A Cat and Mouse Game

KM: Security is always going to be a cat and mouse game because there'll be people out there that are hunting for the zero day award, you have people that don't have configuration management, don't have vulnerability management, don't have patch management...

I'm doing a new book called "The Art of Intrusion" so I'm looking for the people who are going to tell me [about] the sexiest hack of all time. So I was recently contacted by this Canadian kid who had already compromised four American banks, and he actually sent me files — of course after reading them I deleted them — as the proof. I asked him how he did it.

You'd think that it's very sophisticated, right? All he used was a port scanner looking for port 1494, which is Citrix. A lot of these banks have Citrix running on one of their machines that are connected to the internal net and their passwords are "password" or "administrator" or a dictionary word, and they feel safe because it's not like their public presence.

So this kid had installed key-loggers and got on-line manuals as to how the bank works and compromised their AS/400. He could actually wire money if he wanted to. He hasn't, because he's not interested in that. But right now, as we speak here today, he has full, complete access to four banks. I'd have to call it stupidity, or poor management. It shocked me! I didn't actually believe it.

So we have to do due diligence for the book — we require proof. Somebody's always going to try to pull the wool over my eyes — you know "Hey, I social engineered Mitnick and he put this fake story in his book!"

Q: You mentioned earlier the things that drive the enterprise's thinking in regards to security and all of them were external influences, none internal. Do you see them as reactive rather than proactive?

KM: I can't really stereotype the whole industry, but they'll be proactive about anti-virus software because they've already seen the effects. Some companies take security very seriously because they realize they have very valuable information assets and critical systems that, if they go down, they're going to lose revenue. So you have a mix.

But a lot of businesses out there don't see the return on investment, they look at it as a liability, and until they can understand that proactive security actually returns, gives them a return on investment, it's still a hard sell for people. It's still a grudge spend. I know people that live on their laptops and don't back them up — they live under this illusion that "nothing bad will happen to me" — it's always somebody else.

Kevin's Network Security Rx

KM: These days there are tools that you can get that do all the [hacking] work for you. Back in my day, I would probe by hand. Now you can get commercial software that does the job for you. You don't even have to know how it works under the hood. You can buy a product for a grand — you know it even has a few zero days in there — so if you have a grand, and you know that the target is vulnerable to this type of exploit, you're in!

That's why I think these days security has to be not only [about] prevention, but [also] time, protection and response. You've got to do all you can to limit the window of exposure, but at the same time you have to be really monitoring.

I believe in having each device secured and monitoring each device, rather than just monitoring holistically on the network, and then responding in short enough time for damage control. I am a strong believer in detection — detecting an attack and shutting them down before they can really do anything.

Misplaced Trust in Tech

KM: Some people think technology has the answers. For example, they trust the public telephone network, but I'll show you what I mean.

(Kevin then asked me for my cell phone number and took out his phone — "It's just an ordinary Nokia," he explained. He tapped in some numbers and then asked me what number I would like to have call me. I told him 212-555-1212 — New York City's information number — he tapped in a few more numbers and my phone rang. The caller ID showed 212-555-1212 was calling me. I answered; it was Kevin.)

It's a little XML script I wrote. The point is, if you think that's your office calling because even though you don't recognize the voice ("it's the new guy - today's my first day") it's their phone number on the caller ID, think again. If you have a system that authenticates incoming [computer] connections via caller ID, I suggest you use something else.
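The advice above is that caller ID is attacker-controlled data and must not be used to authenticate an incoming connection. The following is an added example, not code from the interview or from Mitnick's consultancy, sketching a dial-in gateway's access decision two ways: a naive policy that accepts any call whose presented number is on an allowlist, and a hardened policy that ignores caller ID for authentication and instead requires the caller to answer a fresh challenge with an HMAC keyed by a per-device secret. The device table, the secret and the spoofed call record are all constructed for the example; the number 212-555-1212 is the one from the anecdote.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed table of enrolled dial-in devices. The expected caller ID is
# kept only for logging and alerting; the per-device secret is what authenticates.
ENROLLED = {
    "branch-modem-07": {
        "expected_caller_id": "2125551212",  # number from the anecdote, used as a placeholder
        "secret": b"constructed-per-device-secret-not-a-real-key",
    },
}


@dataclass
class IncomingCall:
    caller_id: str           # presented by the phone network; the caller can choose it
    device_id: str           # which enrolled device the caller claims to be
    challenge_response: str  # hex HMAC over the gateway's challenge, if the caller holds the secret


def naive_policy(call: IncomingCall) -> bool:
    """Accept if the presented caller ID matches an enrolled number (the flawed approach)."""
    return any(d["expected_caller_id"] == call.caller_id for d in ENROLLED.values())


def issue_challenge() -> bytes:
    """Fresh random nonce per call so a recorded response cannot be replayed."""
    return secrets.token_bytes(16)


def compute_response(secret: bytes, challenge: bytes) -> str:
    """What a genuine enrolled device computes from the gateway's challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def hardened_policy(call: IncomingCall, challenge: bytes) -> bool:
    """Caller ID plays no part in the decision; only a correct HMAC response is accepted."""
    device = ENROLLED.get(call.device_id)
    if device is None:
        return False
    expected = compute_response(device["secret"], challenge)
    # Constant-time comparison so the response check does not leak timing information.
    return hmac.compare_digest(expected, call.challenge_response)


def caller_id_mismatch(call: IncomingCall) -> bool:
    """Caller ID is still worth logging: a mismatch is a detection signal, not an auth input."""
    device = ENROLLED.get(call.device_id)
    return device is not None and device["expected_caller_id"] != call.caller_id


def demo() -> dict:
    challenge = issue_challenge()
    # Constructed spoofed call: presents the enrolled number but cannot answer the challenge.
    spoofed = IncomingCall("2125551212", "branch-modem-07", challenge_response="00" * 32)
    # Constructed genuine call from the device that actually holds the secret.
    legit = IncomingCall(
        "2125551212",
        "branch-modem-07",
        compute_response(ENROLLED["branch-modem-07"]["secret"], challenge),
    )
    return {
        "naive_accepts_spoofed": naive_policy(spoofed),
        "hardened_accepts_spoofed": hardened_policy(spoofed, challenge),
        "hardened_accepts_legit": hardened_policy(legit, challenge),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The naive policy accepts the spoofed call because the only thing it checks is a value the caller supplied. The hardened policy accepts the genuine device and rejects the spoof, while still recording the presented number so that a mismatch between the claimed device and the caller ID can raise an alert.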

What's Kevin up to Now?

Kevin Mitnick is currently making the rounds, appearing at various security related speaking engagements in addition to running his consultancy firm, Defensive Thinking, with co-founder Alex Kasper. Needless to say, he doesn't blindly trust the numbers that appear on his caller ID.

Keep an eye out for his upcoming book, "The Art of Intrusion". In the meantime, his first book "The Art of Deception" provides a telling look into the role the human element plays in computer security.

For part one of this interview, click here.