Slashdot Mirror
Mitnick: Security Not about Technology
renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"
More specifically this is what Mitnick has been telling people all along - I seem to read about him saying this regularly....
"When no-one around you understands start your own revolution and cut out the middle man"
What employees need to do is follow the very simple instructions they're given. Change your password regularly. Don't make it obvious. Log out of the system when you're done. Don't use the same password at every site you visit. Etc...
It's simple, Private Pile...if you lock up that jelly doughnut in your footlocker, it's going to make it very hard for people to steal it.
StupidChildren...the reason jesus is crying
As CABAL said in Command & Conquer: Tiberian Sun,
"The systems are impenetrable. There are no weak points. The technology is without flaw. The Human element, as always, is riddled with imperfection."
This is exactly how things become worse as time goes on. Now regular folks are going to become more rude and less interested in working with you to get things done. Trust me, the sheeple don't know how to defeat social engineering. They are used to fear and terror and will be distrustful of your attempts to get work done. A few can defend against rogue attempts to illicit secure information, but most will just be jerks about it and everybody hurts. More negativity. Well, it's something to work on and I guess that's what we do here on Earth...we work on stuff together. We talk about it on Slashdot, we IM our buddies and send them interesting links. Slowly their minds change to our influence. I found out at an early age how easily I can manipulate good people and it sickens me. I grew up, matured and avoid it at all costs. But it does come with a heavy price. Sometimes it is very hard to deal with good people. Especially stuck down here in my parents basement, looking for light swords and good time travel techniques. Forward into the fray.
What's particularly ironic is that his success mostly stems from getting caught. Had he not failed at the thing he is such an expert on, he'd never have been considered an expert.
My employer holds regular training sessions for all employess on computer security, with a strong focus on resistance to social engineering methods. There are also several levels of the training, a basic course for the rank-and-file, a higher level course for those higher-ups and engineers who have to protect subcontractors and customers proprietary data, and a more intense set of courses for the IT and security folks. (We manage both physical and information security).
Have we had information stolen? Yes. We've had unscrupulous employees go to work for competitors and give them proprietary data, we've had subsidiaries sell controlled technology to foreign powers (and got bitchslapped for it too!).
Point is, machines are easy to secure. More often than not, theyll protect what you tell them to, especially if you have competent engineers. But the weak link is ALWAYS the human one. The most careful companies can apply careful policy, process, and training, like my employer does, and they can also hire tons of babysitters, big brothers, and such. And the information still flies out the door.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
There seems to be an alarming trend towards insane levels of paranoia, especially here in the US. At the same time there is an unprecedented increase in cases of clinical paranoia and related mental disorders. I wonder if there is any correlation... For sure there are thousands of security related companies doing good business and politicians pushing their agendas.
Isn't this what (ex)hackers have been telling the IT industry all along?
As old hackers while away the years (in jail) the industry moves on, which means their skills become dated and they lose all their technical expertise that got them in so much trouble in the first place. So they move on to pretending that all you need to do is act nice and con the receptionist or some fool on the other end of a phone. That route of attack is not as affected by one's weathering technical skills.
Ring ring
Hello, this is Bill.
Bill, hi, this is "Steve". I'm stuck outside the building- this stupid thing won't let me in. Could you read me our private key real quick?
OK, it's A244C7735ABBFC01... hey, how do I know you're really Steve!
What do you do with your print outs? Do they wind up in the filing cabinet, the shredder, the recycle bin, the trash? I've seen many people trying to be green by chucking their papers in the big blue recycle bin. I'm sure much of this blue-bin fodder should have been shredded.
"But if you think technology can solve your security problems [...] then you don't understand the problems and you don't understand the technology."
- Bruce Schneier
"All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
Uh? What? My uid is lower than that, I know pretty much nil about security and don't follow Mr. Mitnick's post-hacking career. I just happen to have geeky tendencies and stumbled across the site awhile ago and then registered. /. uid #!
My point is: don't make assumptions, especially ones based on things as silly as a
I suspect (but of course can't provide any real evidence) that the vast majority of computer break-ins are by young people who are simply looking for any system to break into, not targeting a specific company. Most 'crackers' probably just pick a known vulnerability and search around for a system that hasn't fixed it yet. They don't particularly care who they break into, so long as they're breaking into somewhere.
These social engineering attacks that Mitnick has built a career warning people about seem more relevant to situations were the cracker has some very specific goal in mind regarding a specific organization - dedicated industrial spies who want specific information from a particular company, etc. While I'm sure that sort of threat is a concern for many companies, I don't think it's typical of how and why computers usually get hacked into.
