Book review: Social engineering can expose your company secrets: the case of Kevin D. Mitnick

I love books, and one of the books I remember reading years ago was “Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw-by the Man Who Did It” by Tsutomu Shimomura and John Markoff. This book came out in the mid-90s, and as I was already in the software business then, I was interested in learning more about the mindset of hackers; Kevin D. Mitnick was the best known of them at the time. I do not remember learning anything about social engineering from it, but having read the latest book, “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker” by Kevin Mitnick and William L. Simon, it became obvious to me how vulnerable humans are to revealing secrets to strangers without really thinking much about it.

This book brings an intriguing perspective to what went on in Mitnick’s life, and what makes it even more interesting is seeing the other side of the coin and the comments Mitnick makes about both Tsutomu Shimomura and John Markoff. According to Mitnick, many of the claims that Markoff’s book brings to light are false, and it is obvious that Markoff is not one of Mitnick’s favorite people. Whatever the case, this book shows the dark side of being a fugitive: not being able to spend time with family, and having to move continuously from one place to another depending on how close the authorities were getting to him. He describes how bad he felt about letting down his mother and grandmother, and the grief he caused them by continuing this illegal activity.

The book has lots of detailed examples of the hacks he carried out against companies such as Nokia, Motorola and Sun Microsystems. The Nokia examples were especially interesting: he explains how he called product development in Salo, Finland and, using social engineering tactics, got a person there to send him source code. This is something people do not think about, especially in large organizations, where people assume that a request is coming from within the company and not from a hacker pretending to be something he or she really is not. The book explains the different tactics Mitnick used, and I think it should be required reading for any information systems student or anyone working in the technology field. It shows that the biggest threats to security might not come from weak security systems but from the weaknesses of the humans working in organizations. Mitnick knew the lingo and used it to convince the other party on the telephone to do what he wanted. Knowing the internal jargon is not proof of identity, which is why an out-of-band check, such as calling the requester back on a number taken from the company directory rather than one the caller supplies, matters before sending anything sensitive. This is what social engineering is all about.

In the book, Mitnick claims that he was never after money and never wanted to cause damage to any organization. He hacked for the challenge and, I guess, out of boredom. What was also obvious is that the friends he hacked with turned out not to be his friends, as they became informers to get Mitnick prosecuted. I am not sure why Mitnick decided to spend a big part of his life worrying about being arrested, but I guess many things about people and our lives can’t be explained. Mitnick also includes other famous hackers in his book, such as Kevin Poulsen, who spent time in prison and also wrote the book “Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground”.

If you want to read Mitnick’s side of the story, I think this is a good book to start with.

Who owns your data in the cloud, and do you care if the vendor uses it to create derivative works?

Last week we could read about a security breach at Dropbox, where a bug made passwords optional for a few hours, so that any password was accepted at login and knowing an account’s e-mail address was enough to get into it. This break in security led to an outcry in the user community, and with reason. What if you had your personal and very private information stored at Dropbox, and suddenly it was open to anybody? Dropbox said that less than 1% of users logged in during this time, but if the company has 25 million users, even one percent is a considerable number, especially if the breach caused those users an issue.

A few days later Dropbox was yet again in the news, this time for changing its Terms and Conditions of use. The new terms give Dropbox the authority to use your information through the following statement:

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

The question I now have is whether Dropbox can sell my content to search engine vendors to index and use for targeted marketing. Read literally, the quoted clause limits the license to what is reasonably necessary to administer, display and operate the Service, so on its own wording it does not cover selling content to third parties for indexing or marketing. The timing of this topic is pretty interesting, as last night I was reading a book by Eli Pariser called The Filter Bubble: What the Internet Is Hiding from You. The book really opened my eyes concerning the personalization of search results based on you and your profile. If you assume that the search results are the same for you and me, think again: you and I will get different search results even if we use the same search terms.

The Dropboxes of the world have a valuation based on future expectations, and according to CNET News, the company now has more than 25 million users who use the service for free. According to TechCrunch, the rumored valuation of the company today is as high as $1.5 to 2 billion. But this valuation is based on people trusting the service, as TechCrunch concludes in its blog entry.

My question has always been: can we expect anything if we get things for free? If the only idea for your business is to take venture capital, run the business at a huge loss and then capitalize on valuation expectations, as many other companies have, then I do get it. But if you build a software business with the idea of being around for a while and having a sustainable and profitable business, I can’t see a free model working. I am sure that even Dropbox is considering using the content in “free accounts” to drive ad revenue, as indexing the content would enable targeted marketing to the end users of the “free service”.

Michael Krigsman from ZDNet concludes that Dropbox is unlikely to read your “Stuff”, but he suggests discontinuing use of the product for applications where privacy and confidentiality are mission critical. I believe this has nothing to do with the bug or security breach, but more with how the terms and conditions are laid out for users. You need to be your own judge when you use the service and decide whether you feel it is OK to give Dropbox the authority over your data that the terms suggest. Dropbox has responded to the outcry over the change in terms and conditions on its blog, so you can all judge, based on that response, how you want to see the change in conditions.