If security is a people, process and technology problem, the weakest link in the chain is the people, which explains why social engineering attacks are on the rise, says Kevin Mitnick.
Mitnick, a security consultant who was once imprisoned for five years for stealing source code, paints a disturbing picture of how easy it is to use social engineering to bypass expensive security systems.
Speaking at a recent LANDesk user conference in Florida, Mitnick said the number one target in companies today is the help desk, which has access to critical systems information. So, hackers find an employee name and call the desk pretending they’ve lost their password to see what the desk will ask for in terms of authentication.
Then they abandon the call on some pretense and go get what the desk has asked for.
Think you’re secure because your desk requires users to cough up one or more of these: Social Security number, date of birth, home address, phone number, driver’s license or mother’s maiden name? Mitnick pulled a volunteer out of the audience and, using a combination of free and inexpensive online services, within a few minutes had all of that.
“Companies that use these types of questions for employee authentication shouldn’t,” he said. “It should be a dynamic system.” Mitnick told how he used social engineering to steal the source code for Motorola’s StarTAC phone when it first came out.
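What the difference between static questions and a dynamic system looks like in practice, as an added example that is not code from the article, from Mitnick or from any vendor he mentions: the static knowledge-based check every help desk in the column relies on, beside a one-time challenge that is sent out of band to the phone number on the employee’s record rather than answered from facts the caller can look up. The employee record, phone number, server secret and timestamps are constructed for illustration.

```python
"""Help-desk caller verification: static KBA beside a dynamic one-time challenge.

Added example (not from the article or from Mitnick). The employee record,
phone number and server secret below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Constructed directory entry (hypothetical employee).
EMPLOYEE = {
    "username": "jsmith",
    "dob": "1975-03-14",
    "ssn_last4": "6789",
    "mothers_maiden": "Garcia",
    "registered_phone": "+1-555-0100",
}

CODE_TTL = 300      # seconds a one-time code stays valid
MAX_ATTEMPTS = 3    # wrong guesses allowed before the challenge is discarded


def verify_static_kba(record, answers):
    """Static knowledge-based authentication.

    Every answer is a fact about the employee that can be harvested from
    public records and data brokers, so a pass proves only that the caller
    did their homework, not that they are the employee."""
    return all(record.get(key) == value for key, value in answers.items())


class ChallengeStore:
    """Dynamic check: a fresh secret per call, delivered to a channel the
    employee already owns, time-bound, single-use and rate-limited."""

    def __init__(self, server_secret):
        self._secret = server_secret
        self._pending = {}  # username -> [hmac_tag, expires_at, attempts_left]

    def _tag(self, username, code):
        # Only an HMAC of the code is stored; a leaked store is not a code list.
        return hmac.new(self._secret, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, record, now=None):
        """Generate a 6-digit code and return (code, destination).

        The help desk never reads the code to the caller; it goes to the
        registered phone and the caller must read it back."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[record["username"]] = [self._tag(record["username"], code), now + CODE_TTL, MAX_ATTEMPTS]
        return code, record["registered_phone"]

    def verify(self, username, code, now=None):
        """Constant-time comparison; expired, exhausted or already-used
        challenges are removed so a code can neither be replayed nor brute-forced."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        tag, expires_at, _ = entry
        if now > expires_at:
            del self._pending[username]
            return False
        if hmac.compare_digest(tag, self._tag(username, code)):
            del self._pending[username]  # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]
        return False


def demo(now=1_700_000_000.0):
    """Run both checks against an attacker holding harvested PII and against
    the real employee; returns the outcomes so they can be asserted on."""
    store = ChallengeStore(b"constructed-server-secret")
    harvested = {"dob": "1975-03-14", "ssn_last4": "6789", "mothers_maiden": "Garcia"}
    results = {"static_check_passes_with_harvested_data": verify_static_kba(EMPLOYEE, harvested)}

    code, sent_to = store.issue(EMPLOYEE, now)
    results["code_sent_to_registered_phone"] = sent_to == EMPLOYEE["registered_phone"]
    wrong_guess = "000000" if code != "000000" else "000001"
    results["attacker_guess_accepted"] = store.verify("jsmith", wrong_guess, now)   # caller never saw the code
    results["employee_code_accepted"] = store.verify("jsmith", code, now + 30)      # read back from the real phone
    results["replay_accepted"] = store.verify("jsmith", code, now + 60)            # same code a second time

    code, _ = store.issue(EMPLOYEE, now)
    results["expired_code_accepted"] = store.verify("jsmith", code, now + CODE_TTL + 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The static check passes for anyone holding the harvested answers, which is exactly the demonstration Mitnick gave from the stage; the dynamic check fails for that caller because the secret was created for this call and delivered somewhere they do not control. The caveat a practitioner would add: the registered phone number has to be bound to the employee at onboarding and changed only through a verified process, or the attacker’s next call is to update it, and SMS delivery is itself vulnerable to SIM swapping, so an authenticator app or a callback to a number on file is stronger than a text.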
Walking from his office to his apartment, he called the company looking for the lead developer. He pretended to be from corporate R&D and got passed around a lot but finally reached the person’s assistant. She found the requested files and, with some coaching, tried to FTP them to an anonymous FTP account Mitnick controlled, but couldn’t because of some internal security restrictions.
Before he could protest, she put him on hold to talk to security, and came back with a proxy server workaround and sent the goods. All it took was a 20-minute phone call.
People are all too eager to help, Mitnick said, which is key to his first suggestion about how to fight back: You need to demonstrate to employees how these attacks work and what is at stake. And you need to modify politeness norms. “It’s OK to say no when someone asks for something sensitive,” he said.
If all of this isn’t scary enough, keep in mind that studies have shown that 35 to 70 per cent of users will give up their user name and password to anonymous callers saying they are from IT.
Maybe education should be your next big security investment.
Dix is editor of Network World (U.S.). He is at email@example.com.