Hackers are no longer confined to their parents’ basements.
Transcript of video: Interview: Kevin Mitnick, Hacker and Cyber Security expert (Lateline)
Once upon a time, Kevin Mitnick was also considered a major security threat by governments: so much so that he spent years in prison.
These days, the world-famous hacker says he chooses to use his powers for good: consulting for the FBI and big business on how to stay secure in the digital age.
He's visiting Australia next month for a series of talks on cyber threats for Australian corporate leaders.
Kevin Mitnick joined me earlier from Washington to answer many of your questions on the future of hacking.
Kevin Mitnick, thanks for being with us.
You spent almost five years in jail and were also in solitary confinement for a while. Why solitary?
KEVIN MITNICK, HACKER AND CYBER SECURITY EXPERT: Well, back, you know, 20 years ago, when I went to court for what they call a bail hearing, a federal prosecutor had told the judge, "Not only do we have to hold Mr Mitnick without bail because he's such a grave danger to national security; but we have to make sure he can't get access to a phone." And the confused judge goes, "Why?"
And the prosecutor went on to say that, if I got access to a phone while in prison, I could dial up to NORAD (North American Aerospace Defense Command) using a dial-up phone number, connect to their modem, whistle into the modem and launch an ICBM.
So in open court I started laughing, because I'd never heard of something so ridiculous in my life. But the judge, being very technically challenged, must have believed the government.
So I ended up being held in what they call "the hole" for almost a year, based on the myth that I could whistle the codes to launch nuclear weapons.
MATT WORDSWORTH: So are mobile phones as easy to monitor and maybe manipulate?
KEVIN MITNICK: They're different. Back in the day, when I started this, you could basically use a scanner to eavesdrop on voice communications. And now, with the advent of technology, they make it more difficult.
But it's still possible. Mobile phones can be hacked, just like computers.
And what do I think the most secure mobile phone is? I believe it's iOS, which is an Apple product.
But what I mean by "the most secure" is: if you have an adversary that has $1 million or more, they could exploit you. Right? With an Android phone, if your adversary has $200,000 or more, they could exploit you.
And the reason I come up with these monetary figures is because you could buy "exploits" - exploits are compromised vulnerabilities in software - you can purchase zero-day exploits for these platforms - Android and iOS - for, you know, $200,000 for Android and $1 million or more for iOS.
So your security really comes down to: what are the resources, money and time, your adversary has to exploit you?
MATT WORDSWORTH: So just how easy is it for you to get into a mobile phone?
KEVIN MITNICK: Well... We do it, but we do it differently. We do it a legal way, because I run a company where we do security testing.
So companies from all around the world hire my company to try to break in to businesses by exploiting technological flaws, by manipulating people, by getting in physically and also by getting in through the mobile phones.
So during our (inaudible) testing exercises, we compromise these devices day-in and day-out.
MATT WORDSWORTH: So could you compromise my mobile phone?
KEVIN MITNICK: It's possible. I know what I can do: is...
What is social engineering? Social engineering is using manipulation, deception and influence to get a target to comply with a request.
Well, what I could do with mobile phones is: I could send you a text message and make it appear that it's anybody that I want.
So let's say somebody wants to steal the financials from a company. If an adversary - a hacker - sends a message to the CFO's executive assistant, pretending to be from the CFO: "When Kevin calls, please go ahead and release those third-quarter financials. By the way, don't text or call me because I'm in an important meeting."
What are the chances that that executive assistant is going to follow through and give me complete access?
So I could demonstrate to you that I could be anybody that I want when I'm using mobile communications. So what would you like to do?
MATT WORDSWORTH: Can you do that to me right now?
KEVIN MITNICK: Sure. What would you like? What do you want me to do: send you a text message?
MATT WORDSWORTH: Just show me what you were telling me just then.
KEVIN MITNICK: OK. What I'll do is: I'll send you a text message. One moment.
KEVIN MITNICK: You gave me your phone number earlier and another number. So what I'll do is: I'll send you a text message from your wife's number. How about that?
And I'm in America right now. I'm in Washington DC. I'm not even in Australia. So here we go. Let me go ahead and send it.
(Kevin looks down at his phone)
And momentarily you should be getting a text message, by the way - not from me, but from your wife.
MATT WORDSWORTH: Hang on, Kevin. Just one moment. I seem to have gotten a text from my wife. Better have a look: opening it up.
KEVIN MITNICK: All righty.
(Camera shows close-up of Matt's phone, with text message)
MATT WORDSWORTH: It says: "Please give Kevin all my passwords. Love, Stacey. xoxo"
KEVIN MITNICK (laughs): Well, there you go.
