CSC - Experience. Results. CSC World - Putting Innovation to Work

First Hand

It Takes a Hacker: An Interview With Kevin Mitnick

Kevin Mitnick knows hacking. His name is practically synonymous with hacking, which may be the best possible advertisement for Mitnick Security Consulting, the information security firm he founded in 2003. And a good reason to seek him out for some tips on computer security.

Mitnick started early on the career that would make him the world’s most famous hacker: hacking bus transfers as a kid to get free bus rides all over Los Angeles; phone phreaking as a teenager; then graduating to exploits like breaking into Digital Equipment Corporation’s network and stealing source code from Motorola and Nokia. These break-ins, and rumors of even more daring and destructive exploits, eventually landed him in federal prison for five years.

Since being released from prison in 2000, his expertise has been sought by corporations and congressional committees. He has written two books, both co-authored with William L. Simon: The Art of Deception: Controlling the Human Element of Security (Wiley, 2002) and The Art of Intrusion: Real Stories Behind the Exploits of Hackers, Intruders, and Deceivers (Wiley, 2005). We talked with him last November, just before he spoke on social engineering at a CSC Executive Exchange in Pebble Beach, Calif.

CSC World: You’ve seen hacking from both sides since the late 1970s. Has there been much change?

Mitnick: Yes, because the Internet has changed and hackers have become more skilled. Back in my day, there were a lot of hobbyist hackers, who did it just out of a passion for the technology and for the intellectual challenge. There are still quite a few of them today.

But the trend has been toward criminals who use computers to steal money and property. Now the Internet can be used to defraud consumers and businesses, so criminals are using it to do what they have always done. They aren’t really hackers. They just use hacking methods to commit traditional crimes. Computer-related crime is less risky than dealing drugs because there’s a lot of money to be made on information alone. The Internet is a wonderful tool, and it can be used ethically or unethically.

CSC World: So the changes you’ve seen have come about because of changes in the technology of the Internet itself?

Mitnick: Right. Don’t forget, back in the early days there was no WWW. It was Arpanet that evolved into the Internet. Most of the vulnerabilities at that time were at the network and operating system layer. In today’s world, a lot of the vulnerabilities are at the application layer. And now that the Internet has become a publication medium, hackers don’t need to acquire special skills. They can use programs that were developed by sophisticated hackers.

CSC World: You’re talking about the ankle-biters or script kiddies?

Mitnick: No, those are novice hackers who don’t know how to exploit vulnerabilities. I’m talking about people who may be technically astute but who use tools that are available on the Internet because why reinvent the wheel? For example, if I were doing a security assessment and found that a client had a vulnerability in Citrix, and an exploit was already written and tested, I’d use it in my assessment. I wouldn’t reinvent an exploit.

CSC World: Some of the most sophisticated hackers today are engaged in international espionage, even warfare.

Mitnick: There are sophisticated hackers, but they’re not the only problem. You also have to think about where all the chips that go into our hardware are being manufactured. Network cards, for example. Do you get to look at the source code, the computer instructions that are in the firmware of your network card? Could there be some surreptitious code in there that allows your communication to be intercepted? Firmware is usually proprietary, so how would you know that?

CSC World: In your most recent book, you write about a guy calling himself Khalid who conned a kid into doing some pretty impressive hacking. It wasn’t clear whether he was recruiting the kid or doing some social engineering to get the kid to do his dirty work.

Mitnick: Or whether he was undercover FBI. We didn’t have enough evidence either way. I’m sure that terrorist groups use encryption or steganography to communicate on the Internet, because it’s much safer than telephones. Even GSM, which is widely used in Europe, has been cracked. They can go into an Internet cafe in Amsterdam and send an encrypted e-mail to their cohorts anywhere in the world without detection. A lot of countries don’t have cameras in their Internet cafes, so it’s anonymous.

CSC World: Your first book was all about social engineering.

Mitnick: That threat has grown and it’s the hardest attack to defend against. There’s no technology to screen telephone calls or e-mail for such attacks, so individuals have to be trained to recognize the methods social engineers use to gain access to sensitive information.

CSC World: Judging by recent events in the corporate world, hackers aren’t the only ones who use social engineering.

Mitnick: Private investigators say they don’t do pretexting, but that’s not true. Back in my hacking days, when I was an information broker, PI companies would bring me on board to get information they couldn’t get.

CSC World: Information like phone records?

Mitnick: Right. The only legitimate way to get personal phone records is with a subpoena, and PIs can’t do that. But they can do it by pretexting. Most phone companies have online billing, and often the only identification they require is your account number and the last four digits of your Social Security number.

I can find your Social Security number on the Internet in about 60 seconds. Then I call the company and say, “Hi, this is John Smith, my phone number is xxx-xxxx, and I want to check my account online but I forgot my account number.” The person on the other end will say, “All right, Mr. Smith. May I have the last four digits of your Social Security number?” Then I can get access to your records going back for a year. This goes on all the time, because there’s no legitimate way for PIs to get private phone records. You usually don’t hear about it because they don’t get caught.

CSC World: Another issue here in the United States has been the vulnerability of computer voting.

Mitnick: I haven’t followed it that much, but I’d be leery of any computer that doesn’t have an auditing system in place to confirm that data was input properly and wasn’t manipulated. Any kind of electronic equipment can be manipulated. They do that in casinos. If you win a big jackpot playing poker on a machine, the casino is going to check the firmware to make sure someone hasn’t hacked the machine. Do they do that with voting machines? I don’t know.

CSC World: What’s the most common security mistake companies make?

Mitnick: There are technology mistakes and social mistakes. The most common technology mistakes are not auditing Web applications and installing security hardware without configuring it properly. On the people side, by the time companies spend their security budgets on hardware and software, they’re out of money and can’t afford to set up security awareness training programs. So people aren’t trained to resist social engineering attacks. Hackers are going to go after the weakest link in the security chain, which is always the people. You can have the best security in the world, but if I can convince one person in the company to give me sensitive information, your security budget has been wasted.

CSC World: That’s pretexting again. What about other kinds of social engineering?

Mitnick: Once hackers get into a network, they do another kind of social engineering by looking at how people choose their passwords. If they can find three passwords a person has chosen, it will give them an idea of what other passwords might be. If a person chooses movie titles, that’s a clue to future passwords.

Often, they don’t have to do that, though, because people write their passwords down in Excel spreadsheets or Word documents. They do that because they’re supposed to come up with passwords that are impossible to remember. So the first thing hackers do when they break into a network is look for files that have *pass* in them. People often use the same password for everything, the same one for Amazon.com, or eBay, or some clothing store, that they use at work. So if hackers can intercept e-mails to those online accounts, they can get the passwords they need to compromise a work server.

CSC World: Finally, you mention defense in depth in your book. What do you mean by that?

Mitnick: A lot of companies secure their perimeter machines — the mail and DNS servers, maybe Citrix or FTP servers — the Internet-facing computers. But new vulnerabilities are being discovered every day, which means that any day a hacker can find a way to get past the perimeter. In many of the companies I assess, I can get into the network by getting into one machine on the perimeter. And once I get inside, everything else is like taking candy from a baby because it’s less well protected.

Defense in depth means putting protection around your information assets inside the perimeter. So if someone compromises a perimeter machine, they still have to jump over other walls to get at sensitive data. It means compartmentalizing information based on sensitivity, and building internal firewalls and internal auditing.

An effective security program is made up of people, processes, and technology. Only by having mitigation strategies in all three categories will you have a strong security program.

© Copyright 2006 Computer Sciences Corporation