Kevin Mitnick
(Credit: Declan McCullagh/CBS Interactive)After having his AT&T wireless account breached and his personal information posted on the Web, famed hacker Kevin Mitnick thought the least the cellular service provider could do was compensate him for his troubles.
Instead, the company informed Mitnick it plans to cancel his contract and not pay damages for the breach, he said. (His service was still working Thursday afternoon.) Now he may sue.
"AT&T wants me off their network because they can't secure my account, and after being a loyal customer for almost a decade I find that reprehensible," he told CNET News on Thursday. "It apparently is more cost effective to drop me than to secure their customer's information."
"My attorney is going to review my contract to see what, if any, restrictions are in my service agreement," he said. "I may file a lawsuit for invasion of privacy for the failure to adequately protect my information."
The irony is that he speculates that whoever is responsible for getting into his account used social engineering to do so. Mitnick spent five years in jail for breaking into computer networks, mostly using social engineering to get information out of insiders that enabled him to access their networks.
He describes such social engineering techniques in fictional stories in his book "The Art of Deception," including examples involving PacBell in which workers at retail stores reveal customer account details over the phone to someone they think works for the company.
"These guys probably read my book and decided to steal my information using social engineering because it is so easy," he said. "I told AT&T about this and they just ignored it."
"The bigger issue is that this ineffective security affects all AT&T customers," he said. "They need to start shoring up their defenses."
Mitnick learned in June that someone had posted his address, land and mobile phone numbers, PIN, e-mail address, instant messenger handles, and the last four digits of his Social Security number on the Web in March.
When he failed to get a response from AT&T after he complained, he called a lawyer who asked AT&T to pay an undisclosed amount for damages to his reputation and property rights, he said.
"We investigated Mr. Mitnick's claims and determined they were without any foundation," said AT&T spokeswoman Jenny Bridges. "We refused Mr. Mitnick's demands for money, but did offer to let him out of his contractual obligations so that he could find a carrier that he would be comfortable with."
Asked if Mitnick could keep AT&T as his provider, Bridges said she could not comment beyond that statement.
Mitnick's high-profile status makes him a celebrity among some hackers and a popular target for others. He's had his Web site hacked numerous times over the years, including twice in the past several months. He's even had trouble with Facebook after the social networking site disabled his account, believing him to be an impostor.
Most recently, Mitnick's site was among a group of security sites that were hacked and publicized on the eve of the Black Hat conference last month. As a result of the hacking, Mitnick was asked by his Web hosting provider, HostedHere.net, to find another place to host his site.
This isn't the first time Mitnick's AT&T account information apparently has been breached.
CNET News learned almost a year ago that someone had gotten access to Mitnick's mobile account while he was on a trip to Bogota, Colombia, but at the request of Mitnick at that time, agreed not to publish the information while the case was being investigated.
On his way to Colombia, during a stopover in Los Angeles, Mitnick received warning that his AT&T account would be breached with a social-engineering attack, he said in an instant message exchange in September 2008. He called AT&T with the details and asked it to take extra precautions to protect his account and require someone trying to change the account to provide the password verbally and not just the Social Security number, he said. Despite that effort, when he landed hours later, his password had been reset and the account was no longer in his control.
"I learn that these hackers (they called to warn me first) called an ATT Corporate store in Idaho (I have the rep's name) and she changed my e-mail address to what the hackers requested. So they just did a pw reset," he wrote in the IM exchange.
Asked about it in a follow up conversation months later, Mitnick said the matter had been resolved and declined to comment further.
That Colombia trip was noteworthy for Mitnick for other reasons. On his return, Mitnick was detained for four hours and his computer equipment inspected after he landed in the Atlanta airport for unknown reasons.
Kevin Mitnick
(Credit: Declan McCullagh/CBS Interactive)There is no question who the most famous hacker is. One of the first computer hackers prosecuted, Kevin Mitnick was labeled a "computer terrorist" after leading the FBI on a three-year manhunt for breaking into computer networks and stealing software at Sun, Novell, and Motorola.
