as good as the performer at Junior's birthday party, well, they might reel you in, too.


Source: Cyberwire

