For Kevin Mitnick, hacking started out as a way to play pranks on friends, but it transformed the course of his life.
Kevin Mitnick is probably one of the most well-known figures in the world of cybersecurity. He rose to fame when he was arrested in 1995 for offences including breaking into the networks of major firms such as Nokia, Motorola and IBM, among others.
While his time on the run from authorities was high-stakes, Mitnick originally became interested in computