Mitnick: Security Not about Technology 387
renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"
As Nancy Reagan would put it... (Score:5, Funny)
Definition of geek (Score:5, Funny)
FREE KEVIN! (Score:5, Funny)
FREE MARTHA! (Score:5, Funny)
FREE TIBET! (Score:5, Funny)
** _ (Score:5, Funny)
How is this news? (Score:4, Interesting)
Re:How is this news? (Score:3, Insightful)
Comment removed (Score:5, Interesting)
That's what LC5 is for... (Score:2, Funny)
Re:How is this news? (Score:5, Insightful)
The biggest problem is that people's views are flawed, they need to be told WHY they shouldn't give their passwords out. Rather than saying, "I won't ever ask for your password, don't give it out," say something like, "there are these people who use social engineering..." etc...
Will this prevent social engineering attacks? No, but it WILL help to prevent them. People won't do what they are told if they don't know why they shouldn't do it, regardless of the profession (is that enough double negatives?)
But what do I know, I'm just Anonymous Coward.
Re:How is this news? (Score:3, Interesting)
Divulging a password is a disciplinary offence too, but it still happens regulary - mostly because it's rarely enforced.
Here are some random office rules that are obeyed without question, these are
Re:How is this news? (Score:3, Interesting)
Wow! you must be a youngster.
The average IQ here in the United States is below 100 (around 97 I recall)
That means on average everyone around you is only 17 tiny points away from being a clinical moron. A good strike to the head can get them there in a hurry.
I have people that we have had to LOCK DOWN their computer completely with TrustNoEXE because they can not understand what it means when we say "DO NOT DOWNLOAD AND INSTALL ANYTHING". Somehow they i
Re:How is this news? (Score:3, Informative)
An IQ of 100 is average.
An IQ test is very reliable in that you will always get close to the same score. However it is worthless because nobody really knows what any particular score means. You can say your IQ is X, but that gives no insight to anything about you.
Re:Locking down computers (Score:3, Insightful)
I do, actually. It may be a more reasonable place than where you work, but it is still real.
marketing manager that demands he needs admin rights. other managers that think they need admin rights so it snowballs and then corperate deems that most have admin rights
If you are reasonable with people, they will be reasonable with you. Why does the marketing manager need admin rights? If she does, give them to her. If she is just demanding for no reason, say 'no'
Re:How is this news? (Score:4, Funny)
Re:How is this news? (Score:3, Interesting)
Re:How is this news? (Score:3, Insightful)
Re:How is this news? (Score:3, Insightful)
Sorry, but that isn't a good solution. In certain cases users have to have a password. We have to teach the users the consequences of giving away their password, and teach them some responsibility. What i always say is: If you give your password to somebody and that somebody uses it for less-than-legal purposes, it will be *your* responsibility. No excuses, no investigation and no second chances. Want to be safe? Don't give
Re:How is this news? (Score:4, Insightful)
As old hackers while away the years (in jail) the industry moves on, which means their skills become dated and they lose all their technical expertise that got them in so much trouble in the first place. So they move on to pretending that all you need to do is act nice and con the receptionist or some fool on the other end of a phone. That route of attack is not as affected by one's weathering technical skills.
Ring ring
Hello, this is Bill.
Bill, hi, this is "Steve". I'm stuck outside the building- this stupid thing won't let me in. Could you read me our private key real quick?
OK, it's A244C7735ABBFC01... hey, how do I know you're really Steve!
Re:How is this news? (Score:5, Interesting)
Invariably, front desk security was adequate, but it was easy to get into many Call Centres and Help Desks without a key card, fob or access code simply by waiting for an employee to walk towards the main door and then approaching the same door carrying an abviously heavy, large box full of training manuals - most people in service delivery roles want to be helpful so they often hold the door open for you! In 6 years of consulting I was only ever challenged once.
In reverse, I would occasionally be coming out of a building and someone would ask me to hold the door because they had forgotten their pass - it would really piss them off when refused to let them in and said if they waited outside I would fetch a team leader or manager for them!
Re:How is this news? (Score:3, Funny)
Your on my list now buddy!
