I had an opportunity to attend a very large IT health care show up in Chicago a while back, and I was surprised to discover that Kevin Mitnick, the somewhat infamous computer hacker, was scheduled to give a speech.
Now, even though I don’t move in computer security circles that much, I know about Kevin Mitnick. I know about him because I read Tsutomu Shimomura’s book Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw - By the Man Who Did It. If you’ve never read the book, I can recommend it. In a nutshell, Mitnick was a hacker who had evaded capture until he ticked off Shimomura, who is a computer security pro. After he did that, Shimomura went after him with a vengeance and eventually helped the authorities catch him and send him to jail.
Now here in America, we all enjoy a good comeback story and that’s basically what Kevin’s been living. He has reinvented himself as a computer security consultant and by all accounts appears to be making a very nice living for himself.
Since getting out of prison, Kevin’s been quite busy. He’s an author and has written two books: The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers.
Kevin is actually a pretty good speaker. The focus of his speech was to remind CIOs that no matter how much they have invested in firewalls, RSA tokens, and passwords that change every 90 days, it’s social engineering that they need to fear the most: none of those controls stop an attacker who simply talks an employee into handing over access.
Kevin’s speech basically consisted of stories in which he told how he had broken into various computer systems using a variety of low-tech methods. These included making phone calls and asking for cell phone source code (thanks, Motorola!) or simply dumpster diving to collect scraps of paper with usernames and passwords written on them.
Kevin pointed out that one of the most valuable items he had ever gotten his hands on was the corporate directory for GTE. Once he had this, he had everyone’s phone number and knew who reported to whom. With that information, he could place convincing calls, posing as a colleague or a manager, to pry loose more and more information.
Kevin’s stories, and his continuing success on the right side of the law this time, should serve as a reminder to all of us that at the end of the day, the people who work in your IT department, not your technology, are the weakest link in your security. If you fix this issue, you’ll be much closer to having a secure organization.
Have you ever had a problem with someone trying to gain access to your department or network by using social engineering? What do you do to prevent “dumpster diving” from being successful at your place of work? Would you ever hire a convicted hacker to help you improve your cyber security? Leave me a comment and let me know what you are thinking.