EVENT REVIEW: Mitnick on Misdirection: Hacking as Close-up Magic

Information security experts routinely warn those they work with about the dangers of social engineering. One way to approach social engineering is to realize that it's magic, and by that we mean stage-and-street magic, not ritual magic. Like the conjuror who performs at a kid's birthday party, the social engineer relies on your trust, your expectations, and your susceptibility to misdirection.

Kevin Mitnick, who now runs Mitnick Security Consulting and also serves as Chief Hacking Officer for the anti-social-engineering training shop KnowBe4, is well known for his days as a black hat. The FBI eventually caught him in a famous and controversial investigation into wire fraud and other computer-related offenses. He did his prison time in the late 1990s, and was released in January 2000, with his access to information technology restricted to a landline phone as a condition of his supervised release. (That supervised release period is more than a decade in the past.)

Mitnick's rehabilitation and subsequent career as a white hat hacker are now famous. At the 2017 Cyber Investing Summit, he described his own path into hacking. It began, he said, with an early interest in magic, conjuring, and was fostered by a high school friend who was into phone phreaking, one of the ancestral forms of hacking where people would make free long-distance calls by whistling the right tone into a phone.

He demonstrated several hacks that bore an interesting resemblance to street magic, including theft of physical access card credentials using a remote card reader, microphone and webcam hacks, and the compromise of a workstation through a plausible social engineering attack. 

One of Mitnick's timelier demonstrations was the introduction of a Trojan into a patched, AV-equipped Windows 7 machine. Installation in memory makes it hard to detect an implant, he noted. "Any AV product can be bypassed." 

He showed a live instance of WannaCry, using a Shodan search to identify potential targets. The exploit he used employed a spoofed and quite persuasive GoToMeeting site. 

To avoid infection, Mitnick recommended "inoculating" personnel against attack by attacking them in training sessions. He also strongly recommended implementing well-crafted egress rules in the enterprise. 

A cautionary observation in closing. Many concerned with security are confident they can see through social engineering, and sometimes they're (we're) right—they (we) don’t believe the person sending the email is really the widow of a Nigerian prince, or that "Microsoft help desk" has really called us to help fix our MacBook. But, as they say, don't get cocky, kid. Spend some time watching card mechanics do their stuff. You probably can't tell how the ace of hearts got there, no matter how closely you look. If the social engineer is as good as the performer at Junior's birthday party, well, they might reel you in, too.

Read this cool news snippet and get your daily does at the source.

Source: Cyberwire

Topics: Social Engineering, security expert, Shodan search, Speaking Engagements, WannaCry, Chief Hacking Officer, hacking, security awareness training, KnowBe4, Mitnick Security Consulting, Trojan, white hat, Kevin Mitnick

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

The Growth of Third-Party Software Supply Chain Cyber Attacks

When testing your employees' social engineering readiness, your teams need simulated attacks that feel as if they’re coming from a nefarious engineer...

Read more ›

Bypassing Key Card Access: Shoring Up Your Physical Security

As you build additional layers of defense into your cybersecurity framework, it's important to implement physical security strategies as well.

Read more ›

How to Prioritize Your Pentesting Report’s Remediation Recommendations

If you recently received a penetration test, you’re on the right track to improving your cybersecurity posture. However, you may be wondering what the..

Read more ›