Mitnick: Security Not about Technology

renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"

As Nancy Reagan would put it...

Just say NO!

Definition of geek

Has not yet said "no"... actually hasn't been asked yet either!

FREE KEVIN!

oh wait..nevermind..its 2005

FREE MARTHA!

oh wait .. never mind...

** _

offer is only valid with purchase of Kevin of equal or lesser size

Sure we can...

'We can't expect our employees to be human lie detectors,' Mitnick said.

Sure we can: http://content.monster.com/martynemko/articles/arc hive/lying/ [monster.com]

pots and kettles

and in other news... "reformed serial rapist teaches women to 'just say no'"

C&C

As CABAL said in Command & Conquer: Tiberian Sun,

"The systems are impenetrable. There are no weak points. The technology is without flaw. The Human element, as always, is riddled with imperfection."

Policy, Process, Training. And still, holes.

My employer holds regular training sessions for all employess on computer security, with a strong focus on resistance to social engineering methods. There are also several levels of the training, a basic course for the rank-and-file, a higher level course for those higher-ups and engineers who have to protect subcontractors and customers proprietary data, and a more intense set of courses for the IT and security folks. (We manage both physical and information security).

Have we had information stolen? Yes. We've had unscrupulous employees go to work for competitors and give them proprietary data, we've had subsidiaries sell controlled technology to foreign powers (and got bitchslapped for it too!).

Point is, machines are easy to secure. More often than not, theyll protect what you tell them to, especially if you have competent engineers. But the weak link is ALWAYS the human one. The most careful companies can apply careful policy, process, and training, like my employer does, and they can also hire tons of babysitters, big brothers, and such. And the information still flies out the door.

trade off

Technical or human, good security requires balencing convenience and control. If you give your employies the power to refuse information to potential customers, you gain control and security but loose convience and maybe money. If you tighten your network down so much that users have to jump through hoops to send files to each other, you may be more secure, but the hassle will lead to lost productivity. You can't try to too hard for control or for freedom. You have to weigh threat and risk. You want to ensure against potential disasters, and eliminate any more likely security risks. It's probably too costly to treat a low threat but high risk (common) security hole as if it were a disaster. This is why stores find it cheaper to set prices assuming a certain ammount of shoplifting will occur. It would cost too much in lost sales and increesed labor to secure the store against all theft. Training your dumbass users, helpdesk, and even sysadmins to recognise social engneering, might just cost more then any losses from security breaches.

Dumpster Diving For Info

What do you do with your print outs? Do they wind up in the filing cabinet, the shredder, the recycle bin, the trash? I've seen many people trying to be green by chucking their papers in the big blue recycle bin. I'm sure much of this blue-bin fodder should have been shredded.

Relevant quote (Schneier):

"But if you think technology can solve your security problems [...] then you don't understand the problems and you don't understand the technology."
- Bruce Schneier

Only useful for a small subset of threats

I suspect (but of course can't provide any real evidence) that the vast majority of computer break-ins are by young people who are simply looking for any system to break into, not targeting a specific company. Most 'crackers' probably just pick a known vulnerability and search around for a system that hasn't fixed it yet. They don't particularly care who they break into, so long as they're breaking into somewhere.

These social engineering attacks that Mitnick has built a career warning people about seem more relevant to situations were the cracker has some very specific goal in mind regarding a specific organization - dedicated industrial spies who want specific information from a particular company, etc. While I'm sure that sort of threat is a concern for many companies, I don't think it's typical of how and why computers usually get hacked into.

Mitnick's never been "inside the fence"

We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.

Mmm...no.

This is the problem with Mitnick- he's never been inside of the fence. Ever. He's always been peering in from the outside, either as an attacker or a consultant. Unless you work in IT as regular staff, you don't realize the root causes.

The problem isn't with training people to say no, or to stick to policies. Especially in a medium to large organization, there's little problem getting people to stick to policies if they make sense or aren't an unreasonable impediment to workflow. The word is "bureaucracy", and so often, it's used by lazy people to avoid work.

Security problems come from three areas:

• Security policies written by the incompetent
• Security policies influenced by corporate politics, such as "oh, the controller will complain if his accountants keep having to change their passwords, we share a boss, and he's got a lot of favor with the boss, so I don't want to piss him off" (see above)
• Security policies so complex or cumbersome, they're ignored or not followed as strictly as necessary (see above)

Notice a pattern? Security policies written by the incompetent.

