Ask Kevin Mitnick and he’ll tell you that there is a silent war happening everywhere around us. You could even be a casualty right now, and more than likely not even know it — most don’t. As he writes, “One of my team told me recently: ‘It’s almost a Cyber World War now, but barely anyone knows it, and those that do actually don’t know at any given time know who, or why they are fighting.’”
In this one-on-one with Mediaplanet, the renowned computer security consultant opens up the tool kit of today’s hackers for us to better understand and stay protect against.
What originally drew you into the world of hacking?
Challenge — pursuit of knowledge, seduction of adventure. In high school, I met this other kid who could perform magic with the telephone. It was called “phone phreaking,” and it facilitated my other great passion: pulling pranks. As the phone company started using computers to control devices, such as phone company switches, my interest in hacking began.
When I started, it was completely legal and hacking was cool. Hackers were considered the whiz kids. My favorite hack of all-time, still to this day, was when I was young, hacking the McDonald’s drive-through window. Truthfully, my passion for hacking has always remained the same. Businesses hire my company to try and break into their organizations to test their security. It’s like living in a heist movie. What’s not to love about that?
What are the biggest barriers a hacker faces when attempting to access private information?
Not much. Private information is freely available if you subscribe to the right databases, typically used by information brokers. These databases allow you to query a person’s social security number, birthdate, current and past addresses, current and past phone numbers. Once this information is obtained, it’s not too difficult to obtain the target’s credit report online.
As far as gaining access to enterprise information, the biggest barrier is layered security controls, meaning I would have to compromise several layers of security to break in. I travel the world and demonstrate live hacking at many conferences and speak to people of all walks of life. Lately, I’ve been showing how easy it is to steal someone’s personal identity in about 60 seconds! By accessing some databases I’ll know an individual’s mother’s maiden name, social security numbers — a whole bunch of stuff.
What are some myths regarding what hackers can actually get access to?
Hackers can get access to anything if they have enough time, money and resources. The myths are more about how they hack anything. Despite Hollywood’s insistence, I have never needed a skateboard to hack, and my fingers don’t move at supersonic speeds.
I think the most famous myth of how hacking can be done personally happened to me. The prosecutor in my case told a Federal Judge that I could dial-up a modem at NORAD and whistle into the phone and possibly launch a nuclear weapon. I almost burst out laughing in court when I heard that. But there was, and still is, so much fear built up by media and governments that the judge ignored the fact that prison officials would place me in solitary confinement so I was unable to get access to a phone in prison, just for the safety of the nation.
Remember: I hadn’t stolen for profit; I just loved the thrill of hacking because of the challenge. Most importantly, I had never threatened nor had any desire to hurt anyone, yet I was made out to be the poster boy for the new evil menace: hackers. I was just a kid looking for a challenge and adventure. It wasn’t a fun year.
When I started hacking, there was no legislation in place to deal with hacking. It doesn’t seem that long ago, but what seemed impossible then is a reality now. This year I showed the world the first video recording of an undetectable tap of a fiber optic cable. Concerning security, this has serious implications, for individuals, corporations and government organizations. Try to remember: If it’s important, use encryption. Possibly “air-gap” it too, meaning make sure your data is not connected the Internet.
How does security for mobile devices differ from that of corporate services and PCs?
Most people don’t even use security on their mobile phones, such as adding a passcode. The majority of people blindly use public Wi-Fi in public spaces. If there is one thing anyone can take away after reading this is use a virtual private network (VPN) service. One thing people should consider is purchasing a VPN subscription so that they can securely connect when using public Wi-Fi. Basically, if you aren’t using a VPN, your internet traffic may be monitored, or worse, you may be hacked when using open wireless networks.
Information security breaches have been a hot topic in the past couple years with Sony, Ashley Madison, NSA etc. What steps would you tell organizations to follow to improve their cyber security measures?
There are two important and easy steps that will provide much, much better cybersecurity for any organization.
Get tested regularly. Smart organizations are using the progressive strategy known as “red teaming.” This is a rewarding practice of using external, independent teams to challenge organizations to find ways to improve their effectiveness. The red teaming strategy encompasses and parallels the military use of simulations and war games, invoking references to competition between the attackers (the red team) and the defenders (the blue team).
For cybersecurity this is known as security penetration testing, the use of third-party penetration testers to simulate attacks by real intruders against systems, infrastructure and staff. The ultimate goal is to provide organizations with a thorough analysis of their current security.
Secondly, train all your staff on what social engineering is and how to detect it. People are the weakest security link. They can be manipulated or influenced into unknowingly and innocently helping hackers break into their organization’s computers and they can be manipulated into handing over the keys the kingdom. Social engineering is a technique used by hackers and con artists that leverages your tendency to trust. Providing security awareness training for staff is absolutely crucial in light of social engineering.
When our team is testing a company, we immediately target a sales individual who is willing to open any attachment, or go to any website. We booby-trap these events with malware that’s undetectable to anti-virus solutions. It’s not that hard to do. Consequently we then own the salesman’s machine and them work our way into the corporate network, and then its game over. Sometimes it only takes compromising one person to own an entire organization.
Finally, I know that the “business” of cybersecurity is new and growing, and I don’t ignore the irony that I’ve been able to turn lemons into lemonade. But I do see a problem with cybersecurity business as its now becoming a modern day gold rush with its own versions of fake claims. There is no silver bullet for security; there is no such thing as absolute security, nor is there any automated tool that even comes close to the skills of a motivated hacker probing for an organization’s vulnerabilities. The truth is simple. It takes one to know one.