Saturday, September 9

Indianapolis ISWT

Last Thursday I attended the Indianapolis Information Security & Wireless Technology Conference. It was a standard event with vendors and such, with one added bonus: Kevin Mitnick.

Kevin spoke for around an hour about standard social engineering and then ran some "live" interactive events. He shared how he stole the MicroTAC source code from Motorola and how he himself had been socially engineered prior to the release of his latest book, The Art of Intrusion. During these events, he would call up audience members to participate in different activities.

The most interesting portion of his speech was about a phishing / IVR dupe. We all know about phishing and what it entails; however, there are now attackers who recreate IVR systems and then phish for marks to call in. This attack recreates an IVR (interactive voice response) system for the purpose of data collection, such as banking logins and passwords. Kevin had used a service called IPKall to bind a POTS number to an IP address. The IP address was bound to *nix-based IVR software. The interesting thing is that Kevin also took the step of copying the real IVR responses (and tree logic) from a real bank. With the system recreated, one could then "spear phish" customers in the area served by bank X. Every password entry would return an error message stating that the password was incorrect. Kevin displayed this in real time as his IVR scooped up his own self-generated traffic.

Amazing.

Also, his business cards are metal and break up into a lock pick set.

For those who may complain, I understand he is a criminal; however, it behooves us all to understand how these guys think. They truly have no limits to their thinking and as a result are very creative. At times, in the professional world, we allow ourselves to become too systematic in our thinking.

4 comments:

Didier Stevens said...

Didn't know about his business card, I found a picture here on Flickr: http://www.flickr.com/photos/ranh/106709219/

I suppose the bottom tool is the tension tool, and that you need to twist it before using it.

Stephen R. Moore said...

That would be it!

Ed said...

"For those that may complain, I understand he is a criminal, however, it behooves us all to understand how these guys think. They truly have no limits to their thinking and as a result are very creative. At times, in the professional world, we allow ourselves to become too systematic in our thinking."

Yes, Kevin was a criminal according to the law, but many things "hackers" do in the spirit of curiosity or the quest for knowledge constantly get defined as against the law (DMCA). I think many of us are all hackers in spirit, and the statement above just seems like a stereotypical statement about "those evil hackers". My point is that the comment above seems to reinforce the common misunderstandings about people who "hack", be it computers, cars, etc.

Stephen R. Moore said...

Hello Ed,

I support those who want to expand their knowledge, be it about a web server, a TiVo, or an engine block. That spirit should be fostered and reinforced.

You make an excellent point; I should have included something analogous to it in my blog entry so I appreciate your addition to my post. I was not trying to demonize people with a creative or curious spirit.

You always learn the most from systems which either break on their own (b/c you must then fix them) or which you "break" intentionally.

My only "catch" is when someone aims at harming an individual or a company I represent by taking his or her curiosity too far.