Information Security News mailing list archives

Companies exposed to 'social engineers' - Mitnick


From: InfoSec News <isn () c4i org>
Date: Thu, 5 Sep 2002 00:42:46 -0500 (CDT)

http://www.infoconomy.com/pages/news-and-gossip/group66338.adp

Graeme Burton
gburton () infoconomy com
Date: 4 September 2002

Companies are leaving themselves exposed to hackers because of a lack
of awareness of the 'social engineering' techniques deployed by the
most dangerous attackers, according to former hacker Kevin Mitnick.

"A lot of people think they are not gullible, that they can't be
manipulated, but nothing could be further from the truth," says
Mitnick. He claims that using such techniques - combined with
substantial technical know-how - he was able to break into all but one
of the systems he targeted in a 15-year hacking career.

Social engineers attempt to break into systems by persuading
unwitting staff to part with vital information, including login names
and passwords. "The threat of social engineering is substantial.
People ought to know that you can buy the best technology in the world
and it won't protect the organisation against social engineering," he
says.

A lack of training means that staff are often unaware of the dangers
and will hand over sensitive information to strangers on the phone
posing as someone else in the company.

For example, Mitnick was able to take control of US telecoms operator
Sprint's switching equipment by calling the company and posing as an
engineer from switch maker Nortel Networks. Staff were persuaded to
hand over login names and passwords for the switches so that the
'Nortel engineer' could perform remote maintenance.

In addition, security procedures are frequently undermined by senior
executives who demand that staff bend the rules when they want
something done immediately. As a result, staff often will not question
a request purporting to come from the CEO's office, for example.

Social engineers normally do a lot of research into their targets
before attacking. "A social engineer needs to understand the corporate
culture, the corporate structure, the organisational chart, who has
access to what information, where in the company that information
resides," says Mitnick.

Such valuable data can often be found in the company's rubbish bins -
which ought to be locked and kept on private property. Sensitive files
should be shredded before they are thrown out, he advises.

Mitnick says that in addition to the usual technical security
procedures - regular port scanning, for example - organisations need
to more rigorously enforce security policies and train staff to be
alert to the dangers posed by social engineers, particularly in
companies that might be targeted by industrial spies.

Kevin Mitnick earned notoriety in the 1980s and 1990s for his apparent
ability to break into telephone and computer systems across the world
at will. Arrested six times, his last capture resulted in a five-year
jail term - the heaviest sentence ever handed down for a hacker. Now,
38-year-old Mitnick has 'gone straight', offering a rare insight into
how hackers really operate.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.