ZDNet UK

CBS INTERACTIVE UK BUSINESS SITES:
BNET UK
silicon.com
ZDNet.co.uk

You are here: ZDNet.co.uk > News > Security

Security threats Toolkit

Kevin Mitnick: The great pretender

Tom Espiner ZDNet.co.uk

Published: 14 Jun 2006 11:40 BST

Ten years ago there wasn't much of a World Wide Web to exploit, but there were still hackers — or more accurately crackers. Without the current glut of naive Web users to exploit, would-be cyber-thieves and vandals had to be somewhat more creative, and one of the most creative and infamous was Kevin Mitnick.

Arrested by the FBI in 1995 and convicted of breaking into the systems of Fujitsu Siemens, Nokia and Sun Microsystems, Mitnick served five years in prison — eight months of it in solitary confinement.

In his days on the wrong side of the law, Mitnick used so-called social engineering techniques to fool users into handing over sensitive information. Rather than overt technical hacks, he was able to convince employees to hand over information that enabled him to hack systems, while redirecting telephone signals to avoid detection by the authorities.

Following his run in with law, Mitnick now puts his powers of persuasion to good, running a company that advises businesses on avoiding social engineering attacks.

ZDNet UK caught up with the ex-cracker, ahead of his keynote speech on the "art of deception" at the MIS CISO Executive Summit in Barcelona, to discuss developments in social engineering, new US laws monitoring telephone systems, and alleged "NASA hacker" Gary McKinnon's impending extradition to the US.

Q: How big a problem is social engineering for businesses? Is it becoming a more widely used tactic?
A: It's a substantial problem — a lot of malware is associated with social engineering. Social engineering plays a big part in exploiting known vulnerabilities in software.

Are you seeing any new attack methods?
They use the same methods they always have — using a ruse to deceive, influence, or trick people into revealing information that benefits the attackers. These attacks are initiated, and in a lot of cases the victim doesn't realise. Social engineering plays a large part in the propagation of spyware. Usually attacks are blended, exploiting technological vulnerabilities and social engineering.

What can businesses do to safeguard themselves?
Businesses should train people to try to recognise possible attacks.

What are some of the give-away signs to look for in a potential social engineering attack?
Mostly it's gut instinct — if something doesn't look or feel right. If someone is calling on the telephone, but they...