I was once the world’s most notorious hacker, now I do the same thing I did years ago – but I do it with my client’s permission.
IN THE SPACE of 10 years, hacker Kevin Mitnick went from being on the run from the FBI, to spending five years in prison, to spearheading his own Fortune 500 company that probes online security, and ironically, hired by some of the companies that he had attacked himself a decade previously.
Since his teenage years, he had been using tricks to game the system, starting with free bus rides and working out his teacher’s password; eventually evolving to stealing powerful people’s passwords and emails by probing the defences of both corporate and federal websites.
Now, after spending several years in prison for those crimes, he’s hired by companies to test their defences against the increasing barrage of cyberattacks.
Ahead of his appearance at the BT Mindshare tomorrow, which takes place during the BT Young Scientist & Technology Exhibition at the RDS, Mitnick spoke to TheJournal.ie about the greatest threat to companies’ security – its employees.
He also spoke about the major security risks in an increasingly-automated world, how he’s not angry about the “harsh sentencing” he received for his past crimes, and how he became involved in hacking in the first place – it all started with a magic trick on a mobile phone, and a teacher who encouraged his mischief.
Now you see it, now you don’t
When we think of what the internet and other technologies of the Digital Age have been able to make possible in such a short space of time, it’s quite extraordinary.
A video pinged across the world in seconds, huge amounts of money disappears in one account and appears in another; voice controlled-activations, driverless cars, and the prospect of machine-learning.
Similarly, 13-year-old Mitnick was awestruck in high school by the tricks his friend was able to do with a mobile phone.
“What drew me into hacking was my love for magic.” he said. “So as a young boy, I used to ride my bicycle over to the magic store after school to watch the salespeople perform these tricks over and over and over again.
“And then when I ended up in high school, I met this kid who could work magic with a telephone and he did all these tricks – he was able to get my mom’s unlisted telephone number.
He did all this crazy stuff where he’d call another number, he’d get your tone, he’d put in the secret code and you could dial anywhere in the world for free.
This art of manipulating or experimenting with phones or other communication devices is called ‘phreaking’, and gained popularity in the 1960s and ‘70s. As phones became more digitised, the often illegal practice of phreaking became closely associated with hacking.
In the early 1970s, Apple co-founder Steve Wozniak invented a device that allowed them to make free calls anywhere in the world by using certain tones in the telephone system. After a series of pranks, Wozniak’s friend and the famous co-founder of Apple Steve Jobs started thinking of ways to monetise the illegal devices, and invented the ‘blue box’, which were sold during the 1970s. It was from the proceeds of this ‘phreaking’ phone device that Jobs and Wozniak were able to fund their first creation – the Apple One.
“So Apple computers started from the phone phreaking stuff, and me I was also a prankster. I used to use my phone phreaking skills to change the [messaging service] on a friend’s home phone to a pay phone. So I remember when he or his parents tried to make a call it said ‘please make a deposit of 25 cents’.”
He says that as phones became more computerised in the 1970s, he upskilled in order “to pull pranks on friends and family”. So he decided he wanted to take a computer class, which had just become an option in his high school. But because he didn’t have the required prerequisites, he wouldn’t be allowed to take the class. So his friend suggested Mitnick should “show him what you can do with the phone”.
After obtaining the teacher’s wife’s number from the classroom phone, connected through the dial-up modem, and a few other tricks, the teacher allowed Mitnick to take the class.
His teacher continued to encourage Mitnick; even after he neglected the first task he was given in favour of creating a code that revealed the passwords of his classmates and teacher.
So the first programme that I ever wrote in my life was a log-in simulator, similar to a modern-day phishing programme.
Kid’s stuff.
FBI Most Wanted
Between the age of 16 and 32 (the age at which he was arrested by the FBI) Mitnick had copied software at the Digital Equipment Corporation, had hacked into the Pacific Bell voicemail computers, had gained access to dozens of computer networks for access to passwords, emails, and private information.
But despite Mitnick’s desire to keep a low-profile, and who hacked systems “for the pursuit of knowledge and adventure” and not for personal profit, he was labelled as the bad guy. In a book published in 1995, Cyberpunk: Outlaws and Hackers on the Computer Frontier, authors Hafner and Markoff labelled Mitnick as a ‘darkside hacker’. Afterwards, USA Today published a picture of Mitnick’s face superimposed over an image of Darth Vader.
This came just before his arrest in February 1995 after a high-profile pursuit by the FBI. He was charged with and pleaded guilty to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication, and served five years in prison.
Eight months of that sentence were served in solitary confinement, Mitnick says, because a prosecuting lawyer told the judge that he could use a prison payphone to communicate with a NORAD modem by whistling, which would launch nuclear missiles.
Mitnick says he responded by laughing, but the judge seemed to take the suggestion seriously, and agreed to putting him in solitary confinement, a decision that Mitnick cites as an example of the depth of their misunderstanding.
While on the run from the FBI, he repeatedly tricked agents using cloned cellular phones to hide his location, which Mitnick told TheJournal.ie is the reason he received such a hard sentence.
“They had egg on their face,” he said, adding that former FBI agents who he’s met since have agreed with him that he got a harsh sentence.
Today’s threats
Today, Mitnick says that although there are more ways of hacking into people’s accounts, and accessing private information, the number one way in which “the bad guys get in” has stayed the same since the ’70s – through talking people into giving up private information.
He calls this technique ‘social engineering’ (think Leo DiCaprio in Catch Me If You Can).
“Social engineering is using manipulation, deception and influence to get a target to comply with the request, usually to give information or to click on an attachment in an email. And once the victim opens up the attachment and follows the instructions of the attacker, the computer is compromised.”
He says that some nationalities are more skeptical to these types of approaches by phone – Russia and China, for example, while in countries like Japan and Australia people are more likely to trust a caller and accidentally give away security information.
He also expressed concern about how the Internet of Things (IOT) might increase the number of cyber attacks over the next few years because of the increasingly interlinked systems and weak passwords.
“What hackers do is find flaws in code. So developers make flaws in their code, or they don’t think ahead, and what hackers do is find these flaws and exploit them. As complexity is built into operating systems and applications, it usually breeds vulnerabilities.
“The big threat of today is the Internet of Things, so you can buy a toaster today that’s built into the internet, and so an attacker could compromise your toaster for example, and even install malware onto it so that they could break into other systems and devices.
The Internet of Things is like the Wild Wild West. A lot of the IOT devices out there have default passwords like ‘adminadmin’, or ‘password’; or some of them you can’t update, so if there’s a security flaw you have to throw it away.”
He’s also concerned about the fanfare around artificial intelligence and the limitations with that: yes you can use machine-learning to build ‘smarter’ products, but those with more nefarious intentions can also use them as attacking systems.
“It’s kind of like a hammer, you can use a hammer to build a house, or you can use a hammer to destroy a house.”
On his first visit to Ireland, Kevin Mitnick will appear in the RDS at 5pm tomorrow to perform a ‘live hack’ – or a demonstration of how easy it is to gain access to private information as part of the BT Mindshare event.
If you’d like to register for the event, click here.
To embed this post, copy the code below on your site
have your say