[ISN] Companies exposed to 'social engineers' - Mitnick

From: InfoSec News (isnat_private)
Date: Wed Sep 04 2002 - 22:42:46 PDT


    http://www.infoconomy.com/pages/news-and-gossip/group66338.adp
    
    Graeme Burton
    gburtonat_private
    Date: 4 September 2002
    
    Companies are leaving themselves exposed to hackers because of a lack
    of awareness of the 'social engineering' techniques deployed by the
    most dangerous attackers, according to former hacker Kevin Mitnick.
    
    "A lot of people think they are not gullible, that they can't be
    manipulated, but nothing could be further from the truth," says
    Mitnick. He claims that using such techniques - combined with
    substantial technical know-how - he was able to break into all but one
    of the systems he targeted in a 15-year hacking career.
    
    Social engineers attempt to break into systems by persuading
    unwitting staff to part with vital information, including login names
    and passwords. "The threat of social engineering is substantial.
    People ought to know that you can buy the best technology in the world
    and it won't protect the organisation against social engineering," he
    says.
    
    A lack of training means that staff are often unaware of the dangers
    and will hand over sensitive information to strangers on the phone
    posing as someone else in the company.
    
    For example, Mitnick was able to take control of US telecoms operator
    Sprint's switching equipment by calling the company and posing as an
    engineer from switch maker Nortel Networks. Staff were persuaded to
    hand over login names and passwords for the switches so that the
    'Nortel engineer' could perform remote maintenance.
    
    In addition, security procedures are frequently undermined by senior
    executives who demand that staff bend the rules when they want
    something done immediately. As a result, staff often will not question
    a request purporting to come from the CEO's office, for example.
    
    Social engineers normally do a lot of research into their targets
    before attacking. "A social engineer needs to understand the corporate
    culture, the corporate structure, the organisational chart, who has
    access to what information, where in the company that information
    resides," says Mitnick.
    
    Such valuable data can often be found in the company's rubbish bins -
    which ought to be locked and kept on private property. Sensitive files
    should be shredded before they are thrown out, he advises.
    
    Mitnick says that in addition to the usual technical security
    procedures - regular port scanning, for example - organisations need
    to more rigorously enforce security policies and train staff to be
    alert to the dangers posed by social engineers, particularly in
    companies that might be targeted by industrial spies.
    
    Kevin Mitnick earned notoriety in the 1980s and 1990s for his apparent
    ability to break into telephone and computer systems across the world
    at will. He was arrested six times, and his last capture resulted in a
    five-year jail term - the heaviest sentence ever handed down for a
    hacker. Now, the 38-year-old Mitnick has 'gone straight', offering a
    rare insight into how hackers really operate.
    
    [...]
    
    
    
    


