Friday 21 October 2011

The “world’s most wanted hacker,” Kevin Mitnick, has gone straight (interview)

This story is taken from VentureBeat

Kevin Mitnick was once labeled the world’s most wanted hacker. Back in 1992, he tangled with a mystery hacker named Eric, setting off a duel that led to a chain of events that spun out of control.
 
After an FBI manhunt, he was caught in 1995 with the help of security expert Tsutomu Shimomura, who wrote about the experience with New York Times writer John Markoff. Mitnick spent five years in jail, including eight months in solitary confinement.

At first, Mitnick wasn’t allowed to tell his side of the story, thanks to a gag order. Now he has penned a book about his life on the run, co-written with author William L. Simon. Called “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker,” the title has stayed on the New York Times Bestseller list for several weeks.

After getting out of prison, Mitnick pulled his life together as a “white hat” hacker, or one who helps companies by testing the security of their networks via Mitnick Security Consulting. Now he frequently talks about how to protect yourself from wily cyber attacks.
Here’s an excerpt from the book. And below is an edited transcript of our interview with Mitnick.

VB: Hi Kevin. We’ve talked before when you published your books, The Art of Intrusion and The Art of Deception. At the time, you had a gag order that did not allow you to write about your arrest and the events leading up to it. Now that it has expired, you’ve revisited those memories. Why?

KM: I had a deal with the government for about seven years after I was released from custody. So it expired around Jan. 21, 2007. After that, we decided to work on my memoir, Ghost in The Wires. That was finally published on August 15. The other two books mentioned my life on the run, but they were really about the lessons I learned with social engineering and how organizations could mitigate the risk of falling victim to it. That book was The Art of Deception. Art of Intrusion was really kind of just talking about the stories of other hackers that were in the news and some where the perpetrators were never identified.
So what I like best of all these three is my life story, Ghost in The Wires, because it’s kind of like a Catch Me If You Can version for a computer hacker. What is unique about it is that it is a true story. People really seem to like it.

VB: Yeah, I noticed you tweeted about how it’s still on the New York Times online bestseller list.

KM: Well, this week it was 23, last week it was 12, the week before that it was 15, the week before that it was 16. So I have been on the New York Times best seller list a month so far.

VB: Congratulations. Why do people want to read it?

KM: Thank you so much. I never expected it, but I guess it’s a great story and it’s written very well. So people are interested in it and I guess I’m the cyber version of Frank Abagnale.

VB: It’s probably only fair since there were other bestsellers that were written about you.

KM: I don’t think any of them actually made the bestsellers list. John Markoff’s book, [Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw, By the Man Who Did It], never made it to the bestsellers list.

VB: Oh it didn’t?

KM: As far as I am aware, the only hacking book that made the bestseller list was a book called The Cuckoo’s Egg by Cliff Stoll. The Takedown book never made it to the list and in fact it was a very poorly reviewed book.

VB: Did you ever figure out why the government had such an unusual gag order in place here, because that seems pretty rare?
 
KM: Well, one of the things was they wanted to profit off my story and they wanted to keep everything under a protective order, meaning that I was essentially forbidden to talk about it. So I had to be very careful because there is stuff that is still under protective order that I couldn’t reveal. And so I had to be very careful to still tread around that restriction. The seven-year restriction was to prevent me from earning any revenue from my free public expression. They learned that from cases like the (murderer) Son of Sam.

So they had to do it that way because there are laws that are usually applied to violent crime cases to prevent people from profiting by telling the story. But it’s a prior restraint on free speech, so the Supreme Court has since struck down those laws. That was how the federal government dealt with it back then. It was part of the plea agreement.

VB: So what really drove you to write this new book after the gag order lifted and you were free?

KM: To get the story out. It wasn’t really about making money. I mean, I make money from my security business and my public speaking career because I go around the world doing a lot of public speeches, keynoting at conferences. I make plenty of money doing that. So it wasn’t really about the money; it was about getting my side of the story out. I thought it was a great story to tell and that people would enjoy it. And I really wanted to focus on the chase because my story is kind of a cat-and-mouse game with the federal government.

VB: Tell us some stories about being on the run.

