Kevin Mitnick, who once was on the FBI’s Most Wanted list and is now a computer security consultant, took to the stage at the Cayman Alternative Investment Summit to show off some of the newest ways hackers are breaking into computer systems.
After serving time in prison for his exploits breaking into private and government computer systems, Mitnick now helps clients shore up their own systems to protect against ever more sophisticated cyber criminals. Now when he breaks into corporate networks it’s because those companies have paid him to find their vulnerabilities.
He had a sobering message for the executives in the room: His team has a 100 percent success rate breaking into computer systems when they can use social engineering, that is, working the human side of the systems, along with their technical skill.
“At the end of the day, you have humans who operate computers,” he said, and they can make firewalls and the best security software in the world meaningless.
Cyberattacks can come in many forms, Mitnick told the hundreds assembled for the summit, but the most successful attacks target people to get access to passwords, banking information and corporate secrets.
“Phishing” is the most popular form of attack, sending emails with attachments in hopes that people will open them on their work computers. A malicious PDF attachment can quietly install software on a computer to record key strokes and passwords, or give a hacker full control over a computer to access everything from the camera and microphone to network drives and proprietary information.
Mitnick gave several demonstrations to strike fear into the heart of the investment managers who collectively control billions of dollars through their computer systems. He showed how a simple attachment could be downloaded and install software while a user is not paying attention, giving a hacker on the other end what’s called root-level access to a computer, and then the ability to go through the computer network to find anything and everything.
A hacker could use a USB stick, frequently given away for free at conferences and meetings, to install that same type of malicious software on a computer – the same way the United States allegedly broke into Iranian computers to destroy centrifuges in that country’s nuclear program.
He said his favorite way to get someone to use a USB stick is to download a company logo and put it on a sticker that reads “Confidential salary data” and leave the USB drive somewhere.
“We can bypass any firewall,” Mitnick said. “All it takes is one person in your company to open that attachment.”
Another attack he showed off uses a wireless router to create a free wireless Internet access point. The equipment is small enough to fit in a backpack and can fool people into using the free network, all the while recording their keystrokes. He created a free network on stage at The Ritz-Carlton, Grand Cayman, calling it “Ritz free Wi-Fi.”
“I am ‘Ritz free Wi-Fi,’” he said, and could easily steal any information anyone sent out over that network.
No one in the room would admit to signing on to Mitnick’s network. To protect yourself on free Wi-Fi, Mitnick advises using a VPN and never trusting an open network.
Given the high-profile hacker attacks on companies like Target, Sony and JP Morgan, executives are starting to pay attention to the growing risks not just to a company’s data, but also to its bottom line as investors and boards start asking pointed questions about cybersecurity.
“Who had to go on CNN when Target got hacked?” asked KPMG IT advisory principal Micho Schumann in a recent interview. The CEO was the one called to task on the international news channel, that’s who.
The biggest change Mr. Schumann has seen in the past 18 months is that now he is talking to senior managers, not just the IT department, when he does a cybersecurity audit. “The awareness is there,” he said. “The trend I’m seeing is CEOs, CTOs, upper management are taking notice.”
He said there is a renewed interest in what’s called “penetration testing,” where KPMG’s hackers try to break into companies’ networks to find vulnerabilities and patch up holes in the security systems.
Schumann, who attended Mitnick’s session at the Alternative Investment Summit and several side events with the notorious hacker while Mitnick was in Cayman, agreed that social engineering is the biggest risk. The technique, Schumann said, is to “learn the company lingo” and “sweet talk” your way in. He said people like Mitnick then have the technical skills to use that access.
A basic example, Schumann said, is to call someone in a big company and say, “This is Bob from IT and I need you to fix your password.” In another example, pretend to be a student at a local university doing a survey and ask people at the company what operating system they’re using, what version of Adobe Acrobat, what kind of anti-virus software and similar questions to develop intelligence about a company’s computer systems.
The most interesting demonstration for Schumann was a new technique to clone an HID access card, a common door access card for many companies. Mitnick showed off a small homemade device that allows a nefarious user to walk by someone and steal the credentials off their access card.
“If I’m able to clone your card and walk the walk and talk the talk,” Schumann said, he could get into the building and hack the network from the inside.