Skip the navigation

'Mafiaboy' spills the beans at IT360 on underground hackers

Social engineering plays a major part in computer hacking

By Jennifer Kavur
April 14, 2009 12:00 PM ET

ITWorldCanada - Attending IT360 last week didn't guarantee you a seat at Michael Calce's keynote with Craig Silverman. The conference room reached full capacity and left a crowd of onlookers spilling into the hall outside the doors.

Calce -- a.k.a. Mafiaboy, the Montreal teen hacker who was the subject of an international manhunt after bringing down some of the highest-profile Web sites on the Internet -- delivered on his promise to provide insight into underground hacker communities.

Social engineering is a much larger aspect of hacking than people think it is, said Calce. "Hackers rely on you to be naïve. They are counting on it," he said.

Internal IT hackers in your company are still more of a threat than remote exploits or denial-of-service attacks, he pointed out. Calce suggested securing your organization before worrying about outside threats.

"You have to integrate some type of security awareness program and training for your employees, because people are still being socially engineered and it's still a very viable threat," he said.

Calce delved further into the hacker mindset in a postconference interview. "They're all about people manipulation skills," he said. "One way or another, you have to manipulate someone."

Hackers can just dress up in a telephone company uniform and walk into your office, Calce explained. Some will print documents saying they work with the phone company or carry order and supply forms.

"As long as you look like you're there for what you're supposed to be doing, they don't really question why you're there -- especially if you do it well. If you're good and you keep a solid face and you have paperwork or a hat that goes with your façade, it's very effective," he said.

"People aren't expecting that angle," Calce explained. "They think that they secure their networks and they're not vulnerable. It doesn't necessarily operate like that. Hackers always think outside the box."

Keeping all angles in mind is an important part of evaluating a company's risk factor, according to Calce, who is forming his own penetration testing company. "I will be doing a lot of technical work and verifying their networks, but a huge portion of it is also social engineering -- how can I get in at the front desk," he said.

Even with the proper training and education, employees might continue to be the weak link in an organization. "They don't really care what happens to the company as a whole. They care about the paycheck they get, they do their job and they go home. But people need to take it to heart and realize that there is a lot at risk," he said.

Reprinted with permission from Computerworld Canada. Story copyright 2012 ITworldcanada.com. All rights reserved.
Our Commenting Policies