Scary Stories
It gets harder every year to avoid the swarm of zombie
movies that crawl in increasing numbers onto my basic cable subscription during
the Halloween season. I have to fight the urge to take just a peek,
even though scenes of the flesh-eating antics of the living dead leave
me sleepless for weeks. It's sick, I suppose, but also human. It's like that compulsion
we all feel to go slow past a traffic accident, even though we know it'll haunt
us if we glimpse any loose body parts. (Or is that just me?)
But I still managed to get the peewadden scared out of me this week. There
are no flesh eaters in Kevin Mitnick's stories, but they're guaranteed to keep
you up at night.
The world's most famous hacker was in San Francisco for
the SupportSoft UserForum to give a
presentation during what event organizers called the ''Spy vs. Spy'' sessions.
This title was a bit of a misnomer; Mitnick is no spy. He was nabbed by the FBI
in 1995 for criminal hacking after a long and much publicized chase. He pled
guilty to charges of wire and computer fraud, and then spent five years in the
pokey. Today, Mitnick Security Consulting, LLC,
helps the good guys by providing Mitnick's ''ethical hacking'' expertise to U.S.
and foreign government agencies, state and local law enforcement, and global
2000 corporations. He has also co-authored two books, and he appeared in a
first-season episode of Alias.
This remarkable rise from the dead notwithstanding, Mitnick himself isn't scary. He's
cheerful and quick and appears to be having a hell of a good time.
''If you received a telephone call and it showed your company's telephone
number or a number that you knew to belong to one of your IT people, would you
believe it?'' he asked his audience gleefully. ''Would you accept that as some
sort of authentication that this person was who they said they were?''
Most of us would, the many nodding heads in the audience seemed to indicate,
though his question clearly made us suspicious.
Mitnick confirmed our suspicions when he pulled a volunteer onstage and used
a nifty program to fool the guy's cell phone into thinking it was getting a call
from the White House. (Yup, the one where George W. parks his ten speed.)
''Imagine that an attacker could be anyone he wants to be on the telephone,'' he
said. ''It gives him the credibility he needs to begin a social engineering
attack.''
Social engineering, of course, is the
technique Mitnick used extensively during his criminal hacking days. In fact,
most of his attacks were reportedly more about tricking hapless
users into giving up their passwords than actual technical exploits. To me, that's
scarier. You can fix the technology (eventually), but human nature will be
forever flawed.
Eric Schultze, the chief security architect at Shavlik Technologies (and
sometime manager of the Microsoft Security Response Center), who joined
Mitnick's presentation near the end, agreed. ''Technology can't really protect
the users from themselves,'' he said.
The session was moderated by Dave Margulius, technology
analyst and consultant at Enterprise Insight.
To Margulius' question about which type of
attack--technical or social--should be most feared today, both experts agreed
that modern attackers tend to blend the two.
''Blended attacks are how it happens in the real world,'' Mitnick said. ''They
find the zero-day exploit, and then use a social-engineering attack to find out
where in that world wide network is the target they want.''
As an example, he told a fictitious-but-scary story about
a telecommuting middle manager who receives a wireless access point for
Christmas. Thinking it's from a customer or the company, he plugs it in, but the
gift giver is actually a black hat who has modified the firmware in the device
to give him access from the parking lot. Now, when the manager VPNs to the
corporate network, the cracker gets in with him. The modified access point is
the technology, but it took creative social engineering to get it into... the
manager's... hooooommme....
(Did it just get colder in here?)
''I guarantee that if we took a small PDA or a laptop and
just walked around San Francisco--even with no special software--you'd be amazed
at the number of open wireless access points we'd find sitting behind the
firewalls in local businesses,'' Mitnick said. ''With the tools that are available
today--tools that anyone can download--a bad guy can get the keys to your
network... in less than ten minutes.''
(Okay, I definitely felt a chill.)
Although the new species of professional criminal hacker
is dangerous, Mitnick explained, these crooks tend to move on from systems that
are well-guarded to look for easier prey. ''That's why you bought The Club for
your car,'' Mitnick said. ''The criminals look for the low-hanging fruit.'' But the
curious amateur, the ''pure hacker,'' will be drawn to the more secure systems,
because of the challenge they present, he said. So the very act of securing your
network, in a way, makes it… lesssss… secuuuurrre....
(insert teeth-rattling shudder)
And once the bad guy gains access to the corporate net,
it's often very hard to get rid of him. Mitnick pointed out that, as a teenager,
he lived on Digital Equipment's Easynet... for... tennnn...
yearrrrssss!
MWAAH-ha-ha-ha-ha!
George Romero, John Carpenter, Rob Zombie; eat your hearts out.