Information Security News mailing list archives

Mitnick teaches 'social engineering'


From: InfoSec News <isn () C4I ORG>
Date: Tue, 18 Jul 2000 01:10:31 -0500

http://dailynews.yahoo.com/h/zd/20000717/tc/mitnick_teaches_social_engineering__1.html

Monday July 17 05:15 PM EDT

By Robert Lemos, ZDNet News

The ex-hacker tells a capacity audience at H2K how he gained
unauthorized access to phone companies' networks.

NEW YORK -- Would you trust Kevin Mitnick? Dozens of administrators,
security personnel and phone operators did. That, he says, was one
reason he succeeded as a hacker.

In the early '90s, Mitnick had the run of many phone systems. On
Sunday, the celebrity hacker told hackers, wannabes and activists who
packed two rooms at Hacking on Planet Earth 2000 how he did it.

"Through social engineering, I gained the ability to obtain any
number, listed or unlisted," Mitnick said in a speech delivered by
phone from Los Angeles. "This really came easy to me -- manipulating
the telephone company."

Social engineering is basically pulling a con job, hacker-style. The
object is to get information or access to systems that are normally
only used by privileged users.

"(As) the media characterizes social engineering, hackers will call up
and ask for a password," Mitnick said. "I have never asked anyone for
their password."

It was the first talk Mitnick has given since his probation officer
gave him permission to lecture on hacking, work as a security
consultant and write articles on security.

Mitnick, 36, served almost five years behind bars for breaking into
computers, stealing data and abusing electronic communication systems.
Upon his release in January, Mitnick recanted his plea bargain,
claiming he had been railroaded by the authorities.

Social engineering 101

Mitnick is nothing if not persuasive. The California resident chatted
with H2K attendees about how he would build trust with administrators,
security personnel, and anyone else who might have the information or
access he needed.

"You try to make an emotional connection with the person on the other
side to create a sense of trust," he said. "That is the whole idea: to
create a sense of trust and then exploiting it."

As an introduction to the session, Eric Corley -- also known as
Emmanuel Goldstein, the publisher of the hacker magazine 2600 --
called AT&T Corp.'s internal security to inquire about a memo that
warned employees about the social engineering session.

Corley, who had a copy of the memo, posed as an AT&T employee who
wanted to know more about the memo and the "hacker threat." He talked
to an alleged security employee and confirmed the existence of the
memo, though no other privileged information was gained.

While the example seemed benign, it showed how willing people are to
trust someone on the other end of a phone call.

"I used to do a lot of improvising," Mitnick said. "I would try to
learn their internal lingo and tidbits of information that only an
employee would know."

Turning employees into skeptics

Mitnick also offered advice to businesses afraid that spies and
hackers may gain access to their internal systems using social
engineering.

"On the corporate side, as an employee, it all comes down to user
awareness and education," Mitnick said.

Proactively recording calls could increase security as well, he added.

"The 'monitoring this call for quality assurance' is really a
deterrent because you don't know whether they are listening to you,"
he said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
