The Art of Deception

Kevin Mitnick

Famous Social Engineer Hacker• Went to prison for hacking• Became ethical hacker

"People are generally helpful, especially to someone who is nice, knowledgeable or insistent."

Kevin Mitnick

Arrested and convicted on several counts of computer crime,

including hacking and theft of intellectual property

Kevin Mitnick

Arrested and convicted on several counts of computer crime,

including hacking and theft of intellectual property

Began at age 12 with faking punch cards for the bus system to

gain free rides and continued on to phone phreaking.

Kevin Mitnick

Arrested and convicted on several counts of computer crime,

including hacking and theft of intellectual property

Began at age 12 with faking punch cards for the bus system to

gain free rides and continued on to phone phreaking.

Used social engineering to steal passwords to company systems.

Kevin Mitnick

Arrested and convicted on several counts of computer crime,

including hacking and theft of intellectual property

Began at age 12 with faking punch cards for the bus system to

gain free rides and continued on to phone phreaking.

Used social engineering to steal passwords to company systems

He still believes this is far easier to do, even today, than hacking

into a system.

Kevin Mitnick

Arrested and convicted on several counts of computer crime,

including hacking and theft of intellectual property

Began at age 12 with faking punch cards for the bus system to

gain free rides and continued on to phone phreaking.

Used social engineering to steal passwords to company systems

He still believes this is far easier to do, even today, than hacking

into a system.

Since his release from prison, Kevin has started his own computer

security company and gives talks around the country about social

engineering and other security topics.

What is Social Engineering?

What is Social Engineering?

• Attacker uses human interaction to obtain or compromise information

What is Social Engineering?

• Attacker uses human interaction to obtain or compromise information

• Attacker my appear unassuming or respectableo Pretend to be a new employee, repair man, etc.o May even offer credentials

What is Social Engineering?

• Attacker uses human interaction to obtain or compromise information

• Attacker my appear unassuming or respectableo Pretend to be a new employee, repair man, etc.o May even offer credentials

• By asking questions, the attacker may piece enough information together to infiltrate a companies networko May attempt to get information from many sources

Kevin Mitnick - Art of Deception:

Kevin Mitnick - Art of Deception:

• "People inherently want to be helpful and therefore are easily duped"

Kevin Mitnick - Art of Deception:

• "People inherently want to be helpful and therefore are easily duped"

• "They assume a level of trust in order to avoid conflict"

Kevin Mitnick - Art of Deception:

• "People inherently want to be helpful and therefore are easily duped"

• "They assume a level of trust in order to avoid conflict"

• "It's all about gaining access to information that people think is innocuous when it isn't"

Kevin Mitnick - Art of Deception:

• "People inherently want to be helpful and therefore are easily duped"

• "They assume a level of trust in order to avoid conflict"

• "It's all about gaining access to information that people think is innocuous when it isn't"

• Here a nice voice on the phone, we want to be helpful

Kevin Mitnick - Art of Deception:

• "People inherently want to be helpful and therefore are easily duped"

• "They assume a level of trust in order to avoid conflict"

• "It's all about gaining access to information that people think is innocuous when it isn't"

• Here a nice voice on the phone, we want to be helpful

• Social engineering cannot be blocked by technology alone

Examples of Social Engineering

Examples of Social Engineering

• Kevin Mitnick talks his way into central Telco office

Examples of Social Engineering

• Kevin Mitnick talks his way into central Telco officeo Tells guard he will get a new badge

Examples of Social Engineering

• Kevin Mitnick talks his way into central Telco officeo Tells guard he will get a new badgeo Pretend to work there, give manager name from another

branch

Examples of Social Engineering

• Kevin Mitnick talks his way into central Telco officeo Tells guard he will get a new badgeo Pretend to work there, give manager name from another

brancho Fakes a phone conversation when caught

Examples of Social Engineering

• Kevin Mitnick talks his way into central Telco officeo Tells guard he will get a new badgeo Pretend to work there, give manager name from another

brancho Fakes a phone conversation when caught

• Free food at McDonalds

Examples of Social Engineering

• Kevin Mitnick talks his way into central Telco officeo Tells guard he will get a new badgeo Pretend to work there, give manager name from another

brancho Fakes a phone conversation when caught

• Free food at McDonalds

Live Example

Live Example

• Convinced friend that I would help fix their computer

Live Example

• Convinced friend that I would help fix their computer

• People inherently want to trust and will believe someone when they want to be helpful

Live Example

• Convinced friend that I would help fix their computer

• People inherently want to trust and will believe someone when they want to be helpful

• Fixed minor problems on the computer and secretly installed remote control software

Live Example

• Convinced friend that I would help fix their computer

• People inherently want to trust and will believe someone when they want to be helpful

• Fixed minor problems on the computer and secretly installed remote control software

• Now I have total access to their computer through ultravnc viewer

Weakest Link?

Weakest Link?

• No matter how strong your:o Firewallso Intrusion Detection Systemso Cryptographyo Anti-virus software

Weakest Link?

• No matter how strong your:o Firewallso Intrusion Detection Systemso Cryptographyo Anti-virus software

• You are the weakest link in computer security!o People are more vulnerable than computers

Weakest Link?

• No matter how strong your:o Firewallso Intrusion Detection Systemso Cryptographyo Anti-virus software

• You are the weakest link in computer security!o People are more vulnerable than computers

• "The weakest link in the security chain is the human element" -Kevin Mitnick

Conclusion

Social Engineering will always exist, and it is

extremely difficult to defend against, but the

success of such attacks can be decreased

substantially with proper policy and personnel

training

Policy from a Social Engineer

“The Art of Deception” – K. Mitnick

Policy from a Social Engineer

“The Art of Deception” – K. Mitnick

Kevin Mitnick outlines an excellent security policy at

the end of the book with detailed reasoning at every

level to defend against Social Engineering Attacks.

Policy from a Social Engineer

“The Art of Deception” – K. Mitnick

Kevin Mitnick outlines an excellent security policy at

the end of the book with detailed reasoning at every

level to defend against Social Engineering Attacks.

This book teaches you the tricks of deception so that

you can learn how to protect against them.

Policy from a Social Engineer

“The Art of Deception” – K. Mitnick

Kevin Mitnick outlines an excellent security policy at

the end of the book with detailed reasoning at every

level to defend against Social Engineering Attacks.

This book teaches you the tricks of deception so that

you can learn how to protect against them.

This is a must read for all security professionals.

Questions?