Kevin Mitnick To Prove That Your Firm's System Can Be Accessed in an Hour
Governments and private companies must be better prepared to protect themselves against social engineering attacks, according to Kevin Mitnick, one of the world's most famous hackers from the US, who says that obtaining personal information via social engineering is "child's play".
He explained that social engineering relies on influence, deception and manipulation to convince another party to comply with a request in order to compromise their computer network.
Speaking on the sidelines of the Gulf Information Security Expo and Conference (Gisec) that opened on Monday (April 1), Mitnick warned businesses in the region: "Make your staff hack-conscious, or it could bring your company to its knees."
In live examples, Mitnick managed to obtain confidential e-mail data that would have allowed him to penetrate a local bank. He also hacked his way through Gmail accounts and LinkedIn, live on the stage.
"The main point of weakness for any company lies in poor cybersecurity awareness in staff," he said.
"People aren't being trained about how to defend their workplace from these attacks. If they are, then they're not listening. These social engineering tricks worked in the 1970s and still work in 2019."
Weaponised cables are potential threats
Mitnick also demonstrated how a simple USB cable can be weaponised to access a user's computer system. Over WiFi or Bluetooth, an attacker can then reach the victim's computer and data: a key logger can be used to capture credentials, access the file system, access audio tools and the webcam, and much more.
Today, any device that can be plugged into a computer can be weaponised to give hackers access, he said.
"When teaching staff about security, have something relevant, entertaining and informative at hand - not a boring book that they won't read. Hackers are lazy. He or she is always going to go after the weakest link, and social engineering is the easiest attack your enemies will use today," explained Mitnick.
Hacking live on the Gisec stage, he highlighted how, within just an hour, he was able to access HR data, including names, social security numbers and how long an employee had worked at a certain company.
As a first step, social engineering hackers conduct "information reconnaissance", he said: they do their research online to find the information that will support their social engineering attack.
"Social media platforms like LinkedIn can be used to identify people, their backgrounds, name, titles, and discover leads to their e-mail addresses," said Mitnick.
Live hacking events also took place at a secondary stage during the event called 'Dark Stage', which discussed the intricacies of the 'dark web'.
Cybersecurity consulting firm Kuwait Hackers presented a live demo on how mobile phones can be easily hacked.
Jason Dibley, director of QCC Global, gave a live demonstration of TSCM (technical surveillance counter-measures). According to Dibley, TSCM is the original US Federal government abbreviation denoting the process of bug-sweeping or electronic counter surveillance.
Dr Aisha bint Butti bin Bishr, director-general of Smart Dubai, officially opened Gisec, the largest cybersecurity event in the Middle East, Africa and South Asia. It will run until April 3 at the Dubai World Trade Centre.