Known more for social engineering his way into networks than actually hacking them, Mitnick frustrated law enforcement not only by staying one step ahead of them but also with pranks like leaving doughnuts for them to find when they raided his home.
Finally arrested in 1995, Mitnick pleaded guilty to wire and computer fraud charges and was released from prison in 2002. His notoriety has helped him get lucrative speaking engagements and launch a security consultancy, where he gets paid for doing some of the very actions that landed him in jail.
In the first in a three-part Q&A series with hackers, CNET News talked to Mitnick, now 45, about what got him interested in computers in the first place, the differences between hacking today and three decades ago, and whether it's wise to hire a former black hat hacker to do security work.
Q: When did you start hacking?
Mitnick: When I was 16 or 17 years old, when I was in high school--1979 time frame; before it was even illegal.
How did you get into it?
I became very interested in phones. I was a ham operator, an amateur radio operator, for about three years and in high school I met this other student whose dad was a ham radio operator and this other student had a hobby of phone freaking and he introduced me to this. He was able to do amazing things with the telephone system. He was able to get unlisted numbers. If he had my number he could get the name and address...He could do all these magic tricks with the phone system. I also had an interest in telephony over ham radio. He introduced me to phone phreaking and when the phone companies started converting over to electronic systems from electromechanical systems they used front-end computers to control it. So the phone company was in the process of automating their processes. To further my phone phreaking I needed to become familiar with the phone systems' computers. So that was my foray into hacking.
So you went from phone phreaking into hacking?
Yes. The phone company had this computer system called COSMOS, which stood for Computer System for Mainframe Operations. Well, my first hacking occurred as a student at Monroe High School in Sepulveda, Calif., in the San Fernando Valley. I met another student who was very heavy into computers and at this time it was the Commodore VIC-20. They offered a computer training course for seniors but I wasn't a senior so he introduced me to the professor. He wasn't going to let me into the class. So I did all these electronic tricks with the phone system and the teacher was amazed and he waived the prerequisites and let me in the class. I think he regrets that decision today.
What could you do with the phones then?
I think I demonstrated calling into comp systems. You could interact with them with your voice and control them by touch-tone. He gave me his name and the city he lived in and I was able to get his telephone number. I was able to interface my ham radio with the telephone system and dial into computers and access them through the touch-tone pad. At that time it was pretty advanced because you didn't have voice response systems then like you do today.
What's the hacking activity you are most proud of?
Ethical or unethical (laughing)? You probably want to hear about when I was a hacker. I guess my intrusion into Motorola. I was able to call an employee at Motorola and convince her to send me the code for the MicroTAC Ultra Lite cell phone...Motorola had their whole campus protected by SecurID and I was able to use an elaborate social-engineering scheme by also manipulating the telephone network and set up call-back numbers within Motorola's campus. So I convinced a manager in operations to tell one of the employees to read off his RSA SecurID code any time I needed it so I could access the network remotely. That's how I was able to access their internal network and then I was able to use technical means to hack into their development servers for cell phones...I was able to find the source code to all the different cell phones.
I was interested in the MicroTAC series because it looked like a Star Trek communicator. I wanted to understand how these phones worked, how the codes controlled the processor. I wasn't interested in selling the source code or doing anything with it. It was more about the challenge of getting it. I had to breach like four layers of security to get in. I'm not really proud of it because it was obviously wrong...I made a stupid and regrettable decision and decided to go after the source code.
When you say it was about the challenge of getting it, can you elaborate?
At the time I was actually a fugitive in Denver, Colo., and one of my colleagues handed me a brochure of this phone and I thought it was ultra cool, like the iPhone of today. I really wanted to understand what are the protocols used, how does the phone talk to the communications network, how does the whole thing operate? And I thought maybe I could modify the firmware for the code in my phone and make it more difficult for the government to track me. For example, there are certain methodologies the government uses, like any time your phone is on, it is communicating with the mobile telephone company. I wanted to be able to toggle that off and on, so basically take my phone offline and do extra things to it. At the time I had that idea, but I never went through with it because I was so busy hacking...It was pretty much the trophy. Once I got the source code, that Motorola phone intrigued me. I looked at it, read through it, and tried to understand what I could understand.
