Information Security News mailing list archives

Mitnick Turns Gamekeeper


From: InfoSec News <isn () C4I ORG>
Date: Mon, 30 Oct 2000 21:27:01 -0600

http://www.techweb.com/wire/story/TWB20001030S0023

By Marcia Savage, CRN
10/30/00, 6:49 p.m. ET

LOS ANGELES -- Kevin Mitnick used to make life miserable for corporate
IT managers by breaking into computer systems. Now he's making it his
business to help them secure their networks against hackers.

Mitnick, who was released from prison earlier this year after nearly
five years there, offered tips on information security to IT
professionals at the Giga Information Group Infrastructures for
E-Business conference, held here last month.

"Even though you've bought the best security products, some people
will break through," said Mitnick, whose business card identifies him
as an information security consultant. "There's no sure-fire way to
protect yourself. You have to manage the risk. There's no way you can
eliminate it."

Mitnick offered insight into the hacker mindset, and it was none too
comforting: "The more secure you make your systems, the more it
attracts them." Hackers are driven by a curiosity to explore the
network and to obtain "forbidden knowledge," he said.

Hacking doesn't necessarily involve technical computer skills, said
the 37-year-old Mitnick. Someone can fool an employee into disclosing
a password or into doing something on a computer, a technique called
social engineering.

The larger a company is, the more vulnerable it is to social
engineering. It's easier for an attacker to pretend to be someone else
in the company in an environment where employees don't all know each
other, Mitnick said.

Attackers who use social engineering try to establish an emotional
connection with an employee via friendliness, intimidation, or by
gaining sympathy, he said. He recommended training employees about the
risks of social engineering. A recorded message on incoming calls
announcing that phone conversations are recorded will also help deter
hackers.

While employees may unwittingly give information that lets an intruder
into the network, they also choose weak passwords, Mitnick said. Short
passwords are easy to crack, and workers often post their passwords on
notes stuck to their computers.

To reduce the risk, Mitnick suggested companies take the following
steps: Use password-management software to help employees choose
strong passwords; have password expiration; and create stronger
authentication by combining passwords with biometrics.

Mitnick said companies also need to take precautions against another
technique used by attackers to obtain confidential information:
dumpster diving. Shredding documents, reviewing what's put into the
recycling bin, and erasing or destroying magnetic media are ways to
minimize that risk.

Overall, securing an e-business means educating employees about the
importance of information security, Mitnick said.

"Motivate all your employees to make security their business," he
said.

Some IT professionals may be suspicious of taking security advice from
someone who used to hack systems, but Bret Greenstein was impressed by
Mitnick's talk.

"If you don't know the enemy, you don't know what you're up against,"
said Greenstein, who manages Web infrastructure for a large
corporation.

Steve Hunt, analyst at Giga, Cambridge, Mass., said Giga (stock: GIGX)
caught a lot of criticism for inviting Mitnick to speak. But "Kevin
has simply helped us open our eyes as to what the risks are," he said.

Mitnick was accused of causing millions of dollars in damage to
technology companies, including Motorola, and was imprisoned after a
three-year FBI manhunt that ended in 1995. He pleaded guilty to wire
fraud and computer fraud, but said the charges were overblown and he
knew he wouldn't get a fair trial. He claimed the FBI wanted to make
an example of him.

While Mitnick says he's getting a lot of job offers, he's limited in
what he can do. Under the terms of his supervised release, he's barred
from using computers, advising anyone who uses a computer, and from
traveling outside of central California. To do any computer-related
work, he must receive approval from his parole officer, who gave him
permission to speak at the Giga conference.

When he was 16, Mitnick became a "phone phreaker" and broke into phone
networks. He said he learned social engineering from phone phreaking.

Now, he said his goal is to use his experience to help others with
computer security. Mitnick said he can help companies without them
giving him "the keys to the kingdom."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com