Hacker Mitnick preaches social engineering awareness

SYDNEY -- Properly trained staff, not technology, is the best protection against social engineering attacks on sensitive information, according to security consultant and celebrity hacker Kevin Mitnick.

"People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls," Mitnick said. "Technology is critical but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics."

During his keynote address at this year's Citrix iForum conference in Sydney Thursday, Mitnick said hackers are analyzing the "bigger picture" and are looking for the weakest link, which is "people like you and me".

"Why do hackers use social engineering? It's easier than exploiting a technology vulnerability," he said. "You can't go and download a Windows update for stupidity... or gullibility."

Mitnick said social engineering appeals to hackers because the Internet is so widespread, it evades all intrusion detection systems, it's free or very low cost, it's low risk, it works on every operating system, leaves no audit trail, is nearly 100 percent effective, and there is a general lack of awareness of the problem.

"Social engineering attacks can be simple or complex and take from minutes to years," he said, adding that surveys have revealed that nine out of 10 people will give their password in exchange for a chocolate Easter egg.

Mitnick spoke of how social engineering has been used to extract millions of dollars from banks and how he used the technique to siphon source code for a mobile phone out of Motorola by posing as an employee in its own R&D department.

Mitnick also mentioned how he is not immune to the social engineering scourge and was sent an e-mail 'phishing' for information from his PayPal account earlier this year.

"The attacks are real and the threat is real so I encourage everyone to do something about it," he said, adding the main target is the helpdesk because "it's there to help".

Pretexting, where the hacker takes on an acting role, is the heart of social engineering, Mitnick said, because people need reasonable justification to fulfill a request.

Hackers establish an identity and role, build a rapport through linking or other influence tactics, and leave an "out" to avoid "burning" the source.

Intelligence gathering exercises may include seeking titles of company positions so hackers know who to target, and good old "dumpster diving" where the company's garbage is screened for information.

Mitnick said even large companies participate in dumpster diving, as Oracle was recently caught sifting through Microsoft's garbage. When Mitnick was 17, he did some dumpster diving and found an employee directory and source code in piles of rubbish.

To combat social engineering attacks, Mitnick said organizations need to build a "human firewall" and fill existing holes such as illusions of invulnerability. "It can happen to anyone," he said. "People naturally want to help people and underestimate the value of information."

Mitigation techniques begin with top management buy-in and demonstrating personal vulnerability.

"Establish an employee participation program," he said. "Develop simple rules to define what is sensitive information [and] build a human firewall by raising awareness."

Mitnick recommends performing social engineering pen-tests, and not forgetting the periodic dumpster diving, and modifying the organization's politeness norms - "it's OK to say No!

"Use technology to remove employee decision making," he said. "The big challenge is to balance productivity and sensitivity."