Slashdot Mirror


Mitnick: Security Not about Technology

renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"

13 of 387 comments

  1. How is this news? by Anonymous Coward · · Score: 4, Interesting

    Isn't this what (ex)hackers have been telling the IT industry all along?

    1. Re:How is this news? by digitalchinky · · Score: 4, Interesting

      When working as sys-admin I clearly tell people 'Do NOT give ME your password, I don't need it to do my job' - Ten seconds later - Now log in for me, 12 seconds later, my password is 'fluffy'...

      People are dumb until it's too late, not all, but enough to make the stereotype hold true anyway.

    2. Re:How is this news? by Linker3000 · · Score: 5, Interesting

      In my previous job I worked as a trainer and consultant for many blue chip companies and spent a lot of time in their corporate HQs, Call Centres and Help Desks.

      Invariably, front desk security was adequate, but it was easy to get into many Call Centres and Help Desks without a key card, fob or access code simply by waiting for an employee to walk towards the main door and then approaching the same door carrying an obviously heavy, large box full of training manuals - most people in service delivery roles want to be helpful so they often hold the door open for you! In 6 years of consulting I was only ever challenged once.

      In reverse, I would occasionally be coming out of a building and someone would ask me to hold the door because they had forgotten their pass - it would really piss them off when I refused to let them in and said if they waited outside I would fetch a team leader or manager for them!

      --
      AT&ROFLMAO

    3. Re:How is this news? by bampot · · Score: 3, Interesting

      It is against Company Policy here (very large multi-national company) to divulge your password, even if for critical business issues. Employees are expected to log a call with the service desk for a reset. Working in the middle of the night on a critical project? Tough - you should have arranged on-call support.

      Divulging a password is a disciplinary offence too, but it still happens regularly - mostly because it's rarely enforced.

      Here are some random office rules that are obeyed without question, these are all disciplinary offences, and are regularly enforced:

      * always hold the handrail on the stairs
      * do not walk AND talk on the phone/read bits of paper
      * hot drinks MUST have lids on
      * etc.

      People follow these rules without question (I don't), but I think the average perception is that it's harmless to give out a password.

      Unless there are very real personal consequences of divulging passwords etc., it's always going to happen.

  2. Sure we can... by Anonymous Coward · · Score: 5, Interesting

    'We can't expect our employees to be human lie detectors,' Mitnick said.

    Sure we can: http://content.monster.com/martynemko/articles/archive/lying/

    1. Re:Sure we can... by jspoon · · Score: 3, Interesting

      That's an article that reads like an explanation of why most social engineering is done over the phone.

  3. Computer Security, The Ultimate Oxymoron by Toloran · · Score: 3, Interesting

    I do tech support at my school. Myself and two guys finally finished our new mobile computer lab. Laptops with WiFi cards installed. It makes me sad to think after we get the things nice, clean, working, etc that the idiots will have the things broken beyond recognition by the end of next week. ;_;

    The ultimate security leak, people. >_

    --
    Speaking is NOT communication

  4. Con-man gains fame at others' expense... by Che+Guevarra · · Score: 3, Interesting

    I'm so sick of this guy's so-called "hacker" fame. He tricked a bunch of early tech know-nothings into telling him their passwords and protocols and now he's living off it forever. Jobs and Woz hacked the phone system, but then they went on to produce something. What has this guy actually ever produced, written, made? Seriously, I don't know and maybe that's a problem. He must have produced something valuable, but I don't know what it is. I'm sure some Slashdot guy will tell me, but isn't it funny that no novice (like me) knows what the hell he's ever done creatively/intellectually in his life?

    1. Re:Con-man gains fame at others' expense... by Candiri · · Score: 5, Interesting

      You should read up on the guy. His talent lay more with the social engineering aspect of security. He could talk his way into or out of just about anything. His book on social engineering is a good read, McPaper-sized examples, but still very eye-opening. I'm a network admin, 18 years running, and I wound up with a large security laundry list to discuss with my boss the following Monday.

      The other thing is his *years* of jail time were spent before he was ever convicted, i.e. pleaded guilty to some of the charges to cut short his lack-of-a-speedy trial. He's done his time. He can talk as long as people will pay him.

      Besides, ignorance is not unexpected. Many novices probably couldn't tell you who Philo Farnsworth was, even though they've been looking at his invention all their lives.

  5. trade off by delirium+of+disorder · · Score: 5, Interesting

    Technical or human, good security requires balancing convenience and control. If you give your employees the power to refuse information to potential customers, you gain control and security but lose convenience and maybe money. If you tighten your network down so much that users have to jump through hoops to send files to each other, you may be more secure, but the hassle will lead to lost productivity. You can't try too hard for control or for freedom. You have to weigh threat and risk. You want to insure against potential disasters, and eliminate any more likely security risks. It's probably too costly to treat a low threat but high risk (common) security hole as if it were a disaster. This is why stores find it cheaper to set prices assuming a certain amount of shoplifting will occur. It would cost too much in lost sales and increased labor to secure the store against all theft. Training your dumbass users, helpdesk, and even sysadmins to recognise social engineering might just cost more than any losses from security breaches.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.

  6. Mitnick by Stalyn · · Score: 4, Interesting

    remember this

    --
    The best education consists in immunizing people against systematic attempts at education. - Paul Feyerabend

  7. Um, they have no freaking problem saying "no". by Caspian · · Score: 4, Interesting

    It's just that they don't know when to say "no" versus when not to say "no".

    Any dealing with any large, bureaucratic organization (a government bureau of any stripe, any telco, any cable company, any other sort of "utility", eBay/PayPal, Microsoft, IBM, etc.) will demonstrate quite aptly that no, they have no bloody problem saying "no". You can make a reasonable request and they'll quite cheerfully say "no" since it isn't part of their "script" to say "yes". (Then they'll tell you they're "sorry" they couldn't say yes. They aren't.) Meanwhile, the "bad guys" probably know how to work the system anyhow, and can get them to say "yes" by understanding said "script".

    Simple example: I do business under my initials, and PayPal wouldn't let me change the name on my account to my initials for "security reasons". Even after I provided proof that both of my bank accounts had already been changed (to my initials). Even after I went back and forth with them at least half a dozen times. I finally had to go in the "back way" via talking to an ex-PayPal employee, who talked to a current PayPal employee, etc. etc...

    They wouldn't change my name to my initials despite indisputable (and verifiable) proof from two established brick-and-mortar banks, yet they have absolutely no problems letting you set a crappy-ass password on your account... You see? Their priorities are backwards. They love saying "no", but they have no clue when to do it and when not to. The end result is that they suffer not only from security risks, but from bad PR.

    --
    With spending like this, exactly what are "conservatives" conserving?

  8. Re:Mitnick's never been "inside the fence" by rve · · Score: 3, Interesting

    From my experience in the workplace (100% tech savvy people, it's a software company): On the servers that force users to change their passwords every 90 days, most users use their regular password plus a number, adding exactly nothing to the security.
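The "old password plus a number" habit rve describes can be caught at change time without keeping the old plaintext around: derive the handful of strings the previous password would have been if the new one is merely a digit suffix or a bumped counter, and test each against the stored hash of the old password. The following is an added illustration written for this thread, not code from Slashdot or from any product mentioned in it; the PBKDF2 parameters, the salt and the sample passwords (the thread's "fluffy" included) are constructed for the demo.

```python
import hashlib
import hmac
import re

# Assumed KDF setting for this illustration; a real deployment uses its own
# parameters and a random per-user salt.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 digest standing in for the stored credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def rotation_candidates(new_password: str) -> set:
    """Strings the previous password would have been if the new one is the old
    password with digits appended, or with a trailing counter incremented."""
    candidates = set()
    # fullmatch with a lazy stem makes the second group the whole trailing digit run
    match = re.fullmatch(r"(.*?)(\d+)", new_password, flags=re.DOTALL)
    if not match:
        return candidates
    stem, digits = match.group(1), match.group(2)
    # Case 1: one or more digits were appended to the old password.
    for k in range(1, len(digits) + 1):
        candidates.add(new_password[:-k])
    # Case 2: the old password already ended in a counter that was bumped.
    counter, width = int(digits), len(digits)
    for step in range(1, 10):
        if counter - step < 0:
            break
        candidates.add(stem + str(counter - step).zfill(width))
    candidates.discard(new_password)
    candidates.discard("")
    return candidates


def is_trivial_rotation(new_password: str, old_hash: bytes, salt: bytes) -> bool:
    """True when the proposed password is the previous one plus/bumped a number.
    Only the stored hash of the previous password is needed, so the check runs
    at change time without the old plaintext."""
    for candidate in rotation_candidates(new_password):
        if hmac.compare_digest(hash_password(candidate, salt), old_hash):
            return True
    return False


if __name__ == "__main__":
    salt = b"constructed-demo-salt"          # constructed sample value
    stored = hash_password("fluffy", salt)   # constructed previous password
    for attempt in ["fluffy1", "fluffy2024", "glacier-mint-42"]:
        verdict = "rejected" if is_trivial_rotation(attempt, stored, salt) else "accepted"
        print(f"{attempt!r}: {verdict}")
```

The candidate set stays small (at most the digit-suffix length plus nine counter values), so the cost is a dozen or so KDF evaluations per change request, which is acceptable for a password-change endpoint. Pair it with a minimum edit-distance rule if you also want to reject changes such as swapping one letter.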