Modernizing Authentication — What It Takes to Transform Secure Access
This is part two of my conversation with Kevin Mitnick. Part one can be found here.
A Hacker's Point of View
Kevin Mitnick: The hacker mindset doesn't actually see what happens on the other side, to the victim. As a hacker you think "Well, they were kind of naive, they picked easy passwords, I got in, I installed an SSHD Trojan, and when they figure it out all they've got to do is fix the Trojan and change a couple of passwords, so what's that going to take - ten minutes?"
That's how a hacker thinks, but on the other side, now that I work as a security specialist, it's more like "Oh my God! Who is this? What are they trying to do? We have to reload everything, we have to check every system on the network for integrity issues." Now it's a question of integrity — can we really trust our information? So now you're seeing man hours build into tens of thousands of dollars worth of loss in time and productivity. As a hacker you don't think about that.
There's also a question of ethics. As a young boy, I was taught in high school that hacking was cool. My first program was supposed to be written in BASIC and was supposed to find the first thousand Fibonacci numbers, but I decided I was going to write a program that was a log-in simulator so that when the teacher would go up to the computer and sign us in, it would snarf his password and log him in.
He would never know. Then I would tell him his password all the time. It was like a cat and mouse game with the teacher. When he finally figured it out and I told him about the program — I also told him that I didn't have enough time to do his assignment — he still gave me an "A".
Today, I'd be expelled, hauled off by the police, and my Mom would be picking me up from the police. Back in the seventies it was more like "this guy's smart, he's gifted, he's a whiz-kid," and I was actually patted on the back for this type of conduct. So the ethic I was taught in school resulted in the path I chose in my life following school.
Q: Do you think either approach is right? The seventies' approach or today's approach?
KM: I think equating hacking with a sort of cyber-terrorism is a bit of overkill, for example there's a new law that says that if you use a computer and cause serious bodily injury or death to a victim you get life without the possibility of parole — because there's no parole in the Federal system — but if you take a hammer or a motorcycle and you kill someone or seriously injure them it's not nearly as punitive. So, why? If the computer is the tool, why is the punishment so harsh? We should punish the person based on the harm they caused, not on the tool they used.
Q: Except that Joe on the street understands a hammer but he doesn't understand the computer, right?
KM: Right. So he's that much more scared of it.
Q: Isn't that one of the problems with legislators getting involved and trying to mandate defenses, because they don't understand the problem?
KM: Well, I'll give you an example. I went to Capitol Hill to testify about identity theft. So these older people, much senior to me, decided that one of the biggest ways they were going to combat theft is that when you go to a restaurant they were going to make it mandatory that they don't print the whole credit card number on the receipt, so nobody could fish it out of the dumpster. So I'm thinking they're going about this all wrong.
They've got to start thinking like the bad guys. All they need to do is to set up some website somewhere selling some bogus product at twenty percent of the normal market prices and people are going to be tricked into providing their credit card numbers. So what you have to do is think about authenticating credit card transactions more than thinking about obfuscating the credit card number. They just didn't get it. They just don't understand the problem, so they're never going to come up with the solution.
Q: Which is the bigger threat, social engineering or specific technologies?
KM: Both! If the truth be known, you actually use a combination to compromise any type of security controls, where there is the least risk and it's the least costly. For example, Motorola; let's say I wanted to get a copy of the source code for Digital Voice Privacy because I wanted to eavesdrop on the FBI and they use DVP Astro Motorola radios. And I think maybe they made a programming error so the crypto they implemented in this product might not be sound and I could eavesdrop on Federal Agents and that would be fun, right?
So you find a vulnerability into one of Motorola's gateways into their network through a technical flaw. So once there, the hacker wants to know "where is the DVP source code?" So what's the quickest way of finding out? Social engineering, right? So he calls the department and finds out who's working on that project, and that's a lot faster than trying to scour every machine on Motorola's campus. It's a blended attack.
