>Date: Thu, 2 Mar 2000 14:57:38 PST
>From: "Peter G. Neumann"
>To: Declan McCullagh
...
>03/02/00 - Updated 05:24 PM ET
>Hacker Mitnick testifies before Congress
>Once prosecuted by government, infamous hacker sought for advice
>
>WASHINGTON (AP) - The government that imprisoned the world's most infamous
>computer hacker for nearly five years sought his advice Thursday about how
>to keep its own networks safe from intruders.
>Just weeks after his release from federal prison, an animated Kevin Mitnick
>advised senators against focusing too much on technical protections at the
>expense of simpler safeguards - such as making sure a company receptionist
>does not disclose passwords to sensitive systems.
>
>Mitnick, 36, wearing a slightly ill-fitting navy suit and rocking gently in
>a witness chair, warned lawmakers about his favored technique of ''social
>engineering,'' or deceiving others into believing he could be trusted. He
>told of duped victims at major corporations volunteering their passwords and
>even sending him secret software blueprints.
>
>''I was so successful in that line of attack that I rarely had to resort to
>a technical attack,'' Mitnick said. ''Companies can spend millions of
>dollars toward technological protections and that's wasted if somebody can
>basically call someone on the telephone and either convince them to do
>something on the computer that lowers the computer's defenses or reveals the
>information they were seeking.''
...

***********

>From: "Kevin Poulsen"
>To:
>Subject: Mitnick
>Date: Thu, 2 Mar 2000 16:48:51 -0500
>
>Did you catch Mitnick's testimony?
>
> > Mitnick to Lawmakers: People, Phones are Weakest Links
> >
> > March 2nd, 12:14 PM PST
> > By Kevin Poulsen
> >
> > WASHINGTON (SecurityFocus.com News) - In his twenty years of experience,
> > Kevin Mitnick has cracked virtually every system he's targeted. And the
> > secret of his success was letting his fingers do the walking, the hacker
> > told a Senate panel Thursday.
> >
> > "When I would try to get into these systems, the first line of attack
> > would be what I call a social engineering attack, which really means
> > trying to manipulate somebody over the phone through deception," Mitnick
> > testified in a hearing on federal government computer security. "I was so
> > successful in that line of attack that I rarely had to go towards a
> > technical attack."
> >
> > Mitnick, arguably the world's most famous computer intruder, pleaded guilty
> > in March of 1999 to seven felonies arising from a string of intrusions
> > into the networks of cell phone companies and computer makers, including
> > Motorola (NYSE: MOT), Fujitsu and Sun Microsystems (Nasdaq: SUNW). He was
> > released on January 21st, after nearly five years in prison.
> >
> > In his testimony before rapt lawmakers at the Senate Committee on
> > Governmental Affairs, Mitnick criticized software companies for shipping
> > products with flawed security, and expressed the opinion that open source
> > software is safer because its workings can be closely analyzed by the
> > public and academia.
> >
> > IRS, Social Security, vulnerable
> >
> > Mitnick also warned that dial-ups into otherwise secure computer networks
> > are vulnerable, because the telephone network itself is insecure.
> >
> > But the hacker's most common refrain was that people, not computer bugs,
> > are the path of least resistance to corporate and governmental secrets.
> > By way of example, Mitnick testified that, on a whim, he once used a cell
> > phone during a fifteen minute walk home to pose as a Motorola employee
> > and persuade the company to send him proprietary source code. He said
> > that similar techniques gave him access to confidential information from
> > the Internal Revenue Service and the Social Security Administration. "And
> > I did it all without even touching a computer," Mitnick said.
> >
> > That was in 1992, "which happens to be beyond the applicable statute of
> > limitations," Mitnick quipped, drawing laughter from lawmakers and the
> > gallery.
> >
> > "The human side of computer security is easily exploited and constantly
> > overlooked," said Mitnick. "Companies spend millions of dollars on
> > firewalls, encryption and secure access devices, and it's money wasted,
> > because none of these measures address the weakest link in the security
> > chain."
> >
> > Escape from Reality
> >
> > Near the end of Mitnick's forty-five minutes of testimony, ranking
> > member Joseph Lieberman (D-CT) asked him why he hacked.
> >
> > "My motivation was the quest for knowledge, the intellectual challenge,
> > the thrill, and also the escape from reality," Mitnick replied. "Kind of
> > like somebody who chooses to gamble to block out things that they'd rather
> > not think about."
> >
> > Mitnick expressed support for a Senate bill designed to address the
> > security of federal government computers, but suggested that lawmakers add
> > more emphasis on training. He also suggested that agencies produce an
> > educational video on the perils of social engineering attacks.
> >
> > Lieberman asked if increased criminal penalties might have the effect of
> > "deterring the next Kevin Mitnick."
> >
> > Mitnick, whose prison term was among the longest hacker sentences in
> > history, hesitated and raised an eyebrow. "You're talking about enacting
> > further criminal legislation?"
> >
> > The Senator answered that he was.
> >
> > "I'd encourage coming up with methods of detection and prevention,"
> > Mitnick replied.
> >

**********

--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo@vorlon.mit.edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------

no copyright 2000 rolux.org - no commercial use without permission.
is a moderated mailing list for the advancement of minor criticism.
more information: mail to: majordomo@rolux.org, subject line: , message body: info.
further questions: mail to: rolux-owner@rolux.org.
archive: http://www.rolux.org