<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Privacy Council &#187; hacker</title>
	<atom:link href="http://privacycouncil.org/tag/hacker/feed/" rel="self" type="application/rss+xml" />
	<link>http://privacycouncil.org</link>
	<description>Together we can end SPAM, Junk Mail and Unsolicited Phone Calls</description>
	<lastBuildDate>Thu, 06 Aug 2009 15:24:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>The tried-and-true identity theft technique: Talking you into giving up your information</title>
		<link>http://privacycouncil.org/the-tried-and-true-identity-theft-technique-talking-you-into-giving-up-your-information/</link>
		<comments>http://privacycouncil.org/the-tried-and-true-identity-theft-technique-talking-you-into-giving-up-your-information/#comments</comments>
		<pubDate>Sat, 01 Nov 2008 19:16:15 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[deception]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[influence]]></category>
		<category><![CDATA[manipulation]]></category>
		<category><![CDATA[mitnick]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[spoofing]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=93</guid>
		<description><![CDATA[This week, I had the good fortune to see a presentation by Kevin Mitnick, the former hacker who now makes a living as a security consultant. I went into the talk expecting a 90-minute lesson on the latest tools and toys that hackers might use to steal my identity. Instead, Mitnick&#8217;s very engaging lecture was [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right; margin: 7px; border: black 1px solid;" src="http://privacycouncil.org/wp-content/uploads/2008/07/keyboard.jpg" alt="" width="290" height="168" />This week, I had the good fortune to see a presentation by <a href="http://www.mitnicksecurity.com">Kevin Mitnick</a>, the former hacker who now makes a living as a security consultant. I went into the talk expecting a 90-minute lesson on the latest tools and toys that hackers might use to steal my identity. Instead, Mitnick&#8217;s very engaging lecture was about a low-tech trick that hackers have used since hacking began, and that they continue to use today: social engineering. Simply put, good hackers can get the information they need simply by asking for it, bypassing technology entirely and focusing on the weakness of the human being.</p>
<p>Mitnick described how easily a hacker might call a company, ask for some seemingly harmless information, and use it to get more sensitive information out of the company&#8217;s computers. He spoke about how smooth-talking tactics from someone who claims to be part of the company are sometimes all that&#8217;s needed to get to the important data, and that the criminals play on the fact that we as humans have an inherent desire to help others, even when we don&#8217;t know them personally. Mitnick painted a picture of a hacker (he used to be one of the best) who could simply use the staff directory information posted on a company&#8217;s website to call the right people, say the right things, and hang up with the keys to the kingdom. He made it sound both simple and widespread. The presentation left me and my fellow listeners a little stunned, and more than a little paranoid.</p>
<p>The main issue at the heart of social engineering tactics, Mitnick said, is that we as humans are trusting, helpful people. We don&#8217;t really believe someone could steal our identities until it actually happens to us. We don&#8217;t think to question it when &#8220;Bob from Accounting&#8221; calls for some simple information, even if we&#8217;ve never met Bob personally. And the helpfulness and trust don&#8217;t stop at work; Mitnick mentioned how <a href="http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/">nine out of ten people in London were willing to tell a stranger their password in exchange for a cheap pen</a>, and how others will happily disclose their pet&#8217;s name or the school they attended, forgetting that those questions are the same ones used to verify accounts online (Privacy Council posted <a href="http://privacycouncil.org/forgot-your-password-a-hacker-might-reset-it-for-you/">an article about protecting those security questions</a> in September). Psychological manipulation, he noted, is easier than breaking into a computer system.</p>
<p><a href="http://privacycouncil.org/dont-take-the-bait-of-phishing/">Phishing</a> is one form of social engineering attack, since it tries to trick the victim into clicking a link in an email and giving away sensitive information. Phishing works because it often attempts to use fear and urgency as motivators, sometimes by saying &#8220;your account will be closed if you don&#8217;t click immediately.&#8221; More recent phishing attacks contain a phone number for victims to call to &#8220;verify&#8221; their information, but instead of calling the bank or other organization, the victim is calling the hacker. This combination of deception and manipulation can lead to disaster for those who trust it.</p>
<p>Mitnick did touch on some newer technology threats in his talk; for example, USB drives left lying around can contain malware that lets a hacker see and manipulate the computer desktop of whoever plugs the drive in. He also rehashed old-school hacking techniques, such as Dumpster diving (it&#8217;s amazing in this day and age that many companies still don&#8217;t shred sensitive documents before putting them in the trash). He handed out business cards that double as lockpick sets, and he played with Caller ID spoofing technology that allows a caller to fabricate the number on a victim&#8217;s Caller ID. He told tales of past hacks, both his own and those of other notorious hackers, and he engaged and entertained the crowd for nearly two hours. But everything he said and did served to bring home an important lesson: To have an adequate security system, companies and individuals have to have not just technology, but also people and processes that are prepared to handle all kinds of high- and low-tech attacks.</p>
<p>So how can you protect yourself and your company against social engineering? Don&#8217;t share your information unless you REALLY know who&#8217;s asking for it, and train your staff to do the same. Test your staff by calling and pretending to be someone else who needs data, and see how they respond. Also, don&#8217;t ever write down passwords and put them on Post-It notes on your computer screen or under the keyboard. Shred everything that contains information about you or your company, from credit card offers to company directories. Adopt a &#8220;less is more&#8221; approach to information-sharing. Don&#8217;t use your mother&#8217;s maiden name, Social Security number, or birthdate as the security answers on any sensitive accounts (SS numbers, birthdates, addresses and even mother&#8217;s maiden names are part of the public record in many states and can be accessed for a fee). Play your cards close to your chest, and you have a chance of protecting what&#8217;s yours.</p>
<p>There&#8217;s no way to avoid EVERY attack, and a talented hacker might still use a combination of technology and manipulation to gain information. But you can still try to be ready for the worst; if anything, think like a hacker, and don&#8217;t share your information unless you&#8217;re sure!</p>
<p>For more information about Kevin Mitnick&#8217;s services and books, visit <a href="http://www.mitnicksecurity.com">Mitnick Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/the-tried-and-true-identity-theft-technique-talking-you-into-giving-up-your-information/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Forgot Your Password? A Hacker Might Reset It For You</title>
		<link>http://privacycouncil.org/forgot-your-password-a-hacker-might-reset-it-for-you/</link>
		<comments>http://privacycouncil.org/forgot-your-password-a-hacker-might-reset-it-for-you/#comments</comments>
		<pubDate>Sat, 06 Sep 2008 02:05:34 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[data mining]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[questions]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sensitive]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=56</guid>
		<description><![CDATA[This just in: hackers know the name of your dog.
