Mitnick In The News
Former FBI wanted hacker demos the dangers of public Wi-Fi
Many of us are tethered to our cell phones, our tablets, our laptops and we utilize free Wi-Fi on the go, but in a matter of seconds, that network you hop on for free may be what steals your personal information.
News 3 spoke to a man who was once the most wanted hacker in the world about how easy it is to get your personal information.
"It happens quite frequently," said Kevin Mitnick. "People using open wireless networks at restaurants and at coffee shops get compromised all the time."
Mitnick is the CEO of Mitnick Security Consulting, LLC. He is known for his high-profile 1995 arrest for computer and communications-related crimes. He was once one of the FBI's Most Wanted because he hacked into 40 major corporations just for the challenge. After he served prison time, he began working as a security consultant to test companies' security strengths and weaknesses. He now is a trusted security consultant to the Fortune 500 and governments worldwide.
He showed News 3 a demonstration of just how easy it is for hackers to obtain your personal information when you hop onto public Wi-Fi.
He says it doesn't take much for a hacker to set up a portable device that will pretend to be a Wi-Fi connection your devices trust and believe have used before. The bad guys trick your devices into connecting into the malicious wireless network.
"What this device does is it pretends to be AT&T Wi-Fi," he said. "A bad guy can set this up in a backpack and conceal it," said Mitnick.
Mitnick showed News 3 what can happen when someone logs onto that malicious network. The hacker can see on his laptop exactly what the victim is typing, including bank account usernames and passwords. And that's not all.
"They can inject fake updates like Adobe or Java. What the update is, it's fake, and once you install it, the bad guy takes complete control over your computer," he said. "Imagine if you get an update notice every minute. What would you do eventually? Update it. It would appear to be from Adobe but it's really not from Adobe. It's from this pineapple Wi-Fi device that's been programmed to inject a fake update. It looks exactly like it. Basically, what happens is as soon as the victim installed the update, it created a connection to the victim's computer to the bad guy. Basically now, I could steal and access all the files that Kevin has. Kevin is the guy logged into the computer. So right now, this computer has complete control under the context of the Kevin account on this mac because the person was fooled to install the update, and the update was annoying."
Mitnick says there's a simple solution to protecting your information. It's called a Virtual Private Network, or VPN.
"You can sign up for a VPN service for about 60 bucks a year. So, $60 is a cheap price to pay to protect your communications. So again, whenever you're using open wireless networks whether it's on your phone, tablet or a laptop, use a VPN," he said. "What it does is it creates an encrypted tunnel so when you're using, for example, a wireless network at Starbucks, it creates an encrypted tunnel to the VPN provider so the hacker cannot interfere with the data that's going over that connection."
He also notes, when you log into a hotel network and it requires your room and name in the login, that doesn't mean it's a secure network. He says the rules should be, if you're not at home or at work, use VPN to communicate with the internet.
Mitnick also says a common mistake for people that makes it easier for the hackers to break into your system is your password choices. Many people choose one password and use the same or similar ones on different systems. He suggests you look into a password manager like LastPass or KeePass.
"The manager will randomly generate a password, save it for you and your entire database of passwords are protected with a master password. So, all you have to do is remember a long sentence, one master password, to unlock everything. That way, if a hacker breaks into a site and somehow obtains your password, what they are likely going to do is try that password at a bank or company and so on. If you're using password managers, that strategy won't work," he said.