Dinner with Kevin Mitnick is at once fascinating and frightening. In the time that it took the chef to prepare dinner, Mitnick did a little vishing on a major bank's IVR system (with each number pressed on his cell phone appearing in real time on his laptop screen) after looking up -- through legal online subscription data resellers -- a dinner companion's Social Security number, driver's license number and mother's maiden name.
Mitnick, an early and infamous hacker who was convicted of computer crimes in 1999, has taken a turn as an information security consultant to government and industry. We were both in Columbus, Ohio, for a Government Technology event. Interestingly, he is beginning to work magic (or, more properly, illusions) into his speeches and presentations, which takes him back to a childhood curiosity about sleight of hand that became a pranksterish era of phreaking (phone freaking), all of which was a precursor to a short but headline-grabbing career as a computer hacker.
He has now gone legit, with a consulting firm and a 2002 book, The Art of Deception, which focuses on the promise, pitfalls and perils of social engineering.

Mitnick, whose metal business card can be broken out into a lock-picking kit, tells a great story, but the underlying message is rather basic: Do not use information that is readily available -- SSNs, driver's license numbers and mothers' maiden names -- for authentication, because it just invites mischief, or worse. (He differentiates between old-school hackers who were motivated by intellectual curiosity and a new underground economy of commercial, malicious hackers who are in it for the money -- yours.)
Granted, information security is the purview of Dan Lohrmann's Securing GovSpace blog but allow me an observation or two: As sophisticated as the attacks and defences have become on this front (and they have), it is telling that the successful exploits remain rather simple, taking advantage of human foibles and poor technical design.
Informative blog. thank you.