Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Social engineering disabling targets: Mitnick

Byron Connolly | May 6, 2015
Organisations also have dormant accounts that have not been disabled, says former black hat hacker, Kevin Mitnick

Many cybercriminals are using social engineering to get a foot in the door and gain access to corporate and government systems, says the world's most famous hacker, Kevin Mitnick.

Mitnick -- a former black hat hacker who was wanted by the FBI in the United States after hacking into 40 corporations just for a 'challenge' -- will speak about social engineering on Wednesday night at CeBIT in Sydney.

Mitnick describes social engineering as using manipulation, deception and influence to get a target to comply with a request to access a network.

Today, as chief white hacker at Mitnick Security, he is hired by organisations to hack into their networks to identify and remedy security holes.

"A lot of attacks these days are because of insecure Web applications that have vulnerabilities that we can exploit in social engineering," he told CIO Australia.

"The foot in the door is through social engineering and then when you are on the corporate or government network, you can use technical exploits to gain access to targeted systems.

"That's how the White House was hacked. Attackers got into the state department using social engineering through a phishing email. Once they hacked into the state department, they were able to worm their way into the White House network because they must have had an extranet."

Meanwhile, Mitnick told CIO that organisations he works with as a white hacker often have a lot of dormant accounts that have not been disabled.

"I also see password patterns. Once as a security tester, I was able to compromise the company and crack or obtain their domain passwords in an Active Directory environment.

"We could determine the patterns that people used so no matter where they have credentials or accounts, we could determine the next credential.

"For example, when Sony was recently hacked, Michael Lynton [CEO of Sony], his domain user account was 'Sonyml3' so I assumed the next password change would have been 'Sonyml4," Mitnick said.

Mitnick said that in his experience, everything has been hackable.

"You can raise the bar extremely high and make it extremely difficult but at the end of the day, everything I have seen out there has been broken. It just depends on timing and resources," he said.

 

 

Sign up for CIO Asia eNewsletters.