'Mafiaboy' spills the beans at IT360 on underground hackers
Social engineering plays a major part in computer hacking
ITWorldCanada - Attending IT360 last week didn't guarantee you a seat at Michael Calce's keynote with Craig Silverman. The conference room reached full capacity and left a crowd of onlookers spilling into the hall outside the doors.
Calce -- a.k.a. Mafiaboy, the Montreal teen hacker who was the subject of an international manhunt after bringing down some of the highest-profile Web sites on the Internet -- delivered on his promise to provide insight into underground hacker communities.
Social engineering is a much larger aspect of hacking than people think it is, said Calce. "Hackers rely on you to be naïve. They are counting on it," he said.
Internal IT hackers in your company are still more of a threat than remote exploits or denial-of-service attacks, he pointed out. Calce suggested securing your organization before worrying about outside threats.
"You have to integrate some type of security awareness program and training for your employees, because people are still being socially engineered and it's still a very viable threat," he said.
Calce delved further into the hacker mindset in a postconference interview. "They're all about people manipulation skills," he said. "One way or another, you have to manipulate someone."
Hackers can just dress up in a telephone company uniform and walk into your office, Calce explained. Some will print documents saying they work with the phone company or carry order and supply forms.
"As long as you look like you're there for what you're supposed to be doing, they don't really question why you're there -- especially if you do it well. If you're good and you keep a solid face and you have paperwork or a hat that goes with your façade, it's very effective," he said.
"People aren't expecting that angle," Calce explained. "They think that they secure their networks and they're not vulnerable. It doesn't necessarily operate like that. Hackers always think outside the box."
Keeping all angles in mind is an important part of evaluating a company's risk factor, according to Calce, who is forming his own penetration testing company. "I will be doing a lot of technical work and verifying their networks, but a huge portion of it is also social engineering -- how can I get in at the front desk," he said.
Even with the proper training and education, employees might continue to be the weak link in an organization. "They don't really care what happens to the company as a whole. They care about the paycheck they get, they do their job and they go home. But people need to take it to heart and realize that there is a lot at risk," he said.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast Best Practices: How to Improve Business Continuity with Virtualization VMware solutions include a range of business continuity capabilities to help ensure availability for applications across your virtualized environment. Learn More>>
- Live Webcast
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts