Mitnick: Leaving the Dark Side

By eweek  |  Posted 2003-02-26

Mitnick: Leaving the Dark Side

After serving 60 months in federal prison and an additional three years on probation following his conviction on wire fraud and other charges, notorious hacker Kevin Mitnick is now back online and back in business. Only this time Mitnick says hes trying to stop hackers. Hes founded a security consulting company, Defensive Thinking Inc., in Los Angeles, that he says is focused on providing security awareness training and vulnerability assessments to enterprises and government agencies. Recently, eWEEK Executive Managing Editor Jeff Moad spoke with Mitnick about where hes been and where hes going.

eWEEK: How have enterprises taken to the idea of hiring Kevin Mitnick as a security consultant?

Mitnick: For the people who hired me, it hasnt been an issue. The question is how many companies havent hired me or contacted Defensive Thinking based on my past. … I believe its 50-50. … Some people have taken the position that if you were involved in hacking in the past we wouldnt hire you. Other people have taken the position that maybe this guy would be good to go with because he brings a lot of skills to the table, and hes put his past behind him, and hes doing good things now.

It really comes down to an assessment of risk. If a company hires Defensive Thinking to do training, there is no risk because we are basically the messenger providing very valuable information that companies could use to protect their information assets. [On the vulnerability assessments] it depends on the scope. If your vulnerability assessment is from the external side or from the point of view of the client not giving any information to us, there is no risk because theyre not giving us the keys to the kingdom. If we go inside the organization and do a vulnerability assessment … or we look at business processes and procedures, theres some risk.

But, at least in my background—and my background has been pretty well published—Ive never done anything to steal money, to profit or to intentionally cause harm. What my transgressions were—which Im sorry for—was I accessed many different large companies in an effort to look at source code to become better adept at circumventing security. My goal was to be the best at circumventing security, and I used socially unacceptable methods to gain access to this information, which was illegal. I think people who have knowledge of the true facts of my case are in a much better position to assess what risk I pose to them … rather than a lot of the media hyperbole about Kevin Mitnick. …

Another thing is that Im going to be running the company from a management point of view, so as we get more capital and more revenue coming into the organization, Ill be hiring a team of people who do the work anyway.

eWEEK: So far have you been doing more training-focused work or more internal vulnerability assessment work?

Mitnick: Dont forget that my supervised release [from prison] had expired on Jan. 21, so most of the stuff that Ive been involved is more training and external vulnerability assessments. We havent had a client come on board and say, Hey, we want you to look at our entire enterprise as an attacker would. Of course I offer that. But, to be honest, a lot of our clients want a one-time … test to satisfy an auditor. Its not like theyre very concerned to use a vulnerability assessment process. Its mostly to satisfy auditors or to get management buy-in to get a security budget. … But what I encourage all of my clients to do is to use our service on a recurring basis. Or, if you dont want to go with us, at least go with somebody else because security assessments are kind of like health assessments. If youre experiencing chest pain, you might go get the EKG that day. And your EKG is fine. But tomorrow you can have a heart attack.

Page Two

eWEEK: Now that youve been back online, whats your sense of whats changed in terms of how enterprises are dealing with security? Are they more or less savvy?

Mitnick: Savvy? I would think so because security technologies have advanced tremendously since 1995. Back in those days, the Internet was just starting to become commercial. In fact, when I was last using the Internet … years ago, there was no e-commerce. It was just sharing information. The world has completely changed to where companies are doing business on the Internet and rely on the Internet to not only sell their services and products to clients and to connect with business partners and suppliers … I think that more organizations are taking a proactive approach and treating information security like insurance, and they are investing some budget to managing their vulnerabilities.

But I also see enterprises using crisis management as a tool. So that, when something bad happens, they are concerned about their security. But I think security today is more proactive than it was back in 1995.

eWEEK: But perhaps across the board not as proactive as it should be?

Mitnick: Unfortunately, some organizations dont see return on investing [in security], and they look at security as a liability. I believe that many businesses in the private sector and many government agencies have to take a hard look at the harm that could be caused if they suffer a security incident.

eWEEK: Shouldnt that be self-evident given the steady stream of attacks we continue to see? What will it take for more enterprises to take a proactive approach to security?

Mitnick: The sad thing is [that it will probably take] being attacked and to suffer some humiliation and some damage. Then theyre forced to act, or theyre educated as to what the threat is out there, that the threats are changing on a daily basis, and that security is really analogous to insurance. And, once companies buy into that idea, companies are more likely to treat security seriously.

eWEEK: In your time as a hacker, you took advantage of a lack of education in order to engage in social engineering. Whats the most common source of vulnerability youre seeing today?

Mitnick: Education. And I believe unpatched systems and misconfigured systems are obviously the greatest vulnerabilities out there. And the people. … As a previous attacker, I used to analyze the target from all sides: their physical security, their host, their network security and their people, and look for the quickest way that was the least costly and the least amount of risk to me. And, unfortunately, a lot of enterprises believe that buying a firewall or an [intrusion detection system] is all they need to do. And theyre lulled into a false sense of security. You really have to look at securing the enterprise from the perspective of how the bad guys are going to break in. What vulnerabilities, what access points exist and where the most critical, sensitive and valuable information assets reside, and really focus on those issues.

eWEEK: Since you were in it, do you think the nature of hacking has changed from exploration to something more sinister?

Mitnick: I consider hacking a skill set. And people from all walks of life use the skill set to advance their own personal agendas. In todays world you have [everything from] benign hacking to very serious criminal activity. From the kid down the street who wants to hack into their neighbors cable or wireless network just for the fun of it to people like Robert Hanssen, who was actually looking at internal government intelligence systems like at the FBI to see if they were doing any countersurveillance when he was spying against the United States.

eWEEK: In your own history, the government obviously wanted to make an example of you, which is why they want after you in the way they did. Do you think that example dissuaded anyone else from hacking?

Mitnick: Look at how hacking has grown today. Go to CERT and you can see the trend, and its rising upward. Unfortunately, the government is treating hacking like terrorism, and theyre trying to impose these ridiculous penalties for what I consider a serious crime. But its being taken out of context. … There have been changes to the federal statute to allow life imprisonment for anybody who uses a computer to recklessly or intentionally cause serious injury or death. Life without the possibility of parole. But if anyone takes their car out on the freeway and recklessly, negligently or intentionally seriously injuries somebody or kills them, how come they dont get the same penalty? Why is using a computer so much more serious?

Read more security stories:

Search for more stories by Jeff Moad.
Find white papers on security.

Rocket Fuel