Security expert and reformed hacker Kevin Mitnick has branded anti-virus software useless, claiming: “The only thing McAfee is good at is making videos.”
Speaking at IT conference IPExpo in London this morning, Mitnick explained that other security firms produced equally worthless software, listing Kaspersky Labs and Symantec as examples.
He added that application vulnerabilities and social engineering are the most fertile areas for hackers to exploit today, with a hybrid attack involving both vectors even more likely to result in a security breach.
“The attacker only has to find one person in the business to make a bad decision and then they have a foot in the door,” he said.
Mitnick demonstrated how easy it is to hack a computer, even when secured by the latest McAfee AV client, which he claimed was fully patched.
He explained that the simplest form of attack is to identify a specific individual target in a firm, then research them on social media in order to tailor a message to them that will make them more likely to open an infected attachment.
“The attacker only has to find one person to open a PDF, so you do the attacks surgically. LinkedIn is the best tool – you search for networks and positions. You might want to target sales and marketing, because they’re the most likely to comply with my request. So you find out who they communicate with, their partners, customers and suppliers. You can then spoof communications that appear to come from a trusted source.
“You could even find out who their account rep is from a supplier – like Cisco for instance. So you call Cisco, claim to be from the company you’re targeting and ask who the account rep is. They won’t background check you, they’ll just tell you. Then register a domain like CiscoSecurity.com, and you send them a PDF from that legitimate-looking account. And once they open it, game over.”
Mitnick demonstrated the attack using the Metasploit penetration-testing framework.
He showed an infected Word document on a laptop, and scanned it using the McAfee AV client.
The document was passed as clean, but when it was opened it sent the user’s username and hashed password to a second laptop, which was acting as the “hacker” in the demo.
The problem, Mitnick explained, is that while most firms have fairly tight rules on ingress – what they allow into the corporate network – they’re “very sloppy” on egress – what they allow out.
“Companies allow too much information out,” he said. “For example, most firms enable port 445 to output information from the corporate network, and that enables this sort of attack. You get the user’s hashed details, and you can then use a dictionary attack, or brute force attack to get the rest of the information you need to get network access.”
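The egress point above is the one a defender can act on: a workstation should have no reason to open an SMB session (TCP 445 or 139) to an address on the internet, so a firewall or flow log that shows such a connection being allowed is a direct indicator of the leak Mitnick describes. The following script is an added example, not code from the article or from Mitnick's demo. It parses a constructed, hypothetical firewall log format and flags allowed SMB connections from internal ranges to external destinations; the log lines, the line format, and the definition of "internal" address space are all assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines, not from the article or any real device.
# Assumed line format: "<timestamp> <ALLOW|DENY> proto=<proto> src=<ip>:<port> dst=<ip>:<port>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ALLOW proto=tcp src=10.1.2.34:51234 dst=10.1.2.5:445
2024-01-01T10:00:05Z ALLOW proto=tcp src=10.1.2.34:51240 dst=203.0.113.77:445
2024-01-01T10:00:09Z ALLOW proto=tcp src=10.1.2.34:51241 dst=203.0.113.80:443
2024-01-01T10:00:12Z DENY proto=tcp src=10.1.2.99:51300 dst=198.51.100.9:445
2024-01-01T10:00:15Z ALLOW proto=tcp src=192.168.5.7:51400 dst=203.0.113.5:139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports on which SMB / NetBIOS session traffic runs; these are the ones that carry
# the NTLM authentication exchange the article refers to.
SMB_PORTS = {445, 139}

# Address space this hypothetical organisation treats as internal. Anything else is
# "the internet" for egress purposes. ipaddress's is_private is deliberately not used
# here because it also classifies documentation ranges such as 203.0.113.0/24 as private,
# which would hide the sample hits below.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip):
    """True when the address is outside every range listed in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(log_text, only_allowed=True):
    """Return the records for SMB connections from inside to an external destination.

    With only_allowed=True (the default) denied attempts are skipped, since the
    firewall already did its job there; set it to False to also see blocked attempts,
    which are useful for spotting hosts that are trying to leak credentials.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: ignore rather than crash on a log full of noise
        if rec["dport"] not in SMB_PORTS:
            continue
        if not is_external(rec["dst"]):
            continue  # internal file server traffic is expected
        if only_allowed and rec["action"] != "ALLOW":
            continue
        findings.append(rec)
    return findings


def offending_sources(log_text):
    """Count allowed SMB egress hits per internal source host, for triage."""
    return dict(Counter(rec["src"] for rec in find_smb_egress(log_text)))


if __name__ == "__main__":
    for rec in find_smb_egress(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["src"]} -> {rec["dst"]}:{rec["dport"]} ALLOWED (SMB egress)')
    print("per-host counts:", offending_sources(SAMPLE_LOG))
```

On the sample input the two allowed connections to external addresses on 445 and 139 are reported, the internal file-server session on 445 and the HTTPS connection are ignored, and the denied attempt only appears when `only_allowed=False`. The same check translates directly into a firewall policy: the fix for the "sloppy egress" Mitnick describes is a default deny outbound rule for 445 and 139 to anything outside `INTERNAL_NETS`, with the detection above kept as a regression test that the rule is still in place.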