A company I worked at had to comply with Sarbanes-Oxley regulations. This was interpreted to mean that every 90 days, all the employee domain passwords would expire. Because a large portion of the company used Macs (to make a long story short, you can't easily set up a Mac to let users change Active Directory passwords, much less notify the user their PW has expired and "please change it:"), email and file server access would just stop with no warning, and they'd flood help-desk with calls.

Typical conversation went something like:

"...and what would you us to change your new password to?"
"Harry123"
"Is that family member's name?"
"Yes, my husband's."
"Please pick something else."

This would go on and on. Some of the passwords people wanted consisted of their username plus "123", their first name plus two numbers, etc. Even worse, their initial password was based off their hire date, and most people never bothered to change theirs- so access to any other employee's email for at least the first 90 days was Dumb Shit Easy.

It's so incredibly stupid- force password changes every 90 days, but no standards for setting passwords...predictable passwords for new employees...no password auditing(ie runs with John the Ripper or similar)...nothing. Just "make all the passwords expire every 90 days." Brilliant. Why couldn't stricter password rules be enforced? Top management decided it would "aggrivate" employees too much, and I was actually told not to stop employees from picking bad passwords.

It's at least as much a software problem

Kevin Mitnick is looking at it from companies' points of view right now, but I think the whole problem is really created by some fundamental flaws in software architecture patterns and how most software these days interacts with the users. (Arguably it's as much a fault with the operating systems as everything else.)

I don't think that there should be that much of a burden put on the user to be responsible for saying yes or no all the time. So much software that's out there today directly bombards the user with so many questions about things that they don't understand, care about, or have time to deal with, that it's not practical for most people to spend so much time caring about what they're being asked.

Passwords, which Kevin Mitnick also talks about, are an equally bad design. They're there for the convenience of the machine -- not the person using it. Most people aren't mentally capable of remembering and matching lots of different passwords for different services, certainly not if they're supposed to (or forced to) change them every few months. It's no surprise that in order to get their actual work done, people are simply going to resort to predictible patterns or writing down secret information.

I can set aside the time for dealing with these sorts of things, and I'm sure that many people here can... but then I have more than a passing interest in computers and what's going on inside mine. For many more users out there, a computer is just a tool that's used towards something that's much more interesting to them, and dealing with the tool is one of the last things they want to care about.

Teaching people to "say no" is certainly part of the equation, but it won't work beyond a certain point. I don't know what the answer is, whether it's reducing the number of options over all software, trying to make more intelligent decisions without asking the user, arranging things so that people's software is generally configured entirely by an administrator who understands the issues, or something else. I think it's important to realise, though, that research about reducing social engineering in software is at least as important to security as researching technical security holes. It's as much of an HCI problem as a security problem.

Re:Con-man gains fame at others expense...

What's particularly ironic is that his success mostly stems from getting caught. Had he not failed at the thing he is such an expert on, he'd never have been considered an expert.

Re:Con-man gains fame at others expense...

You should do a little research grashopper. E.g. Mitnick demonstrated that sequence number attacks were possible with TCP/IP. NOT a small thing.

Re:Con-man gains fame at others expense...

You should read up on the guy. His talent lay more with the social engineering aspect of security. He could talk his way into or out of just about anything. His book on social engineering is a good read, McPaper-sized examples, but still very eye-opening. I'm a network admin, 18 years running, and I wound up with a large security laundry list to discuss with my boss the following Monday.

The other thing is his *years* of jail time were spent before he was ever convicted, i.e. pleaded guilty to some of the charges to cut short his lack-of-a-speedy trial. He's done his time. He can talk as long as people will pay him.

Besides, ignorance is not unexpected. Many novices probably couldn't tell you who Philo Farnsworth was, even though they've been looking at his invention all their lives.

Re:Con-man gains fame at others expense...

The insurgency in Iraq is a good case of how effective the human element is. The guys apparently know pretty much everything that's going on because they have moles and informers in the government, and because they can blackmail and threaten people for information. They just managed to take out a couple of the people in the Hussein trial. Meanwhile, for all their high-tech satellites, unmanned aerial vehicles and NSA technology, the U.S. still can't figure out where the hell Zarqawi is.

Likewise, the U.S. was able to get intelligence on the Soviets by sending a sub to tap an underwater cable in the Sea of Okhotsk. This cost tens of millions of dollars. For a couple million, the USSR bought off Aldrich Ames and got whatever intel they wanted. All in all, being able to manipulate people is probably a lot more useful and dangerous skill than being able to manipulate technology.

Re:How is this news?

