Fame, it is said, fades gradually after the spotlight moves on, but in the case of ex-hacker Kevin Mitnick – the uber-hacker who hit the security headlines in the last century for a mildly amusing set of exploits, it seems his moment of fame – for the visiting IT experts at IP Expo yesterday, at least, has not gone away.
Mitnick first gained unauthorised access to a computer network in 1979, at 16, when a friend gave him the phone number for DEC’s computer network and he then copied the firm’s software, a crime he was charged with and convicted of in 1988. He was sentenced to 12 months in prison followed by three years of supervised release.
Near the end of his supervised release, he then hacked into the Pacific Bell voicemail computers and went on the run for two and a half years, during which time he hacked into multiple computer networks, using cloned mobiles to hide his location.
When he was apprehended in February 1995, he was found with cloned cellular phones, more than 100 cellular mobile codes, and multiple false IDs. He was subsequently handed down a lengthy term in prison.
Fast forward to 2013 and Mitnick is now an ex-hacker and a security consultant, giving a Q&A session with his audience at IP Expo.
Mitnick recalled his former life as a hacker, and said that social engineering – aka the art of deception – is about getting people to either give you information or perform an action.
Back in the 1970s, he said, it was different, adding that today, cybercriminals and hackers are using a hybrid of social engineering and client-side exploits to invade organisations.
It is, he explained, much easier to attack than defend and it does not matter what security software you have installed, it just takes one person in the targeted organisation to make a bad business decision and it is game over.
“Security is about people, processes and technology, and organisations need to bolster the weakest link, which invariably is the human element,” he advised.
AV only 60pc effective
Perhaps surprisingly for a security consultant, Mitnick was disparaging about anti-virus software, which he claims is only 60pc effective and will never prevent the human element from giving away their personal secrets.
These secrets, he says, can include emailed copies of Word or PDF documents, which can be extracted using social engineering techniques. On top of this, he adds, it is now relatively easy to incorporate trojans and other malware within these types of documents, and which can install malware or turn on the PC’s Web cam.
“You can have as much security as you want , but when one guy makes a mistake it gives them a foot in the door,” he said, adding that, from there, access can be gained to an entire network resource.