Kevin Mitnick on hacking's evolution
Reformed criminal takes the measure of today's hackers and the current state of software security. Photos: Mitnick on the job
Today, Mitnick is a computer security consultant and has written two books, including one on social engineering, his forte. He is a celebrity, especially at events such as the annual Defcon gathering of hackers in Las Vegas, where attendees ask him to sign their badges.
Mitnick spends much of his time on the road at speaking engagements. CNET News.com caught up with Mitnick after a gig at a San Francisco user event for SupportSoft, a maker of call center software, and talked to him about software security, the evolution of hacking and social engineering, and law enforcement's action against hacking.
What do you think of the state of software security these days? Is it getting better?
Mitnick: Software is always going to have bugs because there are human beings behind it doing the development. Hopefully,
Do you believe that the state of software security is better today than five or 10 years ago?
Mitnick: No, though it depends on what software you are talking about and what the company has done. I can't make one statement for the whole industry. Take Microsoft, for example. I think their current code base is more secure than Windows NT was.
Would you say Microsoft is a leader and the rest of the industry is still catching up to that?
Mitnick: It is whatever the market demands--and Microsoft is up there, front and center, because they have such a broad user base. Maybe you can call them a leader, but I am sure there are other companies who are taking security seriously. I am waiting for a case where a software maker gets sued for releasing buggy code, but they will probably cover their ass with the long license agreements that nobody ever reads.
We've been talking about weaknesses in technology, not weaknesses in humans, which can also be a threat. You're one of the social engineering gurus. Do you see it evolving?
Mitnick: They are always coming up with new scams. A year ago it was Nigerian scams. Now callers purport to be from the MasterCard or Visa fraud department, calling you to try to trick you into revealing your CVV (Cardholder Verification Value) number on the back of your card. The human mind is very innovative and the attacker will build trust and confidence to gain cooperation.
Are the social engineers or the people who do such attacks becoming more criminal, like computer hackers are becoming more criminal?
Mitnick: You can have a teenage kid who is using social engineering to get into his friend's AOL screen name or you can have a military spy using it to try to break in somewhere, and everyone else in between. Social engineering is simply a tool used to gain access.
Do you see a difference between social engineers today and when you were doing it?
Mitnick: When I got started, when I learned about social engineering, it was during the phone phreaking era, the predecessor to the hacking era. That was more about calling different departments at phone companies to gain an understanding of their processes and procedures and then being able to pretend to be somebody at the phone company and having somebody do something for you.
Social engineering happens quite frequently now. It happened with Network Solutions, it happened with Paris Hilton. These are the attacks you hear about. There are many social engineering attacks you never hear about because they are not detected or because the person who was attacked doesn't want to admit it.
It is growing because security technologies are getting more resilient. There are better technologies to protect information assets and the attacker is going to go after the weaker link in the security chain. Social engineering is always going to be here. The more difficult it is to exploit the technology, the easier it becomes to go after people.
If you look at the folks who attack vulnerabilities in technology today and compare that to when you were first starting out, what trends do you see?
Mitnick: Back then, a lot of the holes in technology were not readily available and published like they are today on the Internet. Nowadays anybody with a browser could pretty much purchase commercial hacking tools like Canvas or go to a Web site where a lot of exploits are readily available. Ten years ago, if you were hacking you had to develop your own scripts. Today is like a point-and-click hacking world. You don't have to know how the engine is working, you just know to get in the car and drive. It is easier.
What would you say is the single biggest threat out there?
Mitnick: It is pretty much a blended threat. I think social engineering is really significant because there is no technology to prevent it. Companies normally don't raise awareness about this issue to each and every employee. It is at the end of the priority list in the security budget.
There will continue to be software vulnerabilities. In a lot of companies that I tested, if you are able to breach a perimeter machine, like an FTP server, mail server or DNS server, a lot of times you find those computers are not in the DMZ (De-Militarized Zone, a separate security area). Instead, they are on an internal network and the network is flat. So if you are able to compromise one, it is quite easy to spread access to other systems. Often times they even use the same passwords. Bottom line: More companies have to think of a defense-in-depth strategy, rather than just protecting the perimeter.
Over the past years we have seen a couple of arrests of virus writers, bot herders and others. Everybody knows you were arrested as well. Is law enforcement advancing? Are they doing the right thing and catching the right people, or are a lot still going free?
Mitnick: I am sure there are a lot of people doing this they don't catch. Wireless networks are ubiquitous. It is very difficult for law enforcement if somebody goes and takes a laptop and changes their media access control address so you can't identify the machine. If you're out in a car or van or sitting in a restaurant next to a wireless access point and don't use the same access point all the time, it could be extremely difficult to track you.
So there is a big challenge for law enforcement. Do you think they are doing a good job, or could they do better?
Mitnick: I don't know. We need stats for that. We need metrics on how many criminals they are apprehending. It is a guess that they are getting better, because they are getting help from the private sector. They are probably better than they were 10 years ago, but I don't know their capabilities. I know their strengths are in forensics. So if they seize a computer of somebody thought to possess child pornography, they use Encase and can recover that contraband. That's what they are good at. In doing hacker investigations--I really don't know their capabilities.
So what about when it comes to virus writers, bot herders, phishers?
Mitnick: With virus writers, I don't believe the FBI is technically doing the analysis. They just farm it out to a Microsoft, Symantec or McAfee because it is easier. These companies are not going to turn down law enforcement because they are doing a public service.
Do you believe that more of these criminals should be caught?
Mitnick: They should try. But the bottom line is that there is so much hacking going on that they have to set a dollar limit. Unless there is a fraud or a loss that equals $50,000--maybe $100,000--they are not going to investigate. Small criminals knowing this can always stay under this threshold. That's at the federal level. Then there are states, which might have a different monetary threshold, but their competency is probably less than the feds.
Do you think if you were doing today what you did 10 years ago, would you be caught sooner?
Mitnick: If I knew what I know now and I could use what I know now back then, no. But if they had the technology that exists today, and I was doing the exact thing I was doing, yes. Law enforcement's capabilities for tracking communications are much greater than years ago.