Celebrity, ex-crim and possibly the world's most infamous hacker, Kevin Mitnick expounded on 'social engineering' to computer security professionals in Sydney on Wednesday via videoconference.
Mitnick once made a hobby out of breaking into computer systems, causing many network administrators - not to mention the FBI - a lot of grief in the process. Now, from his base in California, he advises professionals on how to counter the tactics that hackers employ.
His message, in short, is that malicious hackers don't need to use covert computer wizardry to break into networks. Instead they often dupe an employee into giving them a password or other information. This practice Mitnick labels "social engineering".
"The greatest threat to security is the human element, the people," Mitnick said, at the SecurIT - Technology & Beyond conference in Sydney this morning.
"If an individual or spy wants to break into a network, why would they use technology when they could make a phone call to a trusted employee and get information they need?" Mitnick asked.
Mitnick, who is not allowed to use a computer until January 2003 as part of his parole conditions, shared tales of confidence tricks he had witnessed that demonstrate the ease with which an attacker can get information to gain access to a network. Whether he was relating his own exploits or not, no one was sure.
Larger enterprises are particularly at risk, according to Mitnick. A large number of employees across multiple locations, together with a lack of security policies and awareness, are all factors that increase an enterprise's exposure.
Mitnick said it comes down to human nature.
"We implicitly trust people. People always desire to help one another. We are all naive to a point. A social engineer uses deception to get people to release information that gives an attacker access to a system," he said.
Enterprises need to educate employees that security is everyone's responsibility. To do this, Mitnick suggests reminding staff they have something at stake. Companies hold and protect employee information such as banking, superannuation and tax details.
"Motivate your employees to pitch in and become part of the solution, not the problem," he said. "Employees need to make security part of their daily responsibility."
Employees should be involved in the process of building security policies and be aware of social engineering techniques used by attackers, Mitnick said.
Sometimes employees are unaware of what information is considered classified. A company phonebook, for instance, is a "gold mine" for attackers.
"Company phone directories list everyone's name, the departments everyone works in and their extension. It's a goldmine and some enterprises don't even classify it as sensitive," he said. "Back in the 80s, when we were phone phreaking, we'd look in dumpsters on dumpster nights for this kind of valuable company information."
Once an attacker gets this information, he can name-drop to imply authority and gain trust. He could target any department, such as calling a systems administrator and posing as a vendor offering help, Mitnick said.
Mitnick also painted the profile of the social engineer as one who is comfortable lying to others and adept at reading responses. They will flatter, flirt, name-drop and lie to get information. The hacker could be looking to change information, create a new user account or obtain dial-up numbers, IP addresses or passwords.
"The golden rule is: verify, verify, verify," he said.