Re:How is this news? (Score:3, Insightful)
But even if you're the guy who the cops thought could launch cruise missiles by whistling into a phone, it's hard enough to stay on top of all this crap when you're, say, not forbidden by a judge to go near a computer for several years. And he got into trouble in the first place at least partly by social engineering. Which is an area of computer security that nobody thinks abo
Re:How is this news? (Score:3, Insightful)
Re:How is this news? (Score:3, Funny)
Yeah, but for some reason nobody ever believes them, and I think I know why.
boss: "So, you're a computer geek hacker-type, eh?"
ex-hacker: "Yes."
boss: "And what you want to teach us is..."
ex-hacker: "How to relate to people."
boss: *laugh* *chortle* *door slam in face*
Sure we can... (Score:5, Interesting)
'We can't expect our employees to be human lie detectors,' Mitnick said.
Sure we can: http://content.monster.com/martynemko/articles/arRe:Sure we can... (Score:4, Interesting)
Re:Sure we can... (Score:2, Interesting)
On another note, it seems that the easiest way to learn to lie is just to subscribe to relitavism. Being able to believe, honestly, that reality is merely the subjective interpretation of the human mind allows one to effectively emulate other realities in one's own mind while speaking, easing the body language. Essentially, you just have to be able to put your conscious mind into the altered reality state while maintaining enough subconscious realizati
pots and kettles (Score:5, Funny)
Computer Security, The Ultimate Oxymoron (Score:3, Interesting)
The ultimate security leak, people. >_
Please... (Score:4, Insightful)
What employees need to do is follow the very simple instructions they're given. Change your password regularly. Don't make it obvious. Log out of the system when you're done. Don't use the same password at every site you visit. Etc...
It's simple, Private Pile...if you lock up that jelly doughnut in your footlocker, it's going to make it very hard for people to steal it.
Re:Please... (Score:2, Informative)
Re:Please... (Score:2, Interesting)
THEN, you can fix "social engineering"
Re:Please... (Score:5, Insightful)
That's fine for making general users more secure..
What he's talking about is more to do with making admin types more skeptical / less polite. The common 'exploits' that Mitnick, and many others, have done is to learn enough about a target company's practices, and talk your way into getting privileges that employees get.
e.g. call the phone company's internal support line, talk the talk of the phone technician, and get them to change your account, give you information, etc.
Or, call a corporate support line complaining of problems with your dialup access to the corporate network. Get them to reset "your" password for you, and you're in the network. 99% of the calls they get are legitimate employees, probably with the same old problems. If you sound like one of those normal employees, the support people will work hard to get you access to the network.
Re:Please... (Score:5, Informative)
Two immediate issues - sure, the employees computer comes up every 'X' number of days and forces a password change. Most employees alternate between "password A" and "password B" with the only difference being one different letter or number.
Second issue, the password is forced to be some 8 character password that conforms to a complexity rule that requires letters and numbers, a mix of upper and lower case, and sometimes some non-letter/number characters. These conforming passwords are ones that very few, if any employees can remember so they do what? Write it on a post-it note and stick it on the monitor, under the keyboard, in a drawer, between the pages of the intercompany printed phone book or employee manual or some other 'safe' place that could be determined by an unauthorized person. How do these contribute to increased security??
Better to break those "politeness norms". You see someone you don't recognize involve them in a conversation. Introduce yourself, ask them about themselves, what they do, who their supervisor is. It's not confrontational, it's non-threatening, and if the person does not seem genuine the questioning employee can make a report to building security with a description. Stop tail-gating at controlled entrances, keep an eye out for co-workers who may forget or seem to be having problems. Respond to unusal requests from outside people by telling the caller you don't have the information handy but can call them back with it within a short time. It also gives time to check with others if the sharing of information is unclear. ALWAYS call back however even if it is to tell the caller that the information cannot be relased. These subtle changes as well as others should foster a culture of security that becomes so second nature to every legitimate employee that the "simple rules" and the threats that accompany non-compliance are no longer the focus.
I've been promoting and exposing these concepts as an admin and IT Manager since at least the mid 90's.
Re:Please... (Score:4, Insightful)
So, forget 1), and make sure that the first pw someone picks is almost impossible to guess, and let them keep it.
