One of the most asked questions I receive is… can you teach me how to hack? What do you say to those people who want to get a start in the industry?
First, DON’T follow in my footsteps. The truth is, I took a very different path than most other professionals. But you have to learn the fundamentals.
For many hacking gigs, you have to be really good at systems, network administration and development. Then, you need to learn a lot about reverse engineering. Understand how developers write code, how you can reverse code and learn how to debug problems with applications.
But the skills you need really depend on where you want to focus in the cybersecurity industry. We work with physical security experts that are really great at breaking into buildings. Social engineering experts that don’t always have a traditional network administration and systems background either.
(But most importantly, you do not want to follow in my footsteps.)
How did you get started and what led you to become who you are today?
I got started in hacking because of my love of magic. As a young kid, I used to visit the local magic shop in Los Angeles to watch these guys perform their tricks over and over and over because I always wanted to know how the trick worked.
Fast forward to my high school years and I met a kid that could work magic with the phone system. He showed me how to do all of these cool things he could do with the phone.
For example, he called this number and it read back the number he was calling from, or he could get my mom’s unlisted number. Or he could call something called The Customer Name and Address Bureau and it was a secret thing you could do with the phone company. You give them any number and they would give you the name of the person it belonged to.
This was back in the 1970s. I thought, “wow, this is really cool. Like the type of thing you could use for magic tricks.”
It wasn’t long before I got into phone tricks and doing prankster things like changing my friend’s phones to payphones. Whenever his parents would try to make a call, it would ask them to please deposit 25 cents. When I got involved in this, another kid in school suggested I take a computer class.
So I was introduced to this computer science instructor and I didn’t meet the prerequisites to take the class. But I showed him all the tricks I could do with the phone and he lets me in. The first programming assignment he gives the class is to write a Fortran program to find the first 100 Fibonacci numbers. At the time I thought, “Well that’s kind of boring. I’ve got to write something cooler.”
Back in those days, we had a dumb terminal and we’d actually use a dial-up modem. We put the handset in this acoustic coupler modem and it dialed to downtown Los Angeles to this computer system.
I realized by watching the students and by watching the teacher that nobody would hang up the phone after they logged out of the computer. So I thought, what if I could write a program that could pretend to be the computer’s operating system and it would ask the user for their username and password? It would log them in and let them do their work, but at the same time, it would store their username and password in a file that I could retrieve later.
So my first programming assignment, I actually wrote a program to steal the teacher’s password.
When he came around the class to collect our assignments, I obviously didn’t have the Fibonacci assignment done. I turned in the password-stealing program instead. The instructor was so happy and amazed that he gave me a bunch of atta-boys.
These were the ethics that taught a young Kevin Mitnick that it’s cool to hack.
So that’s how I actually got started: the love of magic, my passionate interest in amateur radio and telephony. I really got involved in hacking not to cause damage or steal money, nothing like that. It was all about the challenge, the seduction of adventure and the pursuit of knowledge. It was like a big video game to me.
What is the most common method or tactic used by the bad guys?
The primary method of hacking is called spear phishing, a subsect of social engineering. You manipulate the human into giving access to the bad guy. To spear phish, the bad actor does research on the company, its employees, vendors, research, customers, etc.
Then, they create a false pretext for an email sent to a specific target with internal access. They impersonate someone the target would trust, in order to get them to click on a hyperlink or download an attachment. As soon as they do so, a malicious payload gives the bad actor access to that person’s computer and an initial foothold within a company’s system.
After that initial access, hackers use technical tradecraft to get further and gain access to the data they’re after.
Can you really whistle the launch codes?
Well, I’ve really been practicing. So... I can neither confirm nor deny this trick.
What is your Ghost Team, can you share more about them?
The Global Ghost Team is my pen testers. Our information security company does security testing for companies around the world. They hire our team to hack their company, whether it’s physically, to find security flaws in internet-facing applications, to compromise an onsite wireless network or in their external network services.
We go in and simulate a threat actor, trying to identify all the ways and means of compromising the company. Then we share that information with the company, telling them how we compromised it and what they need to do to fix it.
I think I have been hacked (or I need to hack someone for a good reason), can you help me?
Due to the high demand for our services, we don’t have the capacity to work directly with individuals or respond to individual requests for assistance in any format.
Hacking without permission is illegal. We encourage victims of hacking to contact the applicable law enforcement agency and consult an attorney.
If you’re looking for help hacking, don’t. (In fact, we hope no one helps you so that you change your mind and avoid breaking a bazillion different laws. Trust me, I understand the consequences better than you do.)