Kevin Mitnick expresses his ideas on the state of security nowadays, discussing some real-world engagements he undertook and new projects coming up.
Shannon Morse: Given that this book is kind of a look at your past days and hacking, is there anything you regret from the past days?
Kevin Mitnick: Yeah, you know, I manipulated and conned a lot of people, that’s not cool, right? It’s not a nice thing to do, even though my objective was hacking. So I feel bad if I caused anyone to lose their job. Well, it’s not that I was a kid – I was doing this till I was 31. I don’t know if anyone lost their job, I don’t know what harm I caused to the individual. So I regret hurting anybody or causing any company’s loss, because to me cyber space was my playground, and I wasn’t trying to hurt somebody, I was just trying to be the Houdini of hackers.
– Now, how would you define black hats, and grey hats, and white hats? Is there any kind of line between them, and if there is, what place do you think you’re at?
– I don’t know who came up with that definition. I guess once you’re a black hat, you can never get that black out, right? So I’m probably grey, meaning that I did things illegally. I mean, where can you take an illegal activity, like computer hacking, and legitimize it? It’s really cool, because I do the same thing today: clients pay me a lot of money and I get to break into their systems, and it’s fun, and I help them. But it’s kind of like Pablo Escobar becoming a pharmacist, you know. I mean, where can this happen, right?
– That’s a terrible way to look at it. Now, what kind of techniques have you developed over the past years to hone your craft as kind of a social engineer?
– Well, I love Dave Kennedy’s social engineering toolkit. I mean, he’s taken that toolkit and made it easier; before, it was doing it by hand, using tools like Metasploit. It’s a fantastic tool, but a lot of it is: simply having access to the tool doesn’t get you in. You have to really be meticulous at creating the situation where you’re going to get somebody to fall for it and not realize, after they click or if they give you information over the phone, that they made a mistake.
– You kind of have to be an actor, almost?
– Yeah, exactly, like one of the attacks in my book. This was actually a pentest, and what ended up happening is I bought an HP printer and created a CD, had somebody do the art and basically created drivers with a Trojan. I packaged it all up and called one of the executives at this company and told him I’m with the HP Early Adopter program: “We’d love to have you on the program, would you like a free printer?”
– And, of course, they’re not going to say no?
– They’re not going to say no, and I reminded them that it was very important because of debugging. I asked them what operating system they were using; it was Windows. If you’re using Windows, make sure you install the CD. He did it, and it’s coming up with the ideas, because the attacker wants to get software or malicious code on the box; usually that’s it. Like, all attacks today are using social engineering to drive a client-side exploit in Adobe Flash or in Office documents and stuff like that; or getting somebody to make a mistake, like plugging in the USB drive, installing a piece of software.
So you kind of think of a situation where somebody wants something, and it seems so reasonable. You open an HP printer and you see the CD, and it looks exactly like HP’s. You’re not looking at it for a counterfeit. That’s reasonable and it works. So, in both technical and social engineering pentesting that we’ve been doing since 2003 – we never failed. So, does that tell you that we’re really good or does that tell you security is really bad?
– In my opinion, security’s really bad.
– I agree. There is a lot of low-hanging fruit out there.
– Do you have any new projects coming up?
– Well, I finished my book. Right now we have a potential TV series – a huge network sent the book to the writers. It’s a shot in the dark – you know, that’s Hollywood. So, if the writers want to do it, then they’ll probably green-light a pilot, and we might have a TV series based on the book. I don’t know, I’m praying. So I’m really looking forward to that.
And I joined this company, it’s not announced yet, but this company develops Internet security awareness training about how you prevent social engineering in corporate environments. You have to simulate attacks on the users to inoculate them; it’s like having a flu shot – you don’t want to get the H1N1, so they give you a little bit of the virus so that your body builds that immunity. It’s the same psychological idea with social engineering: as you attack the users over a period of time, you inoculate them. Now, when the real attack comes, they reject it. So I just joined this company in an executive position to help create this product that will help companies prevent the future Kevin Mitnicks from getting in.
– Oh, the future Kevin Mitnicks, all the little 10-year-olds with the bus punch? So, for the 12-year-olds with a bus punch, the budding hackers, do you have any kind of best traits that you think they should have?
– Well, think fast on your feet. And, to me, hacking was all about the passion. It was just something I loved to do. I mean, it’s like sports: a guy who plays soccer goes out and practices 8 hours a day because he wants to be the best soccer player; well, I wanted to be the best hacker at circumventing security, because to me it was like magic. Because I actually started it, and I mentioned in ‘Ghost in the Wires’ that how I started hacking was wanting to perform magic tricks.
And then I met this kid in high school that could perform magic with the telephone: he was a phone phreaker. So I got involved in this hobby, and one of my first phone phreaker hacks – this was funny – was to change my friend’s home phone, another phone phreaker, to a payphone, so whenever he or his parents were trying to make a call, you know what they would hear? They’d hear this: “The call you have made requires a 10-cent deposit. Please hang up momentarily, listen for dial tone, deposit 10 cents and dial your call again.”
They’d hear this recording, and my friend would call me: “Put it back, my parents are going to kill me!” So, what I did is I changed it into a prison phone so that they could only make collect calls. So I was just, like, playing with the system, I was a prankster.
– That’s so funny. So, if you could talk to your 12-year-old self now, what would you say to him?
– Wow! I mean, the world has changed from when I was 12. I mean, right now everybody has access to tools, like your favorite one is Metasploit; they have access to technology – this did not exist. You know, my first computer was in high school; it was an Olivetti terminal. A VT100 terminal and a modem would have cost you $3000-4000. It was unaffordable for me to learn about technology. So, what I used to do was roam through Radio Shacks in the San Fernando Valley and the college campuses, trying to hijack computer time so I could learn about technology.