Two years ago, computer security companies bragged about hiring former hackers--who better to plug security holes, the thinking went, than the folks who were so good at finding and exploiting them?
But ever since the passage of the Patriot Act in October 2001, with its stern penalties for hacking, that kind of thinking has fallen out of fashion. Generally, I think that's a good thing: I don't think convicted hackers should be rewarded or become celebrities simply because of their crimes. The same holds true for those who've escaped prosecution.
That said, I think Kevin Mitnick, who spoke at the RSA conference, and others like him have some valuable lessons to teach anyone who's concerned about security.
As you may recall, Mitnick was convicted of a variety of hacking offenses in the early 1990s; in 1995, he was sentenced to five years in jail. That sentence also included three years of probation, during which he was forbidden from using a computer. (He was granted an exemption to use a word processor to write a book.) In February of this year, Mitnick was finally allowed to access the World Wide Web again. He now runs his own consultancy and travels the conference circuit. Judging by the standing-room-only crowd at RSA, he's a bona fide hit.
While there's no doubting Mitnick's proficiency at exploiting digital systems, what separated him from other hackers was his mastery of so-called "social engineering." For example, in what he calls "pretexting," Mitnick was able to extract sensitive, inside information from companies and individuals. Pretexters take advantage of human vulnerabilities to extract exploitable information from even the most casual of exchanges.
Consider one case. In the early 1990s, Mitnick heard about a new Motorola cell phone and wanted to see its source code. He started by calling the company's toll-free number. Under the pretext that he was a developer working on a project connected to the new phone, he was connected to the voicemail of someone in charge of the project. Luckily for Mitnick, the voicemail indicated the person was on vacation, and that calls should be directed to another person. When Mitnick spoke to that second person, she (perhaps not wanting to look bad) went out of her way to make sure he got the information he was looking for.
The trick to good pretexting, says Mitnick, is improvisation. Knowing how much information to give, when to give it, and always allowing yourself an "out" helped him get as far as he did. In some cases he was able to obtain the information he needed in a matter of minutes; in others, he milked a contact over a series of weeks or months.
It also takes a fair amount of research to become a good pretexter. Knowing a company's internal structure and corporate lingo helps, particularly when a suspicious contact begins asking detailed questions. Much of that research can now be done online.
Ultimately, that's the unfortunate message that Mitnick is out to deliver: It's hard to defend against social engineering. That's because human beings tend to give others the benefit of the doubt; people naturally want to help. Mitnick says this vulnerability can be exploited.
One trick he employed was to call a potential contact pretending to be a member of the company's IT department "regarding that Outlook problem." Even if the person hadn't filed a Help ticket, there's a high probability that he or she needed some help with Outlook. In return, the person was often willing to provide him with further information.
Can pretexters be thwarted? Mitnick says education can help. He contends that most people don't realise the value of information they freely release to the world. Consider that voicemail at Motorola. Mitnick used it to find out who could help him, and it helped him reinforce his story with the "inside" knowledge that the primary contact was on vacation. Armed with the contact's full name, he could have run a Google search and found a newsgroup chat or Web page in which that person was involved. Under the cover of a "shared" interest, he could have further put the potential contact at ease over the phone.
Mitnick's key lesson here is that there's more to information security than battening down the network. It must also include the ways you deal with unsolicited callers. For example, your company's phone system should be configured so outside callers can see only the public reception phone number, not individual desk extensions. Callers who dial your company's toll-free line should be informed that the call might be recorded--a definite deterrent.
Mitnick further suggests that companies adopt what he calls a "human firewall." Companies should classify and limit access to critical business documents, develop and enforce a security policy (such as assigning access rights to each user), and create an incident-response plan to handle breaches of corporate security.
Meanwhile, we can all start being more careful about the information we make public. For example, don't publish your address, phone, or social security number on your online resume. Instead, provide these details only on request. You might also want to remove your e-mail address from personal Web sites (unless it's a secondary address you've set up to screen out spam and unsolicited contacts); ditto for newsgroups you post to frequently.
It's not enough to have a firewall between you and the Internet. We also need to think about how public information might be used by others. For companies, that could mean keeping corporate org charts off the Net. For you and me, it means following some simple common sense: Do you really want to publish a map showing where you live on your personal Web site?
Have you ever considered the ways public information about you or your company might be used against you? Why or why not? TalkBack below or e-mail edit@zdnet.com.au.