[ISN] World's greatest computer hacker raises alarm

From: InfoSec News (isnat_private)
Date: Fri Oct 04 2002 - 02:20:34 PDT


    By Simson Garfinkel
    October 03, 2002

    The Art of Deception: Controlling the Human Element of Security
    By Kevin Mitnick
    John Wiley & Sons
    304 pp., $27.50

    Kevin Mitnick may have been the greatest computer hacker the world has
    ever known. At least, the FBI treated him that way. In the 1980s,
    Mitnick allegedly broke into computer systems belonging to Pacific
    Bell, Digital Equipment, and the North American Air Defense Command.

    In the 1990s, Mitnick became the subject of a nationwide manhunt by
    the FBI. The New York Times ran a front-page story about his alleged
    attempts to steal cellular telephone software on July 4, 1994. He was
    finally apprehended by computer expert Tsutomu Shimomura on Feb. 15,

    Mitnick was held in jail for four years without facing trial because
    his attorney never had a chance to review the government's evidence
    against him. It was repeatedly withheld on the grounds that releasing
    it would compromise national security.

    Meanwhile, three books were published on Mitnick's capture, including
    one by Shimomura and John Markoff, the New York Times reporter who
    many say stepped over ethical lines and participated in the
    investigation. Disney and Miramax produced a movie on the caper. It
    premièred in France but was shut down by a combination of protests and
    a lawsuit.

    In the meantime, Mitnick's case became a cause célèbre among many in
    the shadowy world of the computer underground. When The New York Times
    website was hacked in September 1998, the hacker's message was that
    Mitnick had been unfairly targeted. Dozens of websites devote
    themselves to the treatment that Mitnick has received. Many others
    debunk the government's assertion that he was personally responsible
    for more than $80 million in corporate losses.

    This backstory is critically important for understanding Kevin
    Mitnick's first book, "The Art of Deception," in which the reformed
    hacker-turned-security-consultant explains in painstaking detail how
    the reliance on modern communications technology has made US
    businesses more vulnerable to 19th-century style cons and swindles.
    His book contains roughly two dozen case studies of "social
    engineering" in which a hacker successfully identifies a piece of
    information, gets it, and then vanishes.

    One such story describes how a man named Rick Daggot showed up one day
    at a small startup robotics company for a meeting with the company's
    founder and vice president. Daggot was friendly and well-dressed and
    claimed to be joining the company's team. There was just one problem:
    The founder wasn't in town; Daggot had inadvertently come on the wrong

    Trying to make the most of a bad situation, Daggot offered to take the
    company's receptionist and a few engineers out for lunch. Over drinks
    they talked about, what else, the company's top-secret project. A
    few days later, Daggot called back, saying that he was in touch with
    the founder, and that copies of several key documents should be sent
    to the founder's new e-mail account, the only one he could get working
    while he was traveling.

    Of course, the whole thing was a ruse. The founder was traveling, but
    Daggot worked for the competition. Having gained the trust of a few
    engineers and gotten the documents he needed, Daggot disappeared. When
    the founder returned, he called in the police, but was told that no
    crime had taken place. A few months later, the competitor announced a
    product that was nearly identical to the one described by the stolen

    Daggot's story is a good one, and there are a lot of them in "The Art
    of Deception." But alas, all of these stories have the same problem:
    None of them is true. Under the terms of Mitnick's plea bargain, he's
    prohibited from selling his story for 10 years. As a result, this book
    shines no light on the crimes that Mitnick allegedly perpetrated, or
    on the government's alleged excesses in prosecuting him.

    Ironically, it's Mitnick's reputation as a deceiver that gives him the
    credibility and even the moral authority to write this book. In
    interviews, Mitnick has confirmed that many of these stories are based
    on exploits from his past.

    Although some will accuse Mitnick of creating a handbook that teaches
    crooks how to break into organizations, the truth is that we all need
    to understand these con games to protect against them. To stress this
    point, his last two chapters contain policies, procedures, and
    training that companies can implement to further protect themselves.
    In keeping with his premise that the most damaging security
    penetrations are the result of deceit, not technical penetration,
    almost none of Mitnick's suggestions is technical in nature.

    The most important recommendation is that when somebody contacts you
    claiming to be from your organization, you need to verify that they
    are working for your organization, no matter whether they are asking
    for your help, offering to help you, or just trying to be friendly.

    A more controversial suggestion is that organizations should launch
    simulated "social engineering attacks" on their own employees.
    Although the training would be invaluable, Mitnick acknowledges that
    some companies might not want to intentionally lie to their employees.

    "Nine out of every 10 large corporations and government agencies have
    been attacked by computer intruders," states Mitnick, basing his
    analysis on the Computer Security Institute's annual survey. Let's
    hope that if they implement the strategies in this book, companies
    that are attacked won't be so easily penetrated.

    Simson Garfinkel is a graduate student at the MIT Laboratory for
    Computer Science, and the author of numerous books on computers,
    security, and privacy.
    ISN is currently hosted by Attrition.org