KM: I think the federal government came down harder on me because I was playing games with them. At one point the government sent an informant to come and trap me, around 1992, after I was released from an earlier prison sentence. I quickly worked out what was going on and in the process I compromised the local cell phone company. I was able to identify the cell phones in Los Angeles that were calling the informant. I didn’t know the guy was an informant at the time, as this was part of my usual investigation.

I learned that the people calling him were the FBI and it was the agency’s cell phone numbers. So what I did was program these cell phone numbers into a device at a company where I was working as a private investigator. So if any of the cell phones came within a few miles’ radius of me, it would send me an alert. It was an early warning detection system that I had set up.

So in September of 1992, I was walking to my office one morning and I disabled the alarm. But I kept hearing a beeping. And I figured out that the alarm was disabled and I started walking around everyone’s office to find out what this weird beeping was. It turned out it was coming from my office and it was my early warning system going off. A few hours earlier one of the FBI agents was actually making a phone call from the pay phone across the street from my apartment. He was within a mile of where I was.

I realized that the FBI happened to be at my apartment when I was sleeping and nobody knocked on the door. So I realized they weren’t there to, like, arrest me immediately. They were probably preparing to get the stuff on my computer. I thought they would do a search. So I cleaned out my floppy disks, computers, and notes. I moved them over to a friend’s house. I went to Winchell’s doughnuts and got a box. I took a Sharpie and wrote “FBI doughnuts” on the box and stuck it in the refrigerator. The next day, the FBI executed the search warrant. The day before they were just gathering a description of my apartment to get the warrant. They searched my apartment and found nothing but the doughnuts. I think they were really pissed off.

I did these immature things that were funny at the time and it irritated them to no end. I think the agents took it personally. So when I was prosecuted, it felt like it was because I was playing games with them. When I was running from the government and living in Denver, I was working for this law firm. I had a legitimate systems administrator job. My hacking was all about becoming the best at circumventing security. So when I was a fugitive, I worked systems administrator jobs to make money. I wasn’t stealing money or using other people’s credit cards. I was doing a 9-to-5 job. I was at this law firm in Denver for a year and a half. One of my jobs was supporting the firm’s telephone system. I put code into the system so that if anyone were to call the FBI in Los Angeles or Denver, or the U.S. Attorney’s office, it would send me a page. I would know if there was an internal investigation or someone working me. I lived under the name Eric Weisz, the real name of Harry Houdini. I did these smart-ass things and the government really frowned on it. I made a mockery of them and that’s probably why they came down hard on me.

My hacking did cause losses. But the losses were minimal compared to what the government alleged. The government alleged that I caused $300 million worth of damage, where the damage was that I copied source code. I was interested in the source code for operating systems like [Digital Equipment Corp.'s] VMS. And I wanted to look at the source code; my only purpose was to examine the flaws within the operating system so I could bypass security. So it’s really just leveraging the source code to become a better hacker. Now certainly it was illegal to copy the source code but the government really took that and ran with it.

Some of the FBI agents solicited these companies to actually say their losses were $80 million each, based on the value of the source code that I looked at. So basically that was the entire research cost for developing it. It’s kind of like stealing a can of Coke and then getting charged with stealing billions of dollars because you have the Coca-Cola formula. In my case, the fair losses would have been something like a few hundred thousand dollars.

VB: So why didn’t that make sense?

KM: It was only in the thousands, not the millions. So what I had done was poked at the tiger too much. They were trying to get me a really substantial prison sentence. My lawyer checked with the Securities and Exchange Commission because any publicly traded company has to report it when they suffer a material loss. Otherwise, they are defrauding shareholders. My attorney found that none of these companies had reported to the SEC any loss that was attributed to my hacking. So, again, I was punished for causing these multimillion-dollar losses.

VB: So there was a mythology to being the world’s most wanted hacker.

KM: Yeah, you know, I was the world’s most-wanted hacker in the 1990s. I would hack into all these companies and look at their source code, and the source code was a trade secret. So the companies themselves had no idea why they had this mysterious person hacking into their system. They were doing investigations. There were some real losses for sure. I’m sorry that I caused anybody any loss at the time. As a hacker, I was thinking that all they have to do is change a few passwords and they would fix it. They would patch a security hole in their operating system and then I would be locked out. It might take them 30 minutes to do that. What I didn’t realize was what the other side was doing. The other side is, like, rebuilding their operating system from scratch. They are auditing the source code. They are going through all these significant measures because they don’t know who is on the other side. They don’t know it’s just me. So you know what I’m saying? The victims had to do a lot of work.

