EVENT REVIEW: The World’s Top Hacker Kevin Mitnick’s Interpretation of the Three Wave Attack

Written by Mitnick Security | Aug 16, 2017 12:00:00 AM

(Translated from Chinese using Google Translator)

He is Kevin Mitnick, known as the world's number one hacker.

As a result of stealing national secrets, he was wanted by the FBI, was arrested in 1995, and spent five years in jail. You would never have imagined that he is now a senior security adviser to the FBI, has set up a security company, and has transformed into a network security guard.

There are a few "legends" about him.

Legend I: the US government had him held in solitary confinement in prison? Yes, in order to prevent him from being a "demon".

Kevin Mitnick began to engage in hacking when he was in high school. For example, at the age of 16 he went to McDonald's to hack into the ordering machine. Of course, he did not do it to obtain free hamburgers for himself, but as mischief, to let others eat hamburgers for free!

The first law on cyber security was born in 1984, but as early as the 1970s, Kevin Mitnick was already engaged in hacking activities in areas the law did not reach.

Perhaps because of the habit of "feeling no legal control", Kevin Mitnick was arrested for the first time and charged in federal court, where the judge was influenced by a prosecutor's claims. The prosecutor said: "He is a very big threat to national security. We want to ensure that this person will not use any phone; even in prison he will not get a phone."

The prosecutor had a reason for saying this: there was almost nothing Kevin Mitnick could not obtain by deception. He could lure people into divulging a variety of information, including passwords, Internet accounts, and technical information. He also eavesdropped on technical staff over the phone, secretly monitored government officials' e-mail, and used human vulnerability to bring down the "Great Wall", and so on.

The prosecutor was afraid that once Kevin Mitnick touched a phone, he would use it to dial a modem's number, initiate another attack, and perhaps start the "third world war".

"I laughed in court, but the judge did not laugh, and for this reason I was imprisoned for another year in prison." Kevin Mitnick said helplessly.

Legend II: the penetration test success rate of Kevin Mitnick and his team is 100%.

"We are able to achieve a 100% success rate," Kevin Mitnick said firmly, "and on a global scale, if the customer asks us to do such a test."

"Master of Social Engineering" is not an empty title.

Kevin Mitnick said that as long as they use social engineering, they can get a company's employees to open an attachment or open a link. He also said on stage at CSS 2017 (the 3rd China Internet Security Leadership Summit): recently we had an employee decrypt a message from Hillary.

"For the attacker, there are actually some that are easy to attack," he said with understatement.

Fancy interpretation of three waves of invasion

The first wave: getting past the bank's access control

How did he break through the stringent monitoring of the bank building? Kevin Mitnick starts with the entry card.

First, you need to "steal" an access card.

In Kevin Mitnick's demo, he came to the first level of a financial institution during working hours. To get through the next door, you need an HID access card. Under normal circumstances, the attacker can only follow someone else in. But Kevin Mitnick realized that on this level there was one door that might not need any card: the bathroom! So he waited until someone entered the bathroom, then used a device to remotely steal the password from the access card.

On stage he gave this equipment a bit of a plug: the device costs as much as $300!

Through this device, he can copy a smart access card's information and write it to another blank card.

However, this equipment has to be close to the person whose card is being copied, so the attacker picks places such as a cafe, smoking room or bathroom, and may even conceal the device in a purse or another object. Once near the target, it copies the target's access card information instantly.

What if people do not get close to you? No problem: he has another piece of equipment, which can copy your card information from 3 feet away.

The most extreme example is that Kevin Mitnick demonstrated, at an American conference, how to use this device to copy the information of 150 cards at the same time!

The top social engineering guru also showed off a social engineering skill with another scenario!

He disguises himself as someone who wants to rent space in the office building. He first goes to the people who will show him around the floor, asking them a bunch of questions and saying things such as: we have dozens of people who need office space! How much is a 5-year lease, and if we lease for 10 years, will there be concessions?

Deliberately taking advantage of people, he then begins to play his trick: Oh, we have dozens of people, so do we need dozens of keys? Can we see your access card?

Then people may be convinced to show him the card, and with the small scanning device hidden in his pocket, a casual wave copies the card's information into his hands. Then he could invade the data center of the building.

Pick an important employee in the building. 

The second wave: lifting the laptop password

After getting into the enterprise, the intrusion does not start from the data center. Instead, he sneaks into the office of an important staff member who knows the operations of the company's computers. The computer there will generally have password protection.

Kevin Mitnick took out his MacBook Air and re-enacted how the computer's password is cracked.

Of course, this time Kevin Mitnick took another piece of equipment out of his treasure chest: a card-like device that connects directly through the USB access port, steals memory, and steals the user's password.

"This is a USB access port. Run this tool. You can activate the attack, reboot, it will proceed to the analysis program, after the restart, this is an exit of the machine. Sometimes this attack will not succeed because it's not always perfect. There is only one chance to test, if there is no restart, or you need to re-login," Kevin Mitnick said.

Interestingly, Kevin Mitnick's first attempt on his computer, which was powered on and at the lock screen, failed.

It turned out that Kevin Mitnick had conducted a number of rehearsals before the demonstration, and had not always restarted the device before the demo.

Kevin Mitnick succeeded on the second attempt: after some simple operations, the big screen at the venue showed his MacBook Air boot password.

Secretly I'll tell you that his boot password is: httpseverywhere.

However, it is useless for you to know it: "I will go back and change my password," Kevin Mitnick said.

The third wave: a WannaCry virus scenario!

What kind of mail will you receive? An extortion letter saying "You drop the geese in my hands" is no longer useful.

Kevin Mitnick seems able to guess the motive behind an email, and the version of the mail content he presented may get your computer infected with the WannaCry virus.

For example, a new customer or a new vendor has meetings of this kind over the Internet, and they will not doubt the authenticity of such a meeting invitation. So the attack begins with a meeting invitation email, which is easy to create.

Of course, the mail contains a link to a forged GoToMeeting page, where the user is asked to confirm participation in the meeting.

What the Lei Feng Network editor noted is that this page does not appear to have anything wrong with it: the layout and colors match the real GoToMeeting site, and you are asked to copy and paste the user ID to verify. In fact, this is a fake website, and the verification page induces the user to run a program that is presented as confirming attendance but is actually the WannaCry virus program.

BINGO! One click, and you are immediately hit!

Those who did not go to the CSS conference site may be sad this time: it is hard to get Kevin Mitnick's autograph, but he had 500 small gifts for the audience. According to Kevin Mitnick's introduction, this little gift looks like a card but is in fact an attack tool: a lock pick.

This enthusiastic review and other interesting articles can be found at the source.

Source: xcnnews