Newsmaker: Kevin Mitnick on hacking's evolution

(continued from previous page)

Social engineering happens quite frequently now. It happened with Network Solutions, it happened with Paris Hilton. These are the attacks you hear about. There are many social engineering attacks you never hear about because they are not detected or because the person who was attacked doesn't want to admit it.

It is growing because security technologies are getting more resilient. There are better technologies to protect information assets and the attacker is going to go after the weaker link in the security chain. Social engineering is always going to be here. The more difficult it is to exploit the technology, the easier it becomes to go after people.

If you look at the folks who attack vulnerabilities in technology today and compare that to when you were first starting out, what trends do you see?
Mitnick: Back then, a lot of the holes in technology were not readily available and published like they are today on the Internet. Nowadays anybody with a browser could pretty much purchase commercial hacking tools like Canvas or go to a Web site where a lot of exploits are readily available. Ten years ago, if you were hacking you had to develop your own scripts. Today is like a point-and-click hacking world. You don't have to know how the engine is working, you just know to get in the car and drive. It is easier.

What would you say is the single biggest threat out there?
Mitnick: It is pretty much a blended threat. I think social engineering is really significant because there is no technology to prevent it. Companies normally don't raise awareness about this issue to each and every employee. It is at the end of the priority list in the security budget.

There will continue to be software vulnerabilities. In a lot of companies that I tested, if you are able to breach a perimeter machine, like an FTP server, mail server or DNS server, a lot of times you find those computers are not in the DMZ (De-Militarized Zone, a separate security area). Instead, they are on an internal network and the network is flat. So if you are able to compromise one, it is quite easy to spread access to other systems. Often times they even use the same passwords. Bottom line: More companies have to think of a defense-in-depth strategy, rather than just protecting the perimeter.

Over the past years we have seen a couple of arrests of virus writers, bot herders and others. Everybody knows you were arrested as well. Is law enforcement advancing? Are they doing the right thing and catching the right people, or are a lot still going free?
Mitnick: I am sure there are a lot of people doing this they don't catch. Wireless networks are ubiquitous. It is very difficult for law enforcement if somebody goes and takes a laptop and changes their media access control address so you can't identify the machine. If you're out in a car or van or sitting in a restaurant next to a wireless access point and don't use the same access point all the time, it could be extremely difficult to track you.

So there is a big challenge for law enforcement. Do you think they are doing a good job, or could they do better?
Mitnick: I don't know. We need stats for that. We need metrics on how many criminals they are apprehending. It is a guess that they are getting better, because they are getting help from the private sector. They are probably better than they were 10 years ago, but I don't know their capabilities. I know their strengths are in forensics. So if they seize a computer of somebody thought to possess child pornography, they use Encase and can recover that contraband. That's what they are good at. In doing hacker investigations--I really don't know their capabilities.

So what about when it comes to virus writers, bot herders, phishers?
Mitnick: With virus writers, I don't believe the FBI is technically doing the analysis. They just farm it out to a Microsoft, Symantec or McAfee because it is easier. These companies are not going to turn down law enforcement because they are doing a public service.

Do you believe that more of these criminals should be caught?
Mitnick: They should try. But the bottom line is that there is so much hacking going on that they have to set a dollar limit. Unless there is a fraud or a loss that equals $50,000--maybe $100,000--they are not going to investigate. Small criminals knowing this can always stay under this threshold. That's at the federal level. Then there are states, which might have a different monetary threshold, but their competency is probably less than the feds.

Do you think if you were doing today what you did 10 years ago, would you be caught sooner?
Mitnick: If I knew what I know now and I could use what I know now back then, no. But if they had the technology that exists today, and I was doing the exact thing I was doing, yes. Law enforcement's capabilities for tracking communications are much greater than years ago.

More Newsmakers

[jcpole]

Why are we still talking about Mitnick???

I don't get the media's fascination with Mitnick. He was never
any kind of "master hacker", or anything even close. He was
nothing more than a script kiddie that got caught. He used
other people's tools, and anyone that read the transcripts knows
that he didn't have the expertise to create the tools himself.

He definitely knows about social engineering, but then again, so
does just about any good salesman.

The whole Mitnick situation was a gigantic media stunt, and the
media continues to let him milk it.

Finally, any company that hires Mitnick to do security work is
insane. Hiring a "reformed" "hacker" is a terrible idea.

Mitnick should be working at McDonalds right now. Why on
Earth do we keep hearing his name???

J.C. Pole

[tx_roundup]

All in perception

Mitnick was one of the first so called big time hackers to be caught and sent to jail. I think the media's fascination with him is part curiosity into what they see is a world unknown to the masses. And part stereotyping from the movies where a kid gets caught, reforms and then uses his talents to the betterment of society.

Right wrong or indifferent, the every day home user has little to no knowledge (and little to no interest in learning) on how to protect themselves. If they did, the Nigeria scam would have flopped on it's face. If Mitnick can help raise that awareness I'm all for it.

What are you on?

Seriously? How can you use other people's tools, or be a sscript kiddie, when you're TALKING ON THE PHONE?! Do you even know what social engineering is?

Further more, your attitude about hiring "reformed hackers" is an ignorant stance. How do you think Anti-virus companies...BECOIME ANTI-VIRUS COMPANIES?! They know how to program a virus, thus, they make a definition for it so it doesn't affect your computer.

Mitnick was not jsut a "media stunt." Far from it. Do you even know what he was doing when he got caught?

Seriously, people like you should not be allowed to even own a computer.

Media Kiddies

The media likes Mitnick because he talks well.
He has written a couple of books, which focus
on Social Engineering, which is something that
the English Majors at Time Magazine can relate
to. Therefore, he is the kind of hacker that
the reporter can relate to, more or less.

On the other hand, some German guy who dresses
in sloppy black clothing and grunts a lot, who
wrote an IRC script to relay bot commands for
some kind of zombie network, is not going to
get a lot of media attention. The typical editor
at the Chronicle will say "What's an IRC??".

Until somebody who has similar skills AND IS
BETTER LOOKING comes along, Kevin Mitnick will
continue to be the media face of hacking.


(The TV people, in particular, would really like
to have a 20-something hacker babe to put on
their ads. It would probably increase the
ratings 30%, which is good money, even on basic
cable. TV is such a meat puppet kind of
medium. . .)

[sdencar]

reformed hacker?

A "reformed" hacker is a lot like a "reformed" child molester. Criminal activity is part of who they are. Like the previous post said, a company who hires a "reformed" hacker is nuts. Go ahead, hire a reformed child molester to run your day care.

[profiler_911]

evolved hacker

I don't think that Kevin would ever again go into nasty hacking business. Now he's got much better stuff to do and it probably pays off better ;-)

[Topher2798]

Enough Already!

I am so damn sick and tired of hearing the term "Social Engineering". Can we please stop this silly farce?

A Social Engineer is a just a ******** term for a Con-Artist. It makes about as much sense as a trash man calling himself a Sanitation Engineer.

Mitnik is a joke, and is nothing more than a Con-Man. Just reading the interview, it's obvious the fool doesn't even know what he's talking about. He's completely out of touch with the current state of Technology.

[rbannon]

M$

The line about M$ being on top of the security game must be a
joke.

[vincentt]

Yup..

Yup its a joke, M$ is way underground on security. Anyway, hiring reformed hackers isin't that bad its like hiring ex-criminals, i guess its ok but the media is just blowing it way out of porpotion, liike they always do

[farbuckle]

Is this reporter completely new to the beat?

The question "Would you say Microsoft is a leader and the rest of the industry is still catching up to that?" suggests the reporter has a way to go towards gaining basic knowledge of the industry and security.

MSFT has made a massive PR push on security after at least a decade of mocking others' efforts precisely because their products have been so insecure. When the National Security Agency had industry roundtables on security, MSFT would send low-level mignons to sit alongside giants at Whitfield Diffie. The junior managers were quite blunt. "No one pays for security, so we're here," they would say. "Our top level guys are busy making money instead of chasing academic problems."

MSFT's negligence was as jaw dropping as its arrogance. Now _they're_ playing catch up -- the rest of the industry addressed many of the same problems years ago. The only question is, can MSFT possibly fix its bloated code base in time?

Dan Geer did an excellent piece on the problem, one I heartily recommend to Mr. Evers. John Borland even wrote about it: <http://news.com.com/Microsoft+critic+dismissed+by+Stake/2100-1009_3-5082649.html>

Best of luck to you, Joris. You might start your reeducation by getting in touch with Dan Geer. He's at Verdasys.com, these days.

[Stating]

We Are All Social Engineers

Politicians. Lobbyists. Activists. Celebrities. PR/Media Consultants. Propaganda (Truth) Ministers. Talking Heads. Lawyers. Sales Reps. Marketers. CEOs.

Let's face it, the fabric of society is social engineering. From the family, to the tribe, to the community, to the nation, to the world. Rather than focus on the narrow problem of social engineering as it pertains to hacking, step back and focus on the con at all levels. Cultivate "street smarts" and don't let anyone pull the wool over your eyes, be it a hacker or an Enron energy trader. Trust no one and you probably won't be taken in.

[benaround]

OH MAN....

The dude got caught on wireless phone stuff when it was in its beginnings. DefCon..to be a speaker what a joke anymore. It was great at the first 3 conferences and was real but now just a side show. All this reminds me of the scene in Jurasic Park.
When the girl sits down at the Silicon Graphics Workstation. " This is Unix I know Unix !"

[Master2U]

Terrorist in given news sources

I recall, when I couldn't convince the telephone company, He was using thier maintence computors, to attack My home, around the clock, for a yr, with calls. I am quite angry, he gets past a lawsuit, for damaging My life, because I didn't have a way to catch his whereabouts, when he left Mn. Seeing him in the news media, is like honoring Saddam.