Today at work I went and saw a presentation by Kevin Mitnick, formerly known as the most wanted hacker (by the FBI) in the world. He spent time in jail twice, the latter spending five years in prison with a full year of that in solitary confinement. I’m going to assume that you’re familiar with Mitnick and if not, here’s a link to his Wikipedia page.
Mitnick released a book last year entitled Ghost in the Wires. It’s his 3rd book and is about his life story whereas his previous two books were more on the technical side. As part of the terms of his release, he wasn’t allowed to write about his life story for a period of time. That ban finally expired in 2007. Previous books written about him didn’t get all of the stories straight.
Mitnick is a reformed hacker. He now runs a security consulting company and organizations now pay him to break into their computer networks but this time give him permission ahead of time. I have seen some interviews with Mitnick and what he spoke about today is similar to what he talks about elsewhere and is found in his book. Some highlights:
- Mitnick started hacking when he was 12 years old, but it wasn’t in a computer system. He bought a hole puncher and used it to punch transfer tickets so he was able to ride buses in Los Angeles for free.
- He started out doing phone phreaking, basically figuring out how then-modern cell phone networks, and land line phone networks worked, and used it to play pranks on his friends. Mitnick never did anything maliciously (i.e., steal data to profit from it), he did it for the challenge of being able to do it.
- Mitnick likes knowing how things work that you aren’t supposed to know. He has an interest in magic tricks (like me) and lock picking (also like me). In his younger days, he would go down to the library and pick up books on the subject, learning about the stuff. Even today, his business card is a thin metal card that contains his contact information, but it also contains a pop-out set of lock picks.
- He had some technical skills to break into various networks but much of his work was done with social engineering. He would phone up somebody at a company he was trying to steal from and say he was from their remote office and person X said that they would send him the source code. He was quick on his feet; he would get bounced around between departments, listen to the voicemail of various employees and then use that information in his social hacking.
For example, if an important employee was on vacation and said “I’m going to be gone from Monday the 12th to next Friday the 23rd,” he’d say “John last week said he was going on vacation but before he went, he was going to send me the data. Has he left yet?” And then the conversation would go from there; the unsuspecting 3rd party would see this as confirmation that Mitnick (impersonating an insider) was really working with the out-of-office person (how else would he know that they were on vacation? A random ham-and-egger wouldn’t know that).
- He was finally caught when someone he was working with ratted him out. He was always trying to stay one step ahead of the police, but eventually they tracked him down by using radio-tracking equipment and tracing his cell phone signal to an apartment block where he lived.
- Interestingly, he said that Anonymous would be broken up using the same tactics; government would flip an insider to turn against the rest of the group, and that’s exactly what happened. He predicted this six months before it was announced in the press.
Mitnick is an engaging speaker and he kept me entertained and informed. I have a passing interest in hacking but I never had the technical skills (I’d say mine are maybe a 5 or 6 on a scale of 1 to 10). However, I understand social engineering a lot better, so that part of the presentation hooked me.