engineering attacks you never hear about because they are not detected or because the person who was attacked doesn't want to admit it.
It is growing because security technologies are getting more resilient. There are better technologies to protect information assets and the attacker is going to go after the weaker link in the security chain. Social engineering is always going to be here. The more difficult it is to exploit the technology, the easier it becomes to go after people.
If you look at the folks who attack vulnerabilities in technology today and compare that to when you were first starting out, what trends do you see?
Mitnick: Back then, a lot of the holes in technology were not readily available and published like they are today on the Internet. Nowadays anybody with a browser could pretty much purchase commercial hacking tools like Canvas or go to a Web site where a lot of exploits are readily available. Ten years ago, if you were hacking you had to develop your own scripts. Today is like a point-and-click hacking world. You don't have to know how the engine is working, you just know to get in the car and drive. It is easier.
What would you say is the single biggest threat out there?
Mitnick: It is pretty much a blended threat. I think social engineering is really significant because there is no technology to prevent it. Companies normally don't raise awareness about this issue to each and every employee. It is at the end of the priority list in the security budget.
There will continue to be software vulnerabilities. In a lot of companies that I tested, if you are able to breach a perimeter machine, like an FTP server, mail server or DNS server, a lot of times you find those computers are not in the DMZ (De-Militarized Zone, a separate security area). Instead, they are on an internal network and the network is flat. So if you are able to compromise one, it is quite easy to spread access to other systems. Oftentimes they even use the same passwords. Bottom line: More companies have to think of a defense-in-depth strategy, rather than just protecting the perimeter.
Over the past years we have seen a couple of arrests of virus writers, bot herders and others. Everybody knows you were arrested as well. Is law enforcement advancing? Are they doing the right thing and catching the right people, or are a lot still going free?
Mitnick: I am sure there are a lot of people doing this they don't catch. Wireless networks are ubiquitous. It is very difficult for law enforcement if somebody goes and takes a laptop and changes their media access control address so you can't identify the machine. If you're out in a car or van or sitting in a restaurant next to a wireless access point and don't use the same access point all the time, it could be extremely difficult to track you.
So there is a big challenge for law enforcement. Do you think they are doing a good job, or could they do better?
Mitnick: I don't know. We need stats for that. We need metrics on how many criminals they are apprehending. It is a guess that they are getting better, because they are getting help from the private sector. They are probably better than they were 10 years ago, but I don't know their capabilities. I know their strengths are in forensics. So if they seize a computer of somebody thought to possess child pornography, they use Encase and can recover that contraband. That's what they are good at. In doing hacker investigations--I really don't know their capabilities.
So what about when it comes to virus writers, bot herders, phishers?
Mitnick: With virus writers, I don't believe the FBI is technically doing the analysis. They just farm it out to a Microsoft, Symantec or McAfee because it is easier. These companies are not going to turn down law enforcement because they are doing a public service.
Do you believe that more of these criminals should be caught?
Mitnick: They should try. But the bottom line is that there is so much hacking going on that they have to set a dollar limit. Unless there is a fraud or a loss that equals US$50,000--maybe US$100,000--they are not going to investigate. Small criminals, knowing this, can always stay under this threshold. That's at the federal level. Then there are states, which might have a different monetary threshold, but their competency is probably less than the feds.
Do you think if you were doing today what you did 10 years ago, would you be caught sooner?
Mitnick: If I knew what I know now and I could use what I know now back then, no. But if they had the technology that exists today, and I was doing the exact thing I was doing, yes. Law enforcement's capabilities for tracking communications are much greater than years ago.



















