The Independent
Comeback of the hacker king
http://news.independent.co.uk/digital/features/story.jsp?story=344565
Kevin Mitnick was the subject of a huge FBI manhunt, before being jailed for
computer fraud. But now his hacking days are over and, he tells Charles
Arthur, the poacher has turned gamekeeper
21 October 2002
If you need a working definition of ironic, you could do worse than this.
Last summer, Kevin Mitnick, the one-time hacker who was on the FBI's "10
Most Wanted" list of fugitives, was himself the victim of a scam just like
the ones he used to work on people. It's a technique Mitnick, 39, calls social
engineering: getting access to information, including computer data, by
talking to people rather than by accessing computers. "I practised it for 15
years. I would think I would be the most aware of when it was being done,"
he says.
But in June he got a call on his mobile phone from a reporter from the
Associated Press. The reporter knew that Mitnick had written a book about
social engineering, and he was keen to talk about it.
"How did you get this number?" asked Mitnick, suspicious. The reporter
explained that he had called the book publishers who had given him the
number. Mitnick agreed to an interview and talked at length. When the
interview appeared, his publishers were aghast. "Why did you talk to him?"
they asked. Too late, Mitnick realised his mistake: "He misrepresented the
facts," he says. "And even I fell for it. Because I didn't verify the
authenticity of what he was telling me."
That's precisely the weakness that Mitnick, when he was a hacker (he insists
he's reformed now), would exploit: "Human nature, that we live in a world
where we presume that people are much like ourselves, mostly honest and
open, and we give people the benefit of the doubt."
Mitnick didn't get much benefit of the doubt in 1995. That was when he was
on the FBI's most wanted list; though Hannibal Lecter he wasn't. He went on
the run, having broken his parole on an earlier hacking-related offence,
before being arrested in February of that year.
The image you may have of him is of a superskilled computer hacker who broke
into dozens of networks, stole details of thousands of credit cards, scammed
his way all over the US, finally got caught and then served a long prison
sentence. Some of that's true. Precisely what is hazy; he disputes many
allegations, and the criminal charges were in the end quite narrowly drawn.
In August 1999 Mitnick received a 46-month sentence on fraud charges, and
was ordered to pay $4,125 in costs. In March 2000 he was convicted of wire
fraud, computer fraud and intercepting communications. Before these
convictions, he was on remand, often in solitary confinement, for four
years, the longest period that anyone has been held without a trial in the
US.
The effects of the sentence still linger: he wasn't allowed to use a
computer until January this year (he used it to write his new book, with
co-author William Simon, a very able author of business books). He won't
be allowed to use a computer that is connected to the internet until 21
January 2003. What's he looking forward to most? "Instant messaging,
e-mail... the usual communications media." At the moment, friends can read
him the e-mails sent to him, though it's never the same as doing it
yourself.
But that's not what Kevin Mitnick has got up on this California morning to
tell me about. Instead, it's to promote his new book, The Art Of Deception
(subtitled Controlling the Human Element of Security), which should put a
shiver into anyone responsible for looking after valuable computer data. Not
because it makes Mitnick look dangerous, but because it makes everyone look
vulnerable to anyone with the right personality and approach.
The Art of Deception is not about the sort of hacking that involves
exploiting strange scripting vulnerabilities in this version of Windows or
that version of Linux. The book is about the art of hacking people's heads.
The exploits are almost all fictional, but realistic, and enough to make
anyone wonder if their bank details might be given up as easily as in the
book. It's arguable that in the UK (which Mitnick says has rather better
banking security than the US) people would be more careful about giving out
data. But never underestimate the creeping effect of staff cuts and
reductions in training budgets - especially for security - on people's
willingness to believe what they're told by a convincing voice on the other
end of the telephone.
"Government and businesses and you and I are targeted by people who want our
information for identity theft or lawsuits," he says. Everyone else, surely,
but would anyone dare target Kevin Mitnick? "I have been targeted," he says
suddenly. "Somebody stole my identity to get cellphone service in Colorado.
But I've lived in California for three years. They used my social security
number and date of birth, to misrepresent themselves as me. So yes, I was a
victim of ID theft."
The Art of Deception has in its pages many scenarios, all of people in
companies being subverted by weaknesses in procedure. "These [scenarios]
really didn't happen," Mitnick says. "But I hope that the readers don't
think that they can't happen. The details can, and would, happen."
Some exploits in the book are true: he describes how in 1981 he and a friend
cracked the allegedly uncrackable protection on a new computer at a trade
fair, for which the prize was $300.
Social engineering played a key part there. Mitnick and his colleague
realised that the protection stemmed from the keyboards on show all being
plugged into a particular port on the computer. So while his colleague
distracted the person manning the stand over lunch, he used his lockpicking
skills to undo the plug and put it into the administration socket. When the
people who had written the protection system came back from lunch, Mitnick
was printing out the program code for their system - on their printer.
Mitnick has now started a security consultancy company called Defensive
Thinking, which provides conferences and seminars as well as staff training
in how to avoid getting turned over. Isn't a criminal record a slight
problem? "I never abused a position of trust in any work environment I was
in," he says. "Although I was convicted of computer hacking, a lot of people
know that the motivations weren't to cause harm. My motivation at the time
was the intellectual challenge. Now I have matured - I went to that special
place [prison] - and five years later I have decided to come out and expose
the methods that people use to do this."
In some ways, Mitnick is having the last laugh. The book tour will take him
to eight major cities. He's got a job, he's well-known, his life is stable.
"It's going to be exciting," he says. "At last I'll get to meet people. It's
good because of the demonisation there was of me. It's good that people meet
me and know who I am, rather than some character on a page."
'The Art of Deception', by Kevin Mitnick and William Simon, is published on
14 November, £19.95, by Wiley.
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations. To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html