Kevin Mitnick, previously a most-wanted criminal, but now a security consultant, at the Gulf Information Security Expo and Conference. Mr Mitnick urged firms to stage false attacks to evaluate reactions. Razan Alzayani / The National
Kevin Mitnick, previously a most-wanted criminal, but now a security consultant, at the Gulf Information Security Expo and Conference. Mr Mitnick urged firms to stage false attacks to evaluate reactioShow more

UAE

Secrets of a master hacker revealed at Gulf security conference

Kevin Mitnick was once the most-wanted cyber criminal in the United States and spent five years in jail in the 1990s for computer fraud. Today, he is a security consultant shedding light on how to combat cybercrime.

Awad Mustafa

June 05, 2013

DUBAI // Despite technological advances in cyber warfare the human element remains the greatest vulnerability, experts said yesterday.

Sophisticated hackers now use "social engineering" - exploiting the psychological vulnerabilities of human users - rather than technological weaknesses in security systems, famous former hacker Kevin Mitnick told a cyber security conference in Dubai.

Mr Mitnick, 49, from Los Angeles, was once the most-wanted cyber criminal in the United States and spent five years in jail in the 1990s for computer fraud. He is now a security consultant.

He said social engineering was a low-risk, low-cost and high-return method used by criminals to retrieve valuable information through manipulation of unsuspecting employees or consumers.

"Social engineering attacks are 99.5 per cent effective as over-reliance on technology and inadequate employee awareness leaves gaps in human firewalls," he said. "There isn't a single security package on the market that can fully prevent social engineering, or a single app that can be downloaded to prevent an employee's ignorance, greed or naivety.

"Social engineers exploit human nature, so companies should explore human-centric solutions such as secretly staging false attacks on their own networks, to evaluate how employees react and teach them effective counter-hacking behaviour."

Dubai, he said, was "a financial centre and a rich region and criminals follow the money. Therefore it's a high-target area".

Other experts called for a unified global stance against cybercrime.

"The men and women in the national security seats around the world do not have the information that is possessed by the hackers because these cybercriminals spend the better part of their day hacking. We need for information to be shared by the security agencies," said Michael Wellington, the chief executive of ZeroDay, a private sector IT security firm.

British Telecom's chief security officer, Tareque Chodhury, said that despite the International Telecommunications Union conference in Dubai last year, nothing had been achieved on that front.

He said that the cyber battlefield had become a reality and cyber experts had stepped up their efforts to fight "an invisible enemy".

"Groups such as Anonymous work independently but for a unified cause they communicate through Irc (internet relay chats) and nine out of ten warnings they put out are followed through," he said.

"An example is the attack in Saudi Arabia two weeks ago," he added

Mr Chodhury referred to the sabotage attack in May against government websites in Saudi Arabia, disabling until the attacks were repelled. An inquiry traced the "coordinated and simultaneous attacks" to hundreds of internet protocol addresses in a number of countries, according to the Saudi interior ministry.