Re:Please... (Score:5, Insightful)
No, most security experts will tell you this is a very stupid thing to require people to do. Your password system should enforce strong passwords anyway. Enforcing strong passwords which have to change every month just encourages people to write them on a post-it and stick it to their monitor because no one can remember passwords that change that regularly unless they're really simple.
What's more, it doesn't actually do much for the security anyway: if someone hands random people their password then you're pretty much screwed anyway - people aren't going to wait until after the password change to try and use that password. If someone is brute-forcing passwords then they stand the same mathematical chance of hitting the new password as they did with the old password so no more security there. Infact, the only security it gives you is if someone steals your encrypted password file and it's going to take them a few months to crack. But if random people can get the password database then you've got bigger security concerns than weak passwords.
Re:Please... (Score:4, Insightful)
Change your password regularly.
...
What's more, it doesn't actually do much for the security anyway: if someone hands random people their password then you're pretty much screwed anyway - people aren't going to wait until after the password change to try and use that password.
Periodic password changes help limit the window of exploitation.
That's not to say that you aren't royally screwed in some situations (ie., root password/privelige escalation), but in other situations it can really help limit the damage. You don't ever really know if someone else has your password.
Password changes exploit the fact that it often takes time to leverage a compromised password into useful exploitation.
Yes, the users are the primary problem (the point of TFA!).
It's all about using layered defense to incrementally raise the bar of entry.
Con-man gains fame at others expense... (Score:3, Interesting)
Re:Con-man gains fame at others expense... (Score:5, Insightful)
Re:Con-man gains fame at others expense... (Score:2, Insightful)
not quite (Score:3, Informative)
Re:so did the cop who busted him (Score:2)
Re:Con-man gains fame at others expense... (Score:2, Insightful)
Matyrdom sells, ya see.
Re:Con-man gains fame at others expense... (Score:5, Informative)
You should do a little research grashopper. E.g. Mitnick demonstrated that sequence number attacks were possible with TCP/IP. NOT a small thing.
Re:Con-man gains fame at others expense... (Score:5, Interesting)
The other thing is his *years* of jail time were spent before he was ever convicted, i.e. pleaded guilty to some of the charges to cut short his lack-of-a-speedy trial. He's done his time. He can talk as long as people will pay him.
Besides, ignorance is not unexpected. Many novices probably couldn't tell you who Philo Farnsworth was, even though they've been looking at his invention all their lives.
Re:Con-man gains fame at others expense... (Score:4, Insightful)
I don't think you give social engineers enough credit - because they have to have the ability to pass off as someone who knows more than you do about your own systems and from what I've read he suceeded rather well at this - not only did he convince people to do what he wanted, but he had enough knowhow to do something with that info. And it does take some knowhow - after all once you gain access to a server, telephone switch, network etc - you have to know enough to change its configuration or access it to get what you want. (actually this sounds like my job - technical support)
Long before he was ever caught I had read about his exploits in computer magazines and the paper. His capture, and the scadal about his stay in federal prision I think made him famous. He's the only one - aside from those stuck in Guantanomo Bay who have been held without trial.
Re:Con-man gains fame at others expense... (Score:5, Insightful)
Likewise, the U.S. was able to get intelligence on the Soviets by sending a sub to tap an underwater cable in the Sea of Okhotsk. This cost tens of millions of dollars. For a couple million, the USSR bought off Aldrich Ames and got whatever intel they wanted. All in all, being able to manipulate people is probably a lot more useful and dangerous skill than being able to manipulate technology.
Re:Con-man gains fame at others expense... (Score:2)
Re:Con-man gains fame at others expense... (Score:2)
Re:Con-man gains fame at others expense... (Score:2)
Kevin was arrested for ip spoofing. Do you know what that is? Can you do that? Probably not, so please shut up.
Re:Con-man gains fame at others expense... (Score:2)
Re:Con-man gains fame at others expense... (Score:2)
Re:Con-man gains fame at others expense... (Score:2, Insightful)
I'm so sick of people here being proud of their ignorance. If you don't know what he's done, isn't it up to you to find out before passing judgement?
Oh right, it's up to everyone else to do that for you as well.