I was part of the "underground" at the same time he was. The people that took chances and did stupid stuff got caught. He fucked up, got caught, and now he's making money lecturing on basics like "teach your employees not to give out a password to a stranger that asks for it." NO SHIT!
The smart people didn't get busted, and have to work their tails off doing regular sysadmin duties these days.
Mmm...no.
This is the problem with Mitnick- he's never been inside of the fence. Ever. He's always been peering in from the outside, either as an attacker or a consultant. Unless you work in IT as regular staff, you don't realize the root causes.
The problem isn't with training people to say no, or to stick to policies. Especially in a medium to large organization, there's little problem getting people to stick to policies if they make sense or aren't an unreasonable impediment to workflow. The word is "bureaucracy", and so often, it's used by lazy people to avoid work.
Security problems come from three areas:
Notice a pattern? Security policies written by the incompetent.
A company I worked at had to comply with Sarbanes-Oxley regulations. This was interpreted to mean that every 90 days, all the employee domain passwords would expire. Because a large portion of the company used Macs (to make a long story short, you can't easily set up a Mac to let users change Active Directory passwords, much less notify the user their PW has expired and "please change it:"), email and file server access would just stop with no warning, and they'd flood help-desk with calls.
Typical conversation went something like:
"...and what would you us to change your new password to?"
"Harry123"
"Is that family member's name?"
"Yes, my husband's."
"Please pick something else."
This would go on and on. Some of the passwords people wanted consisted of their username plus "123", their first name plus two numbers, etc. Even worse, their initial password was based off their hire date, and most people never bothered to change theirs- so access to any other employee's email for at least the first 90 days was Dumb Shit Easy.
It's so incredibly stupid- force password changes every 90 days, but no standards for setting passwords...predictable passwords for new employees...no password auditing(ie runs with John the Ripper or similar)...nothing. Just "make all the passwords expire every 90 days." Brilliant. Why couldn't stricter password rules be enforced? Top management decided it would "aggrivate" employees too much, and I was actually told not to stop employees from picking bad passwords.
Please help metamoderate.
Well, he tricked a bunch of know-nothings into telling him their passwords and then got rammed in the ass by the government to the point of absurdity.
Matyrdom sells, ya see.
"Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
1. find something obvious
2. organize a corporate speech session
3. charge $4000 for a talk
4. profit.
Liberty freedom are no1, not dicks in suits.
Have you read his book? If you have you've discounted a lot of the threat of social engineering. Not only do you have to call someone from an external phone network, but in many cases have to know enough to convince anyone from a secretary, white collar worker or IT professional/system administrator to do your bidding.
I don't think you give social engineers enough credit - because they have to have the ability to pass off as someone who knows more than you do about your own systems and from what I've read he suceeded rather well at this - not only did he convince people to do what he wanted, but he had enough knowhow to do something with that info. And it does take some knowhow - after all once you gain access to a server, telephone switch, network etc - you have to know enough to change its configuration or access it to get what you want. (actually this sounds like my job - technical support)
Long before he was ever caught I had read about his exploits in computer magazines and the paper. His capture, and the scadal about his stay in federal prision I think made him famous. He's the only one - aside from those stuck in Guantanomo Bay who have been held without trial.
I don't really believe that most people are dumb. Most people just want to do their job, whatever it is, and they think that it is up to YOU to prevent people from "hacking the system." In their mind if something goes wrong, it's YOUR fault.
The biggest problem is that people's views are flawed, they need to be told WHY they shouldn't give their passwords out. Rather than saying, "I won't ever ask for your password, don't give it out," say something like, "there are these people who use social engineering..." etc...
Will this prevent social engineering attacks? No, but it WILL help to prevent them. People won't do what they are told if they don't know why they shouldn't do it, regardless of the profession (is that enough double negatives?)
But what do I know, I'm just Anonymous Coward.
Kevin Mitnick is looking at it from companies' points of view right now, but I think the whole problem is really created by some fundamental flaws in software architecture patterns and how most software these days interacts with the users. (Arguably it's as much a fault with the operating systems as everything else.)
I don't think that there should be that much of a burden put on the user to be responsible for saying yes or no all the time. So much software that's out there today directly bombards the user with so many questions about things that they don't understand, care about, or have time to deal with, that it's not practical for most people to spend so much time caring about what they're being asked.
Passwords, which Kevin Mitnick also talks about, are an equally bad design. They're there for the convenience of the machine -- not the person using it. Most people aren't mentally capable of remembering and matching lots of different passwords for different services, certainly not if they're supposed to (or forced to) change them every few months. It's no surprise that in order to get their actual work done, people are simply going to resort to predictible patterns or writing down secret information.
