Kevin Mitnick was once the world’s most wanted hacker. He broke into 40 major companies for the challenge of it, and he eventually got caught in a spectacular cat-and-mouse game. He did five years in prison, including a year in solitary confinement because the judge in his case was told that he might be able to launch nuclear weapons from a payphone.
But after he was released in 2000, he stayed out of trouble. He built a consulting business as a security expert, and he helps break into companies’ networks so they can figure out where their vulnerabilities are and patch them. He claims that Mitnick Security Consulting has a 100-percent success record in penetrating the security of any system he has been invited to attack.
Mitnick has written four books on his life and security topics, most recently The Art of Invisibility, which was published last year in an attempt to teach people how to be safe in the age of big data and Big Brother. He is also the chief technology officer of Olyseum, a sports social network that uses blockchain technology and matches fans with sports celebrities.
I talked to the “world’s most famous hacker” about his thoughts on Russian hackers influencing the 2016 presidential election, Donald Trump, the security issues around blockchain, his new book, his work at Olyseum, and other topics in the news. I’ve interviewed Mitnick a few times over the years, mostly when his new books come out.
Here’s an edited transcript of our interview.
VentureBeat: What are you up to?
Kevin Mitnick: I’m working on a new book. We’re looking at a new one about penetration testing, telling stories about how the good guys simulate the bad guys breaking in. We’re in discussions with a publisher about it. It’s kind of an adventure story. Now that I do this stuff legitimately, it still has an air of adventure. We’re looking at the potential of putting this into a manuscript. We’ll see what happens.
VentureBeat: There’s always a lot happening in security. Blockchain is something new, and all the talk around Donald Trump and the Russians. I’m curious about what you think about that situation, and what you’ve learned about technology and security as a result.
Mitnick: Well, I’ve read the indictment. I thought it was fascinating, from the viewpoint that the government never releases these types of details. I’m not sure if they were releasing particular details from the Crowdstrike investigation. Crowdstrike is the third-party company that was hired by the DNC to investigate the intrusions. It almost looks like another nation-state was looking over the shoulders of, supposedly, the Dutch.
But in any event, if the facts are true, what was interesting is that the methodology the Russians used to hack the DNC is really no different from what civilians, whether crooks or people like us doing security testing—we use the same method of spearphishing. It’s social engineering. That seemed to give them the foothold in the DNC’s network, and then from there, because nation-states can afford to develop their own implants or malware, they were able to bypass the antivirus products or internal security products they were running at the DNC, if they were running any at all.
So what surprised me is the same tradecraft the Russians use, we use. That’s unbelievable. You’d figure that a nation-state has enough money, time, and resources to either have an internal team developing zero-days or purchasing zero-days. Why not use zero-days, instead of using phishing? Phishing is a pretexting attack. There’s always someone on the other side of that. There’s a high risk that the attack could be identified. You’d blow the entire operation. So why wouldn’t the Russians use zero-day exploits and avoid any email communication with anyone, given the risk of being caught? That’s the question that came to mind as I was reading the indictment.
VentureBeat: I was looking at a secondary story that pointed out one of the Russian agents supposedly logged in to a suspicious Twitter account without going through a VPN first. They got his exact location and office and everything from a failure to use basic security.
Mitnick: The same thing happened with LulzSec. If you recall Hector Monsegur, who went by the nickname Sabu, he was the leader of LulzSec, and he was caught through a similar error. He was connected to a VPN, but his connection dropped and his computer reconnected to something he was attacking without going through the VPN. That let his IP be identified.
You wonder why Russian operatives wouldn’t use burner devices. For instance, if I take my AT&T cell phone over to Moscow right now and I’m roaming on their network, my IP address is an American IP address. You can do this with other countries. When you’re roaming on a foreign network, it’s almost like you have a virtual connection to that country. It’s surprising that they didn’t use burner devices on the front end, before going through the VPN, to make it more difficult for any forensic investigators to make attributions.
If the facts are true, and they have dates and times about which Russian agent executed which command, who actually did the phishing attack, who installed the malware, at this level of detail, all that really leads me to believe that the Russians were compromised. Or their command and control server was compromised, and they were being monitored. It doesn’t make sense that a lot of these details could have been garnered just through forensic analysis of the victims’ machines.
If you notice, it’s also interesting given Julian Assange’s issues. A couple of months ago they yanked his internet access at the embassy and are basically holding him incommunicado. Then this indictment comes out with allegations against WikiLeaks, as “Organization #1” or whatever. I’m really curious if the U.S. government went to Ecuador and said, “You’re assisting criminal activity. You’re harboring an individual who’s doing X, Y, and Z.” I wonder if the Ecuadorians got concerned that they might be accused of contributing to a conspiracy unless they did something with Assange. I have a feeling there’s not just a big coincidence to that timing.
VentureBeat: Speaking of some things that rise up as larger concerns, is there something to the government being able to track Bitcoin transactions better than previously thought?
Mitnick: It’s all public. All blockchain is, it’s a digitally encrypted ledger. It’s not some sort of magic. You have a company like Kodak that puts the word “blockchain” in something they’re developing and all of a sudden their stock goes up. All the blockchain is is a digital ledger. To prevent anyone from tampering with that ledger, it’s protected with encryption and it’s distributed publicly.
Now companies are leveraging this technology to do things like subcontracts. What can they put in the chain and encrypt? How can they leverage this technology to create new products? A company in Russia is using blockchain to create a multi-factor authentication product, where the second factor is encrypted in the chain. Since the chain is public, with a private key you could unlock that block and use it for two-factor authentication. A lot of innovative companies are leveraging that fundamental blockchain and trying to come up with new products.
VentureBeat: Going back maybe a year, a year and a half ago, some of the big names like McAfee saw a rise in ransomware cases where the perpetrators were demanding to be paid in Bitcoin. It was considered an untraceable way to get the ransom. Now that’s apparently not true.
Mitnick: At least with Bitcoin, the ledger is public. If you recall the case of Silk Road, they were able to trace all of those transactions eventually that went to the wallet on his machine, so they could be used as evidence in his trial. What some crooks try to do is launder transactions, going through exchange services that anonymize their wallets. You have a wallet out here with Bitcoin in it, and they spend their time and resources on making sure you can’t connect that wallet back to a person. They’re able to move the money into the physical realm through some sort of exchange and have that be anonymous.
But again, the ledger is public. The hard part is how a bad guy gets the money exchanged into real currency, real value. That’s where they come up with a bunch of different schemes.
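As an added illustration of the two points Mitnick makes above (the ledger is public and tamper-evident, and laundering through a mixing service muddies rather than erases the trail), the following toy ledger is example code written for this page; it is not part of the interview and not software Mitnick or Olyseum describe. It assumes a simplified block format (index, previous hash, transaction list, own hash) with blocks linked by SHA-256, and all wallet names and amounts are constructed sample data. `trace_funds` follows money forward from a wallet the way an investigator reading a public ledger would, and `verify_chain` shows why an edited copy of the ledger is detectable.

```python
import copy
import hashlib
import json
from collections import defaultdict

# Constructed sample ledger: each inner list is one block's transactions.
# The "mixer_pool" wallet stands in for an anonymizing exchange service:
# it receives from several parties and pays out to several parties.
SAMPLE_BATCHES = [
    [{"from": "coinbase", "to": "victim_wallet", "amount": 5.0}],
    [{"from": "victim_wallet", "to": "ransom_wallet", "amount": 2.0}],
    [{"from": "ransom_wallet", "to": "mixer_pool", "amount": 2.0},
     {"from": "unrelated_user", "to": "mixer_pool", "amount": 1.0}],
    [{"from": "mixer_pool", "to": "cashout_wallet", "amount": 1.9},
     {"from": "mixer_pool", "to": "unrelated_user_2", "amount": 1.0}],
    [{"from": "cashout_wallet", "to": "exchange_deposit", "amount": 1.9}],
]


def block_hash(block):
    """SHA-256 over the block's canonical JSON (everything except its own hash)."""
    payload = {k: block[k] for k in ("index", "prev_hash", "txs")}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def build_chain(tx_batches):
    """Link blocks by storing each block's hash in the next block's prev_hash."""
    chain, prev = [], "0" * 64
    for i, txs in enumerate(tx_batches):
        block = {"index": i, "prev_hash": prev, "txs": txs}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Return the index of the first block whose hash or back-link is wrong, or None if intact.

    Because every participant holds a copy, a single party editing its copy
    produces a chain that fails this check against the others' copies.
    """
    prev = "0" * 64
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None


def tampered_copy(chain, block_index, tx_index, new_amount):
    """Deep-copy the chain and silently change one amount, as a forger might."""
    forged = copy.deepcopy(chain)
    forged[block_index]["txs"][tx_index]["amount"] = new_amount
    return forged


def trace_funds(chain, start_addr):
    """Follow outgoing transactions from start_addr across the whole ledger.

    Returns (reachable_addresses, hops) where each hop is
    (from, to, amount, block_index). Note that passing through a mixing
    wallet drags in every recipient of that wallet, which is both how
    investigators keep the trail and why it becomes noisy.
    """
    edges = defaultdict(list)
    for block in chain:
        for tx in block["txs"]:
            edges[tx["from"]].append((tx["to"], tx["amount"], block["index"]))
    seen, frontier, hops = {start_addr}, [start_addr], []
    while frontier:
        addr = frontier.pop()
        for to, amount, idx in edges.get(addr, []):
            hops.append((addr, to, amount, idx))
            if to not in seen:
                seen.add(to)
                frontier.append(to)
    return seen, hops


def sample_chain():
    return build_chain(SAMPLE_BATCHES)


if __name__ == "__main__":
    chain = sample_chain()
    print("intact ledger check:", verify_chain(chain))
    print("forged ledger first bad block:", verify_chain(tampered_copy(chain, 1, 0, 0.01)))
    reachable, hops = trace_funds(chain, "ransom_wallet")
    for h in hops:
        print("hop:", h)
    print("addresses reachable from ransom_wallet:", sorted(reachable))
```

Running it shows the trace from `ransom_wallet` reaching `exchange_deposit` (the point where value leaves the ledger) but also sweeping in `unrelated_user_2`, who merely shared the mixing wallet; a real investigation needs the exchange's customer records to turn that last address into a person.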
VentureBeat: Both blockchain and AI seem like big topics related to security right now. Do you think these things are going to improve or change security in a big way?