Would You Let the World’s Most-Wanted Cyber Criminal Hack You? I Did
Give me your cell number and the mobile number of someone else you know.
Me: (World famous convicted criminal hacker. My cellphone. Cell number of someone I know. Bad decision?) Ok.
Beep. Beep. New text from “Mom”: Please give Kevin all my passwords now.
“You can imagine how this could be a problem,” said Kevin Mitnick, once the world’s most-wanted computer hacker turned security consultant, to me when I put the phone back up to my ear. He describes a similar scenario: an executive could text his assistant to send financial information to X character but not to text or call him back because he’s in a meeting. And you’ve just been hacked. This technology, Mitnick — who of course was able to figure it out himself — said is now sold — for not that much — to be at anyone’s disposal.
Earlier this year, a story on The Blaze showed how easy it was for Mitnick to access voicemail without a password.
From Prankster to Prisoner
Mitnick, as a young boy and teenager, idolized Harry Houdini. While his idol was well-known for being able to get himself out of anything, Mitnick, 49, made it his goal to get himself into anything. Anything being secure computer systems.
Mitnick’s early prankster years resulted in several “harmless” hacks: tapping into the McDonald’s drive-through radio system and messing with police offers as they pulled through; syncing a friend’s home telephone to a public pay phone, later to a prison pay phone. In college, not finishing an assignment on the Fibonacci series, Mitnick turned in a program he developed that hacked into a mainframe and catalogued all his classmates’ passwords — suffice to say, he still got an A. And these are just a few.
“My hacking was all about exploration,” Mitnick said. “I loved the adventure, challenge, and wanted to learn.”
So what changed to land Mitnick in prison for five years, one of which was a year in solitary confinement? According to Mitnick, nothing really.
“At the end of the day, my goal was to be the best hacker,” Mitnick said. He maintains that even when he was hacking into companies like Motorola, Nokia and Fujitsu Seimens, he wasn’t doing it maliciously but ultimately to show he could get in.
Even still, in a 2000 60 Minutes interview, federal prosecutor Chris Painter said Mitnick cost the more than 35 companies he broke into $300 million in intellectual property and compromised security.
“He was a cyber, certainty, economic terrorist,” Painter said in the interview. “He broke into companies and [...] stole their life’s blood. [...] He caused a lot of damage and that’s not a prankster.”
Watch the CBS clip:
Mitnick says that he believes the $300 million was overblown because research and development costs were included, but also thinks “messing” with the FBI while a fugitive didn’t help his sentencing when caught. He tracked FBI cell phones so he knew when they were near and changed location. Adding insult to injury, he once put a box of donuts in his fridge labeled for FBI offers.
“Because I did these types of things, I think they came down hard on me,” Mitnick said. Mitnick also notes that all the companies he hacked into were publicly traded companies that didn’t record any loss.
But he‘s not saying he shouldn’t have been punished.
“I’m sorry for the hassle I caused. I know what it’s like; it’s a pain in the butt” Mitnick said of his new role catching hackers and finding vulnerabilities in systems as the owner of Mitnick Security Consulting LLC.
Old School Hacking Vs. New Age Stealing
Mitnick provided me with an interesting perspective of hacking then and now. When he was in high school, yes, hacking was still nerdy, but it was cool.
“I was hooked in before hacking was even illegal,” Mitnick said, noting that there wasn‘t even computer ethics when he was in high school because hacking to steal credit cards and other personal information didn’t exist.
Old school style Mitnick says was for intellectual gain — and I’ll add bragging rights. Today, Mitnick points out, hackers are stealing identities and other information for financial gain. Or other groups are hacking to gain attention for their agenda or from the media. The hacker collective Anonymous, for example, Mitnick says is trying to persuade the government or other groups to change policies of how they do things, but are leaving collateral damage — normal citizens like you and me — in their wake.
“I‘m not saying their cause isn’t important,” Mitnick said. “But they could go about it in socially acceptable ways.”
I then went on to ask Mitnick about the security of infrastructure systems in the United States, on which The Blaze recently reported. Mitnick reiterated the fact that, as of right now, much of the security and reporting is up to the individual companies. Many are hooking up their systems together to make it easier to manage, he notes, but this also makes it easier to hack.
For individuals who have similar insatiable urges to hack, he says there are “legal” hacking sites where they can practice their skills.
Mitnick is the Ghost in the Wires
One of his latest endeavors was writing a spy novel. If you read the New York Times best selling Ghost in the Wires and compared it to Mitnick’s life, it wouldn’t take you long to figure out who the ghost was — him.
Although an autobiographical account, Mitnick wanted his latest book to be entertaining and educational.
Here is an excerpt as included in Wired:
I compromised the Social Security Administration, for example, through an elaborate social engineering attack. It began with my usual research—the various departments of the agency, where they were located, who the supervisors and managers were for each, standard internal lingo, and so on. Claims were processed by special groups called “Mods,” which I think stood for “modules,” each one perhaps covering a series of Social Security numbers. I social engineered the phone number for a Mod and eventually reached a staff member who told me her name was Ann. I told her I was Tom Harmon, in the agency’s Office of the Inspector General.
I said, “We’re going to be needing assistance on a continuing basis,” explaining that while our office was working on a number of fraud investigations, we didn’t have access to MCS — short for “Modernized Claims System,” the amusingly clumsy name for their centralized computer system.
From the time of that initial conversation, we became telephone buddies. I was able to call Ann and have her look up whatever I wanted — Social Security numbers, dates and places of birth, mother’s maiden names, disability benefits, wages, and so on. Whenever I phoned, she would drop whatever she was doing to look up anything I asked for.
Ann seemed to love my calls. She clearly enjoyed playing deputy to a man from the Inspector General’s Office who was doing these important investigations of people committing fraud. I suppose it broke the routine of a mundane, plodding workday. She would even suggest things to search: “Would knowing the parents’ names help?” And then she’d go through a series of steps to dig up the information.
On one occasion, I slipped, asking, “What’s the weather like there today?”
But I supposedly worked in the same city she did. She said, “You don’t know what the weather is!?”
I covered quickly. “I’m in LA today on a case.” She must have figured, Oh, of course — he has to travel for his work.
We were phone buddies for about three years, both enjoying the banter and the sense of accomplishment.
Mitnick said he actually spends more time public speaking about security issues — up to 60 percent of his time — than he does finding vulnerabilities — with permission — in clients’ systems.
Watch his appearance on The Colbert Report:
No comments:
Post a Comment