Sales and marketing staff could be a back door to cyber criminals, according to one of the world’s most notorious computer hackers.
Hunted by the FBI until his high-profile arrest in 1995, Kevin Mitnick has worked as a security consultant, public speaker and author since 2000.
Speaking at IPEXPO in Manchester, he warned that people – not computers – are the weakest security link, and they can be manipulated into unknowingly allowing access to confidential information.
Mitnick, whose business card is a lock-picking set, recalled the case of Hillary Clinton’s campaign’s chairman, John Podesta, who had his personal Gmail account compromised last year through phishing.
The 53-year-old said: “It’s all about people and in my experience it’s always been the people who have been the weakest link. They can be manipulated or influenced into unknowingly helping hackers.
“You can’t go to the computer and download a patch for stupidity. You have to protect your information from your own users.
“For hackers, the wonderful thing about LinkedIn is that you can build a target base, or list, from it. The information is just there.
“You can target people who are from IT who could be working for or have links to an organisation.
“But we tend to target people in sales and marketing – people who are on the road with laptops, perhaps remotely accessing information. Then we target the business once they are back inside the company.”
“What we actually want to learn is the target’s circle of trust. The best way of doing that is by posing as a friend of the business. Essentially spoof that we’re inside the company.”
Currently, Mitnick consults for Fortune 500 companies and the FBI, and performs penetration testing services for the world’s largest organisations.
According to the Californian, companies have a misplaced reliance on security technology, which has become ineffective against hackers using a technique he calls ‘social engineering’.
Con artists leverage people's tendency to trust, which they see as a significant weakness because trust can be exploited.
He stressed that peer-to-peer sharing platforms popular for downloads during the dot-com boom, such as BearShare, could still be exposing devices and companies when left installed on employees' devices.
“It’s amazing how much information people unknowingly expose,” he said.
“A hacker can discover the programmes a worker is using, such as Windows Vista or Microsoft Office 2007, then send him an email attachment with a link to that version of Office.
“It would take an 11-year-old five tries to guess an email address once you know the name of an employee and the company they work for.”
Security expert Graham Cluley held a discussion on a similar theme at Unlocked – Manchester, an event organised by UKFast and Secarma, last month.
He warned the worldwide web is about to become a lot more dangerous thanks to the Internet of Things.
Increased connectivity poses a serious risk to a digital sector worth an estimated £118bn per year to the UK, as cars and even washing machines become smart devices.
He said: “The truth is you can’t trust anything these days. You can’t trust the internet. And the internet is on the brink of getting enormously bigger.
“In fact, it’s already getting bigger and it’s going to get way, way bigger still. It’s going to get bigger because of the Internet of Ghastly Things.”
He added: “What’s happening is everyone who’s got anything to sell you, they’re plugging the internet into it. They’re using [it] as a feature, as a reason why you [would buy that product].
“But unfortunately security and privacy is not a high priority, and these devices will be coming into organisations.”
Cluley has worked in the computer security industry since the early 1990s, writing the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows, before moving on to senior roles at Sophos and McAfee.