Apparently, it is in searchsecurity.com’s best interest to continue to report on the Frank Abagnale controversy at the Computer Security Institute’s show in November, presumably because he will also be speaking at the RSA show in February.
If you are not familiar with the controversy, you can read the linked article above. In short – some security professionals refused to speak at CSI because Abagnale, subject of the movie "Catch Me if You Can", was a keynote speaker. Now, Abagnale is pulling out of the security space, but is contractually obligated to speak at RSA.
I happen to believe that it is reasonable to want to be disassociated from Abagnale (and other hackers – Kevin Mitnick was mentioned in the article). What was interesting to me was after the speech (I didn’t attend, but more because I am generally lackadaisical at that type of event), I had people telling me that they thought he was a great speaker. Ummm, duh! This guy is the ultimate social engineer. In fact, he continues to social engineer throughout the searchsecurity.com article.
I happen to be reading Robert Cialdini’s "Influence: the Power of Persuasion" which is a great book for folks that think this isn’t detrimental to the security profession – in short, it doesn’t matter if you disagree with him, just giving him a showcase associates you (in this case, CSI and security professionals) with him.
Cialdini has a good passage in his book, which I will paraphrase (liberally, with my interpretation): If you find yourself liking somebody "more than you should" based on the amount of time you’ve known him/her and your relationship with him/her, it is an important time to take a step back and evaluate the situation.
The thing to remember about social engineering is simply that the best perpetrators intend to catch you off-guard and compromise your instincts. Of course, good friends do, too. That is why you take a step back and evaluate. Given that he is a proven social engineer, everyone should be wary. Remember, "fool me once, shame on you; fool me twice, shame on me."
I am disappointed, but not surprised, that security folks would be so easily socially-engineered. It happens all the time.
Greetings Pete!
Just found your blog and have linked it within mine.
I have to disagree with you on this one…
I think that Abagnale is a true security expert. He understands security beyond social engineering as evidenced by his involvement with currency protection and the FBI after his run-in with the law. I have a hard time holding his past mistakes against him, if he has truly reformed (no longer uses social engineering for others’ harm). In fact, he is able to provide great insight from his understanding of human nature as well as his experience in thwarting criminal activity. (I did not attend the CSI conference last Fall due to budget cuts – but seriously wanted to specifically because of Abagnale’s presence.)
I would, however, take your position in the case of Kevin Mitnick. He was a second-rate social engineer who continues to profit from his exploits and doesn’t seem to have proven that he has reformed his attitude (just taking the path of least resistance… means that given the right opportunity he might take advantage of people again – doubt you can say that about Abagnale).
Hi, Stuart – I guess my point is that for a social engineer as good as he is, you can’t really tell if he’s reformed or not. Not ever. To be honest, I don’t care a whole lot – heck, I’d probably like the guy if I met him (given that that is the social engineer’s currency).