Mitnick warns of 'holes in human firewall'

By Dave Glazier, ITWeb journalist
Johannesburg, 08 Mar 2006

Kevin Mitnick, CEO of Mitnick Security Consulting and famous reformed hacker, kicked off the ITWeb Security Summit this morning by explaining the techniques of social engineering and advising how one can avoid being duped.

"Social engineering is a form of hacking that uses deception to comply with requests to release information or execute some kind of action," he told a 400-strong audience at The Forum in Bryanston.

Mitnick believes successful social engineering can bypass all forms of anti-intrusion technologies.

Social engineering exploits trust, curiosity and poor security measures; it is often far easier than hacking a system, is low-risk for an attacker, is inexpensive and works across all operating systems and platforms, he noted.

"I hope that everybody will realise that a security system should be physical, technical, and should also address the human factor."

Help desks are the number one target in a company for social engineering, Mitnick added.

No stupidity patch

"There are many holes in the human firewall," Mitnick said. He explained that people have illusions of invulnerability, tend to implicitly trust others and want to help others, have perceptions that following security protocols is a waste of time, underestimate the value of information, and do not realise the consequences of passing on information.

He used the example of a study conducted in the UK which revealed that seven out of 10 office workers approached at London's Waterloo train station gave away their passwords and usernames in return for an Easter egg.

"You cannot download a patch for stupidity - unfortunately," he quipped.

Gathering information

When gathering information, the social engineer will normally try to find out the names of personnel within a company, which employees have recently been hired, the organisational structure, the terminology and lingo used at the organisation, the internal phone directory, and old newsletters.

The social engineer will also find ways of accessing more detailed staff information, including personal schedules, contact details, résumés, responsibilities, hobbies and interests, dial-up numbers, past newsgroup postings, driver's licence number and mother's maiden name.

Another popular method Mitnick confessed to using is 'dumpster diving' - going through trash to find memos, source code, old directories, project names and plans, employee names, discarded hard drives, and passwords that may have been scribbled on post-it notes.

Dumpster diving is legal in the US unless a 'no trespassing' sign is posted and the trash is located on private property.

He said the attacker then has to establish an identity, gain the target's trust through prior knowledge or inferences, and develop responses to overcome objections.

Demonstrating the ease with which someone can access personal details about an individual, Mitnick pulled up George Bush Senior's driver's licence number in about 15 seconds at the Web site Public Data.com.

Building resistance

He advised organisations to conduct role-playing exercises to demonstrate personal vulnerability, and modify company politeness norms to encourage people to say no to dubious requests.

Mitnick added that "one of the best ways to motivate people to become more aware of social engineering is to make them anticipate how foolish they would feel if they were manipulated".
