From schoolboy hacker to FBI’s most wanted, now Kevin Mitnick advises businesses
Aug 21, 2016 - FINANCIAL REVIEW, by Yolanda Redrup
When 53-year-old Kevin Mitnick was in high school, he was asked by his computing teacher to write a program in the Fortran language to find the first 100 Fibonacci numbers. Little did his teacher know this assignment would kickstart a fascination, which led Mitnick to eventually become one of the FBI's most wanted hackers.
Rather than complete the assignment, Mitnick, who to that point had never learned how to write a computer program, decided to play a prank on his teacher.
He worked out how to use the programming language to make a fake login screen and steal the teacher's password.
"Fast forward a week and he asked the class to hand in their assignments," Mitnick said. "When he got to my desk I had nothing. He asked where my assignment was... I told him I wrote a better program and said 'isn't your password johnco?'
Mitnick says he was always inspired to hack by mischief and curiosity.
"He was really impressed and he shared it with all the class, so that was the ethics that were taught to me as a kid, that it was cool to hack."
After his first experience writing a computer program, Mitnick says he became "the guy who pushed the envelope", but he never saw himself as malicious. Rather, he believes he was mischievous, hacking into companies not to steal their data, but for the challenge.
One of his favourites was one he pulled off as a teenager – taking control of a McDonald's drive-through ordering system just to watch the surprise of the McDonald's employees.
However, throughout the 1980s and '90s things got serious and Mitnick became notorious in law enforcement circles.
Mitnick was captured in 1995 after eluding federal agents since November 1992.
He penetrated the systems of more than 40 corporations, with some of his most well known victims including Nokia, Sun Microsystems, Digital Equipment Corporation, Motorola, and Netcom.
Even in the closing stages of the legal pursuit, he says he was still having fun ... realising the FBI was onto him he wire tapped the agents on his case, setting up a warning system that alerted him whenever a call was placed to the officers in the vicinity of his office.
In a middle finger to the FBI, Mitnick cleared out his equipment and left a box of donuts waiting for them.
But it all came to an end in 1995 when he was arrested on numerous charges including wire fraud and he served five years in prison.
He was released from the Federal Correction Institute in Lompoc, California in January 2000.
Bizarrely he says he spent a year in solitary confinement after a judge was persuaded that he could launch a nuclear attack just by whistling into a pay phone.
Life after prison
After he was released on parole in January 2000 the world had changed.
"The internet was born and it was a huge shift. When I was arrested the only thing you could do on the ARPANET... was see pictures of Jupiter," he says.
"There was no such thing about security. Companies had their own IT people to do it, but there was no such thing as penetration testing."
But Mitnick was not allowed to engage in this new era of computing. Part of his parole conditions stipulated that he could not use a fax machine, cell phone or computer, let alone the internet.
"The only thing I could use was a landline phone. It was like I couldn't even have a nine volt battery and duct tape," he said.
But when his probation ended in January 2003, Mitnick decided he wanted to put his notoriety to good use and use his hacking skills legitimately. He formed a penetration testing company, now known as Mitnick Security.
He breaks into companies both physically and electronically by manipulating their security flaws, and to date says he has a 100 per cent success rate whenever social engineering techniques have been allowed.
He also makes a good living on the speaking tour, and is speaking to The Australian Financial Review ahead of appearances in Sydney and Melbourne in late November for his Mitnick Live tour.
It's the playful nature of hacking that still resonates with Mitnick today, as he talks about how easy it is to find security flaws in websites.
"That way I could order negative five meals, and that would manipulate the shopping price."
More seriously he says that while he has witnessed a rise in malware attacks, he believes Australian organisations are particularly susceptible to social engineering, which involves human interaction – tricking people into giving away valuable information.
"Australia is at a very high risk of social engineering attacks. It's a very trusting culture here and from what I hear from colleagues in the area … it works very well and people fall for it hook, line and sinker," he says.
"It's basically conning someone over the phone or via email to do something that will reveal information. There's an education component where companies need to consider educating their people about these sorts of [attacks]."
Locally, businesses have become more aware of the risks of cyber security attacks, significantly increasing their spending on IT security.
The 2015 Australian Cyber Security Centre study of major Australian businesses found 56 per cent had increased their expenditure on cyber security in the past 12 months, a significant jump from 2013, when only 27 per cent of respondents reported an increase.
Mitnick says the threat landscape has never been more appetising for hackers, particularly because of the ubiquity of mobile devices.
"Every businessman on the street has one of these devices. Exploits for iOS are very expensive, so if someone discovers one they could sell it for about $1 million, but Android is a lot less because it's a much less secure platform," he says.
Because of the difficulty of infiltrating iOS devices and the increasing focus companies are giving to cyber security, Mitnick believes the next evolution of attacks will come from cyber criminals targeting hardware.
"They will start attacking the actual hardware, not the software, and back-dooring these devices or compromising the software on a chip in the hardware that companies buy," he said.
"Let's say Westpac, for example, had a Cisco router, I could either get access to it remotely or have a back door in the firmware. An attacker could look at who is doing acquisitions in the supply chain and if they order five Macs from Apple they could cancel the order and then send five Macs with a firmware back door."