Kevin Mitnick's hobby took him behind bars. Today he advises how to avoid the hacker he was himself.
(Editor's note: Translated from Polish using Google Translator)
He began by dabbling with the public transport system in Los Angeles to be able to ride a bus for free. Later, he went into the phone networks until he finally got onto the FBI's list of most sought-after men - one of the most famous hackers in the world.
The man in question is Kevin Mitnick, who lectured on Friday at the Inside Trends conference of Poland's Business Insider magazine in Warsaw. The editors of Živé.sk got the chance to talk to this well-known figure of the IT world.
He changed the color of his hat
The 55-year-old American was once a so-called "black hat" hacker. He got into multiple government systems, as well as those of dozens of large corporations. In the early 1990s, he evaded the law for more than two years.
He finally spent nearly five years in prison, much of that time even in "solitude". Prosecutors made the judge believe that Kevin was able to activate the American nuclear arsenal by a specific tonal dialing on the phone - even from prison.
After this experience, however, he went over to the other side and is now a so-called "white hat", an ethical hacker. As an IT consultant, his role is to attack client systems and look for weaknesses in them. The technique in which he excels is social engineering - he claims that the weakest element of each system is man.
What you read in the conversation:
- What led Mitnick to hacking and how he did it,
- Why he could not work for the SR and ensure security by the state system,
- On recommendations for Slovakia,
- What concerns arise from the emerging generation of cyber threats,
- What is the difference in his hiding from the police in the past and his actions today,
- Whether he also has hacks that are still unknown.
I did not accept the "black" hacker
It is said that black hat hackers - attacking for their own profits and the damage of others - are generally well placed to become much better ethical hackers as they have valuable experience on the other side of the barricade. Is that so?
It depends on his overall abilities. You can have a black hat hacker that is much better, but worse. The white hat [ethical] hacker is the same thing - just going to university, being in the lab, doing just some sort of application, and the like, may not have a way of thinking about a real black hat hacker.
It's like playing in movies or on television. You can be a native actor without studying at all - it's just you. Or you can have someone who is explicitly taught to do a particular thing. I personally believe people who are naturally native hackers are the best in security. So at least after the "offensive" page.
Remember that there are many different areas of safety. My job is to attack - to find security vulnerabilities, so the customer can fix them. The other side is defensive - the "blue team" that searches for possible attacks. My business is not engaged in this area.
Do you still have a team of colleagues with a fate like you today?
I did not accept any black hat hacker in my company. I never needed it, because the people I've employed are immensely capable of doing what they do. None of them has been punished in the past.
Of course, most security guards once did "something" when they were in high school or college. They will tell you this, but they have never been forgotten. They did exactly the same as I did, except that they stopped when the time came.
"It's a game of spies. Every country hits the other, no matter what."
The current negative "trend" in the field of Internet security is the rise in the issue of ransom. Do you already have an idea what could be another generation of cyber threats?
I think there will be a deterioration in the Internet of Things - IoT, because people are buying and plugging in ready-made devices as they are, they use factory default access data, many of these devices cannot be repaired if they are not upgraded, and so on.
California has just approved the law that IoT manufacturers do not have to set up uniform default access data, which is actually quite good. I do not know if something is also done by the EU, but the Internet of things is like a wild west.
You must also take into account machine learning and artificial intelligence. Nowadays, bot or botnets are said to trigger surface attacks, but not really massive attacks. And now, you will learn how machine learning and AI technology will hit it, from which the invaders will benefit. How bad can it be?
Are they a bad Russians or from the USA?
The Slovak government has recently announced that our state systems are hacked almost daily. Can you tell if this is a global problem? What do you recommend to a small country like Slovakia to be more effective in defending?
First of all, the country attacks other countries every day. It's part of the espionage business and it will continue for a very long time.
So what government organizations can do to reduce risk is the same thing that [private] organizations can do. Basically, use the same risk mitigation processes and technologies, implement control and detection mechanisms. First of all, think of prevention, detection and correction (Mitnick reminds us of these three basic pillars of security, editor's note).
However, government organizations need to be more cautious, given the nature of their secret information, so their control mechanisms are more stringent.
