Kevin Mitnick, a famous hacker who went to federal prison in the 1990s, fields questions from the audience at the Virginia Cyber Convention & Expo in Virginia Beach on Oct. 6, 2016. Mitnick now helps companies avoid being hacked, and was the keynote speaker at the expo.
Paranoid? You might want to be.
Kevin Mitnick, the U.S. hacker turned cybersecurity consultant, on Thursday showed a few hundred people just how easily he could take over a person’s computer, copy a secure keycard and steal an identity – if he wanted to.
It’s the cyberattack two-step: Con, then exploit.
The targets of the con are generally people who can be fooled, whether it’s a convincing link or pop-up or plugging in a free thumb drive from a recent work conference.
“At the end of the day, the bad guy is going to attack the weakest link in your technology,” he said.
That weakness: people.
Mitnick was sent to federal prison in the 1990s for wire fraud and other charges and now frequents the cybersecurity speaking circuit. He told the crowd that companies should test their own workers, take as many tech decisions out of employee hands as possible, ensure firewalls are keeping bad traffic not only from getting in but also from getting out, encourage people who must open suspicious documents to do so in Google Drive, and emphasize it’s OK to say “No” when a request for information doesn’t seem right.
Web surfing via a public Wi-Fi network? A hacker could be pretending to be a legitimate network waiting for someone to log in so he or she can watch in real-time as usernames and passwords are typed. Mitnick’s advice: subscribe to a monthly virtual private network service and connect to it.
Tech support can’t download a patch for stupidity, he reminded the crowd.
His show was the main event of the daylong Virginia Cyber Convention & Expo sponsored by the nonprofit Cyber Protection Resources and Virginia Beach’s economic development agency.
Scott Schober, a New Jersey-based CEO of a company that detects unauthorized cellphones and who wrote, “Hacked Again – It Can Happen to Anyone Even a Cybersecurity Expert,” was one of three volunteers from the crowd to let Mitnick prove his points. In his case, Mitnick asked for his name and the state where he lives. Two quick online searches for $1 each revealed Schober’s Social Security number, phone numbers, home address and date of birth.
Afterward, Schober said it was “pretty scary,” but not surprising.
“We’re often focused on the password,” or multi-factor authentication, for protection, but people also have to be careful about how much they reveal about themselves on the phone, in an email or even in person, he said.
Mitnick also showed how a device that could fit inside a small backpack or a binder could capture secure keycard information from a few feet away and how a person’s text messages could be co-opted so it appears they’re coming from someone the victim knows when they’re not.
How can people tell if they’ve fallen victim to an attack? If it’s ransomware, it’s easy – the hackers want a person to know so he or she will pay up to take back control. If not, detecting an attack is even more difficult than defending against one, unless you or your intrusion detection software knows what to look for.
Mitnick said a client who had hired him asked him to test a couple of specific administrative accounts in the client’s company with a phishing attack. What the client didn’t know is that Mitnick’s company had already gained access.
One of Mitnick’s few shreds of optimism: Don’t expect a cyber 9/11 or Armageddon, the kind that could bring a widespread power grid outage.
“I think that’s a long shot,” Mitnick said, noting that deregulation has made attacks of that scale in the United States a difficult thing to do.
Of course, cyberespionage by nation states is already happening.
In another panel at the convention, Toni Gidwani with Arlington-based ThreatConnect walked through the company’s analysis of the recent hacks of the Democratic National Committee and Democratic Congressional Campaign Committee and the Russian groups that appear to be behind them.
It too involved some of the same human errors that Mitnick warned about during his speech, including a convincing-looking campaign donation website and a link in an email that appeared to be from Google’s Gmail security division (it wasn’t) telling a DNC field director he needed to reset his password.
“They now own your inbox,” said Gidwani, ThreatConnect’s director of analysis and production.
There’s no traveling to a time before a link was clicked, but what can help? Gidwani said two-factor authentication, which requires a pass code from a separate designated device, is important.
“Targeting the user is a very common tactic for these groups,” she said.
Source: The Virginian-Pilot