CNET’s Dan Patterson interviewed Kevin Mitnick, a former most-wanted computer criminal and now the founder of Mitnick Security Consulting and Chief Hacking Officer of the security awareness training company KnowBe4, about emerging cybersecurity trends and how we can prepare for attacks. The following is an edited transcript of the interview.
Dan Patterson: Can you help us understand what the Russians did in 2016, and what they’re likely to do in 2018?
Kevin Mitnick: Well, what they did in 2016 really wasn’t all that sophisticated. What they were able to do was send a fake email to John Podesta, the campaign manager, and it purportedly looked like it was coming from Gmail and said that his account had been accessed—it was unauthorized access to his account and to immediately change the password. What John did was he sent it over to his IT guy; his IT guy took a look at the email and thought, “Oh, this looks very suspicious” and instead of writing an email back to John Podesta saying, “Hey, this is an illegitimate email,” he actually said it was a legitimate email.
So, John just followed the instructions of his IT staff, went ahead and clicked the button inside the email to change his password, and it did change his password. But at the same time, it gave his new password to the Russians, and then the Russians had access to all his email, downloaded it, and gave it over to Julian Assange at Wikileaks, and we know the rest of the story.
This is the type of tradecraft that nation-states use, which is this type of phishing attack, but it’s very commonly used by criminals and “hacktivists,” some other types of hackers, to compromise you, as a consumer, or to compromise businesses.
Dan Patterson: What other types of cyber attacks can we anticipate during the 2018 campaign and beyond?
Kevin Mitnick: Back in 2013, I was brought in to help secure the elections in Ecuador, and my job was to make sure that any of the websites that were internet-facing were not compromised.
In that case, there are lots of moving parts to securing the election. You have the voting machines themselves, you have the systems that actually count the votes, and this sort of thing. So I suspect that the Russians will continue with their influence campaigns like we have seen, but to attack the election is quite difficult because it’s all decentralized, right? But that’s not to say that the individuals behind running the federal election shouldn’t actually have a security team—we call it red teaming—actually test their equipment, test the voting machines, test the internal infrastructure to make sure that it would be extremely difficult for a sophisticated hacker to attack it.
A system could be attacked simply with a cable. So you see this cable, it’s an ordinary micro-USB cable; I also have a Lightning cable and a USB-C cable. I could simply have a victim plug this into their computer, and it will actually install malware on the computer. So if I’m able to send them this cable, put it on their desk, or switch it out if I get physical access to their work area and am able to swap the cable and just leave it on the desk, this cable actually works, but if you plug it in, it actually exploits their computer.
Dan Patterson: How should campaigns, grassroots organizations, and other political groups defend themselves from cyberattacks?
Kevin Mitnick: How John Podesta could have protected himself against being the victim of a phish was simply by enabling two-factor authentication. Two-factor authentication means not only do you have to have your username and password, but to log in you might have an application that has a code. You have to type in that code, or you might have it set up so it sends you an SMS message to your mobile phone, and you have to put in that code.
To mitigate being the victim of social engineering, people need to be educated about how social engineering works, how phishing works, and they need to deploy certain types of technology, like two-factor authentication to make it harder for the bad guy.
Dan Patterson: Can you explain how social engineering has evolved over the last two decades?
Kevin Mitnick: Actually, in the 1970s when I started becoming familiar with social engineering, it wasn’t about phishing; it was about placing pretext phone calls to targets and persuading that target in the phone call to either release information (it could be their password, it could be the type of anti-virus software they’re using) or to actually type commands into their computer to change their password, and this sort of thing.
Pretext phone calls are a part of social engineering, and they’re still used today by attackers to compromise targets.
In fact, I run a company where companies hire us to do social engineering, to test their security, and whenever we’re allowed to make pretext phone calls to their users, to their employees, we get in 100% of the time. So, social engineering encompasses pretext phone calls (in other words, tricking somebody over the phone into doing something or into revealing something) and phishing attacks, where the attacker is sending an email that’s malicious; if the person complies with the request in the email, they end up being compromised.
Dan Patterson: Kevin, what emerging cybersecurity trends surprise you or scare you?
Kevin Mitnick: Wow! What scares me or surprises me? Just about the sophistication that the bad guys have, and the security researchers finding security vulnerabilities in just about every type of device. Now, what consumers have to be worried about is when they buy some device that’s hooked up to the internet; it could be their alarm clock, and it gets the time from the internet, makes sure the time is accurate; it could be the refrigerator; it could be their baby monitor; it could be cameras they install in their home; and these are called IoT devices.
These devices are placed in homes by unsuspecting consumers, and these devices could easily be compromised by the bad guys to do things like gain access to your network, secretly watch you on your camera if you have a camera inside the home.
These sorts of things really are scary because the unsuspecting populace has no idea how easy it is for a bad guy to do this. And one of the biggest reasons this stuff works is a lot of people buy appliances, and they plug them in and they have a default password, and nobody ever changes it. So what ends up happening is the bad guys can connect to this device, simply log in with the default password that comes with the product, and they’re in and nobody knows any better.