In Depth
Kevin Mitnick and Anti-Social Engineering
Lessons from reading Mitnick
By Simson Garfinkel
Alas, trying to keep such information confidential is ultimately a losing proposition: Companies simply can't assume that this information won't get out to competitors, recruiters and potential attackers. If nothing else, employees are sure to take this information with them when they switch jobs. Years of effort have also shown the difficulty of training people to resist social engineering attacks.
Instead, companies need to adopt both procedures and technology to minimize the impact that the loss of such confidential information can have.
For example, many of the cons in Mitnick's book revolve around the theft of a credit card or Social Security number. In one case, the social engineer who pretends to be the manager at one video store builds up a friendship over the telephone with the clerk at a sister store across town. Then one day the engineer calls up the clerk, claims that his computer is down, and says, "I've got a customer of yours here who wants to rent Godfather II and doesn't have his card with him.... Could you verify his information for me?" Trying to help, the befriended clerk reveals the target customer's name, address, credit card number and his recent rentals.
It's important to teach clerks not to reveal such information over the phone. But there's also a technical solution: Terminals and application programs used by customer service representatives should never display a customer's credit card number. This is not a new idea; many firms, including VoiceStream and Amazon.com, have already deployed such technology. These companies have computer systems that keep customer credit card numbers on file for automatically billing future purchases, but the systems will not reveal a stored credit card number to either the customer or a customer service representative.
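The design described above, a card kept on file for billing whose number is never rendered to a clerk or to the customer, is easy to get wrong when the number is simply a field on a customer record that any screen can print. The following Python is an added illustration (not code from the article, VoiceStream or Amazon.com) of the principle: the full number lives in one object, every display path (the customer service view, string conversion, logging) sees only the last four digits and an opaque reference, and only the billing path hands the number to a gateway. The `fake_gateway` function and the sample card number are constructed for the example; a production system would usually keep a payment processor's token instead of the number itself.

```python
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn checksum on a digit string. Catches typos at entry time; says nothing about fraud."""
    digits = [int(d) for d in number if d.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class StoredCard:
    """A card kept on file for future billing.

    The primary account number is held in a private attribute and is never returned by
    repr(), str(), masked() or the CSR view. Only charge() uses it, and only to pass it
    to the gateway callable.
    """
    __slots__ = ("_pan", "last4", "ref")

    def __init__(self, number: str):
        pan = re.sub(r"\D", "", number)
        if not luhn_valid(pan):
            raise ValueError("card number failed Luhn check")
        self._pan = pan
        self.last4 = pan[-4:]
        # Random, unguessable reference a clerk can quote back to a customer.
        # (Hashing the number would not do: the number space is small enough to brute-force.)
        self.ref = secrets.token_hex(8)

    def masked(self) -> str:
        return "*" * (len(self._pan) - 4) + self.last4

    def __repr__(self) -> str:
        return f"StoredCard(ref={self.ref}, last4={self.last4})"

    __str__ = __repr__

    def charge(self, amount_cents: int, gateway) -> str:
        # The single path that sees the number; the gateway's receipt must not echo it.
        return gateway(self._pan, amount_cents)


def csr_view(customer: dict) -> dict:
    """What a customer service terminal is permitted to render for a customer."""
    card = customer["card"]
    return {"name": customer["name"], "card": card.masked(), "card_ref": card.ref}


def fake_gateway(pan: str, amount_cents: int) -> str:
    """Constructed stand-in for a payment processor; returns a receipt with last four digits only."""
    return f"approved {amount_cents} cents on card ending {pan[-4:]}"


def demo() -> dict:
    # Constructed sample: 4111 1111 1111 1111 is a widely used Luhn-valid test pattern.
    customer = {"name": "A. Customer", "card": StoredCard("4111 1111 1111 1111")}
    view = csr_view(customer)
    receipt = customer["card"].charge(1999, fake_gateway)
    return {"view": view, "receipt": receipt, "rendered": str(customer["card"])}


if __name__ == "__main__":
    print(demo())
```

The check a reviewer would apply to such code is simple: search everything the clerk-facing layer can return (the view, the receipt, `str()` of the record) for the full number, and make sure it is absent.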
Simple Steps
Many of the most ingenious computer hacks in The Art of Deception are surprisingly simple: Time after time, the narrator simply convinces an innocent office worker to run a remote control program such as Netbus or Back Orifice on their office PC. Once the program is installed, the hacker can reach behind the company's firewall and probe for confidential Microsoft Word files, examine e-mail or an appointment calendar, or whatever. This attack is particularly effective when it's carried out against some high-level executive's secretary.
A likely attack? Definitely. But experience has shown that judiciously used technology can prevent clerical staff from running the vast majority of malicious software. Most hackers are incapable of writing their own so-called Trojans; instead, they use malicious software that's already in circulation.
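The point of the preceding two paragraphs is that the attack depends on a user being talked into running a program, and that the program is almost always one already known. Two controls follow from that, and the Python below is an added example (not from the article) of both applied to a directory of executables: a blocklist of known-bad hashes catches circulating Trojans, and an allowlist of approved hashes refuses everything else, including a new tool the caller has just e-mailed over. The file contents and hash sets are constructed for the example; a real deployment would feed the allowlist from a vetted software inventory.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: str, allowlist: set, blocklist: set) -> str:
    """Decide whether a workstation policy would let this file execute.

    Returns 'block-known' for a hash on the blocklist, 'allow' for a hash on the
    allowlist, and 'block-unknown' for anything else (the allowlist default-deny).
    """
    digest = sha256_of(path)
    if digest in blocklist:
        return "block-known"
    if digest in allowlist:
        return "allow"
    return "block-unknown"


def audit_directory(directory: str, allowlist: set, blocklist: set) -> dict:
    """Classify every regular file in a directory; returns {filename: decision}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            results[name] = classify(full, allowlist, blocklist)
    return results


def demo() -> dict:
    # Constructed sample files standing in for an approved word processor, a known
    # remote-control Trojan, and a freshly built tool nobody has seen before.
    with tempfile.TemporaryDirectory() as d:
        files = {
            "wordproc.exe": b"approved office application bytes",
            "remote_admin.exe": b"widely circulated remote control tool bytes",
            "helper_from_caller.exe": b"brand new program a caller asked the user to run",
        }
        for name, content in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        allowlist = {sha256_of(os.path.join(d, "wordproc.exe"))}
        blocklist = {sha256_of(os.path.join(d, "remote_admin.exe"))}
        return audit_directory(d, allowlist, blocklist)


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:14} {name}")
```

The blocklist alone would have let `helper_from_caller.exe` run; the allowlist is what makes the clerical workstation safe against software nobody has catalogued yet, which is why the two are layered rather than chosen between.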