When working as sys-admin I clearly tell people 'Do NOT give ME your password, I don't need it to do my job' - Ten seconds later - Now log in for me, 12 seconds later, my password is 'fluffy'...

People are dumb until it's too late, not all, but enough to make the stereotype hold true anyway.

Re:How is this news?

I don't really believe that most people are dumb. Most people just want to do their job, whatever it is, and they think that it is up to YOU to prevent people from "hacking the system." In their mind if something goes wrong, it's YOUR fault.

The biggest problem is that people's views are flawed, they need to be told WHY they shouldn't give their passwords out. Rather than saying, "I won't ever ask for your password, don't give it out," say something like, "there are these people who use social engineering..." etc...

Will this prevent social engineering attacks? No, but it WILL help to prevent them. People won't do what they are told if they don't know why they shouldn't do it, regardless of the profession (is that enough double negatives?)

But what do I know, I'm just Anonymous Coward.

Re:How is this news?

In my previous job I worked as a trainer and consultant for many blue chip companies and spent a lot of time in their corporate HQs, Call Centres and Help Desks.

Invariably, front desk security was adequate, but it was easy to get into many Call Centres and Help Desks without a key card, fob or access code simply by waiting for an employee to walk towards the main door and then approaching the same door carrying an abviously heavy, large box full of training manuals - most people in service delivery roles want to be helpful so they often hold the door open for you! In 6 years of consulting I was only ever challenged once.

In reverse, I would occasionally be coming out of a building and someone would ask me to hold the door because they had forgotten their pass - it would really piss them off when refused to let them in and said if they waited outside I would fetch a team leader or manager for them!

Re:Please...

> Change your password regularly. Don't make it obvious. Log out of the system when you're done

That's fine for making general users more secure..

What he's talking about is more to do with making admin types more skeptical / less polite. The common 'exploits' that Mitnick, and many others, have done is to learn enough about a target company's practices, and talk your way into getting privileges that employees get.

e.g. call the phone company's internal support line, talk the talk of the phone technician, and get them to change your account, give you information, etc.

Or, call a corporate support line complaining of problems with your dialup access to the corporate network. Get them to reset "your" password for you, and you're in the network. 99% of the calls they get are legitimate employees, probably with the same old problems. If you sound like one of those normal employees, the support people will work hard to get you access to the network.

Re:Please...

Good grief, changing your password regularly and make it non obvious... this is just such an outdated view that it's almost comical.

Two immediate issues - sure, the employees computer comes up every 'X' number of days and forces a password change. Most employees alternate between "password A" and "password B" with the only difference being one different letter or number.

Second issue, the password is forced to be some 8 character password that conforms to a complexity rule that requires letters and numbers, a mix of upper and lower case, and sometimes some non-letter/number characters. These conforming passwords are ones that very few, if any employees can remember so they do what? Write it on a post-it note and stick it on the monitor, under the keyboard, in a drawer, between the pages of the intercompany printed phone book or employee manual or some other 'safe' place that could be determined by an unauthorized person. How do these contribute to increased security??

Better to break those "politeness norms". You see someone you don't recognize involve them in a conversation. Introduce yourself, ask them about themselves, what they do, who their supervisor is. It's not confrontational, it's non-threatening, and if the person does not seem genuine the questioning employee can make a report to building security with a description. Stop tail-gating at controlled entrances, keep an eye out for co-workers who may forget or seem to be having problems. Respond to unusal requests from outside people by telling the caller you don't have the information handy but can call them back with it within a short time. It also gives time to check with others if the sharing of information is unclear. ALWAYS call back however even if it is to tell the caller that the information cannot be relased. These subtle changes as well as others should foster a culture of security that becomes so second nature to every legitimate employee that the "simple rules" and the threats that accompany non-compliance are no longer the focus.

I've been promoting and exposing these concepts as an admin and IT Manager since at least the mid 90's.

Re:Please...

Change your password regularly.

No, most security experts will tell you this is a very stupid thing to require people to do. Your password system should enforce strong passwords anyway. Enforcing strong passwords which have to change every month just encourages people to write them on a post-it and stick it to their monitor because no one can remember passwords that change that regularly unless they're really simple.

What's more, it doesn't actually do much for the security anyway: if someone hands random people their password then you're pretty much screwed anyway - people aren't going to wait until after the password change to try and use that password. If someone is brute-forcing passwords then they stand the same mathematical chance of hitting the new password as they did with the old password so no more security there. Infact, the only security it gives you is if someone steals your encrypted password file and it's going to take them a few months to crack. But if random people can get the password database then you've got bigger security concerns than weak passwords.