Look no further than Kevin Mitnick’s business card to see how some things never change.
Cut from stainless steel, the card includes breakaway pieces of a
fully functional lock-picking kit. It’s an apt symbol for a man who has made a career, first criminal and now legitimate, of breaking locks both digital and physical and going places where he has not been invited.
We met in Hanover, Germany, this month where he had been invited to speak on security issues at the CeBit technology conference; he was billed by its organizers as the “world’s most famous hacker.” He earned the title in the 1990s, when the world was still waking up to the existence of the Internet. Mitnick was, for a two-year period ending in 1995 with his arrest by the FBI in North Carolina, its most-wanted outlaw. A 1994
New York Times profile breathlessly described him as having hacked into computers at the North American Air Defense Command as a teenager. It wasn’t true, but it became part of his legend.
In 1999, as part of a deal, he pled guilty to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting communications. All told he spent five years in federal prison ending in 2000. That included eight months in solitary confinement because a federal judge believed he could “
whistle tones into a phone and launch a nuclear missile.” Again, the legend.
Now 51, he concedes that he hacked into computers belonging to companies like Motorola, Nokia and Sun Microsystems “for the pursuit of knowledge and adventure,” he said, not for personal profit or to cause any meaningful harm. In an age when hackers in the pay of criminal gangs or third-world countries daily pilfer data from multinational corporations around the world for sale on the black market, the notion of hacking for sheer curiosity hearkens back to a more innocent time.
These days, Mitnick is a highly paid and successful security consultant to some of the world’s largest companies including FedEx, Toshiba, CBS, IBM and Lockheed Martin. And he’s good at what he does. “My primary business is doing penetration testing,” he said. “We test the physical security, the technical security, the people. We test their wireless networks, their VOIP phones. We test everything across the board to look for vulnerabilities so our clients can fix them.”
By “testing” Mitnick means accepting a large fee — he didn’t say how much — to do to these companies exactly what landed him in prison two decades ago: Gain entry to their computers, their networks, their phones and even their buildings, by any means necessary without being detected and then to report back on how he did it.
And here’s probably the most interesting fact: Mitnick and his constantly changing team of speciality hackers have a 100 percent success rate. That’s no legend. “It’s not even bragging,” he said. “It’s just a fact.”
At this point Mitnick spins off on a detailed account of a recent job for a large retailer in New York. For 15 minutes he weaves a tale rife with technical details and specifications recited from memory on how he and his team tricked a store manager into believing Mitnick was a technician from its alarm company. As Mitnick tells it, any reasonable person would have fallen for it. He arrived on the scene with a working building access card with the alarm company’s logo stamped on it. His ruse was that he was there to “make some adjustments” to some of the alarm system’s motion sensors.
The end objective was to penetrate not only the retailer’s computer network — the weak spot there turned out to be a networked printer with a default password — but also to sneak into one of its high-profile Manhattan stores after hours without being caught. It took four weeks of reconnaissance and research including building a machine to copy employee building access cards. When the job was done Mitnick delivered his report, containing step-by-step instructions on how to correct each problem found, to the senior executive who had hired him — but not by email. “I still had access to their network so I left a copy of the report on his PC’s desktop,” Mitnick said. “It was more secure to do it that way than email it. He thought that was a nice touch.”
His story illustrates the common thread that occurs in practically all the consulting gigs he takes on and in the
three books he’s written: The human element.
On most of his jobs Mitnick is asked to attack not only a company’s computers, but also to fool its employees into letting him walk right in to places from which he would otherwise be locked out. These “social engineering” attacks amount to tricking someone with access to a computer or a building or some other asset to give up information. Hacking humans is easier than hacking computers: “The most effective way to carry out an attack is to get the client — a person — to do something stupid,” he said. And as the old saying goes, there’s no cure for stupid.
When the aim is to breach a computer network, the best way to do that is to get someone inside a target company to open a computer file they shouldn’t. “If you’re going after a law firm, for example, you can usually get someone to click to open a PDF document in a heartbeat,” he said. That innocent-looking PDF might be loaded with malware that gives the attacker a foot in the door to the firm’s network.
One foot in the door is all it takes. It’s usually not long before that door and many like it swing wide open under Mitnick’s determined probing: He’ll look for lists of other computers and what software they run, directories of people, their user names, passwords, cellphone numbers and any other useful information to help more thoroughly compromise a network. One way in is never enough.
Looking back he thinks little of the profound irony that he’s hacking for a living 20 years after it landed him in prison. But without the prison time, there would be no legend. And without the legend, there would be no hefty consulting fees. (How hefty? He still won’t say.) “I started all this for fun as a hobby and now I do it for a living,” he said. “I never thought in a million years that there would be opportunities like this.”
And if you’re still unconvinced that this ex con has gone straight, consider this: You may have already benefitted indirectly from his work. One of the three major credit bureaus — he won’t say which one — hired him recently for another of his “tests.”
The result was pretty much the same as that of the retailer. Again Mitnick spins a yarn with lots of detail ripped from memory but here’s the tl;dr version: “We owned them. We owned their networks, their buildings and their people. We had access to everything. It’s going to take them three years to fix all the problems we found.”
0 comments: