Mitnick: Leaving the Dark Side

Interview: Now that Kevin Mitnick is back online, the notorious hacker speaks out about his security consulting business and the state of enterprise security.

After serving 60 months in federal prison and an additional three years on probation following his conviction on wire fraud and other charges, notorious hacker Kevin Mitnick is now back online and back in business. Only this time Mitnick says he's trying to stop hackers. He's founded a security consulting company, Defensive Thinking Inc., in Los Angeles, that he says is focused on providing security awareness training and vulnerability assessments to enterprises and government agencies. Recently, eWEEK Executive Managing Editor Jeff Moad spoke with Mitnick about where he's been and where he's going.

eWEEK: How have enterprises taken to the idea of hiring Kevin Mitnick as a security consultant?

Mitnick: For the people who hired me, it hasn't been an issue. The question is how many companies haven't hired me or contacted Defensive Thinking based on my past. … I believe it's 50-50. … Some people have taken the position that if you were involved in hacking in the past we wouldn't hire you. Other people have taken the position that maybe this guy would be good to go with because he brings a lot of skills to the table, and he's put his past behind him, and he's doing good things now.

It really comes down to an assessment of risk. If a company hires Defensive Thinking to do training, there is no risk because we are basically the messenger providing very valuable information that companies could use to protect their information assets. [On the vulnerability assessments] it depends on the scope. If your vulnerability assessment is from the external side or from the point of view of the client not giving any information to us, there is no risk because they're not giving us the keys to the kingdom. If we go inside the organization and do a vulnerability assessment … or we look at business processes and procedures, there's some risk.

But, at least in my background—and my background has been pretty well published—I've never done anything to steal money, to profit or to intentionally cause harm. What my transgressions were—which I'm sorry for—was I accessed many different large companies in an effort to look at source code to become better adept at circumventing security. My goal was to be the best at circumventing security, and I used socially unacceptable methods to gain access to this information, which was illegal. I think people who have knowledge of the true facts of my case are in a much better position to assess what risk I pose to them … rather than a lot of the media hyperbole about Kevin Mitnick. …

Another thing is that I'm going to be running the company from a management point of view, so as we get more capital and more revenue coming into the organization, I'll be hiring a team of people who do the work anyway.

eWEEK: So far have you been doing more training-focused work or more internal vulnerability assessment work?

Mitnick: Don't forget that my supervised release [from prison] had expired on Jan. 21, so most of the stuff that I've been involved in is more training and external vulnerability assessments. We haven't had a client come on board and say, "Hey, we want you to look at our entire enterprise as an attacker would." Of course I offer that. But, to be honest, a lot of our clients want a one-time … test to satisfy an auditor. It's not like they're very concerned to use a vulnerability assessment process. It's mostly to satisfy auditors or to get management buy-in to get a security budget. … But what I encourage all of my clients to do is to use our service on a recurring basis. Or, if you don't want to go with us, at least go with somebody else because security assessments are kind of like health assessments. If you're experiencing chest pain, you might go get the EKG that day. And your EKG is fine. But tomorrow you can have a heart attack.