The kind of communications in the US, say, President Trump, uses specific types of hardware approved by the NSA. So governments must, naturally, look at similar tough security solutions of army character.
Well, in the US, too, there have been many government hacks. So the agencies in this game are still lagging because they have the same problem - if their social workers can use social engineering, that's the way.
But there are other effective ways ...
There are. Let's say the financial office has a portal through which people can pay taxes, and this site would have a software bug that anyone can attack from outside ... It is potentially possible for a government agency to be hacked through this web application - at least in relation to the data the portal has access to.
Would you also come to Slovakia if the government were interested in your services?
They can contact us, we have global clients around the world. However, I am not a citizen of Slovakia, so I probably would not think of it at all, as I would not get a security clearance for access to any classified information. So it will not happen, it's unreal.
Quite hypothetically, how many similar services are there?
We do our consultation by first evaluating the overall scale. Depending on the size of the project, the price will depend on it.
"I was a trophy hunter. The elegance of the hack was more interesting to me than the fruits of the hack."
In China, the young generation is educated with an emphasis on math and coding, so many children will be expected to become experts in security or hacking. Do you think we should also build a strong generation that could face potential threats?
When you learn to program, they should also teach you security. You want to write the code in a safe way so you do not tolerate vulnerabilities. So I think both go hand in hand. Whenever someone is educated in the field of development, security should be part of it.
Do you think China, Russia or North Korea are hacking leaders?
I also do not have detailed information, but it's a bit of something that the US Government is saying about cyber security: "China is bad, the Russians are evil." But I'm sure Americans are hurting them too.
Of course. It's a "spy game", every country hits the other, no matter what. So I do not like the approach that "this is good, that's bad".
So they will continue in the game, who is the most skilled spy. They did it before computer time and they would do it after it.
No addiction, just ordinary fun
You used to be hiding before the FBI. Would something like this be much harder nowadays?
The way they catch you is visibility. If they showed me, for example, in America's Most Wanted, I might catch up quickly because it would have been the number of eyes I was looking for.
In today's Internet and content world, the authorities can find information about the search to get a much wider audience. There is, of course, a higher risk that the refugee will end up - just by using social media and similar mechanisms, not a super-technical way the government can trace you.
Gift for the FBI
Mitnick really did a great deal in the '90s and likes to talk about various events. One of them is the way he "fooled" FBI agents in his time.
While he was on the run, he was able to find the phone numbers of the investigators who tried to track him down. Subsequently, he set up a so-called "early warning system" that could detect these numbers within a radius of about one kilometer of his apartment.
One day he found out that agents had been in his neighborhood early in the morning, but they had not come to arrest him. Mitnick learned that it was a survey needed for a home search order. On that day, he discarded any compromising materials and electronics - computers, as well as disks.
The investigators arrived the next morning. Besides the hacker, they found only a box with the inscription "FBI donuts".
Mitnick indicated to them that he was one step ahead of them. The agents scolded it so much they did not fuck with the ...
What led to hacking? You said that you got to know about the various weaknesses in your network. Have they been too tempting not to "examine them"?
No, no, it all started with phreaking on the phone (public phone networks, editor's note). I wanted to gain more control over the phone network, flush it and control the phone exchanges. First in Los Angeles and later across the United States.
My first goals were operators, so I wanted to learn more about the art of hacking to get them to know. And why did I want to bust over them? Because if I had access to the switchboard, I could do whatever I wanted.
Could it be that hacking was just addiction or just a hobby?
Hobby, hobby, fun. I did not want it for any purpose. I did not want to make a profit. All I wanted was source code - for example, of phones like Nokia, Motorola, and so on. And I wanted to study it and understand how it works. Not to sell it or have a free call.
Then it was really about understanding the code. I would say that only after I started having fun with penetration and stealing the code, it all became a trophy for me. I was a trophy hunter. The elegance of the hack was more interesting to me than the fruits of the hack.
Do you still have some "things", say, from the 90's that still do not know about you?
Yes, there are things that have remained unspoken.
Will you give us an example? (Laughter)
No. (naughty laughter)