MATT WORDSWORTH: Now, you've sparked a lot of interest from our audience. They've submitted a lot of questions.
So firstly, Shelle Kennedy asks, "Is any security program unbreakable or unhackable?" So things like WhatsApp or Skype: anything you can't get into?
KEVIN MITNICK: Nothing is unhackable.
It really goes to the time: well, actually, the money, time and resources of your adversary.
It's actually good - well, if you want to do secure communications, there is an app you can download to your Android device or your Apple device called Signal. And Signal uses what we call end-to-end encryption.
So basically, the encryption keys are on your device and the person that you're communicating with. The provider doesn't have it: like, Telstra wouldn't have it, for example.
So that way, if a hacker or law enforcement, the Australian intelligence agency wanted to intercept those communications, what they would actually have to do is actually get malware onto your device. But they couldn't actually be monitoring the communications and decrypt it.
So if you want to have the safest voice and text communications, you could download the Signal app: and it's absolutely free.
MATT WORDSWORTH: On that topic, one of our viewers, Bruce, wants to know: "How secure is email?"
KEVIN MITNICK: Well, I don't know what email provider he's using. I suspect he is not encrypting his email.
And basically, when email is sent through the internet it's usually in the clear: meaning if it's going through other servers to get to its destination, to get into that recipient's email inbox, it can be read by anybody in between.
So the only way to secure your email is to encrypt your email. And there are some tools to do so. One of the most common tools that security experts use is a tool called PGP (Pretty Good Privacy), created by Philip Zimmermann.
There's also a freeware version of PGP called GPG. It's complicated to set up, but it would give you the most secure email communications available today.
There's a plug-in, I believe, for Chrome called Mailvelope and it makes it simpler to use PGP. So if you want to have secure email, take a look at GPG and Mailvelope.
MATT WORDSWORTH: Now, a few have asked us about our Census attack: the distributed "denial of service" attack. IBM and the Bureau of Statistics were quite confident in the integrity of their online platform. Was that just begging for an attack?
KEVIN MITNICK: Yeah. I mean, while you could have a belief in the integrity of your platform, you still have to exercise due diligence and set up the security layers necessary to fend off an attack.
And in this particular case, it didn't appear that IBM did their job at mitigating or preventing what we call the "denial of service" attack. What's a denial of service attack? That's where you have an attacker that has access to a bunch of computers, that has a lot of bandwidth and basically has a bunch of computers send to the Census website just trying to access the website.
And what happens: it overloads it so nobody else could use it. So that's what we call a denial of service attack: is where the attack makes it unavailable to anybody else.
MATT WORDSWORTH: And to your knowledge, did they do enough to protect that information behind the platform?
KEVIN MITNICK: Well, the word on the street - and I haven't vetted this personally - is the data that they had on Australian citizens was actually in a back-end database. But it wasn't encrypted: it was in the clear, which means if their computers got hacked and the bad guy was to obtain access to the database, they can get all the data that Australian citizens are submitting to the Census bureau - which is pretty scary.
MATT WORDSWORTH: Now, I just want to throw to a video question from Nich. He's one of the hosts of our gaming show, Good Game:
NICH 'NICHBOY' RICHARDSON, PRESENTER, GOOD GAME: Hey, Nich from Good Game here. My question for Kevin is: what do hackers find appealing about doing mass DDoS (distributed denial of service) attacks against big gaming networks? There are big ones that have happened to Sony and Microsoft over the Christmas period and I'm just wondering what joy they find in just ruining kids' Christmastime?
MATT WORDSWORTH: So, Kevin, how would you respond to Nich?
KEVIN MITNICK: Yeah, I think it's a sad thing that people actually do this. And I think it's to get media attention about their hack, so they could read about it in the press or watch some TV reporter mention it on the nightly news.
Or they do it for purposes of "hacktivism": and that's where hackers are motivated not by money, not by the challenge, but simply to send a political message about something they don't like.
So what they do, to try to draw attention to a problem, is: they'll create another problem, just to get the media play. So it's definitely a thing that other hackers like myself - legitimate hackers - really look down upon.
MATT WORDSWORTH: What about the recent hack of Australia's Bureau of Meteorology by foreign intelligence services? Why would they go after the weather bureau?
KEVIN MITNICK: Well, that's interesting and you have to wonder on the weather bureau: do they have... Is there any interconnectivity with other Australian government agencies?
What I suspect: you know, I can't think of a reason right off the top of my head why that would be interesting. But what they probably wanted to do was get a foothold inside a government network of Australia and use it to laterally move to maybe another network that was accessible.
