The “world’s most wanted hacker,” Kevin Mitnick, has gone straight (interview)

VB: What do you think is relevant today, from the days when you were learning to be a hacker?

KM: Hacking is exploiting security controls either in a technical, physical or a human-based element. Back in my day you know, I learned a lot about the human factor in security. I manipulated the human operator into doing something that gives the hacker an advantage. The Art of Deception, which was published in 2011, was about social engineering. Google, RSA, and Lockheed Martin were all successfully compromised through what we call spear phishing attacks. That took advantage of human weaknesses, where you respond to a message from a friend.

Back in my day, we would find servers that were on the company’s perimeter network: a mail server, a web server, a DNS server or whatnot. And then we would attack the server and find a vulnerability in a service. We would get into the server that way. Now the trend has changed towards client-side exploitation, meaning the software that is on the user’s desktop. You take advantage of weaknesses in Adobe Acrobat, Adobe Flash, Java, Active X. They are riddled with vulnerabilities.

So the hacker could break into that person’s desktop or workstation by exploiting that vulnerability. But the problem is they would have you have one component that I have written about extensively called social engineering. You have to trick the target into doing something that triggers the technical exploit. And that’s precisely how they were able to hack Google. It was by finding a vulnerability in the Internet Explorer 6 that was unpatched. They still had to get the user to click a link and once they clicked the link it would go to a website that would exploit the vulnerability. With RSA’s hack, it was through an Excel spreadsheet I believe was labeled a ‘2011 recruitment plan.’  The spreadsheet in the Excel document had an embedded Flash object that was vulnerable.

So now when the victim opened up that Excel doc, it triggers the Flash object, and then the hacker got into that person’s desktop, which was connected to RSA’s network. I mean now so now the trend is instead of attacking the server side you’re now attacking the client side. But any time you attack the client side, you must have a component of social engineering. So I’d say social engineering is still a viable threat.

VB: Does it surprise you that so many companies have been hacked this year, with things like the PlayStation Network going down for six weeks?

KM: I don’t think it surprises me because there is a lot of low hanging fruit out there. A lot of companies do not bother testing their security. So really what they will do is they will do is compliance. They hire a firm that would run a  scanner. If they don’t find anything, they say the company is in compliance. That is the problem because companies are not concerned enough about the underlying security. They are more concerned about compliance. I have to explain what the difference is between scanning security companies and what we do. Albert Gonzalez, who was sentenced to 20 years for hacking TJ Maxx and others, found that his team could break into systems for these huge brands that had met compliance. So there is a lot of low-hanging fruit like Sony.

VB: What do you think of all the hacktivism that has happened, and what should companies be doing about it?

We ought to be doing security assessments and deploying top security controls. But I think it’s a waste of time for the people behind the attacks because they’re not going to change public policy. I think the only good thing that comes out of it is the security awareness. Even my company we got a few new clients because they were concerned about this Anonymous hacking spree. That is the greater good that occurred out of it. But at the end of the day Anonymous doesn’t really get what it wants other than a lot of attention by law enforcement. Their goal is to make to change. The change will never happen that way.

VB: Do you have conversations with young hackers?

KM: Not really. I mean I go to conferences around the world and I have a substantial Twitter following. But I don’t really talk to them. I get people emailing all the time. They want to learn how to hack or they want to hack into their girlfriend’s Facebook account. I pretty much ignore them. They try to social engineer me sometimes. I got an email where they said a family member was murdered and they had to get into a person’s Hotmail account to investigate it. I told them they had to get a subpoena from a judge to get the information. The crazy requests make me chuckle.

VB: How do you talk someone out of being a criminal hacker?

KM: Nobody comes up to me and says they’re a black hat hacker. But if they did, I would certainly encourage them not to follow in my footsteps. Now there are so many resources for them to learn how to hack legally. If they were true criminals, and they wanted to steal credit card numbers, you can’t change them. But if they are just curious, you can change their direction by letting them know that there are tools today that weren’t available to me. You can learn in a socially acceptable and ethical way.

VB: Have you ever heard from anyone who was a significant player in the book? Like maybe Markoff or Shimomura?

KM: Not them. I heard from one person who was my old boss when I was pretending to be Eric Weisz in Denver, at a law firm. I described her in the book. I said she had a school teacher mentality. She found me on LinkedIn and said her husband was loving my book. She said that my description was right because she became a school teacher. That was ironic. I heard from one of my social engineering victims who worked at Novell. He was wondering how the government could have held me for so long without a trial. We became good friends and he works at Fusion-io now. We have been really good friends.

VB: You mention you used the Freedom of Information Act in the book. Did you find things out about your case you didn’t know?

KM: That’s a good question because when we were writing the book we submitted the request to the FBI and the FBI claims that the Los Angeles bureau of the FBI lost my file and they could not find it. We went to Senator Barbara Baxter to get her to help because we thought the FBI was lying. How can they lose my file? That was about as ludicrous that I could launch a nuclear weapon. Doesn’t the FBI make copies? Baxter wrote a letter on our behalf as a constituent and the FBI lawyers reaffirmed that they cannot find the file.

They did provide files from when I was juvenile that were largely blacked out and they gave us 8,000 pages of newspaper articles. In summary, I was an obsessive hacker because I enjoyed beating the system and getting through security for the intellectual challenge. I’m here today and am a respected security consultant, and I even work for the federal government. Now the companies and even the federal government have recognized that I have learned my lesson. And now I’m an asset to the community rather than being a pain in the ass.

VB: Thanks very much, that’s a great way to end the conversation.