Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mitnick: Security Not about Technology

Posted by CowboyNeal on from the locking-the-doors dept.

renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"

27 of 387 comments (clear)

  1. How is this news? by Anonymous Coward · · Score: 4, Interesting

    Isn't this what (ex)hackers have been telling the IT industry all along?

    1. Re:How is this news? by digitalchinky · · Score: 4, Interesting

      When working as sys-admin I clearly tell people 'Do NOT give ME your password, I don't need it to do my job' - Ten seconds later - Now log in for me, 12 seconds later, my password is 'fluffy'...

      People are dumb until it's too late, not all, but enough to make the stereotype hold true anyway.

    2. Re:How is this news? by Errtu76 · · Score: 2, Interesting

      I remember when i worked at a university, there was some intern (sent out by the IT guys) going by every department, asking people to give up their passwords. This was because of some inventory/migration/bullshit-excuse. I kid you not. I refused to give my password to anyone, saying that if i had to give it up to anyone other than the login screen, it was worthless. What was weird about it, was that apparently i was one of the few who refused to give it. Most people had no problem handing over their 'secret' and 'highly personal' data, just because somebody asked for it...

    3. Re:How is this news? by Anonymous Coward · · Score: 1, Interesting

      I have been telling people why they should not give passwords out. Still, when I was admin, almost every problem description included the password (in the e-mail or whatever).

      Now, tell me, what have you said so that your users do not behave like mine did?

    4. Re:How is this news? by Linker3000 · · Score: 5, Interesting

      In my previous job I worked as a trainer and consultant for many blue chip companies and spent a lot of time in their corporate HQs, Call Centres and Help Desks.

      Invariably, front desk security was adequate, but it was easy to get into many Call Centres and Help Desks without a key card, fob or access code simply by waiting for an employee to walk towards the main door and then approaching the same door carrying an abviously heavy, large box full of training manuals - most people in service delivery roles want to be helpful so they often hold the door open for you! In 6 years of consulting I was only ever challenged once.

      In reverse, I would occasionally be coming out of a building and someone would ask me to hold the door because they had forgotten their pass - it would really piss them off when refused to let them in and said if they waited outside I would fetch a team leader or manager for them!

      --
      AT&ROFLMAO
    5. Re:How is this news? by bampot · · Score: 3, Interesting

      It is against Company Policy here (very large multi-national company) to divulge your password, even if for critical busines issues. Employees are expected to log a call with the service desk for a reset. Working in the middle of the night on a critical project? Tough - you should have arranged on-call support.

      Divulging a password is a disciplinary offence too, but it still happens regulary - mostly because it's rarely enforced.

      Here are some random office rules that are obeyed without question, these are all disciplinary offences, and are regularly enforced:

      * always hold the handrail on the stairs
      * do not walk AND talk on the phone/read bits of paper
      * hot drinks MUST have lids on
      * etc.

      People follow these rules without question (I don't), but I think the average perception is that it's harmless to give out a password.

      Unless there very real personal consequence of divulging passwords etc., it's always going to happen.

    6. Re:How is this news? by Lumpy · · Score: 2, Interesting

      I don't really believe that most people are dumb.

      Wow! you must be a youngster.

      The average IQ here in the United States is below 100 (around 97 I recall)

      That means on average everyone around you is only 17 tiny points away from being a clinical moron. A good strike to the head can get them there in a hurry.

      I have people that we have had to LOCK DOWN their computer completely with TrustNoEXE because they can not understand what it means when we say "DO NOT DOWNLOAD AND INSTALL ANYTHING". Somehow they interpet that as "Please install Webshots, Elf bowling, yahoo Toolbar and oh that cute free time keeper app! we LOVE it when you install that cutsey stuff."

      If that is not a sign of stupidity, then I have no idea what is....

      But then a bulk of my users are Marketing and Sales, so I wonder if the average IQ here is far lower than the norm.

      --
      Do not look at laser with remaining good eye.
    7. Re:How is this news? by Anonymous Coward · · Score: 1, Interesting

      Not just the DOD...

      Wal-Mart's corporate offices have this same policy.

      As a vendor, I've been both the escorted and the escort, and good luck getting back in the building, EVER, if you're caught with a guest badge without an escort, or your charge is caught without your escort respectivly.

      It's quite hard to do your job without being able to access the building.

    8. Re:How is this news? by Techguy666 · · Score: 2, Interesting

      I work in a school so the security needs aren't as severe, but when a student's own laptop is completely bogged down in viruses and spyware, cleaning Windows XP actually goes a lot faster when you have the student's password. Spyware tends to cling to a profile and unless you're running that profile, it's difficult to see whether you've been successful.

      I suppose we can re-image a machine that's been infected but students become severely traumatized when they lose work, programs, and the iTunes they've collected. On the other hand, I'm contributing to entire generations of people who would rather trade their passwords than lose their music collection. I don't know which makes me feel more guilty.

  2. Sure we can... by Anonymous Coward · · Score: 5, Interesting

    'We can't expect our employees to be human lie detectors,' Mitnick said.