I can set aside the time for dealing with these sorts of things, and I'm sure that many people here can... but then I have more than a passing interest in computers and what's going on inside mine. For many more users out there, a computer is just a tool that's used towards something that's much more interesting to them, and dealing with the tool is one of the last things they want to care about.
Teaching people to "say no" is certainly part of the equation, but it won't work beyond a certain point. I don't know what the answer is, whether it's reducing the number of options over all software, trying to make more intelligent decisions without asking the user, arranging things so that people's software is generally configured entirely by an administrator who understands the issues, or something else. I think it's important to realise, though, that research about reducing social engineering in software is at least as important to security as researching technical security holes. It's as much of an HCI problem as a security problem.
Honestly this is very suprising to me. I own and run a small business and people try and scam us all the time. Examples include dodgy telephone directory listings, website hosting, domain hosting, overpriced stock and people just generally phoning us and trying to sell us every piece of crap under the sun. This is not just scammers, it's also local sporting groups, charities, schools, churches etc all seem to think we are here for their sole benifit. It never seems to occur to any of them that we get asked ten times a day to hand over money for no benifit to us. It sounds like I am bitter, but I'm not, this is just reality.
I don't mind donating, I give time and money every week to several organsisations (of *my* choice), but most of them have never even been a customer before.
So actually thinking about each and ever deal/agreement I make has become second nature, it's easy to tell when somebody is trying to scam you really. If people start asking intimate questions: "who do you have your telephone with? it's a scam. If they ask "are you the owner of this business" and then ask *another* question about the business it's a scam.
If they really had anything to do with your business they don't need to ask who you are, because they already know.
I'm so sick of people here being proud of their ignorance. If you don't know what he's done, isn't it up to you to find out before passing judgement?
Oh right, it's up to everyone else to do that for you as well.
As I've said to people previously.. Nobody will ever know about the greatest hacker who ever lived. Well, maybe I stole that from somewhere, but meh..
Likewise, the U.S. was able to get intelligence on the Soviets by sending a sub to tap an underwater cable in the Sea of Okhotsk. This cost tens of millions of dollars. For a couple million, the USSR bought off Aldrich Ames and got whatever intel they wanted. All in all, being able to manipulate people is probably a lot more useful and dangerous skill than being able to manipulate technology.
It's news because (most of) the industry still isn't listening.
"If it's real, then it gets more interesting the closer you examine it. If it's not real, just the opposite is true." -
9. significant increase in blinking.
... er ... eye opener.
Just take a look at Bush during the 2004 debates. It was an
Is there anything here that hasn't been said better already by Bruce Schnier? For that matter, is there anything here that Mitnick himself didn't already say in his trial?
People are the weakest link in any security system. This is so well known that it's not even worth talking about, unless you have a new way around it. Kevin, sadly, does not. Training people doesn't work. Not only is your security only as strong as the weakest link in the chain, but it's only as strong as the weakest occurence of that weak link. In other words, unless you can GUARANTEE that 100% of your employees won't be susceptible, training them beyond the obvious (which should be presentable in a half-hour lecture) isn't a useful endeavor.
Schnier has it right: Protection is only a way of giving yourself more time for the detection and response mechanisms to kick in. You won't ever get a secure system by locking all the doors.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Social engineering is effective quite simply because we have alot of annoying mostly pointless security measures and then real security measures with no good way to tell them apart.
Look, if the same security policy that tells you not to let *anyone* into the building without a key card tells you not to tell anyone your password you are likely to ignore both. In most buildings there is no good reason not to hold the door for the person behind you but a very good reason not to share your password.
People aren't computer programs they need not only to be told what policies to follow but which ones are the important ones and which ones are just meant to keep bums from sleeping in the lobby.
If you liked this thought maybe you would find my blog nice too:
Yes, it's skewed and oversimplified. I needed to set up my subtle joke about Bill Gates and Steve Ballmer. Too subtle unfortunately.
But even if you're the guy who the cops thought could launch cruise missiles by whistling into a phone, it's hard enough to stay on top of all this crap when you're, say, not forbidden by a judge to go near a computer for several years. And he got into trouble in the first place at least partly by social engineering. Which is an area of computer security that nobody thinks about- an obvious, accessible market for someone like him. So it isn't surprising that he's taking that approach. I'd do it too if I were in his situation.
