Computer Crime Research Center


Reformed Hacker Looks Back

Date: August 23, 2008

There was a time when the name Kevin Mitnick represented everything that the world's chief security officers feared most: a reckless geek with the power to break any network in the world.

In the mid 1990s, Mitnick became the world's poster boy for the "hacker threat" when he was identified as the guy sneaking into and stealing code from networks including those belonging to Sun Microsystems (nasdaq: JAVA - news - people ), Motorola (nyse: MOT - news - people ), Novell (nasdaq: NOVL - news - people ) and Fujitsu (other-otc: FJTSY.PK - news - people ).

Prosecutors and journalists, including the New York Times' John Markoff, further aggrandized his cybercrime exploits, claiming he was a criminal hacker mastermind who had wiretapped the FBI to stay ahead of his pursuers, hacked into Pentagon computers and could launch nuclear weapons simply by whistling tones into a pay phone.

Mitnick wound up serving five years in prison--four before his conviction and eight months in solitary confinement. He got out in 2000. Now Mitnick, 45, has reinvented himself as a security consultant. In his second career, he performs the same cyber-intrusions he once used to steal data to suss out flaws in companies' defenses. That means Mitnick has to convince major corporations and even government agencies that he's a trustworthy professional--rather than a cyberpunk.

But Mitnick isn't hiding his hacker background. In fact, he says the notoriety of his criminal past has only boosted his business. And last month, at the HOPE hacker conference in New York, Mitnick announced that a lapsed statute of limitations will allow him to publish a book detailing his exploits as a cybercriminal and a fugitive. The book won't be ready for about a year but talked with Mitnick about telling all, the state of cybersecurity and why true hackers make the best security professionals. What can we expect in the book?

Kevin Mitnick: It's pretty much my autobiography, the story of my years as a hacker and a fugitive told from my point of view--starting out from my younger years in telephone phreaking when I was 11-years-old, to my arrest, to my post-arrest career as a security professional. There's going to be a lot of information revealed about hacks I pulled off. The statute of limitations has lifted on a lot of that stuff, so now I can talk about it publicly.

Can you give us a preview of the exploits you're going to recount in the book?

I'm trying to save that all for the book. What I can tell you is what won't be in the book--I won't be whining about my trial or my mistreatment by the government or [Mitnick-chronicling] John Markoff.

This book is going to be a kind of Catch Me if You Can in cyberspace. It's going to be what's real in my history and what isn't, what I did and how I did it and how I've since turned my life around.

What are some of the myths about Kevin Mitnick that just aren't true?

I never wiretapped the FBI, though I did wiretap an informant who was working with the FBI and chasing me for the bureau. Some other myths: that I hacked into the National Security Agency, that I hacked into NORAD.

And some things you did do?

Well, I compromised all the phone companies, essentially. Even when I was a kid I had the capability to disrupt the telephone systems for entire states.

I hacked into the systems of all the major software companies at the time: Digital Equipment, Sun Microsystems, IBM (nyse: IBM - news - people ), Silicon Graphics (nasdaq: SGIC - news - people ). Also most of the companies that made cellular phones at the time, like Nokia (nyse: NOK - news - people ), Motorola, Fujitsu.

What do you see as the biggest threats to cybersecurity today?

Cybersecurity used to be about the network or operating system. Now it's more at the application layer. Companies and their contractors build their own applications hosted on a public Web site, and the people who write them aren't trained in secure coding. The mistakes they make can be leveraged to break the system.

A report last month from the Identity Theft Resource Center showed that data theft by employees has more than doubled since the year before. Are insider data breaches a problem that can be solved?

I help my customers monitor what information is going into and coming out of their organization, to monitor where employees are going on the network and if someone is handling a lot of information they're not supposed to.

But if you have a legitimate employee with a clean record who accesses information in their normal course of duties, then how can you stop it? If someone really wants to steal from you, they're going to.
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo