Mitnick In The News
Hacker exposes weakest links in corporate chain
Aug 31, 2016 - TE WAHA NUI, by Alexander Tange
American poacher turned gamekeeper demonstrates the tech tricks of his trade
The easiest way for cybercriminals and hacktivists to get access to Kiwi companies is through people, and businesses have not done enough to address it.
Reformed hacker Kevin Mitnick demonstrated those weaknesses at the ‘Cyber Threats’ event in Auckland last week.
Mr Mitnick showed a crowd of suited business executives, hooded hackers and programmers how he breached a major US start-up with a single email, how he could clone access cards just by standing next to victims, and how to exploit an Australasian online store to get a 97 per cent discount on items including laptops.
He was introduced by Kevin Kanji, associate director at Deloitte, a sponsor of Cyber Threats, held at the SkyCity Convention Centre.
“The truth is, even though data breaches and hacks get a lot of attention in the news, we haven’t done much about it in New Zealand,” said Mr Kanji before welcoming Mr Mitnick on stage.
The world-renowned hacker was arrested for hacking and wire fraud in 1995 after evading law enforcement for three years.
He served five years in jail, including eight months in solitary confinement because the judge feared he could launch nuclear missiles by whistling into a phone. Mr Mitnick now owns a security company where he and his team hack companies with their permission to highlight weak points in their systems.
Mr Mitnick emphasised that the easiest way to breach a company’s security was through its people. His company uses ‘social-engineering’ - a security term for coercing and manipulating people into sharing sensitive information, downloading malicious software or allowing access into systems without their knowledge.
“No matter how advanced technology a company has, a hacker can get in through social-engineering, and there’s no software on the market to avoid it,” Mr Mitnick said.
He showed how he gained access to a client by pretending to be a legitimate business and sending an email that gave him control over an employee’s computer. He came away with payroll information, intellectual property and access to technology.
“It’s not that people are stupid. We are just human beings, and our trust can be exploited,” said Mr Mitnick.
After Mr Mitnick’s demonstrations, a discussion followed with Anurag Madan, head of IT digital services at the Ministry of Social Development, Mr Kanji and Karen Scott-Howman, chief executive of the NZ Bankers’ Association.
“Kevin is very terrifying, and we have realised that hacking has become one of our top 10 threats globally over the last couple of years,” she said.
Mr Mitnick recommended companies educate their staff to avoid attacks, but said awareness campaigns such as posters and educational emails are not enough.
“Awareness alone does not work. Give your employees that ‘aha!’ moment, for example by exploiting them yourself or through companies such as mine. People will be much more aware if you fool them once,” Mr Mitnick said.