Slashdot Mirror


Mitnick: Security Not about Technology

renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"

20 of 387 comments

  1. How is this news? by Anonymous Coward · · Score: 4, Interesting

    Isn't this what (ex)hackers have been telling the IT industry all along?

    1. Re:How is this news? by digitalchinky · · Score: 4, Interesting

      When working as sys-admin I clearly tell people 'Do NOT give ME your password, I don't need it to do my job' - Ten seconds later - Now log in for me, 12 seconds later, my password is 'fluffy'...

      People are dumb until it's too late, not all, but enough to make the stereotype hold true anyway.

    2. Re:How is this news? by Errtu76 · · Score: 2, Interesting

      I remember when I worked at a university, there was some intern (sent out by the IT guys) going by every department, asking people to give up their passwords. This was because of some inventory/migration/bullshit-excuse. I kid you not. I refused to give my password to anyone, saying that if I had to give it up to anyone other than the login screen, it was worthless. What was weird about it was that apparently I was one of the few who refused to give it. Most people had no problem handing over their 'secret' and 'highly personal' data, just because somebody asked for it...

    3. Re:How is this news? by Linker3000 · · Score: 5, Interesting

      In my previous job I worked as a trainer and consultant for many blue chip companies and spent a lot of time in their corporate HQs, Call Centres and Help Desks.

      Invariably, front desk security was adequate, but it was easy to get into many Call Centres and Help Desks without a key card, fob or access code simply by waiting for an employee to walk towards the main door and then approaching the same door carrying an obviously heavy, large box full of training manuals - most people in service delivery roles want to be helpful so they often hold the door open for you! In 6 years of consulting I was only ever challenged once.

      In reverse, I would occasionally be coming out of a building and someone would ask me to hold the door because they had forgotten their pass - it would really piss them off when I refused to let them in and said that if they waited outside I would fetch a team leader or manager for them!

      --
      AT&ROFLMAO
    4. Re:How is this news? by bampot · · Score: 3, Interesting

      It is against Company Policy here (very large multi-national company) to divulge your password, even if for critical business issues. Employees are expected to log a call with the service desk for a reset. Working in the middle of the night on a critical project? Tough - you should have arranged on-call support.

      Divulging a password is a disciplinary offence too, but it still happens regularly - mostly because it's rarely enforced.

      Here are some random office rules that are obeyed without question, these are all disciplinary offences, and are regularly enforced:

      * always hold the handrail on the stairs
      * do not walk AND talk on the phone/read bits of paper
      * hot drinks MUST have lids on
      * etc.

      People follow these rules without question (I don't), but I think the average perception is that it's harmless to give out a password.

      Unless there is a very real personal consequence for divulging passwords etc., it's always going to happen.

    5. Re:How is this news? by Lumpy · · Score: 2, Interesting

      I don't really believe that most people are dumb.

      Wow! you must be a youngster.

      The average IQ here in the United States is below 100 (around 97 I recall)

      That means on average everyone around you is only 17 tiny points away from being a clinical moron. A good strike to the head can get them there in a hurry.

      I have people whose computers we have had to LOCK DOWN completely with TrustNoEXE because they can not understand what it means when we say "DO NOT DOWNLOAD AND INSTALL ANYTHING". Somehow they interpret that as "Please install Webshots, Elf bowling, yahoo Toolbar and oh that cute free time keeper app! we LOVE it when you install that cutesy stuff."

      If that is not a sign of stupidity, then I have no idea what is....

      But then a bulk of my users are Marketing and Sales, so I wonder if the average IQ here is far lower than the norm.

      --
      Do not look at laser with remaining good eye.
    6. Re:How is this news? by Techguy666 · · Score: 2, Interesting

      I work in a school so the security needs aren't as severe, but when a student's own laptop is completely bogged down in viruses and spyware, cleaning Windows XP actually goes a lot faster when you have the student's password. Spyware tends to cling to a profile and unless you're running that profile, it's difficult to see whether you've been successful.

      I suppose we can re-image a machine that's been infected but students become severely traumatized when they lose work, programs, and the iTunes they've collected. On the other hand, I'm contributing to entire generations of people who would rather trade their passwords than lose their music collection. I don't know which makes me feel more guilty.

  2. Sure we can... by Anonymous Coward · · Score: 5, Interesting

    'We can't expect our employees to be human lie detectors,' Mitnick said.

    Sure we can: http://content.monster.com/martynemko/articles/archive/lying/
    1. Re:Sure we can... by jspoon · · Score: 3, Interesting

      That's an article that reads like an explanation of why most social engineering is done over the phone.

    2. Re:Sure we can... by Anonymous Coward · · Score: 2, Interesting

      Good anti-lying-detection article for social engineers.

      On another note, it seems that the easiest way to learn to lie is just to subscribe to relativism. Being able to believe, honestly, that reality is merely the subjective interpretation of the human mind allows one to effectively emulate other realities in one's own mind while speaking, easing the body language. Essentially, you just have to be able to put your conscious mind into the altered reality state while maintaining enough subconscious realization of the act to keep from believing it yourself. Or just believe it yourself. Religious fanaticism certainly has strong adherents who in their own mind certainly never lie.

  3. Computer Security, The Ultimate Oxymoron by Toloran · · Score: 3, Interesting

    I do tech support at my school. Myself and two guys finally finished our new mobile computer lab. Laptops with WiFi cards installed. It makes me sad to think that after we get the things nice, clean, working, etc the idiots will have the things broken beyond recognition by the end of next week. ;_;

    The ultimate security leak, people. >_

    --
    Speaking is NOT communication
  4. Con-man gains fame at others' expense... by Che+Guevarra · · Score: 3, Interesting

    I'm so sick of this guy's so-called "hacker" fame. He tricked a bunch of early tech know-nothings into telling him their passwords and protocols and now he's living off it forever. Jobs and Woz hacked the phone system, but then they went on to produce something. What has this guy actually ever produced, written, made? Seriously, I don't know and maybe that's a problem. He must have produced something valuable, but I don't know what it is. I'm sure some Slashdot guy will tell me, but isn't it funny that no novice (like me) knows what the hell he's ever done creatively/intellectually in his life?

    1. Re:Con-man gains fame at others expense... by Candiri · · Score: 5, Interesting

      You should read up on the guy. His talent lay more with the social engineering aspect of security. He could talk his way into or out of just about anything. His book on social engineering is a good read, McPaper-sized examples, but still very eye-opening. I'm a network admin, 18 years running, and I wound up with a large security laundry list to discuss with my boss the following Monday.

      The other thing is his *years* of jail time were spent before he was ever convicted, i.e. pleaded guilty to some of the charges to cut short his lack-of-a-speedy trial. He's done his time. He can talk as long as people will pay him.

      Besides, ignorance is not unexpected. Many novices probably couldn't tell you who Philo Farnsworth was, even though they've been looking at his invention all their lives.

  5. trade off by delirium+of+disorder · · Score: 5, Interesting

    Technical or human, good security requires balancing convenience and control. If you give your employees the power to refuse information to potential customers, you gain control and security but lose convenience and maybe money. If you tighten your network down so much that users have to jump through hoops to send files to each other, you may be more secure, but the hassle will lead to lost productivity. You can't try too hard for control or for freedom. You have to weigh threat and risk. You want to insure against potential disasters, and eliminate any more likely security risks. It's probably too costly to treat a low threat but high risk (common) security hole as if it were a disaster. This is why stores find it cheaper to set prices assuming a certain amount of shoplifting will occur. It would cost too much in lost sales and increased labor to secure the store against all theft. Training your dumbass users, helpdesk, and even sysadmins to recognise social engineering might just cost more than any losses from security breaches.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
  6. Mitnick by Stalyn · · Score: 4, Interesting

    remember this

    --
    The best education consists in immunizing people against systematic attempts at education. - Paul Feyerabend
  7. Re:Please... by jpiggot · · Score: 2, Interesting
    I get that...but what I'm saying is that the article doesn't address the larger point, which is that teaching employees to do the simple things can probably prevent 90% of the problems in the first place.

    THEN, you can fix "social engineering"

  8. Re:Dumpster Diving For Info by Anonymous Coward · · Score: 2, Interesting

    Simple answer is to put a heavy duty cross-cut shredder beside that recycle bin or even better one that reduces documents to something resembling confetti. Certainly some paper waste companies do shred the paper they pick up, sometimes right in the truck they use to pick up the recycling. However for important or sensitive information you should not rely on this "service". Also a company rep, manager, or other person should verify that shredding takes place either by casually visiting the pick-up vehicle if they shred on-site or performing a site audit/visit at any central recycling facility to confirm the company is doing what they claim and what you are paying them for.

    For myself, if it's particularly sensitive I'll shred the stuff at home.

    Speaking of home and bringing up home workers. Companies should also provide a cross-cut shredder as well as that company computer, printer, or other technology for work-at-home employees. Teach them to shred stuff, even allow them to shred personal stuff if they have them. It will provide some added "noise" to the company confidential shredded documents.

  9. Um, they have no freaking problem saying "no". by Caspian · · Score: 4, Interesting

    It's just that they don't know when to say "no" versus when not to say "no".

    Any dealing with any large, bureaucratic organization (a government bureau of any stripe, any telco, any cable company, any other sort of "utility", eBay/PayPal, Microsoft, IBM, etc.) will demonstrate quite aptly that no, they have no bloody problem saying "no". You can make a reasonable request and they'll quite cheerfully say "no" since it isn't part of their "script" to say "yes". (Then they'll tell you they're "sorry" they couldn't say yes. They aren't.) Meanwhile, the "bad guys" probably know how to work the system anyhow, and can get them to say "yes" by understanding said "script".

    Simple example: I do business under my initials, and PayPal wouldn't let me change the name on my account to my initials for "security reasons". Even after I provided proof that both of my bank accounts had already been changed (to my initials). Even after I went back and forth with them at least half a dozen times. I finally had to go in the "back way" via talking to an ex-PayPal employee, who talked to a current PayPal employee, etc. etc...

    They wouldn't change my name to my initials despite indisputable (and verifiable) proof from two established brick-and-mortar banks, yet they have absolutely no problems letting you set a crappy-ass password on your account... You see? Their priorities are backwards. They love saying "no", but they have no clue when to do it and when not to. The end result is that they suffer not only from security risks, but from bad PR.

    --
    With spending like this, exactly what are "conservatives" conserving?
  10. Re:Mitnick's never been "inside the fence" by rve · · Score: 3, Interesting

    From my experience in the workplace (100% tech savvy people, it's a software company): On the servers that force users to change their passwords every 90 days, most users use their regular password plus a number, adding exactly nothing to the security.
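    The "regular password plus a number" pattern described above is exactly what a password-history check can catch at change time. The following is an added example, not code from the original thread or from any product it mentions: a hypothetical `check_password_change` that rejects a new password when it is a previous one with trailing digits swapped or appended, or when it sits within a small edit distance of one (the distance threshold of 3 is an assumption chosen for illustration).

```python
import re


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def strip_trailing_digits(pw: str) -> str:
    """'Fluffy2006' -> 'Fluffy'; used to compare the non-numeric stem."""
    return re.sub(r"\d+$", "", pw)


def is_trivial_variant(old: str, new: str, min_distance: int = 3) -> bool:
    """True if `new` is a cosmetic tweak of `old` rather than a fresh secret.

    Three checks, any of which is enough to reject:
      1. identical password
      2. same stem once trailing digits are removed (case-insensitive),
         e.g. Fluffy2006 -> fluffy2007
      3. Levenshtein distance below `min_distance`, which also catches
         Fluffy2006 -> Fluffy2006! or Fluffy2006 -> Fluffy2oo6
    """
    if old == new:
        return True
    if strip_trailing_digits(old).casefold() == strip_trailing_digits(new).casefold():
        return True
    return edit_distance(old, new) < min_distance


def check_password_change(new: str, history: list[str], min_distance: int = 3):
    """Return (accepted, reason). `history` holds the user's previous passwords.

    In a real deployment the history would be stored as salted hashes, which
    makes stem/distance comparison impossible; systems that do this kind of
    check (assumption: the same idea as PAM's "difok" setting) compare the new
    password only against the *current* one, which the user has just typed.
    """
    for old in history:
        if is_trivial_variant(old, new, min_distance):
            return False, "new password is a trivial variant of a previous one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a user whose "rotation" is just incrementing a year.
    previous = ["Fluffy2006"]
    for candidate in ["Fluffy2007", "fluffy1", "Fluffy2006!", "Password2006", "correct-horse-battery"]:
        ok, why = check_password_change(candidate, previous)
        print(f"{candidate:24} -> {'accept' if ok else 'reject'} ({why})")
```

    Running the block shows the first three candidates rejected and the last two accepted; note that an unrelated password with the same year suffix ("Password2006") passes, because the check targets reused stems, not shared numbers.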

  11. Strong Passwords are worthless by fhage · · Score: 2, Interesting
    as soon as keystroke loggers are introduced into an organisation.

    My org was hit bad. One could ssh into a remote host and within seconds the box would be rooted and keystroke loggers installed.

    No amount of "social" training can solve this problem.

    BTW. The software based loggers are professional quality. They are undetectable without booting from known good media and examining the kernel, all its modules, and all applications. Hardware based keystroke loggers are available too.
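    The "boot from known good media and examine everything" approach the poster describes is, in practice, an offline integrity comparison: hash the kernel, modules and binaries from a trusted environment before the incident, then hash them again from trusted media afterwards and diff the two manifests. The block below is an added example, not code from the original thread or from any tool it names; the file contents are constructed in-memory byte strings standing in for real files, and the paths are illustrative.

```python
import hashlib


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the SHA-256 of its contents.

    `files` stands in for the filesystem; on a real host this would be read
    from the mounted disk while running from known good media, because a
    manifest built on a rooted box can be lied to by the kernel it runs under.
    """
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two manifests and return added, removed and modified paths (sorted)."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def suspicious_paths(diff: dict[str, list[str]], watched_prefixes=("/boot/", "/lib/modules/", "/bin/", "/sbin/")) -> list[str]:
    """Narrow the diff to changes under the locations a kernel-level logger would touch.

    The prefix list is an assumption for illustration; a real baseline would
    cover whatever the package manager says should be immutable on that host.
    """
    changed = diff["added"] + diff["modified"]
    return sorted(p for p in changed if p.startswith(watched_prefixes))


# Constructed sample data: a clean snapshot and a later one with two changes.
CLEAN_FS = {
    "/boot/vmlinuz": b"kernel-image-v1",
    "/lib/modules/ext4.ko": b"ext4-module-v1",
    "/bin/ls": b"ls-binary-v1",
    "/bin/ssh": b"ssh-binary-v1",
    "/home/user/notes.txt": b"meeting at 10",
}
LATER_FS = dict(CLEAN_FS)
LATER_FS["/bin/ssh"] = b"ssh-binary-v1-with-extra-bytes"     # trojaned binary
LATER_FS["/lib/modules/unknown.ko"] = b"module-not-in-baseline"  # new kernel module
LATER_FS["/home/user/notes.txt"] = b"meeting moved to 11"      # benign user edit


def run_check() -> list[str]:
    """Build both manifests, diff them and return the paths worth investigating."""
    baseline = build_manifest(CLEAN_FS)
    current = build_manifest(LATER_FS)
    return suspicious_paths(compare_manifests(baseline, current))


if __name__ == "__main__":
    diff = compare_manifests(build_manifest(CLEAN_FS), build_manifest(LATER_FS))
    for kind, paths in diff.items():
        print(f"{kind:9}: {paths}")
    print("investigate:", run_check())
```

    The baseline manifest only has value if it is stored off the host (or signed) and the comparison runs from media the suspect kernel never controlled; a manifest kept on the rooted box itself could simply be rewritten along with the binaries.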