
Your biggest security vulnerability, according to the World’s Greatest Hacker

Kevin Mitnick was a hacker before hacking was even illegal. He was famous for having broken into the computer networks of some very large companies. By his own account he never made a dime from it; he just wanted to prove it could be done. He was eventually arrested, convicted and given a harsh five-year sentence, eight months of it in solitary confinement, because (as he tells it) law enforcement convinced the judge that Mitnick could “start a nuclear war by whistling into a pay phone” (source: Wikipedia).

Later, he was released from prison and started a security consulting business (Mitnick Security Consulting, LLC), and now gets paid by companies to break into their computer systems and tell them what they need to fix.

Since he’s no longer dangerous (many argue that he was never all that dangerous, in the “this guy wants to destroy the world” way the prosecution claimed), Mitnick has also become a popular conference speaker. He knows the single biggest security flaw in every single commercial or private computer system, including yours:

It’s the people.

Time and again, Mitnick bypassed technical attacks (exploiting software to force his way into a system) in favor of low-tech ones: calling people on the telephone and asking for information.

It’s called social engineering, and it amounts to tricking people into giving away information or access simply by talking to them, usually while pretending to be someone with a legitimate reason to ask.

Mitnick concentrates on corporate network security, teaching businesses how to keep their data safe. However, the same goes for your own personal online safety: you are the weak point. How public have you made the names of your pets, your birthdate, your children’s names and birthdates, or the school(s) you attended? (I’m looking at you, MySpace and Facebook users.) Those are exactly the details that password-reset “security questions” ask for, and they give a would-be identity thief enough background to sound convincing on the phone and talk you into revealing the rest.

Mitnick’s business card, a miniature lock-picking set, has become quite famous these last few years. Look at his website again, under the “Get Kevin’s Business Card” section. It says “Send your IP address and password to:” and his address. It’s obviously meant as a sly inside joke, but I wonder how many people actually mail this information to him.

Not even the FBI Director is above falling for a phishing scam

I spend a lot of time on this site repeating (explicitly or implicitly) these two ideas:

  1. You can take steps to vastly reduce your chances of becoming a victim of fraud or identity theft
  2. That said, nobody is ever 100% safe, and nobody is “too smart” to walk right into a scam

The following is an excerpt from a recent speech by FBI Director Robert S. Mueller, III:

Most of us assume we will not be targets of cyber crime. We are not as careful as we know we should be. Let me give you an example.

Not long ago, the head of one of our nation’s domestic agencies received an e-mail purporting to be from his bank. It looked perfectly legitimate, and asked him to verify some information. He started to follow the instructions, but then realized this might not be such a good idea.

It turned out that he was just a few clicks away from falling into a classic Internet “phishing” scam—“phishing” with a “P-H.” This is someone who spends a good deal of his professional life warning others about the perils of cyber crime. Yet he barely caught himself in time.

He definitely should have known better. I can say this with certainty, because it was me.

After changing all our passwords, I tried to pass the incident off to my wife as a “teachable moment.” To which she replied: “It is not my teachable moment. However, it is our money. No more Internet banking for you!”

If I didn’t dislike vapid clichés like “it really makes you think” so much, I’d probably say that right now. It would be funny (but not ha-ha funny) if someone like me fell for a phishing email, but the FBI Director?

I think the Soup Nazi-esque “no online banking for you!” response is extreme, although I can see how a high-profile figure like Mueller could have his reasons beyond just his own personal finances for going offline—namely, his very credibility.

For the rest of us, though, online banking and bill payment are still very safe, as long as you know the dangers. If you get an email that appears to be from a financial institution, don’t click any link in it, however legitimate it looks; the text of a link and the address it actually points to need not be the same. Go to the bank, credit union or credit card company’s website yourself, by typing the address or using a bookmark you saved earlier (a web search will usually get you there too, but search results and ads can be gamed, so the bookmark is the safer habit), and log in from there. And if the message is from an institution you don’t even have a relationship with, you’re pretty safe in assuming it’s phony.
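As an added example (this is not part of the original post, and not anything Mueller or his bank described), here is a small Python script that does by machine the inspection the advice above tells you to do by hand: it pulls every link out of an HTML e-mail body and reports where each one really goes, flagging links whose visible text names one site while the href points to another, and links to any host that is not on a short allowlist of institutions you actually use. The bank name, the hosts and the sample message are constructed for the example.

```python
"""Inspect the links in an HTML e-mail before anyone clicks them.

Added example, not from the original post. Uses only the standard library.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption (constructed for this example): the exact hosts of the institutions
# the reader actually does business with. Any other host is flagged.
TRUSTED_HOSTS = {"examplebank.com", "www.examplebank.com"}

# Visible link text that itself looks like a hostname or URL ("www.x.com/login").
_HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#:].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def href_host(href):
    """Host the link really goes to; None for mailto:, relative links, etc.
    urlsplit drops any user@ prefix, so "https://www.examplebank.com@evil.net/"
    correctly resolves to evil.net, not to the bank."""
    host = urlsplit(href.strip()).hostname
    return host.lower() if host else None


def text_host(text):
    """Host the visible text *claims*, if the text looks like a URL or domain."""
    m = _HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None


def assess_link(href, text, trusted=TRUSTED_HOSTS):
    """Classify one anchor as 'ok', 'mismatch', 'untrusted' or 'no-host'."""
    real = href_host(href)
    shown = text_host(text)
    if real is None:
        return "no-host"
    if shown is not None and shown != real:
        return "mismatch"    # text names one site, the link goes to another
    if real not in trusted:
        return "untrusted"   # catches lookalikes such as examplebank.com.evil.net
    return "ok"


def audit_email(html, trusted=TRUSTED_HOSTS):
    """Return one finding per link: (verdict, real host, visible text, href)."""
    return [(assess_link(h, t, trusted), href_host(h), t, h) for h, t in extract_links(html)]


# Constructed sample message (not a real phishing e-mail) exercising each case.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please <a href="http://examplebank.com.account-verify.net/login">verify your account</a>.</p>
<p>Or sign in at <a href="https://www.examplebank.com@198.51.100.7/">www.examplebank.com</a></p>
<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>
<p><a href="mailto:support@examplebank.com">E-mail support</a></p>
</body></html>"""

if __name__ == "__main__":
    for verdict, host, text, href in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {host!s:40} text={text!r} href={href}")
```

Run against the sample, the first link is flagged as untrusted (the bank’s name is only a subdomain of someone else’s domain), the second as a mismatch (the visible text says the bank, the address is a bare IP with the bank’s name stuffed into the user-info part of the URL), the third as ok, and the mailto: link as having no host at all. The point is not that an “ok” link is safe to click; it is that a message which “looked perfectly legitimate” can carry links whose real destination has nothing to do with your bank, which is why typing the address yourself remains the right habit.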

The full text of Mueller’s speech is an interesting read, if you have a few minutes, by the way.