Kevin Mitnick and the human hacking business

Every industry has rockstars. For hackers and infosec, there's probably no one more famous, or perhaps infamous, than Kevin Mitnick…

After spending five years in a federal prison in the US for various hacking offences, he turned his skills to white-hat hacking. In a recent visit down under, Mitnick spoke and performed a series of live hacks on stage at a series of event in Auckland, Sydney and Melbourne.

I had the opportunity to interview Mitnick on stage in Melbourne. Throughout the interview, Mitnick interspersed the discussion with live demonstrations of various exploits and hacks. He also explained how he could carry out a hack, while in prison, during his eight-month confinement in solitary.

There’s no doubt Mitnick is a skilled security practitioner. But perhaps the most important lesson from all his exploits was that his greatest successes didn’t come by brute-forcing his way into systems. In the 16 years since his release from prison and working as a penetration tester, he has never failed to break into a company’s systems when he has had access to people.

Some of the hacks he perpetrated on stage were simple. He sent a text message to my phone, asking for some information, that looked exactly like it had come from my partner.

He has convinced individuals to hand over personal data by convincing them to complete questionnaires.

Mitnick’s greatest tool is his quick mind and, as he puts it, the gift of the gab.

Of all the hacks Mitnick described, the one that most amazed me was perpetrated from solitary confinement. Prisoners in federal prisons are only allowed to make phone calls to five designated numbers. One of the people Mitnick wanted to be able to call was his partner. However, her number was not on the list.

Prison guards watched Mitnick very closely while he was on the phone. During one of Mitnick’s court proceedings, a prosecutor told a judge Mitnick could launch an ICBM by calling NORAD and whistling into the phone.

Over time, Mitnick socially engineered the guards by scratching his back against the wall adjacent to the phone he had to use for his calls. He also determined there was an 18-second window between when he hung the phone up and when the dead line would be detected.

Eventually, Mitnick was able place his back against the phone, hang the call up with one hand behind his back and then dial a number – behind his back – within the 18-second window. All while being closely guarded.

If there was a single take-home message from Mitnick’s presentation through the day it was this: people are your weakest link and you should never trust anyone you can’t see.

And even then, be cautious.

Source: iStart

Topics: Social Engineering, solitary confinement, Speaking Engagements, federal prison hack, cybersecurity expert, security awareness training, Melbourne, Sydney, weakest link, Auckland, Kevin Mitnick, live hacks

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

Bypassing Key Card Access: Shoring Up Your Physical Security

As you build additional layers of defense into your cybersecurity framework, it's important to implement physical security strategies as well.

Read more ›

How to Prioritize Your Pentesting Report’s Remediation Recommendations

If you recently received a penetration test, you’re on the right track to improving your cybersecurity posture. However, you may be wondering what the..

Read more ›

Understanding Post-Inoculation Cybersecurity Attack Vectors

If you’ve recently improved your cybersecurity posture, you should know that the work to protect your company’s data is not over.

Read more ›