VB: Did you feel like you had to correct the record because of the book that John Markoff co-wrote?

KM: Oh my God. I mean, we could go on for hours. For example, when I hacked into DEC, I copied the VMS source code with the co-defendant. I remember my co-defendant actually set me up for an FBI sting and I was arrested. I ended up in federal prison. Three days later, they finally took me to court and I was expecting to get bail. What had happened was that a federal prosecutor told the judge not only do we have to detain this guy, we have to make sure he can’t get to a pay phone inside the prison. We have to make sure he can’t get to a pay phone because he could dial up to the North American Air Defense System (NORAD) and whistle tones and possibly start a nuclear war.

[Markoff declined comment, beyond pointing out that Mitnick pleaded guilty to computer and wire fraud in March 1999.]

When the prosecutor said this I started laughing because I had never heard something so ridiculous in my life. It’s kind of like taking something out of the movie War Games and manipulating it to a ridiculous degree. The judge, however, bought it hook, line and sinker. I guess the prosecutor was to be believed, and I ended up being held in solitary confinement in a federal detention center for nearly a year based on this myth. Then there were all these other rumors the government started using as fact. They said that I hacked into the National Security Agency and got their secret access codes.

VB: That sounds a little implausible.

KM: Back in the beginning, around the mid-90s, you could do a “whois” command on a site. Nowadays, if you do that, it shows who it belongs to. Back then, they used to list the registered users of the host and their phone numbers. So I had a file on my floppy disk at the time called “NSA.txt” and it was a file that was the output of a system called Dock Master. And Dock Master was a system that was run by the National Computer Security Center, which was the public arm of the NSA. And it listed the user names with a four-digit number, and the four-digit number was their telephone extension.

The prosecutor characterized that file as proof that I hacked into the NSA and got their secret access codes, and that those four-digit numbers were secret access codes. I was said to be stalking the actress Kristy McNichol. I was supposedly messing with her telephone and calling her at all times of the day and night. The rumor went so far that I ended up on the front page of the National Examiner, which was like The National Enquirer. And so I remember going to the supermarket and seeing a front page photo of me where it says Mitnick is stalking Kristy McNichol, and I couldn’t believe it. The government used this in court as to what a danger I was. My mom at the time was a waitress at Jerry’s Delicatessen in Studio City. She saw Kristy McNichol and walked up to her. She said my son is Kevin Mitnick. She told my mom that whatever was happening wasn’t true. Kristy McNichol was going to write a letter to the court and explain these things had never happened. Her agents stopped her because they didn’t want it in the news that she was supporting me. There was a report that I hacked into a news wire service and was trying to discredit Security Pacific Bank and that caused them a big loss. That was a totally made-up allegation. I mean, the list just goes on and on, you know; I don’t want to bore you.

Then the true thing is that when I was younger I was able to get celebrities’ unlisted telephone numbers and then I would verify that they were indeed the right number. Then I would never call again. There was an allegation that I had wiretapped the entire Los Angeles office of the FBI, which wasn’t true. I did, however, monitor the locations of cell phones and look at the call detail records. So I would know that person A was calling person B. But actually, in the New York Times, it said that I was wiretapping their conversations, which wasn’t true. One chapter of the book describes the court drama. Most of the book is focused on the adventure, the crazy things I did as a juvenile. The book isn’t about me whining about this.

VB: What was the hack that you were most proud of?

KM: The hack I was most proud of was actually hacking the McDonald’s drive-through window. I did this when I was 17. It wasn’t about hacking a computer. It was actually hacking their drive-up windows so that I could overtake the radio in the drive-through window. I could sit across the street and talk and pretend that I was the employee inside McDonald’s. The poor employee could hear what was going on, but my transmitter was more powerful than his.