Re:Con-man gains fame at others expense... (Score:2)
It worked -- look at all the people rushing to explain things to him.
I've worked with Kevin... (Score:3, Funny)
Kevin is intellectually tenacious. If he wants something, usually knowledge about the inner working of something or some secret. His will not give up until he learns what he wants to know.
What Kevin has produced is a comprehensive disclosure of the techniques and methodologies that people with hyper-curiosity use to get at YOUR secrets.
Now little man, goto the book store and buy a copy of "The Art of Deception" by Mr. Mitnick (to you) and if you read it through to t
Re:Con-man gains fame at others expense... (Score:2)
Thats the great thing about the net. It's knowledge is the summation of everybody who participates.
Re:Con-man gains fame at others expense... (Score:2)
OK I'm confused. Is that supposed to mean "'It' is supposed to be 'Its'"? Or did you mean "'It's' is suppused to be 'Its'"? Did you say that sentence out loud before posting? I mean, if we're being grammar zealots...
Re:Con-man gains fame at others expense... (Score:2, Insightful)
My point is: don't make assumptions, especially ones based on things as silly as a
Re:Con-man gains fame at others expense... (Score:2)
It just goes to show... (Score:2, Funny)
C&C (Score:5, Insightful)
"The systems are impenetrable. There are no weak points. The technology is without flaw. The Human element, as always, is riddled with imperfection."
Re:C&C (Score:3, Funny)
"Crap, it's dark!"
Re:C&C (Score:3, Funny)
(three-headed monkey dances by)
Social Evolution (Score:4, Insightful)
Policy, Process, Training. And still, holes. (Score:5, Insightful)
Have we had information stolen? Yes. We've had unscrupulous employees go to work for competitors and give them proprietary data, we've had subsidiaries sell controlled technology to foreign powers (and got bitchslapped for it too!).
Point is, machines are easy to secure. More often than not, theyll protect what you tell them to, especially if you have competent engineers. But the weak link is ALWAYS the human one. The most careful companies can apply careful policy, process, and training, like my employer does, and they can also hire tons of babysitters, big brothers, and such. And the information still flies out the door.
Re:Policy, Process, Training. And still, holes. (Score:2)
Re:Policy, Process, Training. And still, holes. (Score:2)
more paranoia = more mental institutions (Score:2, Insightful)
Re:more paranoia = more mental institutions (Score:3, Insightful)
Re:more paranoia = more mental institutions (Score:3, Insightful)
Re:more paranoia = more mental institutions (Score:4, Insightful)
trade off (Score:5, Interesting)
Mitnick (Score:4, Interesting)
so is the govt... big deal (Score:2)
their whole miserable lives to help "free" guilty Kevin Mitnick.
The truth of the matter is Eric Corley is a "profiteering glutton",
using Kevin Mitnick's misfortune for his own personal benefit and
profit."
For every cent I make, the govt just is a glutten to make its cut with me.
Meanwhile they devalue the currency and steal another 4% ontop of the 35% they stole already.
Dumpster Diving For Info (Score:5, Insightful)
Re:Dumpster Diving For Info (Score:2, Interesting)
Relevant quote (Schneier): (Score:5, Insightful)
- Bruce Schneier
Only useful for a small subset of threats (Score:5, Insightful)
These social engineering attacks that Mitnick has built a career warning people about seem more relevant to situations were the cracker has some very specific goal in mind regarding a specific organization - dedicated industrial spies who want specific information from a particular company, etc. While I'm sure that sort of threat is a concern for many companies, I don't think it's typical of how and why computers usually get hacked into.
Mitnick is an idiot... (Score:3, Insightful)
The smart people didn't get busted, and have to work their tails off doing regular sysadmin duties these days.
Re:Mitnick is an idiot... (Score:4, Insightful)
Right. Smart. Working long hours for low pay, instead of fame, fortune, and easy work. Hm.
Sounds like Mitnick's still the best at making people do his bidding.
Re:Mitnick is an idiot... (Score:2)
I was lead to believe that the key to being a successful criminal is discretion. To me, that seems somewhat at odds with the idea of recognition for your achievements.
Mitnick's never been "inside the fence" (Score:5, Insightful)
Mmm...no.
