Language Selection

English French German Italian Portuguese Spanish

What's your number, Kevin Mitnick?

Filed under
Security

Doing this, he said, would allow employees to verify a caller was who they said they were by calling them back at the provided number. In the case of someone looking to snaffle company details over the phone, it would scare them off immediately. If the caller was legitimate, they would be happy to comply with the request.

"If people would just call people back," Mitnick told attendees at a forum hosted by vendor Citrix this morning in Sydney, "it would eliminate 80 percent of the threat".

Mitnick described how the Motorola employee who delivered him secret company source code back in his hacking days gave him a nervous moment when the call was almost lost as she put him on hold to check some details with her security manager. Ultimately, however, that attempt succeeded.

While most people naturally wanted to help others who contacted them, he said, employees needed to be taught to deny requests that could compromise security.

The reformed hacker -- currently a security consultant -- pointed out those attempting to breach company security relied upon the intelligence-gathering they did in the lead-up to an attack. One fantastic target for such information, he said, was the company's IT helpdesk.

"They're there to help," he enthused, pointing out fraudsters calling a help desk number would be able to find out what verification tokens -- such as date of birth or employee ID number -- help desk staff used to verify a caller's identity. They could then go away, do some research and come back armed and ready to breach a user's account.

While Mitnick's social engineering tips are ultimately timeless and technology-neutral, the ex-hacker is obviously keeping up with today's tech gadgets.

He pointed out one of Apple's AirPort devices (a popular wireless hub) could instantly create a wireless access port into any company's headquarters if plugged into a company network port.

"You could just put a company logo on it, with a label saying 'IT Department, do not remove'," he said. "You could be browsing the network from the parking lot."

A USB bluetooth device would fulfil the same function if plugged into the back of an employee's PC, he said.

By Renai LeMay
ZDNet Australia

More in Tux Machines

Digia spins off Qt as subsidiary

Digia has spun off a subsidiary called “The Qt Company” to unify Qt’s commercial and open source efforts, and debuted a low-cost plan for mobile developers. The Linux-oriented Qt cross-platform development framework has had a tumultuous career, having been passed around Scandinavia over the yearsfrom Trolltech to Nokia and then from Nokia to Digia. Yet, Qt keeps rolling along in both commercial and open source community versions, continually adding support for new platforms and technologies, and gaining extensive support from mobile developers. Read more

Qubes: The Open Source OS Built for Security

No matter how good the code review process is, or how high the standards for acceptance, applications will always have bugs, says Joanna Rutkowska, founder and CEO of Invisible Things Lab. So will drivers. And filesystems. “Nobody, not even Google Security Team, can find and patch all those bugs in all the desktop apps we all use,” Rutkowska says in the Q&A interview, below. Read more

KDE Developer Says Community Managers Are a Fraud and a Farce

KDE developer Aaron Seigo is a very outspoken person and he is known for his strong opinions. He recently proposed for public debate a very heated and interesting subject about the role of the community managers for the open source project. He thinks that the community managers' role, as they are working today on various projects, is actually a fraud and a farce. It's unclear what determined him to make this statement, but he knew right from the start that it was going to rile up the community and various community managers. Read more

RadeonSI Gallium3D vs. Catalyst At 4K UHD On Linux

The open-source driver stack tested was with the Linux 3.17 Git kernel while using the Oibaf PPA to upgrade to Mesa 10.4-devel for the latest RadeonSI and LLVM AMD GPU code. The closed-source driver was the fglrx 14.20.7 / OpenGL 4.4.12968 Catalyst release. When running the Catalyst binary blob we had to downgrade from Linux 3.17 to Linux 3.16 for kernel compatibility. All tests were done from the Intel Core i7 5960X system running Ubuntu 14.10. Read more