Scary Stories

It gets harder every year to avoid the swarm of zombie movies that crawl in increasing numbers onto my basic cable subscription during the Halloween season. I have to fight the urge to take just a peek, even though scenes of the flesh-eating antics of the living dead leave me sleepless for weeks. It's sick, I suppose, but also human. It's like that compulsion we all feel to go slow past a traffic accident, even though we know it'll haunt us if we glimpse any loose body parts. (Or is that just me?)

But I still managed to get the peewadden scared out of me this week. There are no flesh eaters in Kevin Mitnick's stories, but they're guaranteed to keep you up at night. 

The world's most famous hacker was in San Francisco for the SupportSoft UserForum to give a presentation during what event organizers called the ''Spy vs. Spy'' sessions. This title was a bit of a misnomer; Mitnick is no spy. He was nabbed by the FBI in 1995 for criminal hacking after a long and much publicized chase. He pled guilty to charges of wire and computer fraud, and then spent five years in the pokey. Today, Mitnick Security Consulting, LLC, helps the good guys by providing Mitnick's ''ethical hacking'' expertise to U.S. and foreign government agencies, state and local law enforcement, and global 2000 corporations. He has also co-authored two books, and he appeared in a first-season episode of Alias.

This remarkable rise from the dead notwithstanding, Mitnick himself isn't scary. He's cheerful and quick and appears to be having a hell of a good time.

''If you received a telephone call and it showed your company's telephone number or a number that you knew to belong to one of your IT people, would you believe it?'' he asked his audience gleefully. ''Would you accept that as some sort of authentication that this person was who they said they were?''

Most of us would, the many nodding heads in the audience seemed to indicate, though his question clearly made us suspicious.

Mitnick confirmed our suspicions when he pulled a volunteer onstage and used a nifty program to fool the guy's cell phone into thinking it was getting a call from the White House. (Yup, the one where George W. parks his ten speed.) ''Imagine that an attacker could be anyone he wants to be on the telephone,'' he said. ''It gives him the credibility he needs to begin a social engineering attack.''

Social engineering, of course, is the technique Mitnick used extensively during his criminal hacking days. In fact, most of his attacks were reportedly more about tricking hapless users into giving up their passwords than actual technical exploits. To me, that's scarier. You can fix the technology (eventually), but human nature will be forever flawed.

Eric Schultze, the chief security architect at Shavlik Technologies (and sometime manager of the Microsoft Security Response Center), who joined Mitnick's presentation near the end, agreed. ''Technology can't really protect the users from themselves,'' he said.

The session was moderated by Dave Margulius, technology analyst and consultant at Enterprise Insight. To Margulius' question about which type of attack--technical or social--should be most feared today, both experts agreed that modern attackers tend to blend the two.

''Blended attacks are how it happens in the real world,'' Mitnick said. ''They find the zero-day exploit, and then use a social-engineering attack to find out where in that world wide network is the target they want.''

As an example, he told a fictitious-but-scary story about a telecommuting middle manager who receives a wireless access point for Christmas. Thinking it's from a customer or the company, he plugs it in, but the gift giver is actually a black hat who has modified the firmware in the device to give him access from the parking lot. Now, when the manager VPNs to the corporate network, the cracker gets in with him. The modified access point is the technology, but it took creative social engineering to get it into... the manager's... hooooommme....

(Did it just get colder in here?)

''I guarantee that if we took a small PDA or a laptop and just walked around San Francisco--even with no special software--you'd be amazed at the number of open wireless access points we'd find sitting behind the firewalls in local businesses,'' Mitnick said. ''With the tools that are available today--tools that anyone can download--a bad guy can get the keys to your network... in less than ten minutes.''

(Okay, I definitely felt a chill.)

Although the new species of professional criminal hacker is dangerous, Mitnick explained, these crooks tend to move on from systems that are well-guarded to look for easier prey. ''That's why you bought The Club for your car,'' Mitnick said. ''The criminals look for the low-hanging fruit.'' But the curious amateur, the ''pure hacker,'' will be drawn to the more secure systems, because of the challenge they present, he said. So the very act of securing your network, in a way, makes it... lesssss... secuuuurrre....

(insert teeth-rattling shudder)

And once the bad guy gains access to the corporate net, it's often very hard to get rid of him. Mitnick pointed out that, as a teenager, he lived on Digital Equipment's Easynet... for... tennnn... yearrrrssss!


George Romero, John Carpenter, Rob Zombie; eat your hearts out.