This is the problem with Mitnick- he's never been inside of the fence. Ever. He's always been peering in from the outside, either as an attacker or a consultant. Unless you work in IT as regular staff, you don't realize the root causes.
The problem isn't with training people to say no, or to stick to policies. Especially in a medium to large organization, there's little problem getting people to stick to policies if they make sense or aren't an unreasonable impediment to workflow. The word is "bureaucracy", and so often, it's used by lazy people to avoid work.
Security problems come from three areas:
Notice a pattern? Security policies written by the incompetent.
A company I worked at had to comply with Sarbanes-Oxley regulations. This was interpreted to mean that every 90 days, all the employee domain passwords would expire. Because a large portion of the company used Macs (to make a long story short, you can't easily set up a Mac to let users change Active Directory passwords, much less notify the user their PW has expired and "please change it:"), email and file server access would just stop with no warning, and they'd flood help-desk with calls.
Typical conversation went something like:
"...and what would you us to change your new password to?"
"Harry123"
"Is that family member's name?"
"Yes, my husband's."
"Please pick something else."
This would go on and on. Some of the passwords people wanted consisted of their username plus "123", their first name plus two numbers, etc. Even worse, their initial password was based off their hire date, and most people never bothered to change theirs- so access to any other employee's email for at least the first 90 days was Dumb Shit Easy.
It's so incredibly stupid- force password changes every 90 days, but no standards for setting passwords...predictable passwords for new employees...no password auditing(ie runs with John the Ripper or similar)...nothing. Just "make all the passwords expire every 90 days." Brilliant. Why couldn't stricter password rules be enforced? Top management decided it would "aggrivate" employees too much, and I was actually told not to stop employees from picking bad passwords.
Re:Mitnick's never been "inside the fence" (Score:4, Interesting)
Re:Mitnick's never been "inside the fence" (Score:4, Insightful)
On systems where this is not done, I use random strings as passwords. I know it's for long term use so I commit it to memory. On systems where this is done, I use simple patterns because I don't want to forget it while I'm on vacation. It's a dramatic reduction in security in my case and incredibly annoying. I note that many people even write them down to help their memory.
The only time I can imagine it helping is if someone breaks into your system. It means their time to do damage is limited. But not by much. On a system that requires new passwords every 90 days, I've got an average of 45 days of access before I lose it. 45 days!! Yipee!! Not much I can't do in that amount of time.
Devon
Slashdot.Nostalgia (Score:2)
It's at least as much a software problem (Score:5, Insightful)
Kevin Mitnick is looking at it from companies' points of view right now, but I think the whole problem is really created by some fundamental flaws in software architecture patterns and how most software these days interacts with the users. (Arguably it's as much a fault with the operating systems as everything else.)
I don't think that there should be that much of a burden put on the user to be responsible for saying yes or no all the time. So much software that's out there today directly bombards the user with so many questions about things that they don't understand, care about, or have time to deal with, that it's not practical for most people to spend so much time caring about what they're being asked.
Passwords, which Kevin Mitnick also talks about, are an equally bad design. They're there for the convenience of the machine -- not the person using it. Most people aren't mentally capable of remembering and matching lots of different passwords for different services, certainly not if they're supposed to (or forced to) change them every few months. It's no surprise that in order to get their actual work done, people are simply going to resort to predictible patterns or writing down secret information.
I can set aside the time for dealing with these sorts of things, and I'm sure that many people here can... but then I have more than a passing interest in computers and what's going on inside mine. For many more users out there, a computer is just a tool that's used towards something that's much more interesting to them, and dealing with the tool is one of the last things they want to care about.
Teaching people to "say no" is certainly part of the equation, but it won't work beyond a certain point. I don't know what the answer is, whether it's reducing the number of options over all software, trying to make more intelligent decisions without asking the user, arranging things so that people's software is generally configured entirely by an administrator who understands the issues, or something else. I think it's important to realise, though, that research about reducing social engineering in software is at least as important to security as researching technical security holes. It's as much of an HCI problem as a security problem.
Comment removed (Score:4, Interesting)
I'm surprised. (Score:3, Insightful)
I don't mind donating, I give time and money every week to several organsisations (of *my* choice), but most of them have never even been a customer before.