Or maybe it was gaining access to the comms - meaning emails of people in the weather bureau - that they could pretend to be to get access to other government agencies.
I really think it was an initial access or initial foothold to get lateral movements somewhere else in the Australian government.
MATT WORDSWORTH: One of our viewers, Rob Fleischer, asks: "What is the true scale of international cyber warfare? And what advantage do these attacks deliver?"
KEVIN MITNICK: Well, pretty much every country has cyber defence and they have cyber network exploitation - especially 'Five Eyes', which Australia is part of: Canada, United States, New Zealand, GCHQ (United Kingdom's Government Communications Headquarters): you know, the 'Five Eyes'.
And what we do collectively and individually is: we try to exploit other government networks to get access to intelligence. And other governments do it to us. And it's been going on for years and it will continue.
MATT WORDSWORTH: This is your business. Has the Australian Government approached you?
KEVIN MITNICK: No, but I was recently... Somebody from a third-party contractor reached out to our company, seeking out what we call "zero-day exploits".
What are zero-day exploits? Those are security flaws in software that haven't been fixed and which software manufacturers that developed the software have no idea is there, too.
And they reached out to us to buy pretty much cyber weapons that they could use for their purposes. But we don't deal with foreign entities when we're dealing with zero-day exploits. And it's something that I really don't discuss, but we don't deal with foreign entities at all.
MATT WORDSWORTH: But it was an Australian government contractor?
KEVIN MITNICK: Well, right. So... yeah. So we basically told them we can't help them.
MATT WORDSWORTH: So going to where you are, hacking is front-and-centre of the US presidential election. States are reporting attempts to breach voter registration databases. Hillary Clinton's campaign manager has been hacked. How big is the risk here?
KEVIN MITNICK: Well, it's substantial. And today Australian citizens, Australian businesses can't depend on government to protect them.
What they have to do is basically take the rein into their own hands and start exercising due diligence and, rather than being reactive, be proactive: layer their defences and make it really hard for a hacker or any other type of adversary to get into the network. And that's what's important.
MATT WORDSWORTH: How routine do you think hacking is going to become during elections?
KEVIN MITNICK: Well, it's already routine. In this particular case, the United States Government has pointed the finger at Russia for hacking into the Democratic National Committee.
It's a bad thing to be compromised. Governments, private and public sector businesses need to have better security - and that's really the bottom line.
And you know, most companies are getting hacked - and it starts with just an email. Then the bad guy gets full control over that computer. And then at that point they could laterally move inside the network.
In fact, I'll be travelling to Australia on November 22nd, to Sydney. I believe I'll be in Melbourne on November 24th. And I'm doing keynote presentations there. And during those presentations I'm actually going to show how this stuff works: how an attacker could send a target a PDF file and gain full control of their computer; and what I did for you earlier, where I was able to send you a spoofed SMS message, amongst other cool demonstrations.
So this type of stuff hopefully will raise awareness in, again, public and private sector, to encourage them that they really need to re-think their defences and do something, again, proactively to prevent becoming the next victim.
MATT WORDSWORTH: Well, Danny John Palmer has the question for you: is "white hat" hacking a skill that technology teachers should be teaching kids at high school?
KEVIN MITNICK: I believe - I think that would be actually a pretty good idea: is to teach information security from even elementary school. Now, do they teach in public schools these days hacking or ethical hacking? I don't think so. I think that's more at the university level.
But I think in grade school and in high school what they could do is teach students fundamentals of network administration, network engineering, system administration, database administration, all about TCP/IP, which is the protocol that the internet is built on.
And really get students to understand the fundamentals. And by the time they reach the university level, then teach them how hacking works and how again to act as a defender, or to act as an offender - but in a way to find security vulnerabilities so their clients could shore up their defences.
MATT WORDSWORTH: And finally: Pagan Maven wants to know: is it true that all cyber hackers' car bumper stickers say, "My other computer is your computer?"
KEVIN MITNICK (laughs): I like that bumper sticker. I've actually seen it before. But I don't think... You know, there's hackers that are overt and most of them are covert - especially the ones that are "black hats" or doing it illegally.
But I like the bumper sticker. It's a lot better than a bumper sticker I'm very familiar with: and that was the "Free Kevin" bumper sticker that people had everywhere when I was actually sitting in federal custody during the early 1990s.
MATT WORDSWORTH: All right. Kevin Mitnick, we are out of time. It's been fascinating. I won't trust another text from my wife again. But thanks for being with us.
KEVIN MITNICK: Well, thank you for having me on your show.