    Sure we can: http://content.monster.com/martynemko/articles/arc hive/lying/
    1. Re:Sure we can... by jspoon · · Score: 3, Interesting

      That's an article that reads like an explanation of why most social engineering is done over the phone.

    2. Re:Sure we can... by Anonymous Coward · · Score: 2, Interesting

      Good anti-lying-detection article for social engineers.

      On another note, it seems that the easiest way to learn to lie is just to subscribe to relitavism. Being able to believe, honestly, that reality is merely the subjective interpretation of the human mind allows one to effectively emulate other realities in one's own mind while speaking, easing the body language. Essentially, you just have to be able to put your conscious mind into the altered reality state while maintaining enough subconscious realization of the act to keep from believing it yourself. Or just believe it yourself. Religious fanaticism certainly has strong adherants who in their own mind certainly never lie.

    3. Re:Sure we can... by Anonymous Coward · · Score: 1, Interesting

      I had a friend that made a living reading palms. She explained to me that what she did was effectively act as a human lie detector - picking up on some of the same cues that the machines do - rapid breathing, holding breath, increased pulse, sweat, etc.

  3. Computer Security, The Ultimate Oxymoron by Toloran · · Score: 3, Interesting

    I do tech support at my school. My self and two guys finnally finished our new mobile computer lab. Laptops with WiFi cards installed. It makes me sad to think after we get the things nice, clean, working, etc that the idiots will have the things broken beyond recognition by the end of next week. ;_;

    The ultimate security leak, people. >_

    --
    Speaking is NOT communication
  4. Con-man gains fame at others expense... by Che+Guevarra · · Score: 3, Interesting

    I'm so sick of this guy's so-called "hacker" fame. He tricked a bunch of early tech no-nothings into telling him their passwords and protocols and now he's living off it forever. Jobs and Woz hacked the phone system, but then they went on to produce something. What has this guy actually ever produced, written, made? Seriously, I don't know and maybe that's a problem. He must have produced something valuable, but I don't know what it is. I'm sure some Slashdot guy will tell me, but isn't it funny that no novice (like me) knows what the hell he's ever done creatively/intellectually in his life?

    1. Re:Con-man gains fame at others expense... by Candiri · · Score: 5, Interesting

      You should read up on the guy. His talent lay more with the social engineering aspect of security. He could talk his way into or out of just about anything. His book on social engineering is a good read, McPaper-sized examples, but still very eye-opening. I'm a network admin, 18 years running, and I wound up with a large security laundry list to discuss with my boss the following Monday.

      The other thing is his *years* of jail time were spent before he was ever convicted, i.e. pleaded guilty to some of the charges to cut short his lack-of-a-speedy trial. He's done his time. He can talk as long as people will pay him.

      Besides, ignorance is not unexpected. Many novices probably couldn't tell you who Philo Farnsworth was, even though they've been looking at his invention all their lives.

  5. trade off by delirium+of+disorder · · Score: 5, Interesting

    Technical or human, good security requires balencing convenience and control. If you give your employies the power to refuse information to potential customers, you gain control and security but loose convience and maybe money. If you tighten your network down so much that users have to jump through hoops to send files to each other, you may be more secure, but the hassle will lead to lost productivity. You can't try to too hard for control or for freedom. You have to weigh threat and risk. You want to ensure against potential disasters, and eliminate any more likely security risks. It's probably too costly to treat a low threat but high risk (common) security hole as if it were a disaster. This is why stores find it cheaper to set prices assuming a certain ammount of shoplifting will occur. It would cost too much in lost sales and increesed labor to secure the store against all theft. Training your dumbass users, helpdesk, and even sysadmins to recognise social engneering, might just cost more then any losses from security breaches.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
  6. Mitnick by Stalyn · · Score: 4, Interesting

    remember this

    --
    The best education consists in immunizing people against systematic attempts at education. - Paul Feyerabend
  7. Re:Please... by jpiggot · · Score: 2, Interesting
    I get that...but what I'm saying is that the article doesn't address the larger point, which is that teaching employees to do the simple things can probablly prevent 90% of the problems in the first place.

    THEN, you can fix "social engineering"

    --
    StupidChildren...the reason jesus is crying
  8. Re:Dumpster Diving For Info by Anonymous Coward · · Score: 2, Interesting

    Simple answer is to put a heavy duty cross-cut shredder beside that recycle bin or even better one that reduces documents to something resembling confetti. Certainly some paper waste companies do shred the paper they pick up, sometimes right in the truck they use to pick up the recycling. However for important or sensitive information you should not rely on this "service". Also a company rep, manager, or other person should verify that shredding takes place either by casually visiting the pick-up vehicle if they shred on-site or performing a site audit/visit at any central recycling facility to confirm the company is doing what they claim and what you are paying them for.

    FOr myself, if it's particularly sensitive I'll shred the stuff at home.

    Speaking of home and bringing up home workers. Companies should also provide a cross-cut shredder as well as that company computer, printer, or other technology for work-at-home employees. Teach them to shred stuff, even allow them to shred personal stuff if they have them. It will provide some added "noise" to the company confidential shredded documents.

