Renowned hacker and former FBI fugitive Kevin Mitnick brought his hands-on, demonstration-filled presentation on hacking to a packed lunch-hour crowd at the RBC Convention Centre Winnipeg on May 16, 2017, as part of the Western Canada Information Security Conference.
Mitnick’s presence was timely, coming just days after a massive cyber-attack was unleashed against computer systems around the world. The 53-year-old’s presentation, entitled How Hackers Attack and How to Fight Back, took a deep look into how exploiting human behaviour (“social engineering”) plays into security breaches.
Once on the FBI’s most wanted list after hacking into major corporations, Mitnick is now a trusted security consultant for Fortune 500 companies and governments around the world. He’s now paid to hack, whether with technical strategies or by talking his way into access to systems. Mitnick and the Global Ghost Team have a perfect record — they’ve been able to crack the security of any system they’ve attempted to access.
Mitnick was introduced by the City of Winnipeg’s Chief Innovation Officer, Michael Legary.
“In 1979 he was breaking into systems with the true passion of a hacker and has gone on to not just shape the industry, but shape the culture of what cybersecurity and hacking is,” Legary said. “He has truly continued to become a thought leader.”
Using “social engineering” to influence your behaviour
Mitnick focused on tales from his own storied life as a prankster and hacker, and showed off some of the tradecraft he and his company use in their tests to point out human weaknesses when it comes to cybersecurity.
He also used several high-profile cases to show that social engineering hacks are widely effective. One prime example included the email breaches of John Podesta, Hillary Clinton’s presidential campaign manager, and John Brennan, the former CIA director, who both fell prey to fairly straightforward phishing attempts. Then there was the 2016 experiment in London in which 70 per cent of people offered chocolate Easter eggs handed over their email usernames and passwords.
In this sense, social engineering is defined as a form of hacking that relies on influence, deception and manipulation to convince a target to comply with a request in order to compromise their computer network.
“Hackers are always going to look for the weakest link in your security chain and in my experience as a black hat and as a (penetration) tester, it’s always been with the people,” Mitnick said. “Why do hackers use social engineering? It’s actually easier than doing a technical exploit. Doing a technical exploit always leaves logs. Forensically, we can go back and kind of figure out what happened. When you’re targeting a person, there’s no opportunity for forensics.”
In addition to being low-risk for the attacker, Mitnick said social engineering hacks are almost 100 per cent effective.
“More importantly, you can’t go to Windows Update and download a patch for stupidity,” Mitnick said.
Hacking a McDonald’s drive-thru
One of Mitnick’s favourite social engineering hacks goes all the way back to his tapping into the radio frequency of a McDonald’s drive-thru radio in 1979.
“Since I could see the people driving up, I could do different types of pranks,” Mitnick said.
Then, during his black hat days in 1993, Mitnick was able, during one 15-minute phone call with Motorola, to get transferred up through the company and have source code for one of the company’s cellphones sent to him via FTP — all with the blessing of one of the company’s security managers. It’s not surprising Mitnick has some insight into manipulating human behaviour when it comes to accessing data.
“It only took 15 minutes and good gift of gab to basically use social engineering tradecraft to get the source code,” Mitnick said.
Ways hackers can breach your company
Plenty of publicly accessible data is out there to allow hackers to plan for social engineering-based attacks by tracing organizational or corporate structure and finding out how to contact personnel in every way possible.
“We’ll go after sales and marketing, because once we can get our foot in the door and compromise a sales guy’s laptop, and once that person plugs into the network then we can use technical exploitation to target other workstations,” Mitnick said.
While many potential victims have wised up when it comes to plugging a randomly found USB stick into a computer, new methods, both technical and through social engineering, can help those weaponized gadgets find their way into a port. From tagging “Payroll Data/Confidential” onto a USB stick or involving the device in a more elaborate ruse of becoming a “client” at a business, Mitnick said a little social engineering can go a long way. Add in a little tech twist that exploits the firmware of the USB drive (even formatting it won’t de-weaponize the device) and bingo, you’re in.
“It just takes one person to plug it in and it’s game over,” Mitnick said.
Mitnick also demonstrated reader-copiers for security/entry cards that allow hackers physical access to workspaces and devices that allow direct memory access to a computer to facilitate access to login credentials.
“Innovative attackers find new ways to exploit you,” Mitnick said.
Even banking or credit card email phishing scams have had makeovers.
“Man in the middle” cyberattacks: Know the risk
“It’s not like clicking on a link, opening up an attachment – it’s simply, ‘You have a problem, please call us,’” Mitnick said. “Which is likely going to fool a lot of people.”
Called “man in the middle” attacks, hackers provide the target with a phone number they have set up, but then proceed to actually call the legitimate bank, collecting the data the bank client says or enters while on the line. And it comes down to simple behavioural tendencies.
“Most people will not Google a phone number before dialling it,” Mitnick said. When it comes to defending against social engineering, Mitnick said we need to work on our “human firewalls”.
“You have to think about what your users could already be leaking to potential attackers,” Mitnick said.
A key strategy involves testing your own users, Mitnick said, employing the types of exploits bad guys use. “Once they’re victimized in a legitimate way, it becomes a very teachable moment,” he said. “People don’t like being fooled.”
Mitnick also cautioned that potential targets have to become more comfortable with the word “no.”
“People do not like turning down other people over the phone,” Mitnick said. “It’s perceived as impolite.”
Mansel Belyea, Director of Sales and Marketing with Epic, a Bell MTS company, was on hand at the conference’s trade show and took in Mitnick’s lunch-hour keynote.
“Bringing in someone of Mitnick’s calibre to address the Manitoba business community is a win for everyone,” Belyea said. “That was the biggest part of my day, and taking some of what he told us back to our clients. He’s wearing the white hat now, which is good for everybody.
“You need to learn from people who have been there. Conferences like this allow us to better educate our clients and prepare for what’s coming.”
Currently in its 15th year, the WCICS brought together information security professionals and IT audit and control specialists from across western Canada to expand their information security knowledge and skills, and to foster the free exchange of information, techniques and best practices. Epic was a bronze sponsor of the event.
Up Next: North America’s leading cybersecurity pros converge at The Technology Expo in Winnipeg—”Cyberattacks & keeping your business safe: Hot topics at The Technology Expo“