Man on the Run
Well, not anymore. These days, reformed computer hacker
extraordinaire
Kevin Mitnick works for The Man.
My cell phone is ringing.
I pick it up off the table of a busy
Los Angeles restaurant and
look to see who is calling. Weird. The caller ID flashes my home
phone number, but I know for certain that nobody is there. ¶ Across
the table from me,
Kevin Mitnick is smiling. Once the most
notorious computer hacker in the country - he was the FBI's
most-wanted hacker and a fugitive for three years - Mitnick has
more than a passing knowledge about using technology for devious,
deceptive purposes. Using his own cell phone, Mitnick takes just a
few seconds to demonstrate how he accomplished this telephonic
sleight of hand known as caller ID spoofing, a particularly
effective trick for identity thieves and con artists. (Think about
it: How likely would you be to withhold personal or financial
information from someone who your caller ID says is from your
bank?). Equally as quickly, Mitnick pulls upGeorge H.W. Bush's
driver's license number and then offers to retrieve mine, but I
demur.
On the day we meet, Mitnick, 43, certainly doesn't look like much
of a threat. Wearing a dark T-shirt and jeans, he is engaging and
self-deprecating; he bemoans his latest doctor's visit because his
physician was pestering him about losing weight. These days,
Mitnick - who served five years in federal prison for breaking
into the computer systems of large companies like
Motorola and
Nokia and then fleeing from prosecution - has very much gone legit.
Instead of covertly, and illegally, breaking into corporate
computer systems, Mitnick - through his Las Vegas-based company,
Mitnick Security Consulting - uses those same skills to protect
companies. "I get paid to do what they call ethical hacking," he
says. "Companies call me mostly to do security assessments, which
is when they want someone to evaluate their technical, physical,
and human-based security to find out if they have any holes in
their infrastructure that bad guys can break through."
The short answer is, yes, there are holes. "There has never been a
client who has hired us that we couldn't break," he says.
Once Mitnick and his colleagues find security lapses, they work
with companies to fix them - a process called "hardening" - and
train employees to thwart hackers. Mitnick insists that, although
it's commonly thought to be largely a technical issue, true company
security involves a variety of elements, people being the most
important. That's because social engineering, a fancy term for
manipulating people to get information, is so effective.
In some of his classes, which are held over two days, Mitnick
demonstrates how social engineering works by way of a little ploy
the night before the first session. Students in the class will get
a call at one a.m. in the hotel where they're staying from someone
claiming to be from the front desk. The person on the phone tells
the sleepy guest that his credit card didn't go through and that he
needs to come down and sort the matter out. Naturally, most people
don't want to do that. No problem. The front desk generously offers
to send someone right up to get new credit card information and a
signature. Just like that, an identity thief has all the
information he needs - a fact that class members are made aware of
when they're handed their own signature and credit card info the
next day in class.
In Mitnick's view, defending against social engineering - which
takes building both awareness and resistance to all of the common
scams - is every bit as important as installing the very best
technology; indeed, if an employee decides to use his own name as
a password to get into a company's computer system, or simply
writes it down and tapes it to his screen, there's not going to be
much protection. "If you have all the best technology in the world
but your users are giving out their authentication credentials, all
that money is wasted," says Mitnick.
Magical Mischief
It's hardly an exaggeration to say that Mitnick has been preparing
his whole life for the work he does now, albeit in a somewhat
unusual way. It all started with a fascination with magic. "On
weekends, I would just hang out at the magic store because I wanted
to learn how to do illusions, and I wanted to learn the secrets
about how they worked," says Mitnick, who spent his childhood in
various locales around Southern California.
As Mitnick got older, he became interested first in CB radio and
later in telephone systems. With telephones, he found a less
traditional but certainly effective way to perform magic. By
learning how telephone switching systems work, Mitnick pulled off
some pretty ingenious pranks: He rigged it so that whenever a
friend's family would pick up their home phone, it would ask them
to deposit 10 cents; later, he learned how to intercept calls
placed to
Rhode Island's directory assistance.
Mitnick was first introduced to computers when telephone companies
began using them as their front ends. It wasn't long before he
became a full-fledged hacker. To hear Mitnick describe it, computer
systems at big companies gave him the opportunity to be the
ultimate magician. "Houdini was the best at breaking out of jail
cells and handcuffs. I wanted to be the best at picking the lock,"
he says. The reason for his ventures into corporate operating
systems, Mitnick insists, was never personal enrichment; it was
just to get better at breaking in. "The goal was not to steal the
software to develop a competing company or to sell it or to use it
for profit. It was more of a cheat sheet for a game, to use it to
become better at getting in."
Law enforcement officials didn't see it so benignly, though, and
Mitnick was caught in 1988 and sent to prison for a year on a
computer-fraud charge. Prosecutors alleged that Mitnick could
somehow start a nuclear war by hacking into the NORAD computer
system and whistling into the phone - a charge Mitnick calls
laughable - so he wasn't allowed to use the prison telephone, and
he was placed in solitary confinement. After he was released,
Mitnick learned that the government was planning to charge him with
supervised-release violations, so he fled
.
Mitnick managed to elude his pursuers for three years. He moved
across the country - sometimes under the alias Eric Weiss, a
variation on Houdini's real name - and chose his new homes based on
Money's rankings of the best places to live. Eventually, he
was caught in
North Carolina, where he copped a plea deal and was
put back in prison for five years, from 1995 to 2000.
According to the U.S. Department of Justice, Mitnick admitted that
he broke into computer systems and stole proprietary software. As
part of his scheme, the Department of Justice said in its news
release announcing the plea deal, Mitnick acknowledged that he
tampered with college computer systems, stole e-mails, monitored
computer systems, and tried to obtain software by posing as a
company employee. The Department of Justice said the victims of
Mitnick's hacking lost millions of dollars in damages from lost
licensing fees, marketing delays, lost research and development,
and repairs made to compromised computer systems.
Government Payback
After his release from prison, Mitnick had few prospects - he
wasn't allowed to use a computer for three years - and no real
ideas of how he could make an honest living. Out of the blue, Joe
Lieberman, the Democratic senator from
Connecticut, and Fred
Thompson, then a Republican senator from
Tennessee, invited him to
testify before their committee on how to improve the government's
computer security. Though usually they are very dry, sober affairs,
Mitnick made his appearance before the Senate panel entertaining,
engaging in friendly and humorous exchanges with the senators.
People must have been watching C-SPAN that day. "People saw that
and said, 'Hey, I want this guy to speak.' And that's how I started
my career, thanks to the U.S. government," he says. Mitnick began
giving lectures all around the world and has since written two
books (
The Art of Intrusion and
The Art of Deception)
and become a much-sought-after security consultant. His checkered
background doesn't seem to deter employers. "If you think about it,
a guy like that has everything to lose. He's already under a
microscope, so if he does something stupid, he's done forever,"
says Connor Haggerty, controller for Food Industry Services, a
consortium of Midwestern grocery stores that hired Mitnick to do
some security work and give a speech.
Mitnick is looking forward to releasing his memoir in 2007,
something he hadn't been able to do before because one of the
conditions of his release from prison was that he not be allowed to
profit from his life story for seven years. And in case there's any
doubt whether Mitnick has fully joined the ranks of regular folks,
there is this: The great hacker himself had his identity stolen a
couple of years ago. "The only thing that went through my mind was,
'Why didn't they steal my identity 10 years ago?'?" he says. "That
would have been poetic."