Mitnick says that "people are lazy" and that's a huge advantage for hackers. Even at the RSA Conference, he can simply watch security experts attending the show unlock their phones and he can tell that they're using the weaker four-digit unlock code for their phone, rather than a longer password. For starters, that's one way to identify a target - anyone wanting to break into a phone will have a big advantage with a four-digit unlock code.
The best defence against phishing isn't antivirus or firewall software per se, but training, education and awareness.
But Mitnick says he uses a standard iPhone. It's secure because of his choices and behaviours, he says, which seem to be more important than the equipment.
For example, he uses an alphanumeric long passcode (rather than the four-digit password most of us use). And if he thinks he might be ordered to unlock his phone (such as when he returns to the US from travelling abroad), he reboots the phone so Touch ID stops working (only the passcode can unlock a phone immediately after a reboot). He points out that in the US, "A court can force you to unlock your phone with your thumb, but they can't force you to reveal your code."
Mitnick prefers the iPhone because most mobile phone hack attacks go after Android phones. But he does say the iPhone is crackable and that no device is 100% secure.
Laptops and desktops
Mitnick secured his own mother's computer by taking advantage of Apple's code signing model for security.
He says his mother used to call him every week to fix her Windows PC because the machine was constantly getting infected. His mother would "fall hook, line and sinker... for social engineering attacks" and he had to re-install Windows every week.
So he bought her an iMac and installed an antivirus utility. And then he locked down the device.
In the 'Security and Privacy' settings in OS X, there's a 'General' tab. At the bottom, there's a setting labelled 'Allow apps downloaded from'. The default setting is: 'Mac App Store and identified developers'. For his mother's Mac, Mitnick changed that setting to 'Mac App Store', which means she can only download apps approved by Apple.
Mitnick points out that the default setting isn't very secure because "it's a hundred bucks to become a developer."
"Just getting her a Mac and changing that setting" solved the problem of malicious downloads. He quickly noted that while that simple solution protected her against everyday phishing attacks, it wouldn't protect her from the NSA or other more skilled, determined hackers.
Thumbdrives and other attack vectors
Mitnick hacks as a kind of performance art in keynotes and talks at security conferences around the world. At CeBIT in Germany this year, for example, he performed several hacks including a demonstration showing how simply plugging in a thumb drive could give a hacker total control of your machine, including the ability to activate and monitor the camera and microphone or launch any program. In the hack, the USB thumbdrive tricks the laptop or PC into thinking it's a keyboard, rather than a storage device. That enables the hacker to inject keystrokes, which means he can do anything to your device that he could do by typing on your keyboard.
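The keyboard impersonation in that demo is what a defender wants to catch at the moment the device enumerates. The Python below is an added example, not code from the article or from Mitnick's demo: it flags a USB device that presents a keyboard interface it is not expected to have. The interface tuples, vendor/product IDs and allowlist are constructed sample data, and reading those fields from sysfs on Linux is an assumption noted in the code.

```python
# Added example (not from the article): a small policy check that flags USB
# devices presenting a keyboard interface, the trick behind the thumb-drive
# demo. Interface tuples and IDs are constructed; on Linux the same fields are
# readable from sysfs (bInterfaceClass/SubClass/Protocol), assumed, not shown.
from dataclasses import dataclass, field

USB_CLASS_HID = 0x03           # USB-IF class code: Human Interface Device
USB_CLASS_MASS_STORAGE = 0x08  # USB-IF class code: mass storage
HID_SUBCLASS_BOOT = 0x01       # HID boot-interface subclass
HID_PROTOCOL_KEYBOARD = 0x01   # HID boot protocol: keyboard

@dataclass
class UsbDevice:
    vendor_id: int
    product_id: int
    # one (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) per interface
    interfaces: list = field(default_factory=list)

    def is_keyboard(self) -> bool:
        # Heuristic: boot-protocol keyboards only. A non-boot HID keyboard
        # would need its report descriptor parsed to be recognised.
        return any(c == USB_CLASS_HID and s == HID_SUBCLASS_BOOT
                   and p == HID_PROTOCOL_KEYBOARD for c, s, p in self.interfaces)

    def is_storage(self) -> bool:
        return any(c == USB_CLASS_MASS_STORAGE for c, _, _ in self.interfaces)

def assess(device: UsbDevice, allowed_keyboards: set) -> str:
    """Return 'allow', 'alert:storage-with-keyboard' or 'alert:unexpected-keyboard'."""
    if not device.is_keyboard():
        return "allow"
    if device.is_storage():
        # A "thumb drive" that also enumerates as a keyboard is the demo scenario.
        return "alert:storage-with-keyboard"
    if (device.vendor_id, device.product_id) in allowed_keyboards:
        return "allow"
    # Any keyboard not on the allowlist: hold its input until a human confirms it.
    return "alert:unexpected-keyboard"

# Constructed sample data (placeholder vendor/product IDs, not real products)
KNOWN_KEYBOARDS = {(0x1111, 0x0001)}
SAMPLES = {
    "plain storage": UsbDevice(0x2222, 0x0001, [(0x08, 0x06, 0x50)]),
    "own keyboard": UsbDevice(0x1111, 0x0001, [(0x03, 0x01, 0x01)]),
    "keystroke injector": UsbDevice(0x3333, 0x0001, [(0x03, 0x01, 0x01)]),
    "storage + keyboard": UsbDevice(0x3333, 0x0002, [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]),
}

if __name__ == "__main__":
    for name, dev in SAMPLES.items():
        print(f"{name:20s} -> {assess(dev, KNOWN_KEYBOARDS)}")
```

The allowlist is the weak point of any such check: a device that clones a known keyboard's IDs passes, so the useful policy is to block or prompt on every new keyboard rather than trust IDs alone.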