Internet hacker and now Cyber security expert Kevin Mitnick is in Australia in November for a conference in Sydney and Melbourne with business leaders where Kevin will talk about security risks and issues in the modern day business environment and how to best manage and combat such risks.
What is your view of Open Source and the development of open source white hat communities? Do you see the need for these to be developed better, faster or with higher reward components as we move towards the Internet of Things.
Kevin Mitnik (KM) I do like Open Source, and I do believe that these communities should be expanded, but there is no management of these things as they are run on a completely voluntary basis. As far as moving faster and increasing rewards on open source projects, no one is really getting paid per say, so the reward is really just being a contributor. Maybe by creating additional incentives, it might make that particular community grow faster.
We’re not seeing the notoriety of black hat hackers as we once did, rather, we see the rise of particular hacker groups, such as Anonymous – can you explain why this might be? Is it the complexity of systems limits, individual hacker capabilities or is the risk of capture greater?
KM – We do actually hear stories about individual hackers in the press all the time. We may not necessarily know their names but we do see their actions, usually for fraud or theft for example. Individuals from Russia have recently been indicted in cases. Anonymous is really a kind of idea, rather than an organised group, and people will jump on the bandwagon because they believe in a particular cause, and I think because Anonymous have had a lot of press due to some of its stunts, like hacking into police stations and hacking some of its officers. They have done a lot of brazen type of attacks, so it garners a lot of press. I also see an equal amount of press on other types of hacking activity as well.
What can law enforcement do to better prevent and detect cybercrime, rather than the traditional approach o fwaiting for a report to be made and responding to a cybercrime report?
KM - The problem is it's not that law enforcement can't do anything, or if a government starts regulating private sector businesses and become the watchman so to speak, I really don't see that happening. It is really just individual businesses that have to develop and mature their security programmes well enough, so that they become a difficult target, so that the attackers then go after the easier targets. The government could imporve in their investigations by using diffferent tools and techniques to track the perpetrators down. Nowadays attackers could use TOR, which is a system designed by the US Naval services to anonymise Internet searching to protect journalists and dissidents and that sort of thing. It is also used by hackers to mask their IP address. For example, what we call the "darkweb" and what exists in the dark is a lot of criminal activity. The silk road site is an example of this; it ws an online drug emporium, and eventually the FBI got its man. The details of how they did this has not been made public, but it could have been by a vulnerability in TOR. It is actually hard to track down the perpetrators if they really know what they are doing, if they are sloppy and unsophisticated then it is quite easy.
Do you see law enforcement and government security services developing their cybersecurity skills at the necessary pace to stay ahead of the curve or do you think they will always be a few degrees (or more) beind the curve - how much of a gap to you currently see?
KM - The problem is that the government and public sector do not pay as well as the private sector, so it is difficult to attract talent into this area. This will only change if governments pay enough to attract the right people.
How do you view the moral implications of your background, given your criminal activities have been turned towards making a profit and how do you think we can turn younger people to the white hat community before they start black hat activities?
KM - Well, I do have a unique past. I am not profiting off my criminal activity now; I am profiting off all the good things I am doing today. I run a company that performs system vulnerabilities, before the bad guys do. I am also the owner of a company where we do security awareness training and automated phisshing against our clients so that they can better protect their businesses against social engineering attacks. I did illegal stuff back 20 years ago, but now my notoriety is resulting from the good things that I am doing. Today it's a lot different to hack than in the 80's and 90's when I started. Now there is cyber security taught in schools and universities, so it's a better environment now to teach and instruct students that will hopefully become cyber security professionals. Nowaddays there is coursework and available programmes to help those people do it in a moral and ethical way.
Source: Australian Security Magazine