So actually thinking about each and ever deal/agreement I make has become second nature, it's easy to tell when somebody is trying to scam you really. If people start asking intimate questions: "who do you have your telephone with? it's a scam. If they ask "are you the owner of this business" and then ask *another* question about the business it's a scam.
If they really had anything to do with your business they don't need to ask who you are, because they already know.
politeness norms? (Score:2)
If you want a physically secure company, move to New York or Jersey. You'll never have to deal with pesky politeness again.
This is news? (Score:3, Insightful)
People are the weakest link in any security system. This is so well known that it's not even worth talking about, unless you have a new way around it. Kevin, sadly, does not. Training people doesn't work. Not only is your security only as strong as the weakest link in the chain, but it's only as strong as the weakest occurence of that weak link. In other words, unless you can GUARANTEE that 100% of your employees won't be susceptible, training them beyond the obvious (which should be presentable in a half-hour lecture) isn't a useful endeavor.
Schnier has it right: Protection is only a way of giving yourself more time for the detection and response mechanisms to kick in. You won't ever get a secure system by locking all the doors.
Too Much Security (Score:4, Insightful)
Look, if the same security policy that tells you not to let *anyone* into the building without a key card tells you not to tell anyone your password you are likely to ignore both. In most buildings there is no good reason not to hold the door for the person behind you but a very good reason not to share your password.
People aren't computer programs they need not only to be told what policies to follow but which ones are the important ones and which ones are just meant to keep bums from sleeping in the lobby.
To the anti-Keven crowd (Score:4, Informative)
To the ones that claim that this is old news, or that Kevin isn't as "leet" as many think; I advise to take your comments with a grain of salt. Anyone who has actually read his book, The Art of Deception, will appreciate Kevin's viewpoints. The truly great hackers use a good mix of social and technical engineered tactics to comprise security. I give you the advice is outdated and isn't news, but his advice will always outlast ever-changing technology. As a bonus he gives you open-sourced
Wielding the Clue-Stick... (Score:3, Insightful)
biometric authentication social engineering (Score:3, Funny)
40 years from now (Score:4, Insightful)
Whether I like the messenger or not, Mtinick is right. So long as humans are part of the security equation, we will have insecure systems. The song he's singing is true. A tune few are paying attention to. Like death, social engineering has no solution today, so it's avoided with discomfort or even ignored. Three people can keep a secret if two of them are dead. Social engineering is that last security hole still left unpatched.
I work in IT and I can blind dial any extension, introduce myself as employee X from Corporate IT and without any pretense, obtain a user ID and password. If I am trouble shooting a user complaint and ask their user ID, their password is often offered without me even asking for it. The vast majority of viruses rely on social engineering, as do tool bars, spyware, etc. I think Mitnick is right that the problems we have today are less technical than social. Most of the security holes in Windows could exist unexploited if it were not for social engineering.
Jack LaLane, the fitness guru, was viewed 40 years ago as a freak. It may take 40 years but once society finds a way to resolve or at least seriously takes an interest in the social engineering problems of network security, I wonder if history will label Mitnick as an early adopter or label him a "before his time" genius.
Its not about stupidity (Score:3, Insightful)
Everytime computer security issues come up on slashdot, a torrent of geeks always chime in about how things are so bad because of "stupid" people.
In fact, there is such a sys-admin (excuse me, I mean "architect") in my office. He loudly complains all day about how the "stupid" and "incompetent" are always making his life difficult and wasting his time.
What I don't think he realizes is that people are afraid to approach him with questions and problems. Those that do are often quickly and rudely dismissed or put on hold for extended times.
Here's the big problem-- if the "stupid people" in the office, you know, like scientists, professionals and others that make money for the org, dread interacting with the IT guy (I mean architect), they will go elsewhere when there are problems. If they are brushed aside when they ask about "the internet not working", they will be less likely to say anything when something _really_ goes wrong.
Re:no shit, kev (Score:2, Insightful)
2. organize a corporate speech session
3. charge $4000 for a talk
4. profit.
Re:no shit, kev (Score:4, Funny)
Mitnick, you are a clever one.
Re: (Score:3, Insightful)