So you can imagine what fun you can have as a teenager when customers would drive up. I would say, ‘Can I take your order please?’ They give the order. And I would say, ‘OK, I have your order. You are the 50th customer today, so please drive forward. Your order is absolutely free.’ And then the cops would drive up to order something. And I would say, ‘I’m sorry, we only serve doughnuts to cops. We don’t serve any other type of food.’ Or I would say, ‘Hide the cocaine, hide the cocaine. May I take your order, sir?’ One time, a manager of a McDonald’s came out to find out what the hell was happening. He walked around the parking lot and couldn’t see anybody. He looked in cars. He walked up to the drive-through speaker and he put his face next to the speaker as if there were someone hiding inside. I yelled into the microphone, ‘What the f*** are you doing?’ and the guy flies back 15 feet. These are the types of hacks I enjoyed. As a young kid, I was a prankster. I hacked into my friend’s home telephone service so that it became a pay phone. Whenever his parents tried to make a call, it would say, ‘Please deposit 25 cents.’

I was doing this starting in the late 1980s and there were no computer crime laws at the time. I had a teacher in high school who encouraged it. One of my first programming assignments was to write a FORTRAN program that found Fibonacci numbers. I thought that was kind of boring. So I wrote a password stealer so I could get any of the other students’ passwords in class. I spent a longer time working on developing that program because it was my first and I didn’t have time to do the other assignment. So I ended up turning in my password stealer instead, and the teacher was clearly impressed and even gave me an A. He started telling all the other students how smart and clever this was. So I was raised at a time when the instructors in high school encouraged hacking and there were no laws against it.

VB: You know, today you are in the business of being an ethical hacker. Do you find today that the issues that ethical hackers have to deal with are pretty difficult in terms of being able to stay on the right side of the law?

KM: Not really. I was a hacker for a number of years before I became involved in security because there was no such occupation for doing it legally. Companies dealt with security by having their internal IT departments deal with it. There was no security industry. In fact, if that had existed when I was younger, I might have taken a different path. But I was so interested in learning about computers. My primary goal of hacking was the intellectual curiosity, the seduction of adventure. The No. 1 thing was the pursuit of knowledge, and there was no way to get the knowledge back then because those avenues didn’t exist.

Now today, a 14-year-old can use a laptop and set up their own entire lab on a laptop with different operating systems. There are different frameworks that you can download for absolutely free. There is tons of material on the internet so you can learn all about hacking and all about security. You can learn about offensive and defensive measures. So you can be part of a red team that is trying to hack into a target to test their security, or you could be on the defense side.

So today’s world is completely changed, where young kids and even adults have a more socially acceptable way to learn about this stuff. In fact, at Defcon this year was the first time they had kids come. There were kids who were eight, nine or ten who were attending a hacking conference. Of course, they are interested in hacking games. And one ten-year-old girl found a vulnerability. The world has changed from 1978.

VB: It’s also easier to become a criminal hacker.

KM: The ethical thing is actually the easier thing to do. Now if you are a criminal, then you will use hacking techniques to steal money and property. The hackers of my time were never in it to steal money. They could break into systems to get access to information. But it wasn’t a for-profit venture. Today, you have organized crime using hacking.

VB: What do you think is relevant today, from the days when you were learning to be a hacker?
 
KM: Hacking is exploiting security controls, either in a technical, physical or human-based element. Back in my day, you know, I learned a lot about the human factor in security. I manipulated the human operator into doing something that gives the hacker an advantage. The Art of Deception, which was published in 2011, was about social engineering. Google, RSA, and Lockheed Martin were all successfully compromised through what we call spear phishing attacks. That took advantage of human weaknesses, where you respond to a message from a friend.

Back in my day, we would find servers that were on the company’s perimeter network: a mail server, a web server, a DNS server or whatnot. And then we would attack the server and find a vulnerability in a service. We would get into the server that way. Now the trend has changed towards client-side exploitation, meaning the software that is on the user’s desktop. You take advantage of weaknesses in Adobe Acrobat, Adobe Flash, Java, ActiveX. They are riddled with vulnerabilities.

So the hacker could break into that person’s desktop or workstation by exploiting that vulnerability. But the problem is they would have to have one component that I have written about extensively, called social engineering. You have to trick the target into doing something that triggers the technical exploit. And that’s precisely how they were able to hack Google. It was by finding a vulnerability in Internet Explorer 6 that was unpatched. They still had to get the user to click a link, and once they clicked the link it would go to a website that would exploit the vulnerability. With RSA’s hack, it was through an Excel spreadsheet I believe was labeled ‘2011 recruitment plan.’ The spreadsheet in the Excel document had an embedded Flash object that was vulnerable.

