Every industry has rockstars. For hackers and infosec, there's probably no one more famous, or perhaps infamous, than Kevin Mitnick…
After spending five years in a federal prison in the US for various hacking offences, he turned his skills to white-hat hacking. In a recent visit down under, Mitnick spoke and performed a series of live hacks on stage at a series of events in Auckland, Sydney and Melbourne.
I had the opportunity to interview Mitnick on stage in Melbourne. Throughout the interview, Mitnick interspersed the discussion with live demonstrations of various exploits and hacks. He also explained how he could carry out a hack, while in prison, during his eight-month confinement in solitary.
There’s no doubt Mitnick is a skilled security practitioner. But perhaps the most important lesson from all his exploits was that his greatest successes didn’t come by brute-forcing his way into systems. In the 16 years since his release from prison and working as a penetration tester, he has never failed to break into a company’s systems when he has had access to people.
Some of the hacks he perpetrated on stage were simple. He sent a text message to my phone, asking for some information, that looked exactly as though it had come from my partner.
He has convinced individuals to hand over personal data by convincing them to complete questionnaires.
Mitnick’s greatest tool is his quick mind and, as he puts it, the gift of the gab.
Of all the hacks Mitnick described, the one that most amazed me was perpetrated from solitary confinement. Prisoners in federal prisons are only allowed to make phone calls to five designated numbers. One of the people Mitnick wanted to be able to call was his partner. However, her number was not on the list.
Prison guards watched Mitnick very closely while he was on the phone. During one of Mitnick’s court proceedings, a prosecutor told a judge Mitnick could launch an ICBM by calling NORAD and whistling into the phone.
Over time, Mitnick socially engineered the guards by scratching his back against the wall adjacent to the phone he had to use for his calls. He also determined there was an 18-second window between when he hung the phone up and when the dead line would be detected.
Eventually, Mitnick was able to place his back against the phone, hang the call up with one hand behind his back and then dial a number – behind his back – within the 18-second window. All while being closely guarded.
If there was a single take-home message from Mitnick’s presentation through the day it was this: people are your weakest link and you should never trust anyone you can’t see.
And even then, be cautious.