Being aware key to fighting cyber attack, says ex-hacker

Kevin Mitnick says humans softer target than technology.

by Bernd Debusmann Jr.


Published: Fri 5 Jun 2015, 12:50 AM

Last updated: Wed 8 Jul 2015, 3:09 PM

Dubai — Companies and individuals are vulnerable to cybercriminals using “social engineering” techniques to hack into their computer and mobile systems, according to one of the world’s most infamous former cybercriminals turned security consultant.

Kevin Mitnick, 51, now travels the world lecturing on cyber security threats and how to protect yourself against them. But as a young man, Mitnick was one of America’s most wanted cybercriminals, with a long record of breaking into the systems of more than 40 well-known international corporations, including IBM, Nokia and Motorola. 

After years as a fugitive, Mitnick was eventually arrested by the FBI in 1995 and imprisoned for five years on charges of computer and wire fraud, as well as charges related to the illegal interception of private communications and causing damage to computers.

Speaking to Khaleej Times at a Dell-sponsored event in Dubai on Wednesday, Mitnick explained that the easiest way for hackers to gain entry into systems is through the manipulation of human beings, rather than through technical know-how.

“Cultures are different. It’s much easier to target someone in Japan than in Russia. Different cultures have different etiquettes for trust,” he said. “An attacker who does his research targeting a particular company, understands its structure, keeps an eye on who works for them and who they do business with, can easily plan his attack and execute it. If you target one or two people at a time, it’s very effective.”

As an example, Mitnick said that hackers recently gained access to the White House by going through the unsecured e-mail of a State Department employee.

“Social engineering has a 100 per cent success rate,” he noted. “It requires lots of training, and lots of trying to attack your own people within the company. Once people become more security-aware, they are less likely to be conned.”

To prove his point, Mitnick conducted a “live-hack” demonstration in which — within the span of minutes — he seized control of an individual’s computer and intercepted log-in details of a hypothetical Emirates NBD account by sending a false but realistic-looking pop-up message requesting a software update, which was then clicked on and downloaded.

Mitnick, who claims his company has a 100 per cent success rate while penetrating major corporations to test their security over the last 14 years, said criminal hackers likely have similar success rates.

“They’re probably getting 100 per cent as well,” he said. “It’s not because we are unique and special. It’s because it’s so effective and easy to attack. It’s easy to find one or two people in an organisation that are going to be fooled.”

Mitnick noted that the best security would come from technology that presupposes that humans will fall victim to trickery one way or another.

“The best solution is to develop technology that assumes that the user will be fooled, so even if they are fooled, the trick wouldn’t work,” he said. “But that technology hasn’t been developed yet.”

“There are a lot of people who are worried about it, they just have no control... For now, it’s a game of being aware.”

bernd@khaleejtimes.com