So now when the victim opened up that Excel doc, it triggered the Flash object, and then the hacker got into that person’s desktop, which was connected to RSA’s network. I mean, so now the trend is, instead of attacking the server side, you’re now attacking the client side. But any time you attack the client side, you must have a component of social engineering. So I’d say social engineering is still a viable threat.

VB: Does it surprise you that so many companies have been hacked this year, with things like the PlayStation Network going down for six weeks?

KM: I don’t think it surprises me because there is a lot of low-hanging fruit out there. A lot of companies do not bother testing their security. So really what they will do is compliance. They hire a firm that will run a scanner. If they don’t find anything, they say the company is in compliance. That is the problem, because companies are not concerned enough about the underlying security. They are more concerned about compliance. I have to explain what the difference is between scanning security companies and what we do. Albert Gonzalez, who was sentenced to 20 years for hacking TJ Maxx and others, found that his team could break into systems for these huge brands that had met compliance. So there is a lot of low-hanging fruit like Sony.

VB: What do you think of all the hacktivism that has happened, and what should companies be doing about it?

KM: We ought to be doing security assessments and deploying top security controls. But I think it’s a waste of time for the people behind the attacks because they’re not going to change public policy. I think the only good thing that comes out of it is the security awareness. Even my company got a few new clients because they were concerned about this Anonymous hacking spree. That is the greater good that occurred out of it. But at the end of the day Anonymous doesn’t really get what it wants other than a lot of attention from law enforcement. Their goal is to make change. The change will never happen that way.

VB: Do you have conversations with young hackers?

KM: Not really. I mean I go to conferences around the world and I have a substantial Twitter following. But I don’t really talk to them. I get people emailing all the time. They want to learn how to hack or they want to hack into their girlfriend’s Facebook account. I pretty much ignore them. They try to social engineer me sometimes. I got an email where they said a family member was murdered and they had to get into a person’s Hotmail account to investigate it. I told them they had to get a subpoena from a judge to get the information. The crazy requests make me chuckle.

VB: How do you talk someone out of being a criminal hacker?

KM: Nobody comes up to me and says they’re a black hat hacker. But if they did, I would certainly encourage them not to follow in my footsteps. Now there are so many resources for them to learn how to hack legally. If they were true criminals, and they wanted to steal credit card numbers, you can’t change them. But if they are just curious, you can change their direction by letting them know that there are tools today that weren’t available to me. You can learn in a socially acceptable and ethical way.

VB: Have you ever heard from anyone who was a significant player in the book? Like maybe Markoff or Shimomura?

KM: Not them. I heard from one person who was my old boss when I was pretending to be Eric Weisz in Denver, at a law firm. I described her in the book. I said she had a school teacher mentality. She found me on LinkedIn and said her husband was loving my book. She said that my description was right because she became a school teacher. That was ironic. I heard from one of my social engineering victims who worked at Novell. He was wondering how the government could have held me for so long without a trial. We became good friends and he works at Fusion-io now. We have been really good friends.

VB: You mention you used the Freedom of Information Act in the book. Did you find things out about your case you didn’t know?

KM: That’s a good question, because when we were writing the book we submitted the request to the FBI and the FBI claims that the Los Angeles bureau of the FBI lost my file and they could not find it. We went to Senator Barbara Boxer to get her to help because we thought the FBI was lying. How can they lose my file? That was about as ludicrous as the idea that I could launch a nuclear weapon. Doesn’t the FBI make copies? Boxer wrote a letter on our behalf as a constituent and the FBI lawyers reaffirmed that they cannot find the file.

They did provide files from when I was a juvenile that were largely blacked out, and they gave us 8,000 pages of newspaper articles. In summary, I was an obsessive hacker because I enjoyed beating the system and getting through security for the intellectual challenge. I’m here today and am a respected security consultant, and I even work for the federal government. Now the companies and even the federal government have recognized that I have learned my lesson. And now I’m an asset to the community rather than being a pain in the ass.

VB: Thanks very much, that’s a great way to end the conversation.
