What's your number, Kevin Mitnick?

Filed under: Security

Doing this, he said, would allow employees to verify a caller was who they said they were by calling them back at the provided number. In the case of someone looking to snaffle company details over the phone, it would scare them off immediately. If the caller was legitimate, they would be happy to comply with the request.

"If people would just call people back," Mitnick told attendees at a forum hosted by vendor Citrix this morning in Sydney, "it would eliminate 80 percent of the threat".

Mitnick described how the Motorola employee who delivered him secret company source code back in his hacking days gave him a nervous moment when the call was almost lost as she put him on hold to check some details with her security manager. Ultimately, however, that attempt succeeded.

While most people naturally wanted to help others who contacted them, he said, employees needed to be taught to deny requests that could compromise security.

The reformed hacker -- currently a security consultant -- pointed out those attempting to breach company security relied upon the intelligence-gathering they did in the lead-up to an attack. One fantastic target for such information, he said, was the company's IT helpdesk.

"They're there to help," he enthused, pointing out fraudsters calling a help desk number would be able to find out what verification tokens -- such as date of birth or employee ID number -- help desk staff used to verify a caller's identity. They could then go away, do some research and come back armed and ready to breach a user's account.

While Mitnick's social engineering tips are ultimately timeless and technology-neutral, the ex-hacker is obviously keeping up with today's tech gadgets.

He pointed out one of Apple's AirPort devices (a popular wireless hub) could instantly create a wireless access port into any company's headquarters if plugged into a company network port.

"You could just put a company logo on it, with a label saying 'IT Department, do not remove'," he said. "You could be browsing the network from the parking lot."

A USB Bluetooth device would fulfil the same function if plugged into the back of an employee's PC, he said.

By Renai LeMay
ZDNet Australia
