The Kevin Mitnick Legacy is Alive and Well

So who is Kevin Mitnick and why do I care? For most of us focused on security this is an easy question to answer. One could call Kevin the Father of Social Engineering, although Social Engineering has been around a lot longer than Kevin. In the context of modern cracking, Kevin certainly has a reputation for using Social Engineering to crack into systems. A really cool example of Social Engineering was put on display at this year's Defcon in the "Capture the Flag Contest". Therefore, I thought we should spend a little time talking about Social Engineering, especially for small business.

Awareness, Awareness, Awareness!

The best defense is to ensure that we understand the threat and that we have communicated it well to our employees. Social Engineering is the attacker's path of least resistance. Why spend time developing malware, phishing attacks, or any other devious technology for stealing something when you can just get someone to give it away freely and of their own volition? Remember, our weakest link seems to always lead us back to that notorious "human factor". Even the best policies do not work if they are not communicated and enforced. Having the best technical defenses will not make us secure if our people are not well informed and do not know what to protect and what the threats are to the assets we are trying to protect.


For Social Engineering, probably the best way to understand the threat is to give you some real world examples of things attackers do. Let me give you a scenario for how Social Engineering can occur. Many of us use Social Media to market ourselves as individuals and businesses. We also put up web sites that profile our companies, products, and successes, and may profile the people that manage our company or sit on our Board of Directors. Just how much information do we give away?


Let's suppose I want to target your small company. What can I find when I Google your company name, and what will I find in Bing? Can I find things on Facebook about your company and employees? Can I search Dun & Bradstreet or news articles to find out who manages your company and sits on your board of directors? Once I find out a few names, what can I find out about them personally? Will I see Twitter accounts, or find them on sites like Spokeo.com, LinkedIn.com, Classmates.com, Whitepages.com, Mylife.com, Peoplefinder.com, Peekyou.com, Zoominfo.com, Corporationwiki.com, Peop.lead411.com, Myspace.com or others? These are just a few that showed up when I searched my own name. Someone who sits on one Board of Directors usually sits on others, so other business web sites will also show up. How long do you think it will take for me to figure out where you went to school, when you graduated, where you live, who your wife and children are, what conferences you attended, and even what your sports and leisure interests are?


Remember that people who are active on Boards and such probably meet a lot of people and will not remember everyone they meet. What if I approached one of them and asked him how he and his wife and children (by name) were doing, and asked if he remembered me from the security conference in Chicago we both attended a couple of years ago? Would that person, out of courtesy and politeness, talk to me even if he did not remember me? These attackers are the best of con artists; they will charm their way into a conversation with people based upon information they have been able to obtain, and believe me, they do their homework. With a little more work I can also figure out where a person might go to dinner or which place they might go to for entertainment, because I want to have a chance encounter with them in a relaxed atmosphere where I can use the information I found to start talking to them. This is like James Bond at his best: how does a spy get his information, if it is not through Social Engineering? These are all documented techniques used by both the expert and the novice, and as per the reference article from Defcon, people are practicing these techniques all the time.


Well, you might say, I cleaned up all of my data on the Internet. Really? Have you ever visited something like http://archive.org/index.php and used their Wayback Machine? What makes you think things ever get removed from the web? Yes, you can ask the folks at archive.org to remove your data and they will comply, but that is just one source of this type of data. Again, at the risk of repetition, in this new information world it may again be that "only the paranoid survive".