I have a good friend who's an ex-spook, and a major player in the security community. She mentioned in a magazine article "It's simply amazing to watch IT Managers putting steel safes on what amounts to be Japanese paper summer houses... the front door isn't your problem..." Genda
I'm getting tired of all the complaining about passwords and their insecurity. It is hard to change people, and if you don't want them to give away password information, don't give them any. If we can use keys to get into our homes we should be able to use them for authentication as well.
Tsunami -- You can't bring a good wave down!
and if you don't want them to give away password information, don't give them any
Sorry, but that isn't a good solution. In certain cases users have to have a password. We have to teach the users the consequences of giving away their password, and teach them some responsibility. What i always say is: If you give your password to somebody and that somebody uses it for less-than-legal purposes, it will be *your* responsibility. No excuses, no investigation and no second chances. Want to be safe? Don't give away your password, period.
Whether I like the messenger or not, Mtinick is right. So long as humans are part of the security equation, we will have insecure systems. The song he's singing is true. A tune few are paying attention to. Like death, social engineering has no solution today, so it's avoided with discomfort or even ignored. Three people can keep a secret if two of them are dead. Social engineering is that last security hole still left unpatched.
I work in IT and I can blind dial any extension, introduce myself as employee X from Corporate IT and without any pretense, obtain a user ID and password. If I am trouble shooting a user complaint and ask their user ID, their password is often offered without me even asking for it. The vast majority of viruses rely on social engineering, as do tool bars, spyware, etc. I think Mitnick is right that the problems we have today are less technical than social. Most of the security holes in Windows could exist unexploited if it were not for social engineering.
Jack LaLane, the fitness guru, was viewed 40 years ago as a freak. It may take 40 years but once society finds a way to resolve or at least seriously takes an interest in the social engineering problems of network security, I wonder if history will label Mitnick as an early adopter or label him a "before his time" genius.
"but the guy's a criminal, end of story."
Correction: "He was a criminal."
Just because a person was cute a young age, doesn't make him cute until he/she dies. Furthermore Mitcnick has served time in jail, so he is by law redeemed of his actions..(?)
To even remotely suggest that he is in similar category as paedophile's is just idiotic and/or ignorant.
Although it is probably safe to say that he won't be cleared for CIA related work, I would have no problem hiring him as a consultant on any security matter regarding my business..
Everytime computer security issues come up on slashdot, a torrent of geeks always chime in about how things are so bad because of "stupid" people.
In fact, there is such a sys-admin (excuse me, I mean "architect") in my office. He loudly complains all day about how the "stupid" and "incompetent" are always making his life difficult and wasting his time.
What I don't think he realizes is that people are afraid to approach him with questions and problems. Those that do are often quickly and rudely dismissed or put on hold for extended times.
Here's the big problem-- if the "stupid people" in the office, you know, like scientists, professionals and others that make money for the org, dread interacting with the IT guy (I mean architect), they will go elsewhere when there are problems. If they are brushed aside when they ask about "the internet not working", they will be less likely to say anything when something _really_ goes wrong.
I do, actually. It may be a more reasonable place than where you work, but it is still real.
marketing manager that demands he needs admin rights. other managers that think they need admin rights so it snowballs and then corperate deems that most have admin rights
If you are reasonable with people, they will be reasonable with you. Why does the marketing manager need admin rights? If she does, give them to her. If she is just demanding for no reason, say 'no'. Where I work departments can buy their own machines, but we don't have to take care of them if they choose to, so we have some leverage.
or better yet the idiots in the NOC set the global user profile to put them in the administrator group for some failed attemptto push out a path and forgets to move everyone back.
The NOC's first move was excessive, and then they were negligent. If they keep being incompetent, get someone who isn't.
corperate IT is hell. as the NOC morons are sure they know more, the managers demand more access or threaten your job, then bitch that they clicked on a strange attachment and want to know why you are not protecting them.
I'm happy I don't work where you do.
solution? thow their asses under the bus. when a manager or Director infects his computer and then the office, ANNOUNCE who it was, espically to the IT heads.
No, that's not a very good solution. That will just get more people mad and unreasonable. If someone has no need for a dangerous privlige, don't let them have it. Be willing to send out low-level techs to do admin-work on people's computers and install the software they don't have rights to install. Don't humilate people.
This post written under Gentoo-linux with an SCO IP license.
I can't remember the names of the burglars but the BBC have just paid the one who survived £4500 for assisting in making a documentary about the case.
I don't sympathise fully with Tony Martin but I do not believe that a convicted criminal should be allowed to make personal profit as a result of a crime they have committed - no different to what Mitnick is doing now.
Yes, he's served his time, he's paid his debt to society but he'd be a nobody now were it not for his previous hacker reputation.
Gentoo Linux - another day, another USE flag.