After that I went after other different cell phone companies and it really was about the trophy. It was the challenge of getting in and getting the code, storing it at USC in Los Angeles, and moving onto the next one. That's how I got caught. The USC administrators noticed that a lot of their disk space was being used and that their systems were breached and they called the FBI. The companies themselves didn't realize they were hacked. It was USC that discovered it...I didn't spend any time trying to hide it (source code). That was my downfall.
Did know what you were doing was illegal?
I started hacking back in the '70s and there were basically no laws against it, against phreaking or hacking. In school, my parents and other people actually encouraged it. There were no ethics taught. If you could hack into the school's computer you were considered a whiz kid. Today if you do it you get expelled or they call the cops. It was like a reward of intellect back when I got started. Then they criminalized it later. I was so hooked into the adventure of the hacking game, doing it for a number of years even though it became illegal. It was thrilling, adventurous. It was all about solving the puzzle, using intellect to get around obstacles. It was like a huge game.
What would you do differently if you could go back in time?
In hindsight, I wouldn't do what I did because now I'm much smarter and wiser, and I caused a lot of network and systems administrators a lot of headaches undeservedly. It was the wrong thing to do. But at the time there was no such thing as penetration testing and no school curriculum on security. You had to be self-taught. That's how I learned about security and systems--through hacking. I took the wrong road in doing it. I wouldn't repeat it. Today there are degrees, pen testing, books on the subject. At the time, a lot of companies and universities didn't give much thought to security.
When I was 17 years old, the phone company was so livid with me for hacking their systems--and not hacking through a computer but through social engineering and calling and controlling touch phones or calling employees. There were no laws against it. They actually yanked out the phones in our house, and I was living with my mom at the time. I was in high school. They wouldn't let us have a phone and cited California Public Utilities Commission rules that if there's fraud or abuse the phone company can yank the phone.
Rather than stop my activities I figured I would one-up them. We were living in a condo. The condo had unit numbers and we were unit 13. I went to the hardware store and got the numbers 1, 2, and a B for unit 12B. I called the phone company and told them the builder had built another unit in the condo complex. Then the phone company came out and installed a phone for a new subscriber in 12B under my name or my mother's. Then we had a phone for two weeks and one day it just went dead. The phone company was livid because I had done this elaborate thing to trick them. After about six months we got the phone service back but we could only make outgoing calls.
Let me ask about your time in jail. How much time did you serve and what was that like?
I served five years, and I ended up in solitary confinement for a year because a federal prosecutor told the judge that if I got to a phone I could connect to NORAD (North American Aerospace Command) and somehow launch an ICBM (Intercontinental Ballistic Missile). So the judge, reflecting on the movie War Games, put me in solitary confinement. I think it was a strategy they used to get me to plead out or cooperate. I was held for four and a half years without a trial. I spent a lot of time focused on the defense and reading cases and serving as assistant to my attorney. At the end of the day I realized justice is economic; unless you have enough money to properly mount an effective defense you always lose.
I wanted to admit that I was hacking, but the intention and the purpose of it wasn't fraud because to commit a fraud you have to convert property to your own use and benefit, to profit. In my case that was lacking. I was doing it for the trophy. I was cloning my cell phone to random subscribers and dialing into computers from the cell phone. The purpose wasn't to make free calls; it was to make it more difficult for the government to track me. They claimed all my hacking into those companies was a huge elaborate fraud and that I caused $300 million of damage. They said the value of property I copied, the R&D development cost, was $300 million. The government tried to use the old (definition of) loss for tangible property. If I copied that code and they no longer had use of it, it would be a $300 million loss or whatever.
They told my attorney that if I didn't cooperate and plead out, not only would they take me to trial in Los Angeles, but they would put me in a revolving door of trials and put me on a bus and take me from federal jurisdiction to federal jurisdiction. So I signed the deal and admitted causing between a $5 million and $10 million loss. I signed it not believing it. I signed it to get out. I really don't believe to this day that my actions caused that amount of loss, because none of the victim companies lost use of their code, they never claimed any losses due to my activities. Sure there were losses, maybe in the thousands of dollars, for their time to investigate who hacked into their systems and to secure them. Those are the real losses. But I was the example for the federal government, so they needed to put me away for a long time. That's why I was very angry and bitter against the government at the time, because I wasn't being punished for what I did. I was being punished for what I represented at the time. I have no qualms about being punished for what I did. The punishment should fit the crime.
