Mitnick points out that the default setting isn't very secure because "it's a hundred bucks to become a developer."
"Just getting her a Mac and changing that setting" solved the problem of malicious downloads. He quickly noted that while that simple solution protected her against everyday phishing attacks, it wouldn't protect her from the NSA or other more skilled, determined hackers.
Thumbdrives and other attack vectors
Mitnick hacks as a kind of performance art in keynotes and talks at security conferences around the world. At CeBIT in Germany this year, for example, he performed several hacks including a demonstration showing how simply plugging in a thumb drive could give a hacker total control of your machine, including the ability to activate and monitor the camera and microphone or launch any program. In the hack, the USB thumbdrive tricks the laptop or PC into thinking it's a keyboard, rather than a storage device. That enables the hacker to inject keystrokes, which means he can do anything to your device that he could do by typing on your keyboard.
Mitnick demonstrates this hack because "people think USBs are safe now, because they turn off 'auto-run.'" He wants the public to know that thumbdrives are not safe.
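The keyboard-impersonation demo above has a defensive counterpart: the host can watch what a newly plugged-in USB device actually enumerates as. The following script is an added example, not code from the article or from Mitnick's demonstration. It parses Linux kernel log lines in the format `dmesg` prints when a USB device attaches (the three devices and their vendor/product IDs are constructed for the example) and raises an alert when a device that registers as mass storage also registers a HID keyboard interface, or when any keyboard not on an allowlist appears. The `known_keyboards` allowlist is a hypothetical parameter for this script.

```python
import re
from dataclasses import dataclass, field

# Constructed dmesg-style lines: a plain flash drive (1-1.2), a "flash drive"
# that also registers a HID keyboard (1-1.3), and a normal keyboard (1-1.4).
# Vendor/product IDs and product names are made up for this example.
SAMPLE_LOG = """\
[  101.100000] usb 1-1.2: new high-speed USB device number 4 using xhci_hcd
[  101.200000] usb 1-1.2: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
[  101.200100] usb 1-1.2: Product: Example Flash Drive
[  101.300000] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[  250.100000] usb 1-1.3: new full-speed USB device number 5 using xhci_hcd
[  250.200000] usb 1-1.3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  250.200100] usb 1-1.3: Product: USB Flash Drive
[  250.300000] usb-storage 1-1.3:1.0: USB Mass Storage device detected
[  250.400000] input: USB Flash Drive Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.3/1-1.3:1.1/0003:ABCD:1234.0005/input/input20
[  250.400100] hid-generic 0003:ABCD:1234.0005: input,hidraw1: USB HID v1.11 Keyboard [USB Flash Drive Keyboard] on usb-0000:00:14.0-1.3/input1
[  300.100000] usb 1-1.4: New USB device found, idVendor=5555, idProduct=6666, bcdDevice= 1.00
[  300.100100] usb 1-1.4: Product: Example Office Keyboard
[  300.200000] input: Example Office Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.4/1-1.4:1.0/0003:5555:6666.0006/input/input21
[  300.200100] hid-generic 0003:5555:6666.0006: input,hidraw2: USB HID v1.11 Keyboard [Example Office Keyboard] on usb-0000:00:14.0-1.4/input0
"""

# "1-1.3" style bus/port paths identify one physical device across its lines.
NEW_DEV_RE = re.compile(
    r"usb (?P<path>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT_RE = re.compile(r"usb (?P<path>\d+-[\d.]+): Product: (?P<name>.+)$")
STORAGE_RE = re.compile(r"usb-storage (?P<path>\d+-[\d.]+):\d+\.\d+: USB Mass Storage")
# The "input:" line ties a HID id (0003:VVVV:PPPP.NNNN) to the device path;
# the "hid-generic" line then says what kind of HID device it is.
INPUT_RE = re.compile(
    r"input: .* as /devices/.*/(?P<path>\d+-[\d.]+):\d+\.\d+/"
    r"(?P<hid>[0-9A-F]{4}:[0-9A-F]{4}:[0-9A-F]{4}\.[0-9A-F]{4})/input/")
HID_RE = re.compile(
    r"hid-generic (?P<hid>[0-9A-F]{4}:[0-9A-F]{4}:[0-9A-F]{4}\.[0-9A-F]{4}): "
    r".*USB HID v[\d.]+ (?P<kind>Keyboard|Mouse|Device)")


@dataclass
class UsbDevice:
    path: str
    vid: str = "????"
    pid: str = "????"
    product: str = ""
    interfaces: set = field(default_factory=set)


def parse_usb_log(text):
    """Group enumeration log lines into one UsbDevice per bus/port path."""
    devices = {}
    hid_to_path = {}

    def dev(path):
        return devices.setdefault(path, UsbDevice(path))

    for line in text.splitlines():
        if m := NEW_DEV_RE.search(line):
            d = dev(m["path"])
            d.vid, d.pid = m["vid"], m["pid"]
        elif m := PRODUCT_RE.search(line):
            dev(m["path"]).product = m["name"].strip()
        elif m := STORAGE_RE.search(line):
            dev(m["path"]).interfaces.add("storage")
        elif m := INPUT_RE.search(line):
            hid_to_path[m["hid"]] = m["path"]
        elif m := HID_RE.search(line):
            path = hid_to_path.get(m["hid"])
            if path:
                dev(path).interfaces.add(m["kind"].lower())
    return devices


def find_suspicious(devices, known_keyboards=frozenset()):
    """Alert on storage+keyboard composites and on keyboards not on the allowlist."""
    alerts = []
    for d in sorted(devices.values(), key=lambda d: d.path):
        if "keyboard" not in d.interfaces:
            continue
        ident = f"{d.vid}:{d.pid} '{d.product}' on {d.path}"
        if "storage" in d.interfaces:
            alerts.append(f"HIGH composite storage+keyboard device {ident}")
        elif (d.vid, d.pid) not in known_keyboards:
            alerts.append(f"INFO unrecognised keyboard enumerated {ident}")
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_usb_log(SAMPLE_LOG), {("5555", "6666")}):
        print(alert)
```

A device built to impersonate a keyboard need not present a storage interface at all, which is why the script also reports every keyboard it does not recognise; the composite rule catches only the "looks like a flash drive" variant from the demo. In practice the allowlist belongs in a dedicated tool (USBGuard implements this kind of device authorisation on Linux), but the parsing shows what the host can see at the moment the device attaches.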
The lay public also believes that PDFs are safe. So Mitnick demonstrates with visual tools how a hacker can use a PDF file to take control of a target machine.
Another hack he demonstrates involves a malicious hacker who can go to a coffee shop where there's a public Wi-Fi router, and instruct the router to boot all the users off the network. When they reconnect, the hacker can then offer a fake Wi-Fi network with the same name. Once users connect, a malicious payload can be delivered.
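The coffee-shop scenario leaves two observable traces on the air: a burst of deauthentication frames that knocks clients off, followed by a second access point advertising the same network name. The script below is an added example, not from the article or from Mitnick's demonstration, of how a wireless monitor could flag both. It works on a list of already-decoded frame records (the record layout and the MAC addresses, timestamps and network name are constructed for this example) and assumes a `trusted` set of (SSID, BSSID) pairs that the site operator maintains.

```python
from collections import defaultdict

LEGIT_AP = "aa:bb:cc:00:00:01"   # constructed BSSID of the shop's real router
ROGUE_AP = "de:ad:be:ef:00:01"   # constructed BSSID of the look-alike network
SSID = "CoffeeShop_WiFi"

# Constructed frame records as a monitoring sensor might export them after
# decoding 802.11 management frames. "rsn" records whether the beacon
# advertises WPA2 security; the look-alike network is open.
SAMPLE_FRAMES = (
    [{"t": 0.0, "type": "beacon", "bssid": LEGIT_AP, "ssid": SSID, "rsn": True, "channel": 6},
     {"t": 5.0, "type": "deauth", "bssid": LEGIT_AP}]          # one normal disconnect
    + [{"t": 10.0 + i * 0.03, "type": "deauth", "bssid": LEGIT_AP}   # 30 frames in <1 s
       for i in range(30)]
    + [{"t": 11.0, "type": "beacon", "bssid": ROGUE_AP, "ssid": SSID, "rsn": False, "channel": 6}]
)


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Report each BSSID that sourced >= threshold deauth frames within `window` seconds."""
    by_bssid = defaultdict(list)
    for f in frames:
        if f["type"] == "deauth":
            by_bssid[f["bssid"]].append(f["t"])
    alerts = []
    for bssid, times in by_bssid.items():
        times.sort()
        start, best, best_t = 0, 0, None
        # Sliding window: advance `start` until the window fits, track the densest one.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_t = count, times[start]
        if best >= threshold:
            alerts.append({"bssid": bssid, "window_start": best_t, "count": best})
    return alerts


def detect_evil_twins(frames, trusted):
    """Report beacons that use a known SSID from a BSSID not in the trusted set.

    Severity is HIGH when the unknown BSSID also changes the security setting
    (e.g. the real network is WPA2 but the twin is open), MEDIUM otherwise.
    """
    trusted_rsn = {}   # ssid -> rsn flag seen from a trusted AP
    seen = {}          # (ssid, bssid) -> rsn flag
    for f in frames:
        if f["type"] != "beacon":
            continue
        key = (f["ssid"], f["bssid"])
        seen[key] = f["rsn"]
        if key in trusted:
            trusted_rsn[f["ssid"]] = f["rsn"]
    alerts = []
    for (ssid, bssid), rsn in sorted(seen.items()):
        if (ssid, bssid) in trusted:
            continue
        mismatch = ssid in trusted_rsn and trusted_rsn[ssid] != rsn
        alerts.append({"ssid": ssid, "bssid": bssid, "rsn": rsn,
                       "severity": "HIGH" if mismatch else "MEDIUM"})
    return alerts


if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE_FRAMES))
    print(detect_evil_twins(SAMPLE_FRAMES, trusted={(SSID, LEGIT_AP)}))
```

Deauth frames carry no cryptographic proof of origin on networks without management-frame protection, so a burst attributed to the legitimate BSSID is exactly what the sensor sees whether or not the router sent it; the rate, not the source address, is the signal. The second detector is only as good as the trusted list, which is why it is keyed on BSSID rather than on the name the user sees.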
Just knowing this information might change your behavior. I know it's changing mine.
The bottom line is that you really, really don't want to plug in a thumb drive or download a PDF file to your laptop, even if you feel comfortable about the source. (Social engineering exists to make you feel comfortable.) And you should avoid public Wi-Fi hotspots.
While people in the security community focus on the code side of hacking, Mitnick emphasizes the social engineering side, because that's how hackers gain access.
In other words, security and privacy are not a set-it-and-forget-it process. Above all, it's important to learn not only from security experts, who know the tools, but also from hackers, who know how to socially engineer their way into your phone or laptop.
Be smart. Be paranoid. And good luck.
Sign up for CIO Asia eNewsletters.