[plug] Mitnick comments on social engineering success

Christian christian at global.net.au
Tue Mar 7 09:04:26 WST 2000


Greg Raftery wrote:
> 
> Thought that this was particularly relevant to the recent discussion about
> sources of cracking attempts.

Not really... although somewhat related to the brief, earlier discussion
of social engineering attacks.

> Just weeks after his release from federal prison, an animated Kevin Mitnick
> advised senators against focusing too much on technical protections at the
> expense of simpler safeguards - such as making sure a company receptionist
> does not disclose passwords to sensitive systems.

Should the company receptionist have passwords to "sensitive" systems? 
Security policy is important.

> Mitnick, 36, wearing a slightly ill-fitting navy suit and rocking gently in
> a witness chair, warned lawmakers about his favored technique of "social
> engineering", or deceiving others into believing he could be trusted. He
> told of duped victims at major corporations volunteering their passwords and
> even sending him secret software blueprints.
> "I was so successful in that line of attack that I rarely had to resort to a
> technical attack," Mitnick said. "Companies can spend millions of dollars
> toward technological protections and that's wasted if somebody can basically
> call someone on the telephone and either convince them to do something on
> the computer that lowers the computer's defenses or reveals the information
> they were seeking."

I'd certainly believe this...  in fact, it would be an interesting
thought experiment if, say, everyone on this list who's involved in a
company with a reasonable IT infrastructure were to ask themselves
whether or not a stranger ringing up on the phone (or even email) would
be able to in any way weaken or compromise the security of their
systems.  Chances are it wouldn't be hard to convince a lot of people to
install something like a BO trojan that they received by email on their
Windows machines.  Of course, in the specific case that initiated this
discussion (i.e. Jeremy's Unix machines) it is unlikely that this sort
of attack would succeed.

Also, the success rate for social engineering attacks isn't really
related to the other thread of discussion, namely the proportion of
attacks that come from insiders.

Regards,

Christian.
