Mitnick on Misdirection: Hacking as Close-up Magic
Information security experts routinely warn those they work with about the dangers of social engineering. One way to approach social engineering is to realize that it's magic, and by that we mean stage-and-street magic, not ritual magic. Like the conjuror who performs at a kid's birthday party, the social engineer relies on your trust, your expectations, and your susceptibility to misdirection.
Kevin Mitnick, who now runs Mitnick Security Consulting and also serves as Chief Hacking Officer for the anti-social-engineering training shop KnowBe4, is well known for his days as a black hat. The FBI eventually caught him in a famous and controversial investigation into wire fraud and other computer-related offenses. He did his prison time in the late 1990s, and was released in January 2000, with his access to information technology restricted to a landline phone as a condition of his supervised release. (That supervised release period is more than a decade in the past.)
Mitnick's rehabilitation and subsequent career as a white hat hacker are now famous. At the 2017 Cyber Investing Summit, he described his own path into hacking. It began, he said, with an early interest in magic and conjuring, and was fostered by a high school friend who was into phone phreaking, one of the ancestral forms of hacking in which people made free long-distance calls by whistling the right tone into a phone.
He demonstrated several hacks that bore an interesting resemblance to street magic, including theft of physical access card credentials using a remote card reader, microphone and webcam hacks, and the compromise of a workstation through a plausible social engineering attack.
One of Mitnick's timelier demonstrations was the introduction of a Trojan into a patched, AV-equipped Windows 7 machine. Installation in memory makes it hard to detect an implant, he noted. "Any AV product can be bypassed."
He showed a live instance of WannaCry, using a Shodan search to identify potential targets. The exploit he used relied on a spoofed and quite persuasive GoToMeeting site.
To avoid infection, Mitnick recommended "inoculating" personnel against attack by attacking them in training sessions. He also strongly recommended implementing well-crafted egress rules in the enterprise.
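To make the egress recommendation concrete, here is an added illustration that is not from Mitnick's talk or from KnowBe4: a small offline evaluator that applies a permissive egress policy and a default-deny egress policy to the same constructed outbound-flow records. The point it shows is the one behind "well-crafted egress rules": if only a few named hosts (resolver, web proxy, mail relay) may leave the network, a workstation that has been compromised through a lure cannot simply open its own connection out, and the blocked attempt is itself something to alert on. All addresses, rule names and flow lines below are constructed for the example.

```python
"""Added illustration (not from the talk): evaluate outbound flows against a
permissive and a default-deny egress ruleset using first-match semantics.
Every address, rule and log line here is constructed for the example."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source CIDR, or "any"
    dst: str              # destination CIDR, or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"

    def matches(self, src, dst, proto, dport):
        def in_net(addr, cidr):
            return cidr == "any" or ip_address(addr) in ip_network(cidr)
        return (in_net(src, self.src) and in_net(dst, self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# Weak setting: any inside host may reach any outside host on any port.
PERMISSIVE_RULES = [Rule("allow-all-egress", "any", "any", "any", None, "allow")]

# Corrected setting: explicit allows for the few hosts that legitimately need
# to leave the network; everything else hits the final deny (and gets logged).
HARDENED_RULES = [
    Rule("dns-to-internal-resolver", "10.0.0.0/8", "10.0.0.53/32", "udp", 53, "allow"),
    Rule("web-via-proxy-only", "10.0.0.0/8", "10.0.0.80/32", "tcp", 3128, "allow"),
    Rule("proxy-to-internet-https", "10.0.0.80/32", "any", "tcp", 443, "allow"),
    Rule("proxy-to-internet-http", "10.0.0.80/32", "any", "tcp", 80, "allow"),
    Rule("mail-relay-smtp", "10.0.0.25/32", "any", "tcp", 25, "allow"),
    Rule("default-deny", "any", "any", "any", None, "deny"),
]

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins, as in most firewall rulesets; fail closed."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def audit(rules, flow_lines):
    """Return [(line, action, rule_name)] for each parsable flow record."""
    results = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # unparsable record: skip rather than guess
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        action, name = evaluate(rules, src, dst, proto, dport)
        results.append((line, action, name))
    return results


# Constructed outbound-flow records, in the shape a flow collector might export.
SAMPLE_FLOWS = [
    "src=10.1.4.22 dst=10.0.0.53 proto=udp dport=53",      # workstation DNS lookup
    "src=10.1.4.22 dst=10.0.0.80 proto=tcp dport=3128",    # workstation to web proxy
    "src=10.0.0.80 dst=203.0.113.5 proto=tcp dport=443",   # proxy fetching a site
    "src=10.1.4.22 dst=203.0.113.5 proto=tcp dport=443",   # workstation going direct
    "src=10.1.4.22 dst=203.0.113.9 proto=tcp dport=4444",  # workstation, odd high port
    "src=10.1.4.22 dst=198.51.100.7 proto=tcp dport=25",   # workstation sending mail itself
]


def denied_flows(rules, flow_lines=SAMPLE_FLOWS):
    """Flow lines the ruleset blocks; under the hardened policy these are the
    records worth alerting on, since legitimate traffic never hits the deny."""
    return [line for line, action, _ in audit(rules, flow_lines) if action == "deny"]


if __name__ == "__main__":
    for label, rules in (("permissive", PERMISSIVE_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {label} ==")
        for line, action, name in audit(rules, SAMPLE_FLOWS):
            print(f"{action:5} {name:26} {line}")
```

Under the permissive ruleset every flow is allowed, so a workstation talking directly to an outside host on 443 or 4444 looks no different from normal browsing. Under the hardened ruleset the same three workstation flows are stopped at `default-deny`, while the resolver, the proxy and the mail relay keep working; the design choice is that the proxy and relay are the only hosts that may initiate connections to the internet, so outbound policy (and logging) is concentrated in two places instead of on every endpoint.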
A cautionary observation in closing. Many concerned with security are confident they can see through social engineering, and sometimes they're (we're) right—they (we) don’t believe the person sending the email is really the widow of a Nigerian prince, or that "Microsoft help desk" has really called us to help fix our MacBook. But, as they say, don't get cocky, kid. Spend some time watching card mechanics do their stuff. You probably can't tell how the ace of hearts got there, no matter how closely you look. If the social engineer is as good as the performer at Junior's birthday party, well, they might reel you in, too.
Video of Mitnick's presentation may be found here.