BBC News World Edition
Monday, 14 October, 2002, 09:31 GMT 10:31 UK
How to hack people
The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall.

In fact, the biggest threat could be you.

So says Kevin Mitnick, and he should know.

Mr Mitnick won notoriety as a hacker during the late 80s and early 90s and his exploits regularly became front page news.

Jail time

He started out as a so-called phone phreak who got his kicks exploring and exploiting the phone system.


He kept up as these networks became increasingly computerised and soon found himself arrested for breaking a new law that criminalised unauthorised access to computers.

He served a one-year jail sentence, but on his release found it hard to give up his obsession.

The FBI was soon looking for him again for breaking the terms of his parole, which tried to restrict what he could do with computers.

He evaded capture for more than two years and won fame because of a series of articles that inaccurately portrayed him as some sort of master hacker criminal.

By contrast, Mr Mitnick has always said he was motivated by curiosity rather than financial gain and never profited from his exploits.

He has certainly suffered for them. Once recaptured in February 1995, he spent almost five years in jail without trial, including eight months in solitary confinement.

He was released in January 2000 and the terms of his release severely restrict what he can do with computers. He is not allowed to use the net or an e-mail account.

A clock on the kevinmitnick.com website counts down the days remaining until these restrictions are lifted.

Weakest link

Mr Mitnick even had to get permission from his probation officer to use a computer to write his book, The Art Of Deception, which is all about the biggest threat to the security of all companies: their own employees.

The book details the ways that employees can inadvertently leak information that can be exploited by hackers to compromise computer systems.

"The lethal combination is when you exploit both people and technology," Mr Mitnick told BBC News Online.

"What I found personally to be true was that it's easier to manipulate people rather than technology," he said.

Those people are especially useful when they have access to the core computer systems that hackers would otherwise struggle to penetrate.

"Most of the time organisations overlook that human element," he said.

Mr Mitnick found that armed with a little knowledge, a hacker can sound like an employee of a firm and get other workers to inadvertently supply them with enormously useful information.

The Art Of Deception book details how hackers go about this "social engineering" to gain access and privileges that would otherwise be impossible to secure.

The book is scary in ways that computer security texts usually do not manage to be.

Most of them are hugely thick tomes detailing exact procedures for tweaking particular programs.

By contrast, Mr Mitnick's book details how a skilled social engineer can wheedle information out of people, almost without them realising what they are doing.

Businesses have yet to work out that security is an ongoing process rather than a product you buy off the shelf, said Mr Mitnick.

Now he has established a company to show businesses how they can combat social engineering attacks and train staff to be more vigilant.

"The weakest link in the chain is the people," he said.
