[Repost] Q&A: The forefather of hackers, Kevin Mitnick
Original link: [url]http://software.silicon.com/security/0,39024655,39153967,00.htm[/url]
[quote]Notorious hacker turned security consultant on social engineering, big threats and catching today's hackers...[/quote]
To many, the name Kevin Mitnick is synonymous with "notorious hacker". He was caught by the FBI in 1995 after a well-publicised pursuit. Mitnick pled guilty to charges of wire and computer fraud and served five years behind bars.
Today, Mitnick is a computer security consultant and has written two books, including one on social engineering, his forte. He is a celebrity, especially at events such as the annual Defcon gathering of hackers in Las Vegas, where attendees ask him to sign their badges.
-- Mitnick on security and the software industry
Mitnick spends much of his time on the road at speaking engagements. silicon.com sister site, CNET News.com, caught up with Mitnick after a gig at a San Francisco user event for SupportSoft, a maker of call centre software, and talked to him about software security, the evolution of hacking and social engineering, and law enforcement's action against hacking.
Q: What do you think of the state of software security these days? Is it getting better?
A: Software is always going to have bugs because there are human beings behind it doing the development. Hopefully, universities teach secure coding practices. When I went to school, there were many programming classes but nothing that taught secure coding practices. So, hopefully, there will be an educational process and companies will actually do source code audits before they release their software and also train their people in secure coding practices if they are already employed and not in school. That will reduce the amount of problems but there will always be problems.
Do you believe that the state of software security is better today than five or 10 years ago?
A: No, though it depends on what software you are talking about and what the company has done. I can't make one statement for the whole industry. Take Microsoft, for example. I think their current code base is more secure than Windows NT was.
Would you say Microsoft is a leader and the rest of the industry is still catching up to that?
A: It is whatever the market demands - and Microsoft is up there, front and centre, because they have such a broad user base. Maybe you can call them a leader but I am sure there are other companies who are taking security seriously. I am waiting for a case where a software maker gets sued for releasing buggy code but they will probably cover their ass with the long licence agreements that nobody ever reads.
We've been talking about weaknesses in technology, not weaknesses in humans, which can also be a threat. You're one of the social engineering gurus. Do you see it evolving?
A: They are always coming up with new scams. A year ago it was Nigerian scams. Now callers purport to be from the MasterCard or Visa fraud department, calling you to try to trick you into revealing your CVV (Cardholder Verification Value) number on the back of your card. The human mind is very innovative and the attacker will build trust and confidence to gain co-operation.
Are the social engineers or the people who do such attacks becoming more criminal, like computer hackers are becoming more criminal?
A: You can have a teenage kid who is using social engineering to get into his friend's AOL screen name or you can have a military spy using it to try to break in somewhere, and everyone else in between. Social engineering is simply a tool used to gain access.
Do you see a difference between social engineers today and when you were doing it?
A: When I got started, when I learned about social engineering, it was during the phone phreaking era, the predecessor to the hacking era. That was more about calling different departments at phone companies to gain an understanding of their processes and procedures and then being able to pretend to be somebody at the phone company and having somebody do something for you.
Social engineering happens quite frequently now. It happened with Network Solutions, it happened with Paris Hilton. These are the attacks you hear about. There are many social engineering attacks you never hear about because they are not detected or because the person who was attacked doesn't want to admit it.
It is growing because security technologies are getting more resilient. There are better technologies to protect information assets and the attacker is going to go after the weaker link in the security chain. Social engineering is always going to be here. The more difficult it is to exploit the technology, the easier it becomes to go after people.
If you look at the people who attack vulnerabilities in technology today and compare that to when you were first starting out, what trends do you see?
A: Back then, a lot of the holes in technology were not readily available and published like they are today on the internet. Nowadays anybody with a browser could pretty much purchase commercial hacking tools like Canvas or go to a website where a lot of exploits are readily available. Ten years ago, if you were hacking you had to develop your own scripts. Today is like a point-and-click hacking world. You don't have to know how the engine is working, you just know to get in the car and drive. It is easier.
What would you say is the single biggest threat out there?
