It’s hard to believe: Kevin Mitnick, once the most wanted man in cyberspace, now looks just like the bank manager whose IT security he tests for weaknesses, and for which he is paid handsomely. Dark blue suit, tie, polished shoes: this is how the star hacker feared in the 80s and 90s presented himself to his colleagues at an industry meeting of the IT security provider phion in the Tyrolean Alps. MIT Technology Review spoke to Mitnick about his past and his future.

Security specialist Kevin Mitnick died on July 16 in Las Vegas of complications from pancreatic cancer. On this occasion we are republishing an interview with him; its author, Tom Sperlich, wrote the introduction in 2008.

Mr. Mitnick, how did your life actually continue after you were released from prison at the beginning of 2000, after around five years of imprisonment?

Pretty soon after I got out of prison, I was asked by the US government to help protect their computer systems. Various senators like Lieberman and Thompson asked me to testify before a congressional committee in Washington. Well, now that I’m five years older and wiser, I’ve decided to put my talents to good use. I went from being an unethical hacker to being an ethical hacker, which is an interesting thing, because hacking is, after all, a criminal act, and what other criminal act can you do ethically?

I also wrote two books and started my own IT security consulting firm. In principle, I’m doing the same thing I’ve been doing for years, but now with the authorization to do so. It’s also a kind of career.

Although, to emphasize it once again, in the past a hacker was not necessarily regarded as a malicious criminal, but rather as someone who constantly wanted to learn how computer and telecommunications systems work and how their security measures could be circumvented. I, for example, did this strictly for my own intellectual gratification and out of curiosity.

This premise doesn’t seem to be that common today. Has that changed significantly?

Yes, yes. In a way, I was still someone from the “old school” of hackers. Back then it was actually more about having fun, getting ahead with your friends, exploring the technology, pushing it to its limits. Today, malicious hackers are all about making money, about profit. I was recently advising a friend who runs a small e-commerce company. His domain name had been “hijacked” at the domain registrar, and I was asked if I could do something about it.

In view of the effort involved and my fee, however, it turned out that the easiest and fastest way was to pay a kind of ransom to the hacker, who, as I then found out, was a person from Iran named Omid. It was a daring venture, but paying him $3,000 to have the domain unblocked worked out in the end. Hopefully he’ll leave it at that now. When I looked into it, I found out that this Omid seems to be doing this all the time, is connected to some kind of global network and just keeps doing it, probably because Iran is a legal vacuum for it.

In your consulting activities for companies, you specialize primarily in the field of “social engineering”. What is so special or so dangerous about it?

Social engineering has been around since long before there were computers. It’s actually a kind of acting. For example, there are the attempts at fraud by these Nigerian gangs, which already worked without the internet and computers. It’s about manipulating people to get passwords or other important information. But although the tricks of the Nigerian gangs have been known for a long time, people still fall for them. That’s why I see it as my mission to educate people about social engineering and how it works, so that hopefully next time they’ll think about it and not be fooled.

Because people are the weakest link in the chain. We need to strengthen the “human firewall,” which is why I’m always on the road doing the necessary educational work. Surprisingly, the majority of companies do not care about social engineering at all. Not even large governmental organizations. Some time ago, the US Internal Revenue Service (IRS) conducted a security audit. 100 IRS managers received calls from people pretending to be IT staff at the IRS. And 35 of the managers openly gave out their password and username on the phone.

As you can see, this is a significant threat. A company can spend a lot of money and buy all sorts of IT security hardware and software, but if an attacker finds just one person in this company who “plays along,” whom he can fool in order to finally get into the system, then all that good money spent on technology is of no use at all. All it takes is to get employees to click on a prepared website, and malicious code can lodge itself on their computers. This means that the hacker is already in the network. You have to accept that and close the gaps in the chain accordingly.
