The legendary hacker Kevin Mitnick wasn’t necessarily the technical wizard that a lot of people think he is. Most of Mitnick’s hacks were simple, classic con games, nothing more. Many assume he managed to “guess” passwords or had some other super secret technical ability to navigate around firewalls and login systems. Not the case. In one instance, he literally just walked into a supposedly secure facility, walked right into the computer room and physically grabbed a huge notebook of system user names and passwords, and then – simply walked right out, unchallenged. I heard he was just wearing a T-shirt and jeans in a coat-and-tie office, and nobody confronted him.
A typical approach he used was to phone a system administrator, pretending to be an authority figure of some sort, and demand access to a particular system to support a presentation he was supposedly giving at the time, and “it won’t be my hide when General so-and-so finds out this thing didn’t happen because somebody changed a stupid login password, do YOU want to explain why we couldn’t give this demonstration? Do YOU want to be fired?”
It often worked.
And apparently it still does. The buzz going around network security circles now is about the recent Def Con contest where the winner phoned a system administrator at Wal Mart. (Canadian hacker dupes Walmart to Win Def Con prize, theStar.com, August 8, 2012). Using classic con-man techniques, the contest winner finagled 75 pre-determined data points out of the guy within 20 minutes. He did it all over the phone, through simple conversation, while sitting in a glass cage, as part of the observed competition.
The process of extracting secure data from human beings through direct interpersonal interaction (that’s “talking to people” for the layman) is apparently now called “social engineering”, which has a nice ring to it. I used to call it “that stuff Paul Newman and Robert Redford did in the movie The Sting”. “Social Engineering” sounds so much more impressive.
But here’s my question: did anyone at Def Con check to confirm that the Wal Mart guy provided actual secure information? After all, a typical response to a suspected incoming hack attack – technical or conventional – is to distribute bogus information to see how and where it turns up. Disinformation, in other words.
Did the Def Con folks confirm that the hack was truly successful?
Or was the hacker merely walking into a trap?