Last week, Kevin Mitnick visited Melbourne as part of a tour. He spoke to an audience of security professionals from a wide range of different industries about his start as a black-hat hacker, i.e. using his skills to break into systems to steal data, through to his present career as a white-hat hacker, i.e. conducting penetration tests for major companies all over the world.
While Mitnick did break the law in the 1990s and was prosecuted, what’s interesting is that although his hacks might have used some tricky technical skills, they were far more dependent on one specific thing.
In his 16 years of working as a penetration tester, Mitnick’s company has never failed to break into a system – as long as he has been able to talk to people.
HUMAN ERROR OPENS ENTRY POINTS FOR HACKERS
While our IT systems hold valuable data such as financial records, technical designs and personal information, the real key to getting into those systems is hacking the humans.
During the day, I had the opportunity to interview Mitnick on stage. To illustrate some of his answers, Mitnick demonstrated some hacks. For example, in one simple scenario he sent a text message to my phone that looked like it was sent by my partner. All he needed was my phone number and my partner’s number and he was able to send a text asking for an account password.
The technical sophistication of this was very low – almost anyone can repeat the hack using online text messaging services. But the effect of breaching the trust of individuals can be devastating.
Although strong passwords, encryption, firewalls and security software are important, they can all be easily bypassed if a hacker can convince a legitimate user to hand over the keys to the fortress.
The hacker’s most powerful weapon is social engineering. Mitnick used social engineering to make telephone calls to whoever he wanted while under close guard during his months in solitary confinement. He was placed there because law enforcement officials were convinced he could launch a missile by phoning mission control and whistling into a phone.
WHAT CAN YOU DO TO PREVENT HUMAN ERROR?
Putting robust systems in place to protect your systems is critical. But supporting people with good processes that minimise the risk of them being manipulated by a bad actor is perhaps more important.
Some easy steps to take include:
- Always require two parties to sign off on any financial transactions.
- Rely on face-to-face or some other direct, non-electronic, means to verify important business interactions.
- View any request to access a system or conduct a transaction with scepticism until you have verified that the request is genuine.
Source: Data Protection Adviser