'Mafiaboy' spills the beans at IT360 on underground hackers
Social engineering plays a major part in computer hacking
ITWorldCanada - Attending IT360 last week didn't guarantee you a seat at Michael Calce's keynote with Craig Silverman. The conference room reached full capacity and left a crowd of onlookers spilling into the hall outside the doors.
Calce -- a.k.a. Mafiaboy, the Montreal teen hacker who was the subject of an international manhunt after bringing down some of the highest-profile Web sites on the Internet -- delivered on his promise to provide insight into underground hacker communities.
Social engineering is a much larger aspect of hacking than people think it is, said Calce. "Hackers rely on you to be naïve. They are counting on it," he said.
Internal IT hackers in your company are still more of a threat than remote exploits or denial-of-service attacks, he pointed out. Calce suggested securing your organization before worrying about outside threats.
"You have to integrate some type of security awareness program and training for your employees, because people are still being socially engineered and it's still a very viable threat," he said.
Calce delved further into the hacker mindset in a postconference interview. "They're all about people manipulation skills," he said. "One way or another, you have to manipulate someone."
Hackers can just dress up in a telephone company uniform and walk into your office, Calce explained. Some will print documents saying they work with the phone company or carry order and supply forms.
"As long as you look like you're there for what you're supposed to be doing, they don't really question why you're there -- especially if you do it well. If you're good and you keep a solid face and you have paperwork or a hat that goes with your façade, it's very effective," he said.
"People aren't expecting that angle," Calce explained. "They think that they secure their networks and they're not vulnerable. It doesn't necessarily operate like that. Hackers always think outside the box."
Keeping all angles in mind is an important part of evaluating a company's risk factor, according to Calce, who is forming his own penetration testing company. "I will be doing a lot of technical work and verifying their networks, but a huge portion of it is also social engineering -- how can I get in at the front desk," he said.
Even with the proper training and education, employees might continue to be the weak link in an organization. "They don't really care what happens to the company as a whole. They care about the paycheck they get, they do their job and they go home. But people need to take it to heart and realize that there is a lot at risk," he said.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!