A: It is pretty much a blended threat. I think social engineering is really significant because there is no technology to prevent it. Companies normally don't raise awareness about this issue to each and every employee. It is at the end of the priority list in the security budget.
There will continue to be software vulnerabilities. In a lot of companies that I tested, if you are able to breach a perimeter machine, like an FTP server, mail server or DNS server, a lot of times you find those computers are not in the DMZ (De-Militarised Zone, a separate security area). Instead, they are on an internal network and the network is flat. So if you are able to compromise one, it is quite easy to spread access to other systems. Often times they even use the same passwords. Bottom line: more companies have to think of a defence-in-depth strategy, rather than just protecting the perimeter.
Over the past years we have seen a couple of arrests of virus writers, bot herders and others. Everybody knows you were arrested as well. Is law enforcement advancing? Are they doing the right thing and catching the right people, or are a lot still going free?
A: I am sure there are a lot of people doing this they don't catch. Wireless networks are ubiquitous. It is very difficult for law enforcement if somebody goes and takes a laptop and changes their media access control address so you can't identify the machine. If you're out in a car or van or sitting in a restaurant next to a wireless access point and don't use the same access point all the time, it could be extremely difficult to track you.
So there is a big challenge for law enforcement. Do you think they are doing a good job, or could they do better?
A: I don't know. We need stats for that. We need metrics on how many criminals they are apprehending. It is a guess that they are getting better, because they are getting help from the private sector. They are probably better than they were 10 years ago but I don't know their capabilities. I know their strengths are in forensics. So if they seize a computer of somebody thought to possess child pornography, they use Encase and can recover that contraband. That's what they are good at. In doing hacker investigations - I really don't know their capabilities.
So what about when it comes to virus writers, bot herders, phishers?
A: With virus writers, I don't believe the FBI is technically doing the analysis. They just farm it out to a Microsoft, Symantec or McAfee because it is easier. These companies are not going to turn down law enforcement because they are doing a public service.
Do you believe that more of these criminals should be caught?
A: They should try. But the bottom line is that there is so much hacking going on that they have to set a dollar limit. Unless there is a fraud or a loss that equals $50,000 - maybe $100,000 - they are not going to investigate. Small criminals knowing this can always stay under this threshold. That's at the federal level. Then there are states which might have a different monetary threshold but their competency is probably less than the feds.
Do you think if you were doing today what you did 10 years ago, would you be caught sooner?
A: If I knew what I know now and I could use what I know now back then, no. But if they had the technology that exists today, and I was doing the exact thing I was doing, yes. Law enforcement's capabilities for tracking communications are much greater than years ago.
Joris Evers writes for CNET News.com
1111111111111
Awesome~~
[quote][b]Quoting what EvilOctal posted on 2005-11-09 00:50:[/b]
1111111111111[/quote]
Sweat~
Full members are posting filler too? [s:36]
[quote][b]Quoting what darkseraph posted on 2005-11-23 00:16:[/b]
Sweat~
Full members are posting filler too? [s:36][/quote]
That's a secret code.
Then what does that line of his mean?
[quote][b]Quoting what darkseraph posted on 2005-11-23 00:16:[/b]
Sweat~
Full members are posting filler too? [s:36][/quote]
Just testing attachment uploads... there was a problem a while back.
Could you please not post in English......... [s:38]
I can't understand it [s:43]
Can't quite follow it; posting a machine translation, just the first part, it was too hard to do.
Kevin Mitnick [s:34]
Hehe...... really impressive...... A legendary figure.
Read it through again; actually I had already seen it in a bookstore. A master-class figure! A legend!
First, let my English measure up to Mitnick's [s:267]
Heh, I really admire this guy, truly awesome [s:270] [s:270]
When will we also produce a group of people that formidable!
Heh
It seems that in modern history China no longer has people as formidable as the ancients!
Sad. Don't dwell on the old days, guys, charge ahead!
We today should be even better than our forebears! Because we stand on the shoulders of those who came before. [s:264]
Gave me a fright. I thought the admins had all come here to post filler too!!!!