Kevin Mitnick doesn't look like the kind of guy who could set off a nuclear missile just by whistling into a phone. But at one stage it was believed he might be capable of it.
So much so that the claim was successfully used to help keep him in solitary confinement for eight months during a five-year prison sentence he served in the late 1990s.
Arguably the most famous hacker the world has seen to date, Mitnick was in Dublin this week to perform a live hack at the BT Young Scientist Exhibition at the RDS.
“It’s impossible to ignore my past – it is a key part of who Kevin Mitnick is. But at the same time, I certainly don’t look at myself as though I was some type of super-sophisticated criminal who was trying to harm society,” he says.
“I may have pleaded guilty to felonies but in reality I was just a delinquent doing tons of misdemeanours.”
The 54-year-old, who these days seeks to stay on the right side of the law by working as a cybersecurity specialist, was just 13 when he started hacking into phone systems for fun. A few years later, though he was suspected of stealing valuable software and data from a number of companies such as IBM, Novell, Nokia . Mitnick quickly came to be was seen as such a threat to national security that the US department of justice described him as "the most wanted computer criminal in United States history".
Mitnick laughs as he recalls what happened after he was caught by the FBI in 1995 following a year-and-a-half-long pursuit. Having outwitted FBI agents to such a degree that he was able to wiretap the guys who were chasing him, they tried to throw the book at him – once they apprehended him.
Punished
There were many – both at the time and since – who felt that he was treated harshly. Mitnick himself says it was right that he should have been punished for his actions but adds that what he was doing at the time didn’t cause any real harm to anyone and wasn’t at that point illegal either.
“They didn’t know what to do [with me] was part of it. Maybe I pissed off the FBI so much by making them look so foolish that they decided to punish me by making my conditions as bad as possible. That’s one line of thought,” says Mitnick on what happened after he was apprehended.
“Another is that the federal judiciary was so naive that they really did believe I could launch nuclear weapons by whistling into a payphone, as was alleged. It is hard to believe anyone in their right mind would have believed that so I don’t know if the judge was stupid, or if the authorities simply wanted to throw the book at me to send a message out about what happens if you engage in the type of behaviour I was engaged in,” he adds.
Having been sentenced to five years after agreeing a plea bargain, the harsh treatment continued for Mitnick after he left prison with a ban on using any form of communications technology other than a landline telephone for a period.
Mitnick, who is from Los Angeles, says that when he started hacking, it wasn’t for the same reasons people do it now.
“The motivation for me was that it was fun and an intellectual challenge but for many hackers now it’s about fraud, espionage and so on. It has become a huge money-making venture.”
Magic
Mitnick says it was magic that led him into hacking. He loved fooling friends with tricks and when he was introduced to a fellow youngster who seemed to be able to do magic with phones, he wanted in.
That kid was into phone phreaking, an early form of hacking that involved individuals successfully tapping into telephone systems. Mitnick got into it as well and before long had progressed beyond the basics and was busy hacking into the early computer networks that companies were all adopting.
“It was all about pulling better pranks initially by doing stuff like changing a friend’s home phone so it would demand a payment each time their parent tried to make a call, that kind of thing. But then it got more serious where I started to want to understand how the technology worked. I then started targeting cell phone manufacturers and doing stuff like taking their source code offline so I could look at it. That’s when I got into a lot of trouble,” he says.
The New York Times once described Mitnick as someone who combined "technical wizardry with the ages-old guile of a grifter". The man himself prefers to describe his hacking techniques as social engineering tricks by which he could talk people into giving away critical information such as passwords.
As he makes clear, such tricks still lie at the heart of successful hacking attacks.
“Technology has changed but the tech itself doesn’t really matter. I mean it does to the extent that we have to practise our craft to be able to bypass current security methods, but the best hacks still rely on social engineering,” Mitnick says.
“I recently tested a big name client’s security systems and was able to get all their internal records in five minutes simply by finding out what cloud service they used for their human resources. The domain name hadn’t been registered so I did it and then set up a login page and called the company and convinced someone in there to enter their details. A lot of people still fall for these types of attacks. They are easy to do and really hard to defend,” he adds.
Live hacks
These days, Mitnick makes his living working as a penetration tester and security consultant, and also tours the world doing live hacks in front of audiences.
He still describes himself as a hacker and while he is usually seen as being a “white hat” one as he’s operating on the right side of the law, he has occasionally been accused of drifting over to the dark side.
Tech magazine Wired took him to task a few years ago, for instance, when it revealed he was involved in selling "zero-day" exploits: hacking tools that take advantage of software bugs for which no patch yet exists.
Mitnick defends his behaviour saying that he was very careful about who he did business with.
“We carefully controlled who we sold the bugs to and it was usually back to the vendors who were looking to see if they could be exploited security-wise. It certainly wasn’t a case of blackmail or anything like it and there was no dealing with any regimes,” he says.
Larger hacks
Given that most of us now live our lives through technology, it isn’t surprising to see that bigger hacks are taking place. Mitnick believes we haven’t seen anything yet however, citing how the recent Equifax breach, which exposed the personal information of 145 million Americans, was just the beginning in terms of attacks.
If there is one bright spot for the public, it may come from general data protection regulation (GDPR). The legislation, which comes into force in May, governs the privacy practices of any company handling EU citizens’ data, whether or not that company is located in the EU. There are potentially huge fines for firms that don’t abide by the new rules and Mitnick believes this will force organisations to take data protection seriously.
“With GDPR, companies really need to cover their butts otherwise it will cost them a lot of money so they have a financial interest to do something about it,” Mitnick says.
“But companies need to remember that it isn’t just about having good layered security to protect against hackers. They also need to train people not to fall for social engineering tricks.”