Language Selection

English French German Italian Portuguese Spanish

What's your number, Kevin Mitnick?

Filed under
Security

Doing this, he said, would allow employees to verify a caller was who they said they were by calling them back at the provided number. In the case of someone looking to snaffle company details over the phone, it would scare them off immediately. If the caller was legitimate, they would be happy to comply with the request.

"If people would just call people back," Mitnick told attendees at a forum hosted by vendor Citrix this morning in Sydney, "it would eliminate 80 percent of the threat".

Mitnick described how the Motorola employee who delivered him secret company source code back in his hacking days gave him a nervous moment when the call was almost lost as she put him on hold to check some details with her security manager. Ultimately, however, that attempt succeeded.

While most people naturally wanted to help others who contacted them, he said, employees needed to be taught to deny requests that could compromise security.

The reformed hacker -- currently a security consultant -- pointed out those attempting to breach company security relied upon the intelligence-gathering they did in the lead-up to an attack. One fantastic target for such information, he said, was the company's IT helpdesk.

"They're there to help," he enthused, pointing out fraudsters calling a help desk number would be able to find out what verification tokens -- such as date of birth or employee ID number -- help desk staff used to verify a caller's identity. They could then go away, do some research and come back armed and ready to breach a user's account.

While Mitnick's social engineering tips are ultimately timeless and technology-neutral, the ex-hacker is obviously keeping up with today's tech gadgets.

He pointed out one of Apple's AirPort devices (a popular wireless hub) could instantly create a wireless access port into any company's headquarters if plugged into a company network port.

"You could just put a company logo on it, with a label saying 'IT Department, do not remove'," he said. "You could be browsing the network from the parking lot."

A USB bluetooth device would fulfil the same function if plugged into the back of an employee's PC, he said.

By Renai LeMay
ZDNet Australia

More in Tux Machines

Ubuntu Kylin 15.10 Alpha 2 Is Out for Testing with Linux Kernel 4.1, More

The development team behind the Ubuntu Kylin computer operating system have announced earlier today the immediate availability for download and testing of the second Alpha build of the upcoming Ubuntu Kylin 15.10 (Wily Werewolf) distro. Read more

Linux-powered smart sniper rifle can be hacked

Two years ago, TrackingPoint burst on to the scene with a Linux-powered smart sniper rifle that took the guesswork out of killshots. Now, however, a pair of hackers have figured out how to make it miss every single time. Read more

5 heroes of the Linux world

Linux and open source is driven by passionate people who write best-of-breed software and then release the code to the public so anyone can use it, without any strings attached. (Well, there is one string attached and that’s licence.) Who are these people? These heroes of the Linux world, whose work affects all of us every day. Allow me to introduce you. Read more

Open source part of Bulgarian eGovernment tender requirements

The Bulgarian government has added open source as a requirement to its 'Preliminary criteria for the eligibility of eGovernment projects'. The document states that: all rights with regard to the interface design and the source code of the project must be transferred from the contractor to the contracting party; the source code developed for the project must be made publicly available in an online Revision Control System during development; for all projects, it should be explored whether the whole or part (i.e. libraries, packages, modules) of the software can be based on existing open source software; if it is financially justified, using open source is the preferred approach; to facilitate the use of the online Revision Control System and to guarantee the real-time availability of the latest version of the source code, the system should function as the central and original repository. Read more