You know those security questions that websites ask you when you forget your password? It turns out those aren&#8217;t very secure, at least from a hacker&#8217;s perspective. When you think about it, it makes sense: it&#8217;s easier to guess someone&#8217;s favorite color or dog&#8217;s name than [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2008/09/s_padlock-and-key.jpg" alt="keeping your data secure" width="221" height="153" />This just in: hackers know the name of your dog.</p>
<p>You know those security questions that websites ask you when you forget your password? It turns out those aren&#8217;t very secure, at least from a hacker&#8217;s perspective. When you think about it, it makes sense: it&#8217;s easier to guess someone&#8217;s favorite color or dog&#8217;s name than it is to guess a password that could be 8-20 characters, case-sensitive, and laden with symbols. And in this era of blogging and over-sharing, figuring out someone&#8217;s high school mascot could be as easy as reading their latest blog entry about their 10-year reunion. According to an article on <a href="http://redtape.msnbc.com/2008/08/almost-everyone.html">MSNBC</a> last week, personal trivia is getting less and less obscure, and it&#8217;s exactly that personal trivia that used to keep us safe from having our passwords reset and our accounts hacked.</p>
<p>MSNBC referenced a recent <a href="http://www.sciam.com/article.cfm?id=anatomy-of-a-social-hack">Scientific American</a> study to make the point of how unsafe our security measures are. The chief security strategist of People Security, Herbert Thompson, tried an experiment to see how easy this sort of hack really is, and he amazed even himself. With just a few quick actions (and with permission to try his experiment), he made his way into an acquaintance&#8217;s bank and email accounts. In the article, he describes the process he went through, step by step, and makes the point that it&#8217;s not really hacking, but rather is mining the Internet for the data that&#8217;s already out there to be had. &#8220;I share it here because it represents some of the common pitfalls and illustrates a pretty serious weakness that most of us have online,&#8221; he said.</p>
<p>Think your data isn&#8217;t out there for the taking? Think again. Entire databases of information such as people&#8217;s dogs&#8217; names can be bought for $15, according to MSNBC. A lot of this information actually comes from phishing emails that collect data under false pretenses (see our earlier articles on how to avoid the pitfalls of phishing). And while hacks of this nature haven&#8217;t become commonplace just yet, more and more attention from both criminals and researchers is turning that way. A rumor went around for a while that even Paris Hilton was a victim of this hacking method; the rumor claimed that her dog&#8217;s name (which was easily found because of her very public persona) was used as the means by which hackers accessed her cell phone in 2005 (this rumor was later debunked, but attention was drawn to the &#8220;forgot your password&#8221; hacking method). Even the government can work against us in these circumstances, as mothers&#8217; maiden names can be found in public records, and city statistics can indicate what the more common dog names in the area are.</p>
<p>Before any panicking ensues, remember that you can help keep your information secure. You can start by not using the security questions if you can help it; perhaps your bank offers other ways to reset your password, if you ask. If you must still use the same security measures, though, consider being sneaky on YOUR end. For example, just because your dog&#8217;s name is Max doesn&#8217;t mean you have to enter it as Max&#8230; You can enter it as Rub1&#215;50!. Of course, you&#8217;ll have to write down your fake security answers and keep them someplace safe (like a lockbox, NOT your wallet), but you&#8217;ll be able to rest assured that a hacker won&#8217;t simply guess the answers from what they&#8217;ve read about you on Facebook.</p>
<p>Sources for this article: <a href="http://redtape.msnbc.com/2008/08/almost-everyone.html">MSNBC</a>, <a href="http://www.sciam.com/article.cfm?id=anatomy-of-a-social-hack">Scientific American</a>, <a href="http://tech.yahoo.com/blogs/null/104079">Yahoo! News </a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/forgot-your-password-a-hacker-might-reset-it-for-you/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