So, if someone were to ask you what lessons you've learned, what would you say?
Don't break the law. Don't intrude on other peoples' property. It's just the wrong thing to do. It's unethical and immoral. And now of course it's illegal. It's trespassing. You're violating somebody's property rights. And they have the right to control and keep their property confidential. What I attribute my change of heart to is growing up. Back then I was young and immature, and never damaged anything intentionally.
Do you feel that your hacking has led to positive change in some way?
Yes. It led to my career. Today I speak around world, I do pen testing all the time--and deep penetration testing, where I go after the most sensitive credentials at a company to see if I can get to the crown jewels. I see what I can do as an ethical hacker. I really enjoy this work because when is it that you can take a criminal activity, legitimize it, and get paid for it? Ethical hacking. It's not like you can be a drug dealer and go work for Walgreens...A lot of pen testers today have done unethical things in their past during their learning process, especially the older ones because there was no opportunity to learn about security. Back in the '70s and '80s, it was all self-taught. So a lot of the old-school hackers really learned on other people's systems. And at the time, I couldn't even afford my own computer. A dumb terminal was like $2,000. A 1,200-baud modem was like $1,200. The cost of this technology was out of my range as a high school student so I used to go to local universities and use their system, albeit without their knowledge, to learn.
Any advice for young hackers?
Yeah, don't follow in my footsteps. There are definitely other roads or other opportunities and ways that people can learn and educate themselves about hacking, security, and pen testing. Today it's a huge market. It's become a huge issue within the federal government with critical infrastructure.
Some people say companies shouldn't hire former black hat hackers. What are your thoughts on that?
I'm hired all the time. So far it has not really been an impediment. You have to evaluate the person's skill set, their maturity, and what they did before as a hacker. Were they getting credit card numbers and buying merchandise on the Internet? Or were they hacking systems for their own intellectual curiosity? You can't just lump black hat hackers into one category. You have to look at what they did in the past, what they've done since then, and what credentials they have to get the job done. People who have operated on the other side of the law, like Frank Abagnale, he is a prime example. He reformed himself and now is the leading authority on counterfeit money and checks. Look at Steve Wozniak. He even started out as a phone phreak (and sold blue boxes on UC Berkeley campus). But he took a whole different direction. He's done a lot of good for the community. That's another factor--what good has that person done for the community and industry since the transgression?
What are you doing now?
Consulting, author, public speaker. I go around the world speaking. That's my primary activity--ethical hacking, pen testing, system hardening, training, education. And I'm working on my autobiography. It's due out in spring 2010.
Corrected at 9:10 a.m. PDT:This post was updated to correct the spelling of MicroTAC Ultra Light, SecurID, the acronym COSMOS and clarify that Mitnick was at home when his apartment was raided.
In an ironic twist, Kevin Mitnick, a social engineering master who went to jail for impersonating others to get information to access computer networks without authorization, couldn't access his own Facebook account for weeks because administrators at the social networking site didn't believe he was who he said he was.
"It has frustrated me to no end. I used to be very influential at proving I was someone else. And now I can't even prove I'm the real Kevin Mitnick. It's kind of sad," Mitnick said, chuckling in a telephone interview on Monday.
Shortly after the interview, Facebook fixed the problem after being notified by CNET News.
Mitnick, who has been using Facebook for about two years, said he realized there was a problem February 22 when he couldn't access his account. He sent them an e-mail asking what the problem was and was informed that he had violated the site's terms of use by registering with a fake name.
So Mitnick sent them an e-mail from his corporate e-mail account at Mitnick Security Consulting to help prove he was the real Mitnick and not any of the imposters behind the six dozen or so other "Kevin Mitnick" accounts on Facebook.
Facebook's response? They don't accept e-mail from an account other than the one that was used to register at Facebook, which they had already rejected as authentication when they disabled his account. Since then, they had refused to respond to his pleas until Monday.