A Cat and Mouse Game
KM: Security is always going to be a cat and mouse game because there'll be people out there that are hunting for the zero day award, you have people that don't have configuration management, don't have vulnerability management, don't have patch management...
I'm doing a new book called "The Art of Intrusion" so I'm looking for the people who are going to tell me [about] the sexiest hack of all time. So I was recently contacted by this Canadian kid who had already compromised four American banks, and he actually sent me files — of course after reading them I deleted them — as the proof. I asked him how he did it.
You'd think that it's very sophisticated, right? All he used was a port scanner looking for port 1494, which is Citrix. A lot of these banks have Citrix running on one of their machines that is connected to the internal net and their passwords are "password" or "administrator" or a dictionary word, and they feel safe because it's not like their public presence.
So this kid had installed key-loggers and got on-line manuals as to how the bank works and compromised their AS/400. He could actually wire money if he wanted to. He hasn't, because he's not interested in that. But right now, as we speak here today, he has full, complete access to four banks. I'd have to call it stupidity, or poor management. It shocked me! I didn't actually believe it.
So we have to do due diligence for the book — we require proof. Somebody's always going to try to pull the wool over my eyes — you know "Hey, I social engineered Mitnick and he put this fake story in his book!"
Q: You mentioned earlier the things that drive the enterprise's thinking in regards to security and all of them were external influences, none internal. Do you see them as reactive rather than proactive?
KM: I can't really stereotype the whole industry, but they'll be proactive about anti-virus software because they've already seen the effects. Some companies take security very seriously because they realize they have very valuable information assets and critical systems that, if they go down, they're going to lose revenue. So you have a mix.
But a lot of businesses out there don't see the return on investment, they look at it as a liability, and until they can understand that proactive security actually returns, gives them a return on investment, it's still a hard sell for people. It's still a grudge spend. I know people that live on their laptops and don't back them up — they live under this illusion that "nothing bad will happen to me" — it's always somebody else.
Kevin's Network Security Rx
KM: These days there are tools that you can get that do all the [hacking] work for you. Back in my day, I would probe by hand. Now you can get commercial software that does the job for you. You don't even have to know how it works under the hood. You can buy a product for a grand — you know it even has a few zero days in there — so if you have a grand, and you know that the target is vulnerable to this type of exploit, you're in!
That's why I think these days security has to be not only [about] prevention, but [also] time, protection and response. You've got to do all you can to limit the window of exposure, but at the same time you have to be really monitoring.
I believe in having each device secured and monitoring each device, rather than just monitoring holistically on the network, and then responding in short enough time for damage control. I am a strong believer in detection — detecting an attack and shutting them down before they can really do anything.
Misplaced Trust in Tech
KM: Some people think technology has the answers. For example, they trust the public telephone network, but I'll show you what I mean.
(Kevin then asked me for my cell phone number and took out his phone. "It's just an ordinary Nokia," he explained. He tapped in some numbers and then asked me what number I would like to have call me. I told him 212-555-1212, New York City's information number. He tapped in a few more numbers and my phone rang. The caller ID showed 212-555-1212 was calling me. I answered; it was Kevin.)
It's a little XML script I wrote. The point is, if you think that's your office calling because, even though you don't recognize the voice ("it's the new guy, today's my first day"), it's their phone number on the caller ID, think again. If you have a system that authenticates incoming [computer] connections via caller ID, I suggest you use something else.
What's Kevin up to Now?
Kevin Mitnick is currently making the rounds, appearing at various security related speaking engagements in addition to running his consultancy firm, Defensive Thinking, with co-founder Alex Kasper. Needless to say, he doesn't blindly trust the numbers that appear on his caller ID.
Keep an eye out for his upcoming book, "The Art of Intrusion". In the meantime, his first book "The Art of Deception" provides a telling look into the role the human element plays in computer security.
For part one of this interview, click here.