Mitnick: Security Not about Technology
renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"
Just say NO!
oh wait.. never mind.. it's 2005
thank you for pointing out the obvious.
go back to when you were at all relevant.
Isn't this what (ex)hackers have been telling the IT industry all along?
'We can't expect our employees to be human lie detectors,' Mitnick said.
Sure we can: http://content.monster.com/martynemko/articles/arand in other news... "reformed serial rapist teaches women to 'just say no'"
---- I was woken up this morning by a face full of fur. Damn cat thought my head made a good pillow.
I do tech support at my school. Myself and two guys finally finished our new mobile computer lab. Laptops with WiFi cards installed. It makes me sad to think that after we get the things nice, clean, working, etc. the idiots will have the things broken beyond recognition by the end of next week. ;_;
The ultimate security leak, people. >_
Speaking is NOT communication
What employees need to do is follow the very simple instructions they're given. Change your password regularly. Don't make it obvious. Log out of the system when you're done. Don't use the same password at every site you visit. Etc...
It's simple, Private Pyle... if you lock up that jelly doughnut in your footlocker, it's going to make it very hard for people to steal it.
StupidChildren... the reason Jesus is crying
I'm so sick of this guy's so-called "hacker" fame. He tricked a bunch of early tech know-nothings into telling him their passwords and protocols and now he's living off it forever. Jobs and Woz hacked the phone system, but then they went on to produce something. What has this guy actually ever produced, written, made? Seriously, I don't know and maybe that's a problem. He must have produced something valuable, but I don't know what it is. I'm sure some Slashdot guy will tell me, but isn't it funny that no novice (like me) knows what the hell he's ever done creatively/intellectually in his life?
...you can't go wrong with a Mitnick story.
dmiessler.com -- grep understanding knowledge
Or tell people like Paris Hilton not to base their security question on their well known dog. Or to comply after receiving warnings that your security question is insecure.
As CABAL said in Command & Conquer: Tiberian Sun,
"The systems are impenetrable. There are no weak points. The technology is without flaw. The Human element, as always, is riddled with imperfection."
This is exactly how things become worse as time goes on. Now regular folks are going to become more rude and less interested in working with you to get things done. Trust me, the sheeple don't know how to defeat social engineering. They are used to fear and terror and will be distrustful of your attempts to get work done. A few can defend against rogue attempts to elicit secure information, but most will just be jerks about it and everybody hurts. More negativity. Well, it's something to work on and I guess that's what we do here on Earth... we work on stuff together. We talk about it on Slashdot, we IM our buddies and send them interesting links. Slowly their minds change to our influence. I found out at an early age how easily I can manipulate good people and it sickens me. I grew up, matured and avoid it at all costs. But it does come with a heavy price. Sometimes it is very hard to deal with good people. Especially stuck down here in my parents' basement, looking for light swords and good time travel techniques. Forward into the fray.
My employer holds regular training sessions for all employees on computer security, with a strong focus on resistance to social engineering methods. There are also several levels of the training: a basic course for the rank-and-file, a higher level course for those higher-ups and engineers who have to protect subcontractors' and customers' proprietary data, and a more intense set of courses for the IT and security folks. (We manage both physical and information security.)
Have we had information stolen? Yes. We've had unscrupulous employees go to work for competitors and give them proprietary data, we've had subsidiaries sell controlled technology to foreign powers (and got bitchslapped for it too!).
Point is, machines are easy to secure. More often than not, they'll protect what you tell them to, especially if you have competent engineers. But the weak link is ALWAYS the human one. The most careful companies can apply careful policy, process, and training, like my employer does, and they can also hire tons of babysitters, big brothers, and such. And the information still flies out the door.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
There seems to be an alarming trend towards insane levels of paranoia, especially here in the US. At the same time there is an unprecedented increase in cases of clinical paranoia and related mental disorders. I wonder if there is any correlation... For sure there are thousands of security related companies doing good business and politicians pushing their agendas.
Technical or human, good security requires balancing convenience and control. If you give your employees the power to refuse information to potential customers, you gain control and security but lose convenience and maybe money. If you tighten your network down so much that users have to jump through hoops to send files to each other, you may be more secure, but the hassle will lead to lost productivity. You can't try too hard for control or for freedom. You have to weigh threat and risk. You want to insure against potential disasters, and eliminate any more likely security risks. It's probably too costly to treat a low threat but high risk (common) security hole as if it were a disaster. This is why stores find it cheaper to set prices assuming a certain amount of shoplifting will occur. It would cost too much in lost sales and increased labor to secure the store against all theft. Training your dumbass users, helpdesk, and even sysadmins to recognise social engineering might just cost more than any losses from security breaches.
------ Take away the right to say fuck and you take away the right to say fuck the government.
Troll? Yeah, like this is news. Every system admin knows this, and every system admin also knows that users have a hard enough time remembering their own password. If you say, "hey, if someone calls and asks for your password, don't give it to them." Do you really think they will listen? I mean social engineering is always the easiest way to gain access to a system.
This whole story seems like it is saying, well we all know this, but now Kevin Mitnick said it, so it must be worth saying again!
Whoop de shit.
ex-hacker done good
Should this be ex-hacker gone good? Spelling mistake or Freudian slip?
remember this
The best education consists in immunizing people against systematic attempts at education. - Paul Feyerabend
What do you do with your print outs? Do they wind up in the filing cabinet, the shredder, the recycle bin, the trash? I've seen many people trying to be green by chucking their papers in the big blue recycle bin. I'm sure much of this blue-bin fodder should have been shredded.
Of course he's going to say that - that's what his "marketing" is.
He has a certified social engineering course / exam to prove it.
The fact is it takes more than people awareness to win the fight against hackers. I should know, I run a security company.
It does take technology, process and people to adequately provide a secure environment.
Mitnick should be saying something like "Security Not JUST about Technology" - then maybe I will pay attention.
"But if you think technology can solve your security problems [...] then you don't understand the problems and you don't understand the technology."
- Bruce Schneier
"All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
Has not yet said "no"... actually hasn't been asked yet either!
Engineering is the art of compromise.
I suspect (but of course can't provide any real evidence) that the vast majority of computer break-ins are by young people who are simply looking for any system to break into, not targeting a specific company. Most 'crackers' probably just pick a known vulnerability and search around for a system that hasn't fixed it yet. They don't particularly care who they break into, so long as they're breaking into somewhere.
These social engineering attacks that Mitnick has built a career warning people about seem more relevant to situations where the cracker has some very specific goal in mind regarding a specific organization - dedicated industrial spies who want specific information from a particular company, etc. While I'm sure that sort of threat is a concern for many companies, I don't think it's typical of how and why computers usually get hacked into.
I was part of the "underground" at the same time he was. The people that took chances and did stupid stuff got caught. He fucked up, got caught, and now he's making money lecturing on basics like "teach your employees not to give out a password to a stranger that asks for it." NO SHIT!
The smart people didn't get busted, and have to work their tails off doing regular sysadmin duties these days.
But isn't the highest risk for a social engineering attack at the lowest levels? It's the helpdesks where employees are under heavy pressure to "make problems go away" and are faced with an intruder presenting a problem which has a choice between an easy insecure solution that makes the caller happy and a problematic bureaucratic solution that will result in yellings and escalations.
I would assume a social engineer is not looking to have their call escalated to higher-ups because the more people who touch the call, the higher the risk of arousing suspicion. The higher-ups will never hear that the incident ever happened until the post-mortem of a successfully detected intrusion.
Mmm...no.
This is the problem with Mitnick- he's never been inside of the fence. Ever. He's always been peering in from the outside, either as an attacker or a consultant. Unless you work in IT as regular staff, you don't realize the root causes.
The problem isn't with training people to say no, or to stick to policies. Especially in a medium to large organization, there's little problem getting people to stick to policies if they make sense or aren't an unreasonable impediment to workflow. The word is "bureaucracy", and so often, it's used by lazy people to avoid work.
Security problems come from three areas:
Notice a pattern? Security policies written by the incompetent.
A company I worked at had to comply with Sarbanes-Oxley regulations. This was interpreted to mean that every 90 days, all the employee domain passwords would expire. Because a large portion of the company used Macs (to make a long story short, you can't easily set up a Mac to let users change Active Directory passwords, much less notify the user their PW has expired and "please change it:"), email and file server access would just stop with no warning, and they'd flood help-desk with calls.
Typical conversation went something like:
"...and what would you like us to change your new password to?"
"Harry123"
"Is that family member's name?"
"Yes, my husband's."
"Please pick something else."
This would go on and on. Some of the passwords people wanted consisted of their username plus "123", their first name plus two numbers, etc. Even worse, their initial password was based off their hire date, and most people never bothered to change theirs- so access to any other employee's email for at least the first 90 days was Dumb Shit Easy.
It's so incredibly stupid- force password changes every 90 days, but no standards for setting passwords... predictable passwords for new employees... no password auditing (i.e. runs with John the Ripper or similar)... nothing. Just "make all the passwords expire every 90 days." Brilliant. Why couldn't stricter password rules be enforced? Top management decided it would "aggravate" employees too much, and I was actually told not to stop employees from picking bad passwords.
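The comment above describes a policy that expires passwords every 90 days but never checks what people choose in the first place: family names, username plus "123", first name plus two digits, or an initial password derived from the hire date. As an added example that is not part of the original post, here is a small Python password-acceptance check of the kind a helpdesk or self-service reset page could run before accepting a new password. The account records, names and the rejected candidates are constructed and hypothetical; the rules are the ones the post complains were missing.

```python
import re

# Constructed account records (hypothetical names, not taken from the thread).
# Each record carries the context the checker needs: username, first name,
# known family-member names (from the HR record), and the proposed password.
SAMPLE_ACCOUNTS = [
    {"username": "jsmith", "first_name": "Jane", "family": ("Harry",), "candidate": "Harry123"},
    {"username": "jsmith", "first_name": "Jane", "family": ("Harry",), "candidate": "jsmith123"},
    {"username": "jsmith", "first_name": "Jane", "family": ("Harry",), "candidate": "Jane42"},
    {"username": "jsmith", "first_name": "Jane", "family": ("Harry",), "candidate": "20050301"},
    {"username": "jsmith", "first_name": "Jane", "family": ("Harry",), "candidate": "Correct-Horse-7Battery!"},
]


def check_password(username, first_name, candidate, family_names=(), min_length=10):
    """Return a list of reasons the candidate is rejected; an empty list means it is accepted."""
    reasons = []
    lower = candidate.lower()

    if len(candidate) < min_length:
        reasons.append("too short")

    # Identity-derived passwords: username, own first name, family members.
    if username and username.lower() in lower:
        reasons.append("contains username")
    if first_name and first_name.lower() in lower:
        reasons.append("contains first name")
    for name in family_names:
        if name.lower() in lower:
            reasons.append(f"contains family member name {name!r}")

    # The "word plus a few digits" pattern (Harry123, Jane42).
    if re.fullmatch(r"[a-z]+\d{1,4}", lower):
        reasons.append("word followed by short digit suffix")

    # All-digit strings of date length (the hire-date initial password).
    if re.fullmatch(r"\d{6,8}", candidate):
        reasons.append("looks like a date")

    # Require at least three of: lowercase, uppercase, digit, symbol.
    classes = sum(
        bool(re.search(pattern, candidate))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        reasons.append("fewer than three character classes")

    return reasons


def audit_candidates(records):
    """Run check_password over account records; return {candidate: reasons} for rejected ones."""
    rejected = {}
    for record in records:
        reasons = check_password(
            record["username"], record["first_name"], record["candidate"], record["family"]
        )
        if reasons:
            rejected[record["candidate"]] = reasons
    return rejected


if __name__ == "__main__":
    for candidate, reasons in audit_candidates(SAMPLE_ACCOUNTS).items():
        print(f"{candidate!r} rejected: {', '.join(reasons)}")
```

The check runs at the moment a password is set, which is the cheap place to enforce standards; running a cracker over the hash database afterwards, as the post suggests, catches only what this kind of rule already let through.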
I'll comment more as soon as my 28.8 modem connects. Okay wait... Brrrrr-bzzzzz.zzzzzzz.iiiiiiii.zzzzzzz
If you need to log in, crack the password yourself first :P
Hmmm.. Why not shred it anyway? I don't see any reason why something couldn't be shredded and then recycled.
(Not discrediting your point. You were just pointing out an observation.)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
Paranoia is a religion, and you will convert... or you will pay
;-)
Joking aside, paranoia does seem to be part of American culture.
Perhaps it's because people feel so out of control that they obsess about the one thing they have left, their identity..
We are the Borg...
Just say no to those "helpful" browser toolbars, download accelerators etc.. ;)
In my job, I literally have to remove layers upon layers of the things from very broken office PCs. Malware is everywhere these days, especially for IE users
RebateFX.com - Spread rebates for Forex traders
Man, Mitnick's line is the same old tired shit. Social engineering this, social engineering that. We know, Kevin, we're social creatures with common sense too. It ain't rocket science so much as it amounts to brazen begging with a bit of highschool drama pitched in.
Mitnick, you're so yesteryear. Get a fuckin' life.
- IP
Ditch the winxp junk and place some nice ibooks there.
Liberty freedom are no1, not dicks in suits.
Kevin Mitnick is looking at it from companies' points of view right now, but I think the whole problem is really created by some fundamental flaws in software architecture patterns and how most software these days interacts with the users. (Arguably it's as much a fault with the operating systems as everything else.)
I don't think that there should be that much of a burden put on the user to be responsible for saying yes or no all the time. So much software that's out there today directly bombards the user with so many questions about things that they don't understand, care about, or have time to deal with, that it's not practical for most people to spend so much time caring about what they're being asked.
Passwords, which Kevin Mitnick also talks about, are an equally bad design. They're there for the convenience of the machine -- not the person using it. Most people aren't mentally capable of remembering and matching lots of different passwords for different services, certainly not if they're supposed to (or forced to) change them every few months. It's no surprise that in order to get their actual work done, people are simply going to resort to predictable patterns or writing down secret information.
I can set aside the time for dealing with these sorts of things, and I'm sure that many people here can... but then I have more than a passing interest in computers and what's going on inside mine. For many more users out there, a computer is just a tool that's used towards something that's much more interesting to them, and dealing with the tool is one of the last things they want to care about.
Teaching people to "say no" is certainly part of the equation, but it won't work beyond a certain point. I don't know what the answer is, whether it's reducing the number of options over all software, trying to make more intelligent decisions without asking the user, arranging things so that people's software is generally configured entirely by an administrator who understands the issues, or something else. I think it's important to realise, though, that research about reducing social engineering in software is at least as important to security as researching technical security holes. It's as much of an HCI problem as a security problem.
It's just that they don't know when to say "no" versus when not to say "no".
Any dealing with any large, bureaucratic organization (a government bureau of any stripe, any telco, any cable company, any other sort of "utility", eBay/PayPal, Microsoft, IBM, etc.) will demonstrate quite aptly that no, they have no bloody problem saying "no". You can make a reasonable request and they'll quite cheerfully say "no" since it isn't part of their "script" to say "yes". (Then they'll tell you they're "sorry" they couldn't say yes. They aren't.) Meanwhile, the "bad guys" probably know how to work the system anyhow, and can get them to say "yes" by understanding said "script".
Simple example: I do business under my initials, and PayPal wouldn't let me change the name on my account to my initials for "security reasons". Even after I provided proof that both of my bank accounts had already been changed (to my initials). Even after I went back and forth with them at least half a dozen times. I finally had to go in the "back way" via talking to an ex-PayPal employee, who talked to a current PayPal employee, etc. etc...
They wouldn't change my name to my initials despite indisputable (and verifiable) proof from two established brick-and-mortar banks, yet they have absolutely no problems letting you set a crappy-ass password on your account... You see? Their priorities are backwards. They love saying "no", but they have no clue when to do it and when not to. The end result is that they suffer not only from security risks, but from bad PR.
With spending like this, exactly what are "conservatives" conserving?
Ha, I got arrested before he did but had a better lawyer. Tymnet was my playground growing up... DataPac too... all at the blazing speed of 300 bps. Whee!
Yeah and a movie made about the deal.
Blame the FED who wanted his ass bad. I'd say that cop is a damn loser; sure he caught his nemesis evil bad guy and got a promotion, where is he now? I hope he feels good about himself, how the justice-crap system treated Kevin so badly (yeah, all LEOs are brain dead, otherwise they would have real jobs)
"WOW Mum, look I caught a bad guy" Big deal, it's like trying to catch flies with chopsticks.
Mr LEO should have had the brains to investigate the bogus claims the companies used in their 'LOSSES' to claim uber large tax credits and insurance compo claims. I bet they got millions in benefits out of it and yet it's considered 'normal business', yeah right. They are as bad or worse because they hide under the Armani suits and lawyers in the firm.
Let Kevin live it up, he was put through utter crap because of dumbass redneck cops who now probably get bombarded with spam/spyware and CAN'T DO ANYTHING about it. Hahahaha
Honestly this is very surprising to me. I own and run a small business and people try and scam us all the time. Examples include dodgy telephone directory listings, website hosting, domain hosting, overpriced stock and people just generally phoning us and trying to sell us every piece of crap under the sun. This is not just scammers; local sporting groups, charities, schools, churches etc. all seem to think we are here for their sole benefit. It never seems to occur to any of them that we get asked ten times a day to hand over money for no benefit to us. It sounds like I am bitter, but I'm not, this is just reality.
I don't mind donating, I give time and money every week to several organisations (of *my* choice), but most of them have never even been a customer before.
So actually thinking about each and every deal/agreement I make has become second nature; it's easy to tell when somebody is trying to scam you really. If people start asking intimate questions: "who do you have your telephone with?" it's a scam. If they ask "are you the owner of this business" and then ask *another* question about the business it's a scam.
If they really had anything to do with your business they don't need to ask who you are, because they already know.
Pay 'em $150k tax free and they won't steal a thing :)
I blame the X-Files...
"Fuck Kevin Mitnick! People like Eric Corley have dedicated
their whole miserable lives to help "free" guilty Kevin Mitnick.
The truth of the matter is Eric Corley is a "profiteering glutton",
using Kevin Mitnick's misfortune for his own personal benefit and
profit."
For every cent I make, the govt is just a glutton to make its cut with me.
Meanwhile they devalue the currency and steal another 4% on top of the 35% they stole already.
Closed mouth quiet type seeks employment. No benefits necessary. Off-shore bank account ready for transfer of pay checks.
Hacking is ok, as long as you don't change anything :)
-----
http://onticfusion.sytes.net/
Politeness norms? What politeness!
If you want a physically secure company, move to New York or Jersey. You'll never have to deal with pesky politeness again.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
oh wait .. never mind...
sulli
RTFJ.
I'll see your Command & Conquer and raise you one Star Trek TNG:
"You are an imperfect being. Created by an imperfect being. Finding your weakness is only a matter of time." - Borg Queen to Data, First Contact
Eponymous Mallard
I consider The Art of Deception to be up there with Bruce Schneier's two books, Secrets and Lies, and Beyond Fear. It is a real eye-opener on the techniques a social engineer can use, and should be mandatory reading for anybody entering the infosec field. You can be pretty sure that he has used all the techniques described, just that the names, places and times have been changed to protect the innocent.
If you choose to get it, look for the "lost" Chapter 1 on the Internet.
I've also noticed that his new book, The Art of Intrusion has just been released. I'm sure I'll get it in the near future.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
Yes you are!
Sorry again.
offer is only valid with purchase of Kevin of equal or lesser size
Mitnick ended up in jail because he is, pure and simple, a scammer. For the most part his breaks were the result of his cajoling, deceiving and otherwise twisting people's arms into doing what he wanted. Technical prowess had very little to do with his success as a cracker.
So, everyone follows Mitnick's advice, customer service will get *worse*?!
<Sarcasm>Gee, THANKS Kevin!</Sarcasm>
My neighbor was the guy who hacked NASA a couple of times a couple of years back. From Coos Bay, OR. He was showing a couple of friends the skills he picked up working a computer security job, so he decided to hack into a NASA network a couple of times. They had to delay a launch because of him... heh, and all he did was look.
truck driver or collector for the paper that has to be "securely" destroyed.
If the security measures implemented by the secure destruction company e.g., background checks, are weaker than those of the organisation that is paying the secure destruction company, then there is a weak point in the security that can be exploited. We commonly hear that security guard jobs etc., are relatively low paid, so the background checks aren't very thorough, or rather, as thorough as they need to be for what they're being trusted with or to do.
Or, if the information is worth enough to them, the social engineer might hire a shed in an industrial area for a day, and then convince the drivers of the secure destruction facility to use it for a day, because the main facility supposedly has a plausible fault of some kind, and can't be used.
When I need a new password, I often look around for a long word, say 6+ letters, just any word that just happens to be nearby: in a book, magazine, computer part manufacturer name, then I spell it backwards, change some of the letters to numbers and add a capitalization or two. This way you can write the original word as a reminder and keep it in plain sight...
comments anyone?
Is there anything here that hasn't been said better already by Bruce Schneier? For that matter, is there anything here that Mitnick himself didn't already say in his trial?
People are the weakest link in any security system. This is so well known that it's not even worth talking about, unless you have a new way around it. Kevin, sadly, does not. Training people doesn't work. Not only is your security only as strong as the weakest link in the chain, but it's only as strong as the weakest occurrence of that weak link. In other words, unless you can GUARANTEE that 100% of your employees won't be susceptible, training them beyond the obvious (which should be presentable in a half-hour lecture) isn't a useful endeavor.
Schneier has it right: Protection is only a way of giving yourself more time for the detection and response mechanisms to kick in. You won't ever get a secure system by locking all the doors.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Social engineering is effective quite simply because we have a lot of annoying, mostly pointless security measures and then real security measures, with no good way to tell them apart.
Look, if the same security policy that tells you not to let *anyone* into the building without a key card tells you not to tell anyone your password, you are likely to ignore both. In most buildings there is no good reason not to hold the door for the person behind you, but a very good reason not to share your password.
People aren't computer programs; they need not only to be told what policies to follow but which ones are the important ones and which ones are just meant to keep bums from sleeping in the lobby.
This is Kevin saying this after all. He has always seemed to think "hacking" is a mind game more than technical knowledge. Besides it helps him get jobs if he can't quite cut it on the actual tech side of things.
Crawl This - http://darkry.net/test/test.php
As I clicked on the comments link and expected to find a decent collection of Kevin flames, I knew I'd have to throw my two cents in.
To the ones that claim that this is old news, or that Kevin isn't as "leet" as many think; I advise you to take your comments with a grain of salt. Anyone who has actually read his book, The Art of Deception, will appreciate Kevin's viewpoints. The truly great hackers use a good mix of social and technical engineering tactics to compromise security. I'll give you that the advice is outdated and isn't news, but his advice will always outlast ever-changing technology. As a bonus he gives you open-sourced ;) policy suggestions that would be a nightmare for admins to write themselves.
People do need to get on with their work or life if they forgot their passwords, account names or access numbers. Since there is no reasonable way to prove identity of unfamiliar people over the phone, a support person will just fool around a bit and then let you have what you need. A skilled con man can own you, but in the end he will be the one in jail and you will just suffer a few hours of inconvenience proving which transactions are yours and which aren't. I am sure Kevin regrets his stupidity.
Or you can do business with smaller shops that personally know all their customers. I bet they will have no problem "authenticating" you over the phone and may not even need passwords.
Why heck, if we are gonna go back in time let's do it right, ok?
-if at first you don't succeed, stay the heck away from paragliding.
ex-cracker would be more appropriate, would it not?
a hacker is someone who loves hacking, i.e. typing code, or slashdotting.
a cracker uses hacker's technical skills for nuisance.
*squeak*
"'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"
Politeness norms? Not when it comes to a screwup or security issues buddy. You're living a fantasy.
does this count?
bah!*@%!
I have a good friend who's an ex-spook, and a major player in the security community. She mentioned in a magazine article "It's simply amazing to watch IT Managers putting steel safes on what amounts to be Japanese paper summer houses... the front door isn't your problem..." Genda
He... killed... twenty-three babies in self-defense?
Oh, wait...
Scam/phishing/... all this is about social engineering: no FireWall/SpamFilter/AntiVirus will prevent people (like my mother) from being hijacked.
So technology isn't the ultimate solution!
I'm a truly awful social engineer, I'm the typical antisocial geek, and not at all gregarious.
However, even I have managed to socially engineer my way into situations.
Rule 1. In Britain at least, no one will question you if you're wearing a high visibility (one of those day-glo fluorescent) jacket or vest. They just assume you're maintenance staff. I bet you could walk out with half the server room and the staff would even help you to do so. Even more so if your jacket has a British Telecom logo on it.
Rule 2. Just act as if you're supposed to be there. If you look shifty, people question. If you appear to be purposeful, no one asks questions.
The only non-socially-engineerable types I've found are IBM UK security. I used to work for IBM, and I got in trouble once or twice for even minor things like tailgating even though I had a valid badge.
"Hi, I'm calling from tech support, I need your fingerprint and iris scan, so could you please chop off your index finger, gouge your left eye out, and send them to me please? That's great thanks."
Your statement is false.
A properly trained sysadmin can (and at my company does) easily integrate Macintosh computers with Active Directory passwords. Maybe a typical MCSE-monkey can't do it, but someone who actually understands Active Directory and MacOS X can do it very easily.
Limit: One per customer.
We do not live in the 21st century. We live in the 20 second century.
And when his archrival finally caught him it was only with the help of the FBI, the ISP he had been hacking, and a New York Times reporter who consistently exaggerated Mitnick's crimes and turned him into a symbol of America's fear of technology. His getting caught certainly made him even more of an icon -- especially since they went after him so viciously -- but his success as a hacker did not stem from being caught, as you say.
"... ex-hacker done good Kevin Mitnick ..."
How do we know that he is good now? Because he spent a few years in a US prison and we know that all of the people, especially con artists after being imprisoned for years with violent criminals, always become honest, happy and completely "resocialised," never seeking any revenge? This is a serious question. I am not asking whether Mitnick should still be in jail. I am asking why we are so naïve as to automatically assume that a mastermind con artist who believes himself to have been raped by the federal government and free press must be honest when he says he wants to help everyone (including said federal government) to improve their security. Is it wise to believe a self-proclaimed "master of deception" so easily? Mitnick basically says: "I am a master of con artists and a computer hacker god. I never helped anyone before, never posted any patches, never wrote any useful software, but then I was unfairly put in jail with the most dangerous serial killers and psychopathic rapists, therefore I must be good now and I want to help people. Do you want me to increase your security?" To which we all gladly reply: "Of course! Here's my password!" Isn't that at least a little bit infantile in its naïveté? Because as much as I always said that Kevin was mostly a harmless kid before and during the foolish panic and the pathetic hunting, I am less sure about it now because I doubt there are a lot of harmless kids among those unfortunate enough to be unjustly deprived of their freedom and exposed to the most cruel and outrageous acts of violence, surely having to make a lot of deals with the most dangerous criminals and mafia to save their life and dignity. It makes me sick that people joke about rape in jail and do not realise that violence and torture are not only a problem in Abu Ghraib and Guantánamo, but also in The Land of the Free.
There are serious problems with the US penitentiary system and I believe that a master of con artists unfairly put into this horror who says that it made him good and honest and happy, is the last person in the world we should believe. That is my opinion.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
People are always going to be part of your equation. If you don't like this, you need to find another line of work. If you do like people, then part of "getting things working" means including user education, user support, factoring in the human element. Hardware and software are going to change regularly so you'll need to update those skills regularly and rapidly, but learning people skills, and how to teach people, that will be useful in whatever you do for the rest of your life.
mmm does anyone have a link??? =oP
Ubuntu is an African word meaning 'I can't configure Debian'
If no one is allowed to install any programs, why don't you have all the computers set up that way by default?
This post written under Gentoo-linux with an SCO IP license.
Whether I like the messenger or not, Mitnick is right. So long as humans are part of the security equation, we will have insecure systems. The song he's singing is true. A tune few are paying attention to. Like death, social engineering has no solution today, so it's avoided with discomfort or even ignored. Three people can keep a secret if two of them are dead. Social engineering is that last security hole still left unpatched.
I work in IT and I can blind dial any extension, introduce myself as employee X from Corporate IT and without any pretense, obtain a user ID and password. If I am troubleshooting a user complaint and ask their user ID, their password is often offered without me even asking for it. The vast majority of viruses rely on social engineering, as do toolbars, spyware, etc. I think Mitnick is right that the problems we have today are less technical than social. Most of the security holes in Windows could exist unexploited if it were not for social engineering.
Jack LaLanne, the fitness guru, was viewed 40 years ago as a freak. It may take 40 years but once society finds a way to resolve or at least seriously takes an interest in the social engineering problems of network security, I wonder if history will label Mitnick as an early adopter or label him a "before his time" genius.
Every time computer security issues come up on Slashdot, a torrent of geeks always chime in about how things are so bad because of "stupid" people.
In fact, there is such a sys-admin (excuse me, I mean "architect") in my office. He loudly complains all day about how the "stupid" and "incompetent" are always making his life difficult and wasting his time.
What I don't think he realizes is that people are afraid to approach him with questions and problems. Those that do are often quickly and rudely dismissed or put on hold for extended times.
Here's the big problem-- if the "stupid people" in the office, you know, like scientists, professionals and others that make money for the org, dread interacting with the IT guy (I mean architect), they will go elsewhere when there are problems. If they are brushed aside when they ask about "the internet not working", they will be less likely to say anything when something _really_ goes wrong.
From TFA: "Modern technology is an enabler for such attacks: if a hacker can worm his way into a conference room for just a few minutes, for example, a wireless access point can be plugged into an out-of-the-way network access point, providing an open back door into the network even when the hacker is parked outside the building." In my experience, the "bad guys" wouldn't even need to plug in a WAP. Pretty much anytime I attend offsite meetings, I can count on either the company hosting the meeting, or another business in the same building, to be running an unencrypted wireless network (invariably named "linksys") which will hand my laptop an IP address and provide me with convenient internet access for the duration of my meeting. Now, this is sort of nice, as I can entertain myself during particularly boring meetings; it's sort of like a de facto municipal wifi system. But...ummm...yeah. Scary.
oh wait..that's later..
Actually I agree with you 100 percent. But I have to laugh at this "What he's talking about is more to do with making admin types more skeptical / less polite" as most at the company I work for are the rudest bastards you ever want to meet. All little RMS's. I think you are right in the sense that most companies have web based forms for password resets and have some jackass sitting there who is not per se a technical person, just some wage slave who handles pass requests because it is something that the real admins disdain to do. Or like in my case, my job has about 10k people at any one time who need to be in about 30 different systems a day, each with its own unique pass, so you can imagine the password requests that come in. Puto
The Revolution Will Not Be Televised
because you can replace insecure people with technology.
Audit, Audit, Audit.
Audit all data requests (database & file requests and the # of E-mail). As a policy we automatically audit all data requests. With a bit of analytical tweaking you can clearly see when someone all of a sudden starts to request more data than normal. This raises the warning flags.
I have seen cases where they waited until the employee went home for the night and they 'raided' their computer and desk. The employee was never allowed back into the building (employees were told never to make contact and to keep 100 yards from them at all times). Rumors abounded about what they found but it seemed he was already working for another company and was just collecting data for interest.
Without the audits and noticeable increase of data requests and file transfers it would have been pretty hard to suspect them until they walked out the door to their new job with all our hard work.
Another employee was let go in a similar manner - he was a system admin. He thought he could cover his tracks but apparently there are even audits of the audit logs that only a few trusted managers even know about and watch.
My Sig indicates the end of the comment I posted.
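As an added example (not code from the thread or from any poster), here is the "analytical tweaking" the comment above describes in a small Python script: it builds a per-user baseline of daily data-request counts from audit lines and flags a day whose count jumps well above that user's own history. The log format, user names, days and thresholds are all constructed for this illustration.

```python
"""Baseline-and-deviation check over a data-request audit log (constructed example)."""
from collections import defaultdict
import statistics


def make_constructed_log():
    """Constructed audit lines: 'YYYY-MM-DD user action object'. Not real data."""
    lines = []
    for d in range(1, 11):  # ten ordinary working days
        day = f"2005-03-{d:02d}"
        lines += [f"{day} alice db_query customers", f"{day} alice file_read report.xls"]
        lines += [f"{day} bob db_query payroll"] * 3
    # Day 11: alice suddenly pulls 40 design documents; bob's pattern is unchanged.
    lines += [f"2005-03-11 alice file_read design_{i:02d}.doc" for i in range(40)]
    lines += ["2005-03-11 bob db_query payroll"] * 3
    return lines


def parse_audit_log(lines):
    """Return counts[user][day] = number of data requests that user made that day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the audit run
        day, user = parts[0], parts[1]
        counts[user][day] += 1
    return counts


def find_anomalies(counts, min_history=5, z=3.0, ratio=3.0):
    """Flag (user, day, count, baseline_mean) when a day's request count exceeds
    both mean + z*sigma and ratio*mean of that user's *earlier* days only.
    sigma is floored at 1 so a perfectly flat baseline still yields a usable
    threshold; min_history avoids alerting on users with too little history."""
    alerts = []
    for user, per_day in counts.items():
        days = sorted(per_day)
        for i in range(min_history, len(days)):
            history = [per_day[d] for d in days[:i]]
            mean = float(statistics.mean(history))
            sigma = max(statistics.pstdev(history), 1.0)
            threshold = max(mean + z * sigma, ratio * mean)
            today = per_day[days[i]]
            if today > threshold:
                alerts.append((user, days[i], today, round(mean, 1)))
    return alerts


if __name__ == "__main__":
    for user, day, count, baseline in find_anomalies(parse_audit_log(make_constructed_log())):
        print(f"ALERT {day}: {user} made {count} data requests (baseline ~{baseline}/day)")
```

Real deployments would key the baseline on more than a raw count (distinct objects, bytes transferred, off-hours activity), but the shape of the check is the same.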
Why does anyone listen to this guy? He's not a "security expert", he's a famewhore. What's next, people who get kicked off "Survivor" going on tour speaking about success and interpersonal relationships?
He's an admitted scam artist! He blatantly hacked into Sun and other companies! Please do not see this guy as some twisted hero!
Sheesh!
GJC
Gregory Casamento
## Chief Maintainer for GNUstep
Only you can prevent mangled quotes on Slashdot.
Here's the issue as I see it: I work with a bunch of people, and we all have defined jurisdictions. There's things that I can do that others can't, and vice versa.
So when I call up someone, and ask for a favor, they're only too happy to grant it; maybe somewhere down the line they'll be in a bind, and need a favor from me to get their own work done, so they want to have that marker that they can use with me. There might be a "right" way to do things, but that can take 10x as long as doing a work around. And if the person I ask for a favor insists on making my job 10x harder, then, whenever they need a favor from me, I'm likely to make their job 10x harder out of spite. And who wants their job to be 10x harder? So favors and back-scratching gets done.
The problem then evolves to trying to do favors for all the service people that we come across, so they don't throw up barriers to our own work, even if we don't personally know them. When was the last time you checked a UPS driver's badge, and then verified the accuracy of their badge ID number? But how hard do you think it is to get a brown suit and a laser-printed badge? You could check the validity of that stuff, sure, and make him wait an hour for the confirmation phone call. But do you think your packages will come as timely next time?
Seriously, I wish Mamet would give social engineering a play treatment. I think it has good material, and is in line with his other work wrt con men.
--
$tar -xvf
Kevin is intellectually tenacious. If he wants something, usually knowledge about the inner workings of something or some secret, he will not give up until he learns what he wants to know.
What Kevin has produced is a comprehensive disclosure of the techniques and methodologies that people with hyper-curiosity use to get at YOUR secrets.
Now little man, go to the book store and buy a copy of "The Art of Deception" by Mr. Mitnick (to you) and if you read it through to the end, you will find my real name listed in the acknowledgements.
"A microprocessor... is a terrible thing to waste." --
GeneralEmergency
People have a natural tendency to want to be helpful, and it doesn't matter how strong your encryption is, or the strength of your password. People, if they feel they are helping you, will give you the information.
Outside of biometrics, there really isn't any way to stop it.
People are weak minded by nature, face it. I'm glad he's out talking about it, and making people more aware of these weaknesses, and how training people to be more aware of those seeking information, can be very effective.
It's not about saying NO, as much as it is being aware of what people are asking for.
Suspicion is a good thing.
Sorry, felt like I had to jump in here...
Those who complain about affect & effect on
All the biometric identifiers, passwords, physical tokens, whatever, in the world won't protect your data at all if somebody can walk in, pick up the machines and walk out with them ... usually with a member of the company being ripped off holding the door open for you.
"Flame away, I wear asbestos underwear"
This article should be in the no-shit-sherlock department or maybe the duh-fucking-obvious department.
I've *always* heard it said that the weakest link in the chain of security is the user. And, with the possible exceptions of Microsoft Bob and a couple other dain bramaged programs and systems throughout the ages, it's always true.
Furry cows moo and decompress.
My org was hit bad. One could ssh into a remote host and within seconds the box would be rooted and keystroke loggers installed.
No amount of "social" training can solve this problem.
BTW. The software based loggers are professional quality. They are undetectable without booting from known good media and examining the kernel, all its modules, and all applications. Hardware based keystroke loggers are available too.
yes, but who audits the auditors?
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Hat! Obligatory South Park.
Security Transcends Technology.
http://tinyurl.com/4ny52
In one case I heard of, the audit of the auditors was the bank, when several old accounts were checked for balances. The banker happened to notice the activity. It was a strange enough request for them to confirm with the CEO.
IIRC, wasn't Mitnick's best talent his social engineering/acting?
------ no thanks... I've quit
Yes, it was. In fact, that's what he used to prevent getting caught so long. It was technology in the end that ratted him out.
Life is not for the lazy.
Interesting to note:
When Kevin was indicted for his shenanigans, they banned him from touching computers for a while, right? But apparently they didn't ban him from talking to people, unless I missed something.
Now, which one was it that he had been using to do his damage? Was it the touching computers, or was it the talking to people? To hear Kevin say it, it was mostly in the talking.
But luddite lawyers & judges who won't grok geekness just can't imagine that the evil is in the human communication. Human communication is familiar to them, so no FUD there. Therefore they only ban the technological interface.
Typical enough.
Obviously, you've never heard of Wen Ho Lee, Mazen Al-Najjar, and Allah knows who else.
But since you can't blame those cases on Bush (because the only thing Clinton ever did wrong was lie about was a blow job), I guess those guys don't matter to you.
FREE CHECKING !
that you have a security issue in that your help desk people know the passwords of the people that they are setting them for.
:-)
All they have to do is write them down. Or remember them.
On the issue of management telling you to allow employees to pick bad passwords, have that manager sign a statement that you are doing so under protest, and that that manager understands that the resulting poor security is that manager's responsibility. Then, prepare to be let go!
emt 377 emt 4
Mitnick is a criminal. He has demonstrated again and again his complete disdain for the law, for the welfare of corporations, and for the livelihood of IT professionals who've been damaged by his antics or had to clean up after his messes. The best thing to do with a loser like Mitnick is to ignore him completely. If you dance with the devil, you don't change the devil, the devil changes you.
Security is good, and I find nothing wrong with Kevin M's stated approaches to improving it. But if I never again read another article which, in the course of covering a talk by Mitnick, simply has to preface everything with the soap saga of how Mitnick was once a renegade bad boy who paid for his crimes in jail and is now using his reformed powers for good... then it will be too soon.
- First they ignore you, then they laugh at you, then ???, then profit.
Case in point - I work in the broadcast industry as an engineer. Prior to this, though, I did a lot of live sound, so I know my way around arenas, contractors, etc. At the DNC in Boston this past summer, I walked five people through a security checkpoint, pushing three cases of gear without getting stopped... right past a line of other people pushing gear who were all getting stopped and searched. The difference? They were all wearing station jackets, and we were all in jeans, t-shirts, and work boots and looked like contractors.
At the RNC in New York, using a "Radio only" pass which only got me entry to a very limited area and specifically prevented me from getting on the floor, I breezed right through multiple security checkpoints and got myself and a friend onto the floor during Arnold's speech. We were in the middle of the Texas delegation, not thirty feet from the stage, wearing passes that clearly said we weren't supposed to be there.
In both cases, we got through security by being polite and friendly. The checkpoint people wanted to help us, so they did, without hesitation - that's Mitnick's real message. Your company hires a receptionist to be helpful and "receptive" to callers and visitors. She's just doing her job when she gives out the names of the directors and their extensions. Then, when you call telecomm and say you're Director so-and-so at extension blah, and you need your voicemail password reset, they're just being helpful and doing their job, too. That's why social engineering is such a powerful tool.
If I, as a 6'6" guy with multiple earrings, can blend smoothly into the Texan delegates at the RNC, anyone could do it, and a lot more.
-T
That's what he talks about in his book: how no matter how secure your network is, you're probably going to be more vulnerable from the people.
Do, do not, or delegate to someone else: there is no try.
Well, I know you're not her, but you do have the basic plot about right.
Still, all things considered, I wouldn't change a thing--especially considering that since for a while I was getting basically the same treatment from her as from my employer, there was a certain symmetry to the situation...
--MarkusQ
Checking what?
Sigs are for wimps
It's funny, because it's true. Or would be, if we could get over the idea of punishment, or even reform, in a zero-sum game with criminals and victims. We already study rapists to devise education for women, to protect us from them. Unless you're saying that Mitnick's advice is full of trojan horses, subtly attacking security policies from the inside in the craftiest social engineering of which I've yet heard. If we could get rapists to reform as completely as has Mitnick, of course their expert advice would help protect women from further attacks. Rape is just so disgusting that no one wants to ever trust a rapist, and is a different kind of personality defect that is much more rarely reformed than system cracking.
--
make install -not war
Try this one instead: "Never give ANYONE your password. If I have the need, I will break into your computer without it."
//Information does not want to be free; it wants to breed.