This article first appeared on Exploitbyte.com.
Kevin Mitnick – When the term “computer hacker” is thrown around, most people think of Kevin Mitnick. Back in the 1970s, 1980s, and 1990s, Kevin Mitnick was the hacker. Mitnick used a combination of social engineering and lower-level operating system research to pull off all sorts of outrageous stunts, although the overall harm caused by him is debatable, especially when compared to today’s world of APT attacks and ransomware.
Kevin Mitnick and his exploits have been written about in several books, have been made into a movie, and have generated a peculiar subculture of eccentric hacking stories attributed to him about things he never did. The government’s own fear of Mitnick was so bad that he is the only U.S. prisoner not allowed to use a phone while incarcerated and kept in solitary confinement for fear that one word or sound from him could launch a nuclear missile. If you’ve ever seen a movie where the protagonist said one word into a phone and then a whole lot of bad cyber stuff happened, that scene germinated from the paranoia surrounding Mitnick.
I’m including Mitnick early in this book because since those early days of cyber mischief, he has dedicated his life to fighting computer crime, and he is one of the few reformed long-time blackhats that I completely trust. Today, Mitnick has written several books on computer security, works with several companies (including KnowBe4), has his own security consulting firm (Mitnick Security Consulting), has the busiest speaking schedule of any computer security figure I know, was on The Colbert Report, and has even had a cameo on the popular television show Alias. Mitnick’s lessons to the industry have resulted in a stronger recognition of the role social engineering plays in hacking and how to defeat it. After all, if you’re going to stop a criminal, it can’t hurt to learn from an intelligent reformed one.
I asked Mitnick what led to his interest in hacking. He said, “I was interested in magic as a kid. I loved magic. A kid at school showed me some tricks with the phone, like how to get free long distance phone calls, how to find out someone’s address with just their phone number, call forwarding, etc. He would go into a phone booth, call someone [the phone company], act like he was someone else, and make something magical happen. It was my first experience of social engineering. It was like magic to me. I didn’t know it was called phone phreaking and social engineering. I just knew that it was fun and exciting and pretty much it began to take over my life. It’s all I did. I was bored with school, and because I was up all night phone phreaking, my grades began to suffer.”
I asked what his parents thought about his hacking exploits. He replied, “Well, early on they didn’t know anything. Or maybe they thought I was doing something questionable on a phone. But my mother must have thought, ‘How much trouble can he get into on a phone besides annoying people?’ But they really didn’t have a clue what I was up to until my mom got an official letter from AT&T informing her that they were turning off our phone service. She was very upset. You have to remember this was in the days before cell phones. Your home phone was your only lifeline to other people. I told her to calm down and that I would fix it.
“I basically socially engineered a phone back into our house. First, I made up a new housing unit. We lived in Unit 13. I called up the phone company’s Business Office department pretending to be someone else and made up Unit 13B. I waited a few days for that new unit to get into the system, then I called the Provisioning department and asked for a new phone to be installed in Unit 13B. I even went to the hardware store and got a B to add to our outside number. I called pretending to be a new customer named Jim Bond from England. I gave them a real previous phone number from England I found along with other identifying information, because I knew they wouldn’t be able to verify any foreign information. Then I asked if I could pick a ‘vanity number’, and they said yes, and I picked a phone number ending in 007. At the end of the conversation I asked if using my nickname of Jim was okay or did I have to use my full legal name? They said I had to use my legal name and I told them it was James. So, I was registered with AT&T as James Bond with a phone number ending in 007, and my mother had her phone back. AT&T got mad about that one when my scheme was finally caught.”
I realized at this point in our interview that he hadn’t mentioned anything about computer hacking. He was only talking about phone misuse. I asked how he got into computer hacking. He replied, “There was a kid in high school who knew I was into phone phreaking, and he thought I would be interested in a new high-level computer science class the school was offering. I said I wasn’t interested at first, but the kid said, ‘You know, I hear the phone companies are getting into computers.’ And that was enough for me. I had to learn about these computers.
