One of the most infamous hackers in cyberspace, turned security adviser, tells Edwin Smith that no technology is completely secure
Kevin Mitnick’s story is the classic tale of poacher turned gamekeeper – rewritten for the digital age.
A teenage fixation with “phone phreaking” – also an adolescent pursuit of Apple founders Steve Jobs and Steve Wozniak – developed from hacking telephone systems to computer networks that saw him use a combination of technical skills and “social engineering” to gain illegal access to information, systems and companies.
After being convicted of copying software from DEC’s network in 1988, the LA-born Mr Mitnick was sentenced to 12 months in prison, followed by three years of supervised release. However, during this time he hacked into the voicemail system of telecoms company Pacific Bell, an event that prompted the issue of a warrant for his arrest.
He became a fugitive and acquired notoriety as “the most wanted hacker in the world” before eventually being tracked down after two-and-a-half years on the run. He was again convicted of hacking-related crimes and served five more years’ prison.
But since his release in 2000, he’s gone straight and, as well as talking at cyber security conferences all over the world, now uses his expertise to help Fortune 500 companies protect themselves from security threats.
In more than a decade, he says, there has been no company that has stood up to the rigours of his “penetration testing”. There are some isolated pieces of code that, on their own, remain secure. But when granted permission by a client to use social engineering methods, such as researching employees through LinkedIn, before posing as a trusted organisation and encouraging them to click on a link or open a file, he has a 100 per cent success rate.
“It’s much easier to break a system than it is to protect it,” he says, speaking over the phone from San Francisco. “Don’t forget that as an attacker I only have to find one person and convince them to make a bad decision. The larger the company, the more facilities they have and so the easier it is.”
The best thing businesses can do is mitigate the risk so the bad guys will go after another target
Mr Mitnick describes social engineering as a “timeless art”, whereas the technical element of the process, hacking, is constantly becoming more sophisticated. “Vulnerabilities are identified, patched and fixed, then more are discovered. It’s a cycle that will continue until new technology or a trusted operating system comes along that could break that cycle,” he says.
One of the most sophisticated and notorious hacks in recent times has been Stuxnet, a virus widely thought to have been the manifestation of an attack by the US and Israeli governments on the Iranian nuclear programme.
The malware, which was discovered in 2010, was designed to spread through Microsoft Windows before targeting only Siemens industrial control systems, the type of systems that were used to regulate centrifuges at the Natanz uranium enrichment facility at the time.
The worm made adjustments to the operating programmes of the centrifuges, while simultaneously replaying recorded system values that gave the impression they were functioning as normal.
So, is this type of activity – cyber warfare enacted by governments – a good example of state-of-the-art, sophisticated hacking techniques? It’s quite sophisticated,” says Mr Mitnick. “It bypassed all the anti-virus software; it was military-precision malware. But I’m kind of surprised they got caught, that they allowed the code or the malware to venture out into the wild where people were able to pick it up as something malicious and analyse it to find out what happened.
“I’m sure it’s the tip of the iceberg; I’m sure there is malicious software, which has been developed by nation states, that we don’t know about – that we haven’t discovered.”
It makes sense, then, that the Stuxnet hack, which Mr Mitnick views as the most sophisticated to have become widely known, is one that was always designed to become public. “Edward Snowden had clearance,” he says. “But getting four hard drives of information out of the NSA [US National Security Agency] without any help or being noticed shows he really understood the logging.”
When asked about Wikileaks founder Julian Assange’s recently published comments that Snowden was the ninth best hacker in the world, while Assange himself was the third, Mr Mitnick is politely dismissive: “[Assange] is so busy with Wikileaks, I doubt he is still practised at getting into companies like I do.”
In leaked extracts of his upcoming book, Google’s executive chairman Eric Schmidt describes China as the most “sophisticated and prolific” hacker of foreign companies. But Mr Mitnick, again, isn’t impressed by the claim, pointing out that it would be difficult for Mr Schmidt to have the first-hand knowledge needed to establish this.
Mr Mitnick does say, however, that any major nation would have the means to compromise the security of a company such as Google. “If I’m the Chinese government and I want to hack into Google, do you know how I would do it?” he asks. “I would have a sleeper agent at Stanford [University] and just have them get a job at Google [after graduation]. Easy.”
But for most companies it’s criminals, not governments, that are the main threat to cyber security. Organised crime outfits have considerable budgets, Mr Mitnick says, but they are unlikely to invest in paying talented hackers unless there is a significant return on investment.
“There’s no silver bullet,” he says. “The best thing businesses can do is mitigate the risk so the bad guys will go after another target. You do not want to be the low-hanging fruit. You want to make yourself a hard target, build protection and have the ability to detect when hackers have compromised your network so you can do damage control.”
He adds: “No tech in the world can protect you 100 per cent.”
But perhaps, one day, that could change. Mr Mitnick is loath to make predictions about the future of hacking and cyber security beyond its constant evolution. But, when pushed, he does offer something.
“Maybe there will be a different internet created,” he says, “one for more secure communications that would make stuff hard to steal, with new protocols, a new network. It would basically be ‘internet number two’, to solve all the problems of internet number one.
“Maybe that’s what’s on the horizon: a new internet for commerce and finance that’s not really susceptible to the same type of attacks that have developed in the wild, wild West.”
It’s an intriguing thought, certainly. But it’s obvious why Mr Mitnick would be reluctant to discuss it; it might just mean he’d have to retire.