EVENT REVIEW: What we learnt from the FBI’s former most wanted hacker, Kevin Mitnick

Kevin Mitnick, who was jailed in the 1990s, spoke at IP EXPO in Manchester - and shared a few tricks from the dark trade

The world's most famous hacker has come to Manchester to share the secrets of his dark trade.  During a packed out keynote speech at Manchester Central, Kevin Mitnick demonstrated several live hacks.  From accessing bank account details, to cloning an audience members security pass, Mitnick had it all up his sleeve.  And although the technicalities went well over our heads, here are a few things we learnt along the way...

Who is Kevin Mitnick?

According to his biog, Kevin is notorious.  He once hacked into 40 major corporations, including Nokia, Motorola, and the NSA 'just for the challenge' - earning him a place on the FBI's Most Wanted list.

During his speech at IP EXPO, the annual technology event, he gave a glimpse into his former life.  "Sometimes the hacker couldn't care a less about breaking into the company, they simply want the information," he said.

"I'm going to share with you one of my attacks from the black hat days, not because I'm proud of it, but I think it really illustrates the threat and impact of social engineering attacks.

"If we rewind back to 1993. I'm living in Denver, Colorado, and I'm not living under the name of Kevin Mitnick because the FBI was looking for me at the time and I really didn't want to talk to them.

"I was living under the name of Erik Weisz. Why? Because that was the real name of Harry Houdini and he was one of my idols.

"I love magic and that is how I got started doing this - I found out later that the FBI had no sense of humour but that's a story for another day."

What did he do?

  • From an early age Mitnick learnt how to compromise security systems, gaining free access to the Los Angeles bus system aged 13, and by 16, gaining unauthorised access to computer networks.
  • He would break in and copy software and went on to hack into telephone company Pacific Bell's voice mail computers.
  • After a warrant was issued for his arrest he fled and became a fugitive for two-and-a-half-years.
  • According to the US Department of Justice he gained unauthorised access to dozens of computer networks while he was a fugitive - using cloned mobile phones to hide his location.
  • He also intercepted and stole computer passwords, altered computer networks and broke into read private e-mails.
  • Arrested in 1995, he was charged with 14 counts of fraud among other offences. He served five years in prison.

Now turned 'white-hat', or an ethical hacker, Mitnick is a trusted security consultant to the Fortune 500 and governments worldwide.

His speech about the art of deception explained how people are always the weakest link of any corporation.

Cool. So what does a real life hacker look like?

In short unremarkable - and that's the key.

His arrival on stage was preceded by a high adrenalin video clip filled with a creepy disguised voice and claims to 'the perfect Hollywood script'.  After his jail time, the film showed how he was back on a new mission with a team of experts. The target? 'To access corporate secrets.'  Playing to the global stereotype of hackers leading this high octane life, exposing secrets, it all looked very James Bond.  Then steps out a middle-aged American guy in a smart blue suit and takes his place behind a column of wires - hooked up to no less than four laptops, three screens, a microphone and scanning machine. This is the true face of the 21st century hacker.

However, his ability to blend in is one of his greatest weapons. Along with an immense amount of knowledge, of course.

What hacks did he demonstrate?

These came thick and fast but the main take away message was the use of 'social engineering' to access information.  Basically this involves compromising the people that use the systems as they are the weakest point.  This could be tricking them to click on a fake attachment, logging in to a bogus Wi-Fi or getting them physically close enough to clone access cards to their place of work.  Social engineering involves compromising the individuals that use these systems. Attackers look to exploit weaknesses in human nature and coerce people into performing actions which give the attacker an advantage.

"One of my favourites is gaining access to a persons laptop and microphone because it essentially becomes a room bug", he laughs.  He then goes on to set up a fake Wi-Fi network impersonating a nearby coffee shop to see if anyone signs in and falls for it.

All very clever stuff and scarily difficult to protect against in the day and age where we log into public networks without a second thought.

My favourite story, however, was one of him on an ethical hacking mission to breech a large American corporation's data centre. He had been hired by the company to see whether it was possible.  Faced with two levels of security inside the building he devised a card reader machine which would copy a genuine card close by.  "These are available in China and Taiwan," he quips worringly.  "It only works when you are in close proximity so I decided to target them in the restroom.  Of course I couldn't just go in and scan it as that would look suspicious. So I concealed the reader in a laptop bag under my arm as I stood next to the guy I was targeting."

"For the second level I contacted the service manager for the building and pretended I wanted to rent office space. After a long tour and discussions of how long the lease would be I asked about getting keys cut for my staff.  She said 'oh no we have cards that access the building' and I asked if I could see one to get a better idea."  Needless to say it was read and cloned within seconds. The unsuspecting victim had just given him full access to all floors and security doors.

The language of hackers and an unexpected sense of humour

Admittedly 90 minutes of this and my head was boggled by all the technical speech. Although the crowd seem to understand which is a good sign for a cyber conference.  However, I do have a new found appreciation for the fantastic language used in the hacking world.  From weaponising USB sticks, to evil twins and even a raspberry pie I was hooked.  Perhaps I wouldn't be so enamoured if I knew the real use of a 'thunderbolt', but I don't, so I enjoyed their phonetic greatness on a whole other level. It also proved that I would never cut it as a hacker.

Also I found Mitnick funny. Entering passwords he joked it was 'Kevin123' and after cloning an audience members card he threw it to him saying 'if you ever lose your card here's a back-up buddy.'

It is also reassuring to know he is now out there on the right side - helping companies and governments worldwide to tighten up their cyber security.

This cool review and other interesting news can be found at the source.

Source: Manchester Evening News

Topics: Social Engineering, Speaking Engagements, USB sticks, weakest security link, cloning security pass, cyber security, Erik Weisz, FBI, Harry Houdini, Manchester Central, Pacific Bell, Wi-Fi, cloning access cards, computer passwords, black hat, hacks, IP Expo Manchester, Kevin Mitnick

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

Bypassing Key Card Access: Shoring Up Your Physical Security

As you build additional layers of defense into your cybersecurity framework, it's important to implement physical security strategies as well.

Read more ›

How to Prioritize Your Pentesting Report’s Remediation Recommendations

If you recently received a penetration test, you’re on the right track to improving your cybersecurity posture. However, you may be wondering what the..

Read more ›

Understanding Post-Inoculation Cybersecurity Attack Vectors

If you’ve recently improved your cybersecurity posture, you should know that the work to protect your company’s data is not over.

Read more ›