"I've been going around in circles," Mitnick said. "It's really pissing me off."
Asked for comment, Facebook spokesman Barry Schnitt said: "We are very aggressive in fostering and enforcing our real name culture and sometimes we make mistakes. But it's rare, and it's been fixed."
At least his last name isn't Yoda, Christmas, or Batman.
There are dozens of Facebook accounts with the name "Kevin Mitnick."
(Credit: Facebook)Updated at 7:55 a.m. PT on Wednesday to specify that the FBI cleared Mitnick of any wrongdoing in this event.
Since being released from prison eight years ago, Kevin Mitnick's brushes with the law have consisted of a few parking tickets and a citation for driving without a front license plate--that is, until he returned from a trip to Colombia two weeks ago.
(Credit:
Monty Brinton )
After landing at the Atlanta airport for a security conference, Mitnick was detained for four hours for reasons still not fully explained. To make matters worse, while customs officials in Atlanta were busy inspecting his cell phone, laptop, and luggage, police in Bogota were ripping open a package he had mailed to his U.S. address on suspicion that it contained cocaine.
The simultaneous incidents gave Mitnick deja vu of his days as a fugitive pursued by the FBI for breaking into computer networks, only this time, he hadn't broken any laws.
"There was uncertainty, fear, and panic because I didn't know what was going on, and I didn't do anything wrong," he said in a recent telephone interview with CNET News. "In my mind, I thought I was being set up for something."
Here's a rundown of what happened:
Mitnick's Delta Airlines plane landed in Atlanta on September 16 at around 3 p.m. He had flown in from Bogota, where he had gone to give a speech to the newspaper El Tiempo and to visit his girlfriend.
The first sign of trouble was when a U.S. customs agent swiped his passport through the computer system and started staring intently at the screen and typing. "Kevin," the agent said with a big smile on his face. "Guess what? There are some people downstairs who want to have a word with you, but don't worry. Everything will be OK."
... Read moreNEW YORK--Kevin Mitnick knows that the weakest link in any security system is the person holding the information.
As a young fugitive hacker, he went to jail for breaking into computer networks, mostly by using his cunning and persuasion than his tech skills. He was an early master of the science of social engineering--manipulating people into doing what you want, such as giving out passwords and other information that unlocks sensitive information on networks.
Kevin Mitnick takes the stage at the Last HOPE conference.
(Credit: Elinor Mills)Mitnick and a panel of other hackers discussed their social engineering pranks and gave live demonstrations at the Live HOPE (Hackers on Planet Earth) conference late on Saturday.
"Everything happened more than five years ago" and the statute of limitations has passed, he said. "I never said I didn't deserve to be punished, but it really went overboard putting me in solitary confinement" for eight months.
Mitnick, who was released in 2001 after serving five years in jail, announced that he has a contract to write his life story and showed a preview for a reality-based TV series in development in which he would test corporate networks by trying to break into them. As part of his plea agreement, he was banned from writing a tell-all until 2007. He also runs a security consulting firm and lectures.
Dubbed the "most dangerous hacker in the world," Mitnick was put in solitary confinement and prevented from using a phone after law enforcement officials convinced a judge that he had the ability to start a nuclear war by whistling into a pay phone, he said.
Mitnick didn't do any whistling on Saturday, but in his keynote following the panel he talked about how he listened in on FBI phone calls during the three years he evaded the FBI, left them doughnuts when he narrowly escaped raids and was chased down by a helicopter. He also demonstrated how to be able to see the phone numbers of callers on caller ID even when they have their number set to be blocked.
Below are some videos taken during the panel:
Mitnick and HOPE organizer Emmanuel Goldstein swap stories about using social engineering to get IDs and directories out of workers at telephone central offices.
Mitnick tells attendees at the Last HOPE conference about how he used social engineering on workers at a Hollywood telephone company central office in the middle of the night.
Goldstein does a live phone prank on a Starbucks employee offering aid for laid off employees from the fictional "Last HOPE Foundation" during a social-engineering panel at Last HOPE.
- prev
- 1
- next
