A conversation with America's most famous computer hacker
One of the most unusual and interesting interviews in my book, The Best of Goldstein on Ge
Here is a transcript of one of my interviews with Kevin. (I actually interviewed him twice.) For a video of the interview, scroll further down the page.
Douglas Goldstein: You’ve been described in the past as America’s Most Wanted Hacker. You’ve hacked into everything in the world. What motivated you to get started with doing that?
Kevin Mitnick: It was all about fascination, intellectual curiosity, challenge, and the seduction of adventure. What brought me into hacking was my fascination as a young boy with magic. When I was a young kid, I used to ride my bicycle over to the magic store and sit there all day on the weekends to learn the secrets of the tricks that they were demonstrating for the customers. Eventually, when I became a high school student, I met this kid who could work magic with the telephone and he was able to do all these tricks. He could get me to call on one telephone number and he’d call on another telephone number and we magically joined. He could get hold of anybody’s unlisted number, or when I gave him my mom’s number on its own, without any details, he was able to tell me the name the phone was listed in and the address.
What was really cool was when he gave me this phone number that when you called it, it made a weird tone. Then you would put in a 5-digit code and you could call anywhere in the world for free. This guy’s name was Steve, and I asked him, “What is this thing?” and he said, “It’s a phreak with the phone company.” Steve showed me many tricks that he could do with the phone company and I became hooked. Before long, I got involved in this hobby, which was called “phone phreaking.” It’s the same hobby that Steve Jobs and Steve Wozniak involved themselves in during the mid-70s. This was when they were building these things called “blue boxes.”
Blue boxes are devices that emit certain tones. When you press the touch tone on your telephone, it has a certain frequency. These blue boxes had the same type of tones, but different frequencies that would control the phone system. Steve Wozniak actually built a box, and I think Steve Jobs was selling them on Berkeley’s campus so people could have free phone calls. In fact, they earned enough money to buy the boards to build the first Apple 1 by phone phreaking.
This hobby of phone phreaking is what actually brought me into computer hacking, because I was so fascinated by it and it was so interesting that when the phone company started moving over to computerized systems, I wanted to get control of the computers so that I could basically pull pranks on friends. I was a prankster and a phone phreaker, and this was my foot in the door of computer hacking.
Douglas Goldstein: Was it difficult at the time to do this?
Kevin Mitnick: It was a lot different than it is today. Today, you can go to websites that are out there. There’s a whole community of hackers and they share exploit codes and tools. None of this was available back when I started. I started hacking before the first IBM PC was out on the market. I started in 1978, and I think the first IBM PC was out in 1980, but the Apple was out by that time.
The kind of stuff I used to do was hack into a telephone company switch that controlled a friend’s telephone service at home, and I would change the class of service to a pay phone, so whenever he or his parents tried to make a call, it would say, “Please deposit 25 cents.” My friend would call me all annoyed and say, “Change it back. What are you doing? My parents are going to be furious!” So then I would change it to a prison pay phone, where it would say “You can only make a collect call, sir.” This is the type of stuff I used to do. What really brought me into hacking was my fascination with telephones and manipulating the phone system. That’s what led me on this path.
Inside the Mind of a Computer Hacker
Douglas Goldstein: Who are the people who are hacking into computers today? Are they dangerous terrorists and criminals like in the movies, or are they more likely to be curious teenagers looking to explore?
Kevin Mitnick: I think there are both. I think a lot of the hacking today is for profit, which is different from old-school hacking, which was mainly for the curiosity and the challenge. The trend is that most of the bad guys out there are doing really bad things like stealing credit card numbers, stealing identities, and stealing bank accounts, but there are still some people out there that are probably old school and are doing it for the same reasons I did, which was the seduction of adventure, challenge, and pursuit of knowledge.
Douglas Goldstein: When you started doing this in the late 1970s, the computer systems were much easier to get into and they simply didn’t have the defenses that we have today. We’d like to believe that our money and our data are safe with these big companies that hire firms like yours to check their security. How confident should we really be?
Kevin Mitnick: It’s kind of scary out there. I’ve been hired as an ethical hacker in many of what we call “penetration tests” over the last eight years. Pretty much in every penetration test, we’re able to get either complete access to our client’s computer network or access to confidential information, and we’re always able to find something. Now, you have to think about the companies out there that are what we call the “low-hanging fruit.” They don’t bother testing their security. They just have an internet presence and they hope that they’re not going to be compromised. They feel confident until something bad happens, and this affects their corporate image. It causes potentially significant losses, and confidential information is exposed or the integrity of the information is compromised.
