Computer Crime Research Center


Kevin Mitnick and the art of intrusion - Part 1

Date: March 25, 2005
By: Tim Phillips

Following the launch of his new book, reformed hacker Kevin Mitnick spoke about his work as a security consultant.

Between 1995 and 2000, Kevin Mitnick was in federal prison in the US for his hacking exploits. It was a career that made the front page of newspapers across the globe, and frightened the US authorities so much that he was denied the use even of a telephone while he was behind bars, in case he somehow compromised national security.

Now free, Mitnick is reformed: he has a busy career as co-founder of Defensive Thinking, a consultancy that helps companies test and improve their security, has published books, and has even spent time as a radio-show host in Los Angeles.

When he was released, Mitnick wasn't even allowed to use a computer. Today the only restriction the US government still places on him is a ban on profiting from his own story until January 2007.

In the meantime, Mitnick and his co-author William Simon have kept busy by compiling The Art of Intrusion (Wiley Publishing), a compilation of real hacking stories told to Mitnick by fellow hackers.

In the week that the book is published in the UK, we caught up with Mitnick in Milan, where he was speaking to a group of chief information officers on computer security.

While the stories in The Art of Intrusion have not been told before, is there really anything new in the hacking world?

The book is really for a general business audience. What I wanted to show is how attackers are working today, the most common attack points, what their objectives are and how they cover their tracks.

Is there some new form of attack? No. Computer security used to be war dialling, now it's war driving. It used to be dialling numbers and trying to find modems. It's just the same today but different: you go and find wireless networks. Everything is the same, it doesn't really change.

Do you have favourite stories in the book?

The Vegas hack [where a group of hackers built a device to predict the outcome of video poker machines]. It's an attention-getter, even though it didn't offer much technical 'take-back-to-the-office-and-implement-now'.

I like the ingenuity of the hackers compared to the gullibility of the people who are supposed to be in the know. In the Texas hack [where two prisoners gained access to the jail's computers to teach themselves networking and pass the time], it was just interesting that these guys set up a whole internet network under the eyes of the authorities.

They had the capability to pull off a lot of frauds, but chose to take this experience and use it in a positive way when they got out. Both these guys now have careers in the computer business and are clean. It's kind of a success story.

How do you know that the stories in your book are true? If you're a hacker, it would be quite a coup to fool Kevin Mitnick.

A lot of stories we rejected because we couldn't do the fact-checking properly. It's extremely difficult in the hacking world to do fact-checking because anybody could falsify logs.

I say 'provide the logs' and they go into Notepad and make them. There could be a story in there that is totally false - it's possible - but I used my gut instinct and re-questioned people. It is possible that I was conned, but I did the best due diligence that I could possibly do to try to verify the authenticity of the stories.

You change the names in the book and don't identify the targets, so some readers are going to be sceptical.

In one story in the book, the two guys are security professionals today. When they took me aside and told me the story, I said: 'How many years ago is this?' because I didn't want any dates. And they said: 'Oh no, this is recent.'

I'm like 'Huh? Are you nuts? Especially for telling me.' Even though they trust me, it's a big leap of faith to admit to criminal activity. They could be in serious jeopardy if anyone finds out what they did.

Do the stories of incompetence that the hackers report match your experience?

My girlfriend started at this Fortune 50 construction company and they issued passwords and the last four digits were the last four numbers of your social security number.

What was strange was that you couldn't change them, and they always wanted someone else in your group to have your password in case you got sick and they wanted to get to your email or your Lotus Notes.

This is how businesses really operate, because on the inside they're thinking about their core competency: making money. Everything becomes about uptime; using the computing resources to get the job done. That's what is high priority, not thinking about security.

In the book, easy-to-guess passwords are often the point of entry for hackers.

Password management at a lot of my clients doesn't seem to be adequate. When users change complex passwords they write them down, and people store passwords in their email all the time.

When I did this penetration test recently, and got admin rights, I simply searched for passwords in all the documents. I found that the IT department had an Excel spreadsheet that even had the combinations to their safes, because when people are putting in information they think: 'Can someone get to this later?'

Almost every company I assess keeps plain-text passwords stored in a file somewhere. What does a hacker do? Goes right to the system admins, to the IT department, right to those people's directories, looks at their bash history, and you have SQL passwords in there.
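The credential hunt Mitnick describes above, searching administrators' files and shell history for stored passwords, as an added example that is not part of the interview or of Mitnick's own tooling. The directory layout, file names, keyword patterns and the sample history and note files are all constructed here as assumptions; a real engagement would point `scan_creds` at the home directories and shared folders of the IT department.

```sh
#!/bin/sh
# Added example (not from the interview): hunt for plaintext credentials in
# home directories, shell history and notes files once you have read access.
# File-name list and regex are assumptions chosen for this demonstration.

# scan_creds DIR
# Prints "file:line:text" for every line that looks like a stored secret.
scan_creds() {
    dir="$1"
    # Files an attacker checks first: shell/SQL history, text or spreadsheet
    # exports, configuration files and environment files.
    find "$dir" -type f \( -name '.bash_history' -o -name '.mysql_history' \
        -o -name '.env' -o -name '*.txt' -o -name '*.csv' -o -name '*.conf' \
        -o -name '*.ini' -o -name '*.sh' \) 2>/dev/null |
    while read -r f; do
        # Two shapes of leak: "password = x" style assignments in notes and
        # configs, and passwords passed on the command line (recorded in
        # history), e.g. "mysql -u root -pSecret" or "sshpass -p Secret".
        # "|| :" keeps the loop running under "set -e" when a file is clean.
        grep -H -n -i -E \
            '(passw(or)?d|pwd|secret|api[_-]?key|combination)[[:space:]]*[:=][[:space:]]*[^[:space:]]+|mysql[^|]* -p[^[:space:]]+|sshpass -p' \
            "$f" || :
    done
}

# count_creds DIR -> number of suspicious lines found under DIR
count_creds() {
    scan_creds "$1" | wc -l | tr -d ' '
}

# make_sample -> path of a constructed directory tree to scan.
# Everything below is made up for the example; nothing is real data.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/dba" "$d/home/itdept" "$d/home/clerk"
    # Constructed history: the DBA typed the SQL password on the command line.
    printf '%s\n' 'cd /var/log' 'mysql -u root -pS3cr3t! appdb' 'ls -la' \
        > "$d/home/dba/.bash_history"
    # Constructed IT-department notes file of the kind the interview describes.
    printf '%s\n' 'vpn password = hunter2' \
        'server room safe combination: 12-34-56' \
        > "$d/home/itdept/passwords.txt"
    # A clean file, to show the scan does not flag ordinary text.
    printf '%s\n' 'Meeting notes: discuss budget' > "$d/home/clerk/notes.txt"
    echo "$d"
}

# Usage:
#   d=$(make_sample); scan_creds "$d"; rm -rf "$d"
# Expected: three hits (the mysql line in .bash_history and both lines of
# passwords.txt); notes.txt is not reported.
```

The point of the regex is not completeness but priority: history files and "password" notes in administrators' directories are where a single search turns admin access into database and VPN credentials, which is exactly why those directories need the same access controls as the systems the passwords unlock.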

By now, you would assume that CIOs would be taking notice of the flaws you point out.

I recently did a security assessment. I'd done it last year, compiled a report, and the same company hired me this year because it had to comply with Sarbanes-Oxley. They gave me permission to start at 5pm and I had complete access over their entire domain with administrator rights in three hours, and they freaked.

The shame on them was that I used the same way to get in as I did the previous year, and they hadn't listened to my advice. A lot of these companies are not really concerned about shoring up their defences. They are satisfying regulations or auditing. If I were in their position I'd actually want to hire a consulting firm to do the fixes as well.

Do you find the same basic errors when you hack?

To really have a meaningful security policy, you have to have the processes set up: you have to train the people, and you need to have all these components. People spend a lot of money buying firewalls and intrusion detection systems. They install them and think they are going to self-manage, so they don't even configure them properly. And even in businesses where I find they have configured them properly, they don't take the time to read the activity log.

In another company, I identified that all their router passwords were a simple dictionary word. And when you have control over the routers, you can take down a whole company. Usually system administrators use one password across all systems. They are lazy.

What advice would you give to a system administrator who wants to improve security today?

Think about wireless, if they deploy wireless networks. And don't forget the physical security. In the book, there's a story of how a hacker walked right into a conference room and simply plugged in a wireless access point.

Also, don't have a false sense of security and just protect the perimeter. Like the bank I just assessed when I was penetration testing, the whole network was 'flat', which means all I had to do was to get into one machine. Then for all the other computers on the network, I could talk to every port.

Also use the technology - firewalls and intrusion detection systems - something like a tripwire: think about detection as well as protection.

Copyright © 2001-2013 Computer Crime Research Center