Hacker exposes weakest links in corporate chain

American poacher turned gamekeeper demonstrates the tech tricks of his trade

The easiest way for cybercriminals and hacktivists to get access to Kiwi companies is through people, and businesses have not done enough to address it.

Reformed hacker Kevin Mitnick demonstrated those weaknesses at the ‘Cyber Threats’ event in Auckland last week.

Mr Mitnick showed a crowd of suited business executives, hooded hackers and programmers how he breached a major US start-up with a single email, how he could clone access cards just by standing next to victims, and how to exploit an Australasian online store to get a 97 per cent discount on items including laptops.

He was introduced by Kevin Kanji, associate director at Deloitte, a sponsor of Cyber Threats, held at the SkyCity Convention Centre.

“The truth is, even though data breaches and hacks get a lot of attention in the news, we haven’t done much about it in New Zealand,” said Mr Kanji before welcoming Mr Mitnick on stage.

The world-renowned hacker was arrested for hacking and wire fraud in 1995 after evading law enforcement for three years.

He served five years in jail, including eight months in solitary confinement because the judge feared he could launch nuclear missiles by whistling into a phone. Mr Mitnick now owns a security company where he and his team hack companies with their permission to highlight weak points in their systems.

Mr Mitnick emphasised that the easiest way to breach a company’s security was through its people. His company uses ‘social-engineering’, a security term for coercing and manipulating people into sharing sensitive information, downloading malicious software or allowing access into systems without their knowledge.

“No matter how advanced technology a company has, a hacker can get in through social-engineering, and there’s no software on the market to avoid it,” Mr Mitnick said.

He showed how he gained access to a client by pretending to be a legitimate business and sending an email that gave him control over an employee’s computer. He came away with payroll information, intellectual property and access to technology.

“It’s not that people are stupid. We are just human beings, and our trust can be exploited,” said Mr Mitnick.

After Mr Mitnick’s demonstrations, a discussion followed with Anurag Madan, head of IT digital services at the Ministry of Social Development, Mr Kanji and Karen Scott-Howman, chief executive of the NZ Bankers’ Association.

“Kevin is very terrifying, and we have realised that hacking has become one of our top 10 threats globally over the last couple of years,” she said.

Mr Mitnick recommended that companies educate their staff to avoid attacks, but said awareness campaigns such as posters and educational emails are not enough.

“Awareness alone does not work. Give your employees that ‘aha!’ moment, for example by exploiting them yourself or through companies such as mine. People will be much more aware if you fool them once,” Mr Mitnick said.

