Information Security News mailing list archives
Mitnick Turns Gamekeeper
From: InfoSec News <isn () C4I ORG>
Date: Mon, 30 Oct 2000 21:27:01 -0600
http://www.techweb.com/wire/story/TWB20001030S0023

By Marcia Savage, CRN
10/30/00, 6:49 p.m. ET

LOS ANGELES -- Kevin Mitnick used to make life miserable for corporate IT managers by breaking into computer systems. Now he's making it his business to help them secure their networks against hackers.

Mitnick, who was released from prison earlier this year after nearly five years there, offered tips on information security to IT professionals at the Giga Information Group Infrastructures for E-Business conference, held here last month.

"Even though you've bought the best security products, some people will break through," said Mitnick, whose business card identifies him as an information security consultant. "There's no sure-fire way to protect yourself. You have to manage the risk. There's no way you can eliminate it."

Mitnick offered insight into the hacker mindset, and it was none too comforting: "The more secure you make your systems, the more it attracts them." Hackers are driven by a curiosity to explore the network and to obtain "forbidden knowledge," he said.

Hacking doesn't necessarily involve technical computer skills, said the 37-year-old Mitnick. Someone can fool an employee into disclosing a password or into doing something on a computer, a technique called social engineering.

The larger a company is, the more vulnerable it is to social engineering. It's easier for an attacker to pretend to be someone else in the company in an environment where employees don't all know each other, Mitnick said.

Attackers who use social engineering try to establish an emotional connection with an employee via friendliness, intimidation, or by gaining sympathy, he said. He recommended training employees about the risks of social engineering. A taped recording on incoming calls announcing that phone conversations are recorded also will help deter hackers.
While employees may unwittingly give information that lets an intruder into the network, they also choose weak passwords, Mitnick said. Short passwords are easy to crack, and workers often post their passwords on notes stuck to their computers.

To reduce the risk, Mitnick suggested companies take the following steps: use password-management software to help employees choose strong passwords; have password expiration; and create stronger authentication by combining passwords with biometrics.

Mitnick said companies also need to take precautions against another technique used by attackers to obtain confidential information: dumpster diving. Shredding documents, reviewing what's put into the recycling bin, and erasing or destroying magnetic media are ways to minimize that risk.

Overall, securing an e-business means educating employees about the importance of information security, Mitnick said. "Motivate all your employees to make security their business," he said.

Some IT professionals may be suspicious of taking security advice from someone who used to hack systems, but Bret Greenstein was impressed by Mitnick's talk. "If you don't know the enemy, you don't know what you're up against," said Greenstein, who manages Web infrastructure for a large corporation.

Steve Hunt, analyst at Giga, Cambridge, Mass., said Giga (stock: GIGX) caught a lot of criticism for inviting Mitnick to speak. But "Kevin has simply helped us open our eyes as to what the risks are," he said.

Mitnick was accused of causing millions of dollars in damage to technology companies, including Motorola, and was imprisoned after a three-year FBI manhunt that ended in 1995. He pleaded guilty to wire fraud and computer fraud, but said the charges were overblown and he knew he wouldn't get a fair trial. He claimed the FBI wanted to make an example of him.

While Mitnick says he's getting a lot of job offers, he's limited in what he can do.
Under the terms of his supervised release, he's barred from using computers, advising anyone who uses a computer, and from traveling outside of central California. To do any computer-related work, he must receive approval from his parole officer, who gave him permission to speak at the Giga conference.

When he was 16, Mitnick became a "phone phreaker" and broke into phone networks. He said he learned social engineering from phone phreaking. Now, he said his goal is to use his experience to help others with computer security. Mitnick said he can help companies without them giving him "the keys to the kingdom."

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
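The article's password points (short passwords crack quickly; use software to push employees toward strong ones) as an added worked example. This is not code from the article, from Mitnick, or from any product it names. The common-password list, the 12-character minimum, the character-class sizes and the 10^10 guesses-per-second cracking rate are assumptions chosen for illustration; the brute-force estimate is a keyspace calculation, not a claim about any particular hash or hardware.

```python
import math
import string

# Constructed, tiny stand-in for a breached-password corpus (assumption for the example).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}

# Assumed offline guessing rate for the time estimate; real rates depend on the
# hash function and the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 10**10

# Assumed policy minimum length.
MIN_LENGTH = 12


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes the password draws from.

    This is the alphabet a brute-force attacker who knows the policy would enumerate.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    if " " in pw:
        size += 1
    return size


def keyspace_bits(pw: str) -> float:
    """log2 of the exhaustive search space for a password of this length and alphabet."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def seconds_to_exhaust(pw: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate the whole keyspace at the assumed guess rate."""
    return (2 ** keyspace_bits(pw)) / rate


def check_password(pw: str) -> dict:
    """Apply the policy and return a report; 'reasons' is empty when the password is accepted."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) >= 3 and all(c == pw[0] for c in pw):
        reasons.append("single repeated character")
    return {
        "accepted": not reasons,
        "reasons": reasons,
        "length": len(pw),
        "charset": charset_size(pw),
        "bits": round(keyspace_bits(pw), 1),
        "brute_force_seconds": seconds_to_exhaust(pw),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a common word, a short mixed-class string, a long passphrase.
    for candidate in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        report = check_password(candidate)
        print(f"{candidate!r}: accepted={report['accepted']} "
              f"bits={report['bits']} exhaust={report['brute_force_seconds']:.3g}s "
              f"reasons={report['reasons']}")
```

The keyspace grows as alphabet^length, so each added character multiplies the attacker's work by the alphabet size; that is why the check rejects on length before it looks at anything else, and why the dictionary check comes first regardless of length (a long common word has a large nominal keyspace but is found on the first few guesses).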
Current thread:
- Mitnick Turns Gamekeeper InfoSec News (Oct 31)
- <Possible follow-ups>
- Re: Mitnick Turns Gamekeeper Sadler, Connie J (Nov 02)