MANILA, Philippines – It was, at first, a strange sight to see a hacker who was once among the FBI’s most wanted deliver a keynote speech at a big cybersecurity event hosted by PLDT’s digital business solutions arm, ePLDT.
This hacker was arrested in 1995 by the FBI, slapped with multiple charges of wire fraud, possession of illegal access devices, the breach of electronic communications, and unauthorized access to federal equipment, among others.
He cloned phones to hide his location while he was on the lam for more than 2 years, and stole software from telecommunications and computer companies. If a criminal gang needed a computer guy, he’d have most likely been that guy, the guy in the chair typing code furiously, breaking into computer systems.
Of course, after his release, Kevin Mitnick, did a face-turn, and that is why, on a fine day in April, here Mitnick stood in front of stakeholders – ePLDT customers, partner organizations, journalists, many of whom are Mitnick fans – explaining hacking. Mitnick now uses his talents for good in a consulting capacity, and in his speaking engagements, a magician revealing his trade’s tricks.
So then it wasn’t strange after all: what better way to understand cybersecurity than from the perspective of those who necessitated the establishment of the cybersecurity industry in the first place?
‘No patch for stupidity’
“There is no patch for stupidity,” Mitnick asserts.
Mitnick’s core strategy is social engineering, which is basically the exploitation of human behavior and psychology to make an individual do things, most often to their detriment, and always in favor of the hacker. His techniques revolve around lulling people to become careless and the use of smoke and mirrors to trick people.
Given this, what you’ll learn from Mitnick is that actual technological implements may hardly be the best defense – arming users with knowledge, or putting them far away from a position where they may be exploited may prove to be even more important. “You can have the best technology, computers in the world, but if your users are fooled, then it’s game over,” Mitnick said.
One technique that is used now is the cloning of websites. Let’s say a person regularly goes to a site called “safewebsite.com” where they log in using credentials. A hacker can clone the website using a similar URL, say “safewebsite.co,” and then email the user to go to the link and get them to log in.
What the hacker wants is for the person to not notice the slight difference in URL, and log in. What the victim won’t know is that once they type in their credentials, the hacker will be able to log those, steal them, and use them for their own purposes.
“Social engineering is hard to detect, free and low-cost, and is easier than hacking a system, and is 99.5% effective,” the expert said.
Assume user negligence
The crucial thing here, for owners of big computer networks, is to “assume users can be negligent.” The enterprise now has to be protected not just from external attackers but also from your own users.
Mitnick reveals another trick: hackers target people in departments other than the IT department such as sales and marketing because “most likely, the IT guys know their stuff.” The usual attack trajectory for companies is this: first, the con (i.e. an email that hardly seems harmful) and second, the delivery of software that resides under the desktop that enables information reconnaissance (i.e. malware).
And while companies now have systems that stop malicious email, what some attackers do is buy a domain that may seem reputable so they can get by email filters.
Mitnick also demoed that even two-factor authentication systems can be beat with social engineering. Using cloned sites, a hacker can also steal what is called a “session cookie” which appears after the user inputs the second-factor authentication code that is usually sent to a user’s phone. The hacker tries to get a hold of that session cookie, which he can then paste onto his console, and then access the account.
A few other tricks: A hacker can name his WiFi hotspot after a popular public hotspot, say, “Starbucks.” If the user has connected before to a connection with the same name, likely, the phone will autoconnect again to that hotspot – only this time it’s a hotspot hosted by a hacker, looking to gain control over a device.
“Do not trust open wireless networks,” warns Mitnick.
Mitnick stressed the need for security awareness training for staff at all levels of an organization, and that regular security penetration testing and monitoring are parts of a truly successful cybersecurity model.
“Cyber security should no longer be viewed as ‘optional,’ especially in today’s constantly changing landscape. As cyber threats become more complex, we at the Enterprise Group assure our customers that we can provide them with equally evolving and sophisticated services that can keep them protected,” said the head of PLDT and Smart Enterprise Groups, Jovy Hernandez.
At the event, ePLDT introduced its portfolio of cybersecurity solutions and ecosystem and their Security Operations Center, their base of operations. The company explained that their solutions are built on three pillars: consultation (risk management and vulnerability assessment); cybersecurity management; and incident response. These three form the company’s approach to effectively battling threats in today’s landscape. – Rappler.com