[plug] Mitnick comments on social engineering success

Tamara Thompson THOMPSON at gate.sunquest.com
Tue Mar 7 11:56:39 WST 2000


You know what's really interesting? 

This whole yak thread has divulged a lot about the people who discussed it--if one were to study and 'bin' people.
My experience is that people are pretty simple, pretty modular, and therefore, just as easy or hard to crack as a security program.

The thing that has always bothered me about the Mitnick stories, since 93 or 94 or whenever it hit the papers, is that the media always try to portray Mitnick as some dysfunctional screwed up person.  ('rocked in his chair..')  They've done that sort of barb for a long time now, but they rarely mention leading CEOs' bizarre habits.  So I thought perhaps Americans were experiencing a little media 'paint job' on the guy.

Sorry, just adding random noise to the already *lengthy* and slightly non-technical _digression_ of this topic.  <grin>

Don't you guys have systems to admin or newbies to help?  <smiling sweetly>

goodnight, 
Tamara

<<< Christian <christian at global.net.au>  3/ 6  6:04p >>>
Greg Raftery wrote:
> 
> Thought that this was particularly relevant to the recent discussion about
> sources of cracking attempts.

Not really... although somewhat related to the brief, earlier discussion
of social engineering attacks.

> Just weeks after his release from federal prison, an animated Kevin Mitnick
> advised senators against focusing too much on technical protections at the
> expense of simpler safeguards - such as making sure a company receptionist
> does not disclose passwords to sensitive systems.

Should the company receptionist have passwords to "sensitive" systems? 
Security policy is important.

> Mitnick, 36, wearing a slightly ill-fitting navy suit and rocking gently in
> a witness chair, warned lawmakers about his favored technique of "social
> engineering", or deceiving others into believing he could be trusted. He
> told of duped victims at major corporations volunteering their passwords and
> even sending him secret software blueprints.
> "I was so successful in that line of attack that I rarely had to resort to a
> technical attack," Mitnick said. "Companies can spend millions of dollars
> toward technological protections and that's wasted if somebody can basically
> call someone on the telephone and either convince them to do something on
> the computer that lowers the computer's defenses or reveals the information
> they were seeking."

I'd certainly believe this...  in fact, it would be an interesting
thought experiment if, say, everyone on this list who's involved in a
company with a reasonable IT infrastructure were to ask themselves
whether or not a stranger ringing up on the phone (or even email) would
be able to in any way weaken or compromise the security of their
systems.  Chances are it wouldn't be hard to convince a lot of people to
install something like a BO trojan that they received by email on their
Windows machines.  Of course, in the specific case that initiated this
discussion (i.e. Jeremy's Unix machines) it is unlikely that this sort
of attack would succeed.

Also, the success rate for social engineering attacks isn't really
related to the other thread of discussion, namely the proportion of
attacks that come from insiders.

Regards,

Christian.
