In Depth

Anti-Social Engineering

By Simson Garfinkel

October 07, 2002 — CSO — Kevin Mitnick is the most famous computer hacker of our time. His capture in February 1995 by computer scientist Tsutomu Shimomura was the subject of three hugely popular books. Since his release from prison on Jan. 21, 2000, Mitnick has taken on the role of "reformed hacker extraordinaire"a man who seeks to undo the damage he has done by teaching corporate America how to defend against social engineering attacks (while making a pretty penny in the process).

This month Mitnick releases his first book, The Art of Deception. It is filled with stories of how an enterprising social engineer can outsmart office workers, circumvent security technology, and generally make a mockery of our attempts to protect computers and networks. Mitnick's message is simple: Humans are the weakest link in any security system. Companies need to spend more time training their employees on how to resist such attacks.

That's all trueand not surprising to hear from an allegedly reformed con man turned security consultant. (By almost all accounts, it was Mitnick's ability to trick people, rather than his skill at computing, which made it possible for him to penetrate so many organizations.) However, Mitnick's systematic downplay of technology and its value in defending sensitive information is yet another act of deceptionone that could be far more damaging than any of his other exploits to date.

Awareness Isn't Everything

To be sure, many organizations need to improve the security of their "human factor." Social engineers use internal phone numbers, knowledge of procedures and even industry lingo to gain the trust of their intended victims.

One Mitnick anecdote: The intrepid social engineer calls up the network operations center of a cell phone company during a snowstorm. After befriending the operators, he asks them: "I left my SecureID card on my desk. Will you fetch it for me?" he asks. Of course, the network operators are too busy to do that, so they do the next best thing: They read off the ever-changing code on their own token, allowing the hacker to break in and steal the company's source code. In this example, the caller is able to "prove" his identity by telling the network operators his office number, the department where he worked and the name of his supervisorall information that the attacker had gleaned from previous phone calls to the company. Mitnick's message is that organizations need to treat phone lists, org charts, technical procedure manuals and other information as highly confidential in order to protect themselves from social engineering attacks.