“I had to go to the instructor of the class, Mr. Kris, and ask him if I could join it because I didn’t have any of the necessary prerequisites (which at the time included advanced mathematics and physics) or grades, which had really begun to suffer from my lack of sleep due to phone phreaking. Mr. Kris wasn’t sure about letting me in so I demonstrated my phone phreaking to him by telling him his unlisted phone number, and those of his kids. He said, ‘That’s magic!’ and let me into the class.
“Our first assigned program was a FORTRAN program to calculate Fibonacci numbers, which I found too boring. I had actually gone to the local university, Northridge, and tried to get computing time on the computer there. They had the same computers and operating system. But I couldn’t get more than five minutes of time on them. So I went to the computer lab leader and asked for more time. He said that I wasn’t even a college student and shouldn’t be here, but he also saw how interested I was in computers, and to encourage me he gave me his personal logon account and password to practice with. Can you believe it? Those were the type of days around computers then.
“I ended up learning about low-level operating system calls. This was stuff they were not teaching in my high school class. At the high school, we all shared a modem that used a dial-up handset and a modem coupler. The modem stayed up all the time, and people would log in and out to access the terminal and modem. I wrote a low-level program that stayed active in the background and recorded everyone’s keystrokes as they typed, including their logon names and passwords.
“When the day came for Mr. Kris’s students to show him how many Fibonacci numbers their class-assigned programs had calculated, I had nothing. Mr. Kris admonished me in front of the class about how he had let me into the class and taken a risk and I had nothing to show for it. Every eye in the class was on me. I said, ‘Well, I’ve been too busy writing a program to capture your password and your password is johnco!’ He said, ‘How did you do it?’ I explained it to him, and he congratulated me and told the whole class I was a computer whiz. He wasn’t mad at all. This was perhaps a very bad first ethics lesson for me to learn.”
I asked Mitnick what a parent should do if they see signs that their kid is doing malicious hacking. He offered, “Show them how to hack legally. Channel their interest into legal and ethical opportunities, like going to computer security conferences and participating in ‘capture the flag’ contests. The parent should challenge the kid by saying something like, ‘So, do you think you’re good enough to be in a capture the flag contest?’ The parent can socially engineer the kid, and the kid will get the same fun and excitement but from a legal way. I just got through legally hacking a company today, and it gave me the same thrill as it did when I wasn’t doing ethical and legal things. I wish they had all the legal ways to hack that they do now. I wish I could go back in time and do it differently. You know the only thing different between illegal and legal hacking? The report writing!”
I wondered how Mitnick, with experience on both sides of the fence, felt about the government’s right to know something versus an individual’s right to privacy. He said, “I think we all have a huge right to privacy. In fact, my latest book, The Art of Invisibility, is all about how someone can keep their privacy. I think it’s very difficult to stay private against someone like the NSA or government with unlimited funds. I mean if they can’t break your encryption, they can just use one of their many zero-days and break into your endpoint, or buy a zero-day. For $1.5M you can buy an Apple zero-day, for half a million you can buy an Android zero-day, and so on. If you’ve got the funds and resources, you’re going to get the information you’re after. Although in The Art of Invisibility, I think I have a way that will even work against them, but it’s very tough to do and involves a lot of OPSEC stuff. But it can be done in a way that I think even the NSA or any government would have a tough time defeating. I understand a government’s need to know in certain cases, like terrorism, but they want to see into everything and everyone. And if you are being watched, you change your behavior, and that means you have less freedom. I don’t think you can have freedom without privacy.”
I ended our interview by reminding Mitnick that we had briefly met once before at a security conference many years ago where he was going up to talk as the headliner after I did. As he passed me he realized he needed a USB thumb drive to get his presentation to the dedicated presenter laptop up on the stage. I had one in my pocket that I offered. He almost took it, but after reconsidering it a few seconds, he declined and said he didn’t trust anyone else’s USB key. A few people around us chuckled at his paranoia. After all, you couldn’t get infected by a USB device—or so everyone generally believed at the time.