"They don't make a patch for stupid." Famous hacker Kevin Mitnick launched into his keynote at the Atlantic Design and Manufacturing show in New York City by explaining that gullibility is the biggest vulnerability in corporate and government cybersecurity. He then spent the next hour demonstrating how to gain access to networks by discovering employee log-in credentials.
In his talk, "How Hackers and Con Artists Manipulate You and What You Can Do about It," Mitnick revealed the tricks hackers use to crack into networks, defying even recent advances in security such as two-factor authentication, which often involves a combination of a password and a smartphone OK. "Just because you use two-facor authentication you're not safe, not if they can also hack the phone system."
Mitnick began cracking networks as a teenager in the 1970s. He broke into computer networks while using cloned cellular phones to hide his location. He copied proprietary software from some of the country's largest cellular telephone and computer companies by intercepting computer passwords. This led to a well-publicized bust in 1995 and a five-year prison sentence. After leaving prison, he became a security consultant, public speaker, and author.
Your Plant. Smarter. Get informed on factory retrofitting, converging OT & IT, mastering cyber-physical transformation, predictive maintenance, 3DP in the factory, designing for maximum ROI and more in Industry 4.0: The Building Blocks of a Well-Oiled Smart Plant at Design & Manufacturing, Sept. 21-22, 2016 in Minneapolis. Register here for the event, hosted by Design News’ parent company UBM.
While explaining there are a number of ways to crack a network, he insisted the easiest way is to follow an employee through the company's or government office's cyber-door. "So who's the problem? It's the user," said Mitnick. "Your employees make mistakes." He noted that the first way a hacker breaks into your system is through your company's website. "You can see the corporate structure and the names of employees. Then you go to LinkedIn and search for titles such as system engineer web authentication. Once you get the names and titles, you can begin to connect." He showed how easy it is to figure out email addresses when you have the company, a name, and a title. "Once you connect, then you exploit."
He said an easy way to crack company networks is by using thumb drives that are so plentiful and freely distributed at trade shows. "You can go to conferences. Go to the memory stick bowls and swap out the free ones with weaponized sticks," said Mitnick. "When they get home, they plug it in the USB and trust it. You can go to the root file and find passwords. You can exploit the firmware and turn the USB into a keyboard to gain control. You can even enable the computer's microphone."
Another easy entrance into computers is through free WiFi. "When you're at an airport and you see free airport WiFi, how do you know it really belongs to the airport?" asked Mitnick. If you're providing the WiFi, you force their computers to connect to yours." He explained that you can then install a pop-up from a trusted source such as Adobe saying you need an update. The person may ignore the pop-up a few times. "Eventually you'll click on the update and then the hacker has access to your computer."
Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine Chile Pepper.