My advice is always to be proactive with security if you’re a small, medium, or even a large business, and you don’t want to be caught with your pants down.
Douglas Goldstein: Does that mean bringing in an ethical hacker to see how vulnerable you really are?
Kevin Mitnick: Exactly. It’s a kind of a test in a moment of time. You want to know what your security posture is, and you’ll never know unless you’re tested, but then again, there are a lot of companies that offer these services. You have to be really careful because some of these companies just use what we call automated scanners, and what they’ll do is use these scanners to try to identify vulnerabilities. They’ll make a report and package it up with their logo, company, and brand and then give it to the customer. This is somewhat of a disservice, because a lot of times, these scanners find maybe 20% of the problems.
That’s what I pride my company on. We really focus on manual assessments. Our red team really goes out and focuses on finding all the vulnerabilities, but not relying on automated technologies, though we do use automated technologies in the beginning to look for the very low-hanging fruit.
Douglas Goldstein: When a company hires you, and when you send in your red team, what do they do?
Kevin Mitnick: Basically, it depends on the scope of the job. A lot of times, corporations have deployed applications that are facing the internet, and many of these applications have potential security flaws. The number one security flaw is what we call “SQL injection.” There’s a programming language called “Structured Query Language” that is used by programmers and applications to communicate with databases. In some cases, when the application programmer is allowing users to input information into a form and they are not validating that information, meaning that it should match a very specific criteria, this may create a vulnerability that allows a hacker to input information that could be used to manipulate how the SQL programming language is working and compromise information in the backend database or even the server itself.
A client approached me about two weeks ago because Discover called them and said, “You guys had a breach.” They asked, “What are you talking about?” “Well, we’ve discovered that hundreds of Discover customers had their credit card numbers abused, and the common point was that these customers did transactions at your company.” They hired me to go in and do an investigation, and within very short order, I found that their entire credit card database of all their customers was stolen and this hacking technique called “SQL injection” had been used. There are a lot of tools out there. You don’t even have to be a really good hacker. You could purchase a tool to basically automate SQL injection attacks, and the attackers were able to steal all the information out of the database.
I had to go in and explain the how, the when, and the where, and help them deploy a security product to help repel those types of attacks and also to help them fix their code. It’s a big problem. There’s not a day that goes by when you don’t hear about a company getting hacked. Recently, I think a system of global payments out of the eastern part of the United States was compromised and millions of credit cards were stolen. This was probably related to some sort of vulnerability in an application that’s facing the internet, because the most common point of attack is applications, wireless networks, and social engineering. My first book, called Art of Deception, which was published in 2002, talks about the technique called social engineering, where the hacker doesn’t manipulate the technology. In the beginning, they manipulate the human factor, the people that are using the technology, to comply with some sort of request that benefits the attacker.
For example, imagine you receive in your email a PDF file from a company that you do business with, like a vendor, or a partner, or whomever. You open up that PDF file, and unbeknownst to you, it was a hacker who had sent that PDF file, and the file exploits a security vulnerability in Adobe Acrobat. What the hacker did in this case is simply went to LinkedIn and looked for people in your company that probably have extended permissions, even like system administrator permissions. They did a lot of research and found business relationships between those people and vendors. Then they registered a domain. Let’s say the vendor in this case is Cisco, and they registered a name called Cisco-support.com, which anybody could do, and they sent an email to the employee, to the target, pretending to be Cisco support with the PDF file that maybe speaks to you, “Please look at this attachment. We found this vulnerability in the Cisco gear that could affect productivity,” or whatever excuse the hacker would come up with. When you look up the file, the game is over.
Douglas Goldstein: Could you tell people how they can learn more about the work that you’re doing?
Kevin Mitnick: They can go to my website, www.mitnicksecurity.com. My new autobiography, called The Ghost in the Wires, was published on August 15th. It’s a New York Times bestseller, and there’s a website called www.ghostinthewires.com. That is a good way to reach me because you could look for the contact information on the website and send me an email. My personal email is firstname.lastname@example.org.
Disclaimer: This article is for educational purposes and is not a substitute for investment advice that takes into account each individual’s special position and needs. Past performance is no guarantee of future returns.