  9. Um, they have no freaking problem saying "no". by Caspian · · Score: 4, Interesting

    It's just that they don't know when to say "no" versus when not to say "no".

    Any dealing with any large, bureaucratic organization (a government bureau of any stripe, any telco, any cable company, any other sort of "utility", eBay/PayPal, Microsoft, IBM, etc.) will demonstrate quite aptly that no, they have no bloody problem saying "no". You can make a reasonable request and they'll quite cheerfully say "no" since it isn't part of their "script" to say "yes". (Then they'll tell you they're "sorry" they couldn't say yes. They aren't.) Meanwhile, the "bad guys" probably know how to work the system anyhow, and can get them to say "yes" by understanding said "script".

    Simple example: I do business under my initials, and PayPal wouldn't let me change the name on my account to my initials for "security reasons". Even after I provided proof that both of my bank accounts had already been changed (to my initials). Even after I went back and forth with them at least half a dozen times. I finally had to go in the "back way" via talking to an ex-PayPal employee, who talked to a current PayPal employee, etc. etc...

    They wouldn't change my name to my initials despite indisputable (and verifiable) proof from two established brick-and-mortar banks, yet they have absolutely no problems letting you set a crappy-ass password on your account... You see? Their priorities are backwards. They love saying "no", but they have no clue when to do it and when not to. The end result is that they suffer not only from security risks, but from bad PR.

    --
    With spending like this, exactly what are "conservatives" conserving?
  10. You haven't read his book then ? by anti-NAT · · Score: 1, Interesting

    I consider The Art of Deception to be up there with Bruce Schneier's two books, Secrets and Lies, and Beyond Fear. It is a real eye-opener on the techniques a social engineer can use, and should be mandatory reading for anybody entering the infosec field. You can be pretty sure that he has used all the techniques described, just that the names, places and times have been changed to protect the innocent.

    If you choose to get it, look for the "lost" Chapter 1 on the Internet.

    I've also noticed that his new book, The Art of Intrusion has just been released. I'm sure I'll get it in the near future.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  11. Re:Mitnick's never been "inside the fence" by rve · · Score: 3, Interesting

    From my experience in the workplace (100% tech savvy people, it's a software company): On the servers that force users to change their passwords every 90 days, most users use their regular password plus a number, adding exactly nothing to the security.

  12. Mitnick is the problem, not corporate culture by iamacat · · Score: 1, Interesting

    People do need to get on with their work or life if they forgot their passwords, account names or access numbers. Since there is no reasonable way to prove identity of unfamiliar people over the phone, a support person will just fool around a bit and then let you have what you need. A skilled con man can own you, but in the end he will be the one in jail and you will just suffer a few hours of inconvenience proving which transactions are yours and which aren't. I am sure Kevin regrets his stupidity.

    Or you can do business with smaller shops that personally know all their customers. I bet they will have no problem "authenticating" you over the phone and may not even need passwords.

  13. Re:so did the cop who busted him by Papparazzi · · Score: 1, Interesting

    I agree, but you forgot about the lying reporter who blew Kevins case into the huge federal fiasco that it became rather than a normal case where someone got into a system and had a peek, left few footprints adn did little (actually no) damage.
    He didn't even profit fron the things he did. Outsmarted people with big paychecks. That is why they wanted him so bad. He embarrassed the big boys and also was made an example of by the press and then the Feds who needed another whipping boy "big bad hacker" whom they claim was trying to bring down the nation.
    His real crime was seeing things they didn't want him to see. Or to put it better, showing that the buisness types can't nesisarily protect our privacy.
    My point being that the feds/cops are just tools and it's really all about the money.

    --
    01101101 01111001 00100000 01110011 01101001 01100111
  14. Re:Locking down computers by Anonymous Coward · · Score: 1, Interesting

    you dont work in a real IT environment.

    examples? sure!

    marketing manager that demands he needs admin rights. other managers that think they need admin rights so it snowballs and then corperate deems that most have admin rights, or better yet the idiots in the NOC set the global user profile to put them in the administrator group for some failed attemptto push out a path and forgets to move everyone back.

    corperate IT is hell. as the NOC morons are sure they know more, the managers demand more access or threaten your job, then bitch that they clicked on a strange attachment and want to know why you are not protecting them.

    solution? thow their asses under the bus. when a manager or Director infects his computer and then the office, ANNOUNCE who it was, espically to the IT heads.

    Dont know what lumpy works at, but this is the norm for the 4 corperations I worked at.

  15. Strong Passwords are worthless by fhage · · Score: 2, Interesting
    as soon as keystoke loggers are introduced into an organisation.

    My org was hit bad. One could ssh into a remote host and within seconds the box would be rooted and keystroke loggers installed.

    No amount of "social" training can solve this problem.

    BTW. The software based loggers are professional quality. They are undetectable without booting from known good media and examining the kernel, all its modules, and all applicatiions. Hardware based keystoke loggers are available too.