Kevin Mitnick: 'The only thing McAfee is good at is making videos'

Outspoken security expert and reformed hacker claims that anti-virus software is next to useless, and shows how peer-to-peer software can cause devastating leaks of sensitive corporate data

Security expert and reformed hacker Kevin Mitnick has branded anti-virus software useless, claiming: "The only thing McAfee is good at is making videos."

Speaking at IT conference IPExpo in London this morning, Mitnick explained that other security firms produced equally worthless software, listing Kaspersky Labs and Symantec as examples.

He added that application vulnerabilities and social engineering are the most fertile areas for hackers to exploit today, with a hybrid attack involving both vectors even more likely to result in a security breach.

"The attacker only has to find one person in the business to make a bad decision and then they have a foot in the door," he said.

Mitnick demonstrated how easy it is to hack a computer, even when secured by the latest McAfee AV client, which he claimed was fully patched. He explained that the simplest form of attack is to identify a specific individual target in a firm, then research them on social media in order to tailor a message to them that will make them more likely to open an infected attachment.

"The attacker only has to find one person to open a PDF, so you do the attacks surgically. LinkedIn is the best tool - you search for networks and positions. You might want to target sales and marketing, because they're the most likely to comply with my request. So you find out who they communicate with, their partners, customers and suppliers. You can then spoof communications that appear to come from a trusted source.

"You could even find out who their account rep is from a supplier - like Cisco for instance. So you call Cisco, claim to be from the company you're targeting and ask who the account rep is. They won't background check you, they'll just tell you. Then register a domain like CiscoSecurity.com, and you send them a PDF from that legitimate-looking account. And once they open it, game over."

Mitnick demonstrated the attack using the hacking tool Metasploit. He showed an infected Word document on a laptop, and scanned it using the McAfee AV client. The document was passed as clean, but when it was opened it sent the user's username and hashed password to a second laptop, which was acting as the "hacker" in the demo.

The problem, Mitnick explained, is that while most firms have fairly tight rules on ingress - what they allow into the corporate network - they're "very sloppy" on egress - what they allow out.

"Companies allow too much information out," he said. "For example, most firms enable port 445 to output information from the corporate network, and that enables this sort of attack. You get the user's hashed details, and you can then use a dictionary attack, or brute force attack to get the rest of the information you need to get network access."
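As an added illustration of the egress point above (not code from the talk or the article): a small Python check over constructed firewall log lines that flags internal hosts which were *allowed* to reach SMB ports on addresses outside the internal range. The log format, hosts, addresses and the choice of RFC 1918 as "internal" are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall egress log lines (not real traffic, not from the talk).
SAMPLE_LOG = """\
ts=2023-01-05T09:12:01Z action=allow proto=tcp src=10.20.3.44 dst=10.20.0.5 dport=445
ts=2023-01-05T09:12:07Z action=allow proto=tcp src=10.20.3.44 dst=203.0.113.25 dport=445
ts=2023-01-05T09:12:09Z action=allow proto=tcp src=10.20.3.44 dst=203.0.113.25 dport=80
ts=2023-01-05T09:13:30Z action=deny proto=tcp src=10.20.7.12 dst=198.51.100.9 dport=445
ts=2023-01-05T09:14:02Z action=allow proto=tcp src=10.20.7.12 dst=198.51.100.9 dport=139
"""

SMB_PORTS = {445, 139}  # SMB over TCP and the NetBIOS session service
# Address space that legitimately hosts file servers (assumption: RFC 1918 only).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Turn one 'key=value ...' log line into a dict; None if malformed."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not {"action", "proto", "src", "dst", "dport"}.issubset(fields):
        return None
    try:
        fields["dport"] = int(fields["dport"])
        fields["dst_ip"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields


def find_smb_egress(log_text):
    """Map each source host to the external SMB endpoints it was allowed to
    reach. Denied entries mean the egress filter worked and are not reported."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["action"] != "allow":
            continue
        if rec["dport"] not in SMB_PORTS:
            continue
        if any(rec["dst_ip"] in net for net in INTERNAL_NETS):
            continue  # internal file-share traffic is expected
        hits[rec["src"]].append(f'{rec["dst"]}:{rec["dport"]}')
    return dict(hits)
```

Running `find_smb_egress(SAMPLE_LOG)` on the sample reports the two hosts that reached internet SMB endpoints; in practice the same check belongs in the egress policy itself (deny outbound 445/139 by default), with this kind of log review catching exceptions.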

He then showed a similar attack using a PDF file, which was also passed as clean by the McAfee client.

"It doesn't matter what AV tool you use as this can bypass them all. This uses a 'heapspray' technique, which freezes the PDF as the user is opening it like something's hung, but it's spraying malicious code over the machine's memory. This executes code to drop a malicious trojan on the target's laptop."

Mitnick then switched to the "hacker's" laptop to demonstrate how it was able to connect to the now infected "user" machine. The trojan, he claimed, enables the hacker to upload or download any file to or from the computer, change its registry, turn on the webcam, or use it in any way the legitimate user could.

"And it's a rootkit attack," he added. "So if you look at the processes, registry, or files, you won't see it. The operating system will lie to you that it isn't there, because it doesn't think it exists."

He also sounded a note of warning for firms that use peer-to-peer software as part of their business, or whose employees use it for uploading or downloading software.

"When you install a peer-to-peer client, it inadvertently shares your entire hard drive with that peer-to-peer network," stated Mitnick.

He showed the audience a detailed network topology map, which included all the switches and routers on the network, and all of the internal and external IP addresses. The network in question was the Pentagon Secret Backbone. Mitnick explained that someone at the Pentagon had installed a peer-to-peer client at some point, and not realised that various important documents, such as this map, had been leaked as a direct result.

More worryingly still, he also showed a list of thousands of HSBC clients, complete with their credit card data (including the number, expiry date and the customer's address), which had also been leaked as a result of a peer-to-peer client install.

"And this was obtained 100 per cent legally, because it's on peer-to-peer. It's an identity thief's wet dream," he concluded.