Everybody knows his name. He’s the most famous hacker in the world. He hacked for three years, got caught, and went to jail for five years. Now he attacks companies for money to find holes in their security systems. We all know what he does.
Yet very few attendees of Reaktor Dev Day expected Kevin Mitnick to climb up on stage and casually demonstrate how to drop Trojans through various methods, take total control of a fully patched Windows 7 laptop just to show how it’s done, or fool antivirus programs as if they played no role at all in protecting a computer.
Mitnick begins his speech by sharing his favourite hack experience.
- I was 16 years old and decided to take over McDonald’s drive-in windows using a radio. It was awesome.
When Mitnick still hacked only for fun, he used to target operating systems and mobile companies. While the technology and the subtlety of hacks have changed significantly, the weakest link in the system remains the same: the human factor. Social engineering is a particularly effective type of attack that relies on information obtained from a trusted computer user.
- It is easier to attack the human than to attack the system. Effective security includes people, processes and technology, Mitnick explains.
Social engineering is a serious threat because only one person has to make the crucial mistake. It is not a new form of attack, yet the general worker mindset hasn’t changed.
Mitnick guides the audience through the different ways and phases of hacking. He introduces techniques of traditional attacks and social engineering: “dumpster diving”, information reconnaissance and USB tricks all get demonstrated on stage.
- You guys are developers, right? I love you! You guys create the bugs I exploit, Mitnick laughs.
Astonishingly, Mitnick has never failed to hack a client’s security system. Social engineering is still 99.5 % effective – is it even possible for anybody to be a hundred percent secure?
- No. The only thing you can do is spend enough money to make attacking your system hard enough that the hackers go to somebody else, Mitnick states.
How do we protect ourselves from it, then?
Build a human firewall. Train the employees, attack your own database to find the flaws, and teach the employees that it is okay to say no. After that, all you can do is hope for the best.
Seen at Reaktor Dev Day 2013