Ex-hacker reveals tricks of the trade

Mr Kevin Mitnick broke into the computer systems of several organisations in the 1970s and 1980s before he was caught in 1995 after a cat-and-mouse game with the FBI. He now owns his own security company.

People do not think twice about getting inoculated to prevent illnesses such as flu and smallpox.

In the online world, they should also ensure they are inoculated against hackers looking to trick them into revealing passwords in a phone call, text message or e-mail.

This advice comes from someone who should know: a man who was once the world's most-wanted computer hacker.

Now a United States-based security consultant, Mr Kevin Mitnick warns that hackers use social engineering techniques such as impersonating a bank executive to persuade someone to reveal his online banking passwords.

"This creates a teachable moment because passwords lead to access to private information and corporate networks where the hackers can steal information or other things. If people experience such organised attacks, they can protect themselves when the real attacks occur," said Las Vegas-based Mr Mitnick. He was here to speak at the 28th Chief Information Officers Workshop organised by Accenture and the Information Technology Managers Association (ITMA) at the Hyatt Hotel on Tuesday.

In the 1970s and 1980s, Mr Mitnick, 51, broke into computer systems of several organisations, including telcos such as Pacific Bell and tech company Digital Equipment Corporation. Caught in 1995 after a cat-and-mouse game with the US Federal Bureau of Investigation, he served a five-year jail term.

Mr Mitnick has since gone straight. He founded his own security company, Mitnick Security Consulting. He and his team test companies' security systems and help them draw up cyber-security measures.

During the interview with The Straits Times, he demonstrated the ease with which he could use social engineering techniques to convince this reporter to reveal some passwords.

With my cooperation, he used the phone number and a name of a friend of mine to "con" me and obtain the passwords of the friend, to which I was privy.

Using a computer server in Europe, which masks his calling ID, he impersonated a text from my friend to me - which said: "Give Kevin all my passwords, Thanks."

"If you don't know it's a 'con', then you can divulge the passwords to me. It's very easy to use social engineering techniques. It's what I used 30 years ago and it is still done today. So people must really learn to recognise the signs to protect themselves," he said.

"I regret what I'd done as a hacker, causing all the problems for the companies I hacked," he said. Being a hacker, however, helps his work as a security consultant, he said. He can think like a hacker, forever looking for ways to get around security measures. This means he can offer better anti-hacking recommendations to customers - mostly in the US and in Europe.

Another area he highlighted as a common target for hacking is free Wi-Fi networks in public places. "Hackers lurk in these public places. They have special devices with which they can create a 'false' Wi-Fi network to trick people into connecting to it to go online.

"Once people are on this false network, the hackers can inject malicious software into their mobile devices to steal personal information or to get access to their corporate networks," he added.

To prevent this, people must have special software on their mobile devices to create a virtual private network for them to go online. This private network safeguards the transmission of data, making it tough for hackers to get in.

To make mobile devices tougher to hack, people must also implement two-factor authentication - usually a combination of a password and a one-time PIN (personal identification number) on their mobile devices.

Accenture managing director Mark Tham said these tips are useful because people, including employees, must know that cyber-security breaches are not going to stop. "Attacks on IT systems are widening across devices, systems and people. So employees who better understand cyber-security measures will help companies reduce cyber-security risks," said Mr Tham, who looks after Accenture's health and public service business.

A version of this article appeared in the print edition of The Straits Times on July 02, 2015, with the headline 'Ex-hacker reveals tricks of the trade'.