So you think your data is safe? It probably isn't, as keynote speaker Kevin Mitnick, “the world’s most famous hacker” and bestselling author, demonstrated at the 2019 NAPA 401(k) Summit.
Mitnick, once on the FBI’s Most Wanted list, is now a trusted security consultant to Fortune 500 companies and governments. He started hacking into systems in his teens “for the adrenaline rush,” he explained. That urge gradually grew to more complex pranks and challenges, eventually leading to hacking more than 40 major corporations just for the challenge.
One of the biggest warnings Mitnick offered is to beware of the human element of information security – via “social engineering.” This form of hacking relies on “influence, deception and manipulation” to convince another person to comply with a request in order to compromise their computer network, he explains.
Among these types of attacks are pretext phone calls and phishing schemes used to gain access to information. What’s more, he notes, when hackers use social engineering schemes there are no audit trails, and the schemes are generally 100% effective. “There are no Windows updates for stupidity,” Mitnick remarked.
Mitnick provided several examples of how he was able to obtain vital data, passwords and other critical information from the directors of HR, Security and IT departments simply by posing as a new or remote employee. He built rapport with those executives, who willingly turned over information without knowing they were being scammed.
Other attacks begin with reconnaissance: scraping the Internet and social media networks for details about an organization and its staff that are then used to launch broad-scale attacks on its computer systems. Mitnick showed that user names, contact information and even passwords exposed in earlier breaches can be obtained for specific individuals on the “dark web.”
Beware Malware via Hardware
Newer attacks use hardware, such as modified cables and USB sticks, to inject malware into a system and hand control to the attacker. In a live demonstration, Mitnick used such an attack to take control of a computer and switch on its microphone and webcam for surveillance.
And it doesn’t stop with computer systems. Mitnick also showed how easy it is to clone the access cards used to enter buildings. To demonstrate, he borrowed an attendee’s building access card and, using a scanner from about three feet away, read and duplicated the card’s credential in about 30 seconds. The clone, he noted, grants full access to wherever the original card would.
Mitnick also demonstrated that two-factor authentication does not help in certain circumstances, showing the audience how he can circumvent such systems to gain access. He did note that a hardware security key such as a YubiKey can help prevent hackers from gaining access; used as a FIDO authenticator, such a key binds each login to the genuine site’s address, so a code or response captured through a look-alike page is useless to the attacker.
The Long Con
Another form of hacking to be mindful of, Mitnick warned, is the “long con.” This is a multi-step attack in which the attacker builds a relationship with the target over several exchanges and strikes only after earning their trust.
As an example, he cited a situation in which the hacker approaches an unsuspecting person about a bogus speaking engagement. After exchanging several emails about the engagement, the hacker sends what appears to be an email link to logistics details; opening it actually installs a Trojan.
Testing that Mitnick has performed with various organizations indicated that about 30% of the workforce will fall for these types of attacks, he says. The share who fall victim drops after cybersecurity training, he notes, but some individuals still fall for the attack.
A Call to Action
After demonstrating these vulnerabilities, Mitnick issued a call to action, urging attendees to go back to their firms and implement an effective security plan. Among other things, he recommended building a “human firewall”: staff trained not to hand over sensitive information unwittingly. He also recommends keeping processes simple, with easy-to-understand security protocols aimed at the common mistakes that most often lead to a security incident.
“The bottom line is you want to take the decision-making away from your users,” Mitnick says. “You need to think about the processes, the people and the technology, because the bad actors are going to look for the weakest link in your security chain. And in my experience, it has always been the people who are the weakest links,” he concluded.