KEVIN MITNICK
Kevin Mitnick (born August 6, 1963) is an American computer security consultant, author, and hacker. In the mid nineties, he was “The World’s Most Wanted Hacker”. Since 2000, he has been a successful security consultant, public speaker and author. Kevin does security consulting for Fortune 500 companies, performs penetration testing services for the world’s largest companies and teaches Social Engineering classes to dozens of companies and government agencies. His last book ‘Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker’ was a New York Times best-seller.
Computer hacking
At age 13, Mitnick used social engineering and dumper diving to bypass the punch card system used in the Los Angeles bus system. After he made a bus driver tell him where he could buy his own ticket punch "for a school project", he was able to ride any bus in the greater LA area using unused transfer slips he found in a dumpster next to the bus company garage. Social engineering later became his primary method of obtaining information, including user-names and passwords and modem phone numbers.
Mitnick first gained unauthorized access to a computer network in 1979, at 16, when a friend gave him the phone number for the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E operating system software. He broke into DEC's computer network and copied their software, a crime he was charged with and convicted of in 1988. He was sentenced to 12 months in prison followed by three years of supervised release. Near the end of his supervised release, Mitnick hacked into Pacific Bell voice mail computers. After a warrant was issued for his arrest, Mitnick fled, becoming a fugitive for two and a half years.
According to the U.S. Department of Justice, Mitnick gained unauthorized access to dozens of computer networks while he was a fugitive. He used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mails.
Kevin Mitnick was once known as the ‘World’s Most Wanted’ social engineer and computer hacker. One doesn’t acquire a title like that – nor an accompanying prison sentence – for vanilla exploits. While in Federal custody, authorities even placed Mitnick in solitary confinement; reportedly, he was deemed so dangerous that if allowed access to a telephone he could start a nuclear war by just whistling into it.
From the 1970s up until his last arrest in 1995 Kevin Mitnick skillfully eluded and bypassed corporate security safeguards, penetrating some of the most well-guarded systems, including, amongst countless others, the likes of Sun Microsystems, Digital Equipment Corporation, Motorola, Netcom, and Nokia. He has even had to go on record and deny hacking into the Department of Defense’s North American Aerospace Defense Command (NORAD) and wiretapping the Federal Bureau of Investigation.
At a recent app-enabled cloud network performance and security briefing hosted by Citrix and Palo Alto Networks in Washington, DC, Mitnick opened up about his former life and introduced himself to the Washington crowd accordingly.
“I assume there are a lot of Federal agencies here so we may know each other from a past life,” Mitnick said in a devious, yet still tempered tone.
With the bylines of “Most Wanted” and “Infamous” and a laundry list of corporate names etched onto his belt of exploits, it’d be fair to assume that Mitnick’s hacking masterpiece evolved from one of his more high profile penetrations. That assumption, however, couldn’t be further from the truth.
Actually, the seminal stunt of his hacking career is much more puerile but nonetheless humorous. As Mitnick explained, “My favorite hack was actually when I was a kid.”
Mitnick hacked the frequency of a local McDonald’s drive-through ordering system and took control over the drive-through speaker, relishing the consequential bewilderment of unsuspecting McDonald’s employees.
“I would sit across the street from McDonald’s and I would take their order and tell them they were the 50th customer so your order is free. Please drive through your order is free,” Mitnick reminisced. “People would drive up to the window and I would say, ‘Our weight detection system detected your car is a little heavy so we recommend the salad instead of the Big Mac’.”
“It got to the point that the manager of the McDonald’s was wondering what the heck was going on and he walked outside and looked in the cars and around the parking lot, but he could not see anything because I was across the street. He even walked up to the drive-through speaker and looked at it and then stuck his head inside to see if there was actually someone inside and I yelled, ‘What are you looking at?!’”
Mitnick didn’t only revel in the joy of trolling individual customer orders, though. He went on to explain, “But my favorite was when the police drove up and I would say, ‘Hide the cocaine, hide the cocaine!’” Alas, the theater of the ensuing build-up and moment when the unsuspecting employee met the suspicious glances of the police would befit any comedic late night show.
McDonald’s, when reached for comment, was less than amused by Mitnick’s claims. As all Fortune 500 companies take hacking very seriously, Danya Proud, Director of Media Relations, McDonald’s USA stated, “We are not aware of this matter; however, security of our business, information and systems remains a top priority.”
No word yet if McDonald’s plans to hire Mitnick to consult on the protection of the integrity of their drive-through ordering process. One can only hope that measures to counter such nefarious hacks have been implemented.
At any length, look across the street if you ever encounter a problem during a wee-hours drive-thru run to Mickey D’s. The world’s once most wanted and infamous Mitnick may be enjoying a little bit of reflective levity at your expense, especially if you’re the 50th customer.
Could you hack into the New York Times best-seller list and change the ranking of your new book, Ghost in the Wires?
Probably. These days companies hire me to break into their systems to find their security vulnerabilities. I don't know if I could compromise the New York Times network, but I think it's likely. Of course, I would only do it with authorization.
Your first crime involved fake bus transfers. Do you think if somebody had cracked down on you earlier, your life might have gone a different way?
I think it goes back to my high school days. In computer class, the first assignment was to write a program to print the first 100 Fibonacci numbers. Instead, I wrote a program that would steal passwords of students. My teacher gave me an A.
What made you a good hacker was less the coding skills and more the social-engineering skills. What were they?
Social engineering is using deception, manipulation and influence to convince a human who has access to a computer system to do something, like click on an attachment in an e-mail. Most of the computer compromises that we hear about use a technique called spear phishing, which allows an attacker access to a key person's workstation. It's extremely difficult to defend against.
Has social networking changed hacking?
Made it easier. I can go into LinkedIn and search for network engineers and come up with a list of great spear-phishing targets because they usually have administrator rights over the network. Then I go onto Twitter or Facebook and trick them into doing something, and I have privileged access. If I know you love Angry Birds, maybe I would send you an e-mail purporting to be from Angry Birds with a new pro version. Once you download it, I could have complete access to everything on your phone.
How easy was it for those tabloid reporters to hack into celebrities' phones?
This kind of boggles my mind. A lot of the cellular operators would create a default PIN for people's voice mail as 1111 or 1234. It doesn't take a hacker to guess a PIN like that.
What is the perfect PIN then?
The perfect PIN is not four digits and not associated with your life, like an old telephone number. It's something easy for you to remember and hard for other people to guess.
What do you think of people like Julian Assange and the WikiLeaks crowd?
It's more Bradley Manning who was responsible for all of that. Here's an enlisted guy who's able to dump secret documents from SIPRNet to CDs. It is a huge security failure on the part of the U.S. government--the worst that I know of.
Which of your hacks are you most proud of?
I think when I hacked into Pac Bell Cellular to do traffic analysis on the FBI agents who were tasked with capturing me--not for hacking into Pac Bell but for how I leveraged that information to stay one step ahead of the government.
You used Money's rankings of the 10 most livable cities to find places to hide. Should the FBI monitor that list?
No, it was just allowing Money to randomize my choice. If I had my own choice, somebody might have figured it out.
You served five years. How do hackers get treated in prison?
Pretty well. A Colombian drug dealer offered me $5 million to hack into the Bureau of Prisons network to get him an early release date. I said, "Let's talk."