If you need a working definition of ironic, you could do worse than this. Last summer, Kevin Mitnick, the one-time hacker who was on the FBI's "10 Most Wanted" list of fugitives, was himself the victim of a scam just like he used to work on people. It's a technique Mitnick, 39, calls social engineering: getting access to information, including computer data, by talking to people rather than by accessing computers. "I practised it for 15 years. I would think I would be the most aware of when it was being done," he says.
But in June he got a call on his mobile phone from a reporter from the Associated Press. The reporter knew that Mitnick had written a book about social engineering, and he was keen to talk about it.
"How did you get this number?" asked Mitnick, suspicious. The reporter explained that he had called the book publishers who had given him the number. Mitnick agreed to an interview and talked at length. When the interview appeared, his publishers were aghast. "Why did you talk to him?" they asked. Too late, Mitnick realised his mistake: "He misrepresented the facts," he says. "And even I fell for it. Because I didn't verify the authenticity of what he was telling me."
That's precisely the weakness that Mitnick, when he was a hacker (he insists he's reformed now), would exploit: "Human nature, that we live in a world where we presume that people are much like ourselves, mostly honest and open, and we give people the benefit of the doubt."
Mitnick didn't get much benefit of the doubt in 1995. That was when he was on the FBI's most wanted list; though Hannibal Lecter he wasn't. He went on the run, having broken his parole on an earlier hacking-related offence, before being arrested in February of that year.
The image you may have of him is of a superskilled computer hacker who broke into dozens of networks, stole details of thousands of credit cards, scammed his way all over the US, finally got caught and then served a long prison sentence. Some of that's true. Precisely what is hazy; he disputes many allegations, and the criminal charges were in the end quite narrowly drawn. In August 1999 Mitnick received a 46-month sentence on fraud charges, and was ordered to pay $4,125 in costs. In March 2000 he was convicted of wire fraud, computer fraud and intercepting communications. Before these convictions, he was on remand, often in solitary confinement, for four years, the longest period that anyone has been held without a trial in the US.
The effects of the sentence still linger: he wasn't allowed to use a computer until January this year (he used it to write his new book, with co-author William Simon, a very able co-author of business works). He won't be allowed to use a computer that is connected to the internet until 21 January 2003. What's he looking forward to most? "Instant messaging, e-mail... the usual communications media." At the moment, friends can read him the e-mails sent to him, though it's never the same as doing it yourself.
But that's not what Kevin Mitnick has got up on this California morning to tell me about. Instead, it's to promote his new book, The Art Of Deception (subtitled Controlling the Human Element of Security ), which should put a shiver into anyone responsible for looking after valuable computer data. Not because it makes Mitnick look dangerous; but because it makes everyone look vulnerable to anyone with the right personality and approach.
The Art of Deception is not about the sort of hacking that involves exploiting strange scripting vulnerabilities in this version of Windows or that version of Linux. The book is about the art of hacking peoples' heads.
The exploits are almost all fictional, but realistic, and enough to make anyone wonder if their bank details might be given up as easily as in the book. It's arguable that in the UK (which Mitnick says has rather better banking security than the US) people would be more careful about giving out data. But never underestimate the creeping effect of staff cuts and reductions in training budgets – especially for security – on people's willingness to believe what they're told by a convincing voice on the other end of the telephone.
"Government and businesses and you and I are targeted by people who want our information for identity theft or lawsuits," he says. Everyone else, surely, but would anyone dare target Kevin Mitnick? "I have been targeted," he says suddenly. "Somebody stole my identity to get cellphone service in Colorado. But I've lived in California for three years. They used my social security number and date of birth, to misrepresent themselves as me. So yes, I was a victim of ID theft."
The Art of Deception has in its pages many scenarios, all of people in companies being subverted by weaknesses in procedure. "These [scenarios] really didn't happen," Mitnick says. "But I hope that the readers don't think that they can't happen. The details can, and would, happen."
Some exploits in the book are true: he describes how in 1981 he and a friend cracked the allegedly uncrackable protection on a new computer at a trade fair, for which the prize was $300.
Social engineering played a key part there. Mitnick and his colleague realised that the protection stemmed from the keyboards on show all being plugged into a particular port on the computer. So while his colleague distracted the person manning the stand over lunch, he used his lockpicking skills to undo the plug and put it into the administration socket. When the people who had written the protection system came back from lunch, Mitnick was printing out the program code for their system – on their printer.
Mitnick has now started a security consultancy company called Defensive Thinking, which provides conferences and seminars as well as staff training in how to avoid getting turned over. Isn't a criminal record a slight problem? "I never abused a position of trust in any work environment I was in," he says. "Although I was convicted of computer hacking, a lot of people know that the motivations weren't to cause harm. My motivation at the time was the intellectual challenge. Now I have matured – I went to that special place [prison] – and five years later I have decided to come out and expose the methods that people use to do this."
In some ways, Mitnick is having the last laugh. The book tour will take him to eight major cities. He's got a job, he's well-known, his life is stable. "It's going to be exciting," he says. "At last I'll get to meet people. It's good because of the demonisation there was of me. It's good that people meet me and know who I am, rather than some character on a page."
Reply With Quote
