Modernizing Authentication — What It Takes to Transform Secure Access
I had the pleasure of spending an hour with Kevin Mitnick at the Infosec World Conference in Orlando, Florida last week. Kevin Mitnick, in case you don't already recognize the name, is the "super-hacker" of the 80's who was finally captured by the FBI in 1995 after being on the run for two years.
Having already spent four years in federal prison without a trial, without bail and for eight months in 23-hour-a-day solitary confinement, Kevin reached a plea agreement with the government. He was released from custody into supervised release in early 2000. In January 2003, Kevin was freed from those restrictions.
Giving testimony before Congress, Kevin once said, "I have gained unauthorized access to computer systems at some of the largest corporations on the planet, and have successfully penetrated some of the most resilient computer systems ever developed. I have used both technical and non-technical means to obtain the source code to various operating systems and telecommunications devices to study their vulnerabilities and inner workings."
In person, Kevin is completely forthright about the nature of his wrongdoings, but stresses in his own defense that he never used anything he obtained to gain monetary advantage. "All of this activity was to satisfy my curiosity; to see what I could do; and to find out secret information about operating systems, cell phones, and anything else that stirred my curiosity."
Kevin Mitnick is now a security consultant to corporations worldwide and co-founder of Defensive Thinking, a Los Angeles-based consulting firm. He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government's information systems. His articles have appeared in major news magazines and trade journals, and he has appeared on Good Morning America, 60 Minutes, CNN's Burden of Proof and Headline News. Kevin has also been a keynote speaker at numerous industry events and has hosted a weekly radio show on KFI-AM 640 Los Angeles.
He is also an author. In his book, "The Art of Deception" (co-authored with William Simon, Wiley Publishing) Kevin delves into "Social Engineering" — essentially con-man tactics used to get employees to divulge fragments of corporate information which, when assembled correctly, provide the basis for an intrusion attack.
The book highlights vulnerabilities in human nature that are easily exploited by the "social engineer", and suggests a variety of methods for reduction of the associated risks in the enterprise. His company, Defensive Thinking, also produces training videos that are both entertaining and eye opening.
In person, Kevin is a charming and very likeable man, and it is clear how he was able to use this type of skill so successfully! Here are some extracts from our conversation.
So what is your message today?
Kevin Mitnick: My message today is primary the same... I usually go around speaking on the threat of the human element, particularly on social engineering. I go around speaking on wireless security. I'm writing a new book,
I have a company where we do vulnerability assessments and pen[etration] testing and I'm an expert witness. I'm an expert witness in a case that's in appeal about a guy who allegedly misappropriated source code from a major, major company — he actually worked there and then apparently they found it on his laptop later.
So the guy that did the forensics for the State of California really botched up the job, so I'm called in as an expert on the "Habeas" petition, which is a 2255. And I'm an expert witness on another major hacking case. The defendant actually recently pled, but I'm looking for another person that can help on loss evaluation. That's what I'm doing, pretty much, today.
Page 2: Hiring Hackers and Mitnick's Motivation
Kevin also went on to talk about his reasons for being at Infosec. He mentioned the name of the person who was to interview him at a session the following day:
Kevin Mitnick: ...Mark Rash. Now that's another interesting can of worms because Mark Rash, as a part of his resume, actually states that he worked on my case for the Department of Justice, while he was with the DOJ. So that'll be interesting! But he's a nice guy and we going to be meeting later today and discuss the boundaries of the interview.
Last year I spoke at RSA and I was put on the hot seat — it was like a debate, "do you hire the hacker"... and that's where I was basically attacked right away as the, you know, "once a criminal, always a criminal" - that type of mindset. And even though nobody "won" it still didn't really bring any value to the audience, because what the audience wants to know is "Hey, we have a huge problem out here. We have problems with our physical security, operational security through to management. What can we do to shore up our defenses?" and "Do you hire the hacker?"
On Hiring a Hacker
I basically look at it as... if the guy hacked into Citibank and stole millions of dollars, would I hire him to secure my bank? Maybe not! I would look at it as the guy physically embezzled money through the computer so I'd say the risk would be too high.
Now let's say the same guy; and I'm with the Los Angeles School District and I want to protect student information; so even if this guy got hold of it, what can he do with it? Then if this guy had really, really good skills and he was really sharp, then I'd say maybe it is worth the risk.
You know there's a risk involved, but there's two opposing things. You have the criminal history and you have the skill set and it's up to the person making the call, the certifier, the person doing the hiring to asses the risk and make the call. It's simple mathematics today.
Now, fortunately, in my case, the Department of Defense has contacted me directly to submit a bid to do an assessment for the DOD, and a civil part of the US government has asked me to submit a bid, so here I have the US government that wants to hire me, so they've obviously had to weigh the pros and cons as well.
Then again, my case was all about the misappropriation of source code because I wanted to become the best hacker in the world and I enjoyed beating the security mechanisms. It was a challenge. I wanted to get behind the door; pick the lock; not because I wanted to steal what was on the other side of the lock, but because the challenge was being the best at getting through the lock; so the harder it was to break the more of a challenge it was.
So what I did was; I made some very stupid decisions and I said, "I'm going to go and get the source code to that lock, I'm going to go get the design specs to that lock; and figure out what in the designs makes some problems with it and I'm going to about them because I'm going to sneak into their computers and see their secret plans." So that's what I did with the source code.
Any type of operating system that I wanted to be able to hack, I basically compromised the source code, copied it over to the university because I didn't have enough space on my 200 megabyte hard drive. So I'd move it over to USC and I'd sit there and first I'd look through the comments, pick through the security holes, and then I'd see what the developer did to fix it because they'd always leave it well commented - thank you very much - and then I'd work back and figure out how I could write exploit code to exploit their vulnerabilities.
So what I was essentially doing was, I compromised the confidentiality of their proprietary software to advance my agenda of becoming the best at breaking through the lock.
Then and Now
I made stupid decisions as a kid, or as a young adult, but I'm trying to be now, I'm trying to take this lemon and make lemonade. It's amazing that I've been successful in this endeavor because now I travel round the world speaking about security.
Of course I'm sure half the people there hate me and half the people like me. It's half and half because most of the people have formed their opinion about Kevin Mitnick from what they've read in Takedown and what they've read in the media and how I was portrayed. I was pretty much the government's poster boy for what I had done. I've always looked at it as, what I did was wrong and I should have been punished, but the punishment didn't fit the crime.
Be sure to check out Part 2 of Vince's conversation with Kevin Mitnick.