Watching the world’s most famous hacker, Kevin Mitnick, do what he does best live in front of an audience at the Red Sky Security Conference was both exciting and depressing. It also reminded me of the importance of many of the basics of cybersecurity. I learned a good deal about how modern hackers gain access to systems and data, and will consequently start doing a few things differently as a result. I am hopeful this blog will help you do the same.
Who is Kevin Mitnick?
Kevin Mitnick was (at one point) on FBI’s most wanted list for his hacking activities, and was eventually caught and convicted in 1995. His famous story was told in the movie Track Down, where he was played by Skeet Ulrich (The movie is not great, but it does teach you a lot about social engineering. Make sure you also watch Sneakers, which is a much better movie.) Mitnick now runs his own consulting company that specializes in “white hat” hacking (i.e. hacking for the “good guys”) and claims to have a 100 percent success rate.
How does he do it?
Every single hack Mitnick discussed or performed on stage was based in some part about social engineering, which is by definition: psychological manipulation of people to get them to perform actions that will divulge confidential information. If you find yourself thinking, “I would never fall for such things,” don’t be so sure. Here are a few stories from the talk, but remember when reading the stories that since he is a white hat hacker, they are all done at the behest of the company being hacked.
Breaking into the data center of a bank
A bank with armed guards hired Mitnick to break into their data center. First, he convinced a property manager that he was interested in renting a space in the building, after which she gave him a guided tour around the building. Since he knew the building uses HID cards for security, he brought along a HID card sniffer hidden in his day planner to read and clone her card, which he later used to get into the building itself. He then hung out in the bathroom and used a long distance HID card sniffer hidden in a backpack to read HID cards of men using the restroom. He then cloned one of those cards and walked right into the data center.
The mundane becomes a weapon
To demonstrate how he “does what he does”, Mitnick had an audience member join him on stage and inspect an iPhone charging cable to see if it looked any different than any standard cable, which it did not. Mitnick then plugged the cable into a laptop and suddenly was able to control the laptop via the USB port and a remote control device Mitnick was carrying. We all know best practice is not to plug in strange USB devices, but I know I am always looking for an iPhone charging cable. Mitinick did not take questions, but I was curious to know if Apple’s default security protocol – which asks if a device should be trusted before allowing it to execute anything on a USB port – would be sufficient to stop this attack.
We are like Pavlov’s dogs
Mitnick looked at another client’s website to find someone who speaks at conferences, and then proceeded to invite this person to speak at his “conference,” which included $5000 plus travel. After the target took the bate, Mitnick told him they should have a web conference to discuss details. He sent him a fake web conference invite via his calendar, which the client clicked. As is often the case with such meetings, the conference system requested to download the latest version which the target of course did. Done and done. Mitnick now had control over the target’s computer.
Web meeting tools are constantly downloading and installing software on your computer, training us to simply install that software without once thinking it could be malicious. Mitnick leveraged this behavior to download a fake meeting client that when executed gave him control of the computer. He then executed the real meeting client so that the target would not suspect happened.
Lessons learned
Here are a few things I will either do forever or never do again as a result of watching this talk:
- I will never plug an unknown device of any kind into the USB port of my computer.
- I will continue to subscribe to an identity management service. I have been a subscriber for a while now, and I’m always impressed how quickly I get notified when I do something like open a new checking account.
- I will pay more attention when I download web meeting clients.
- I think that HID cards alone, without requiring additional input, are a worthless security measure.
- We need more training in social engineering beyond the basics that we do in most companies. It appears to be the primary tool used by modern hackers. Stay tuned for a future blog post.
Watch out for hackers like Mitnick and protect your system and data from ransomware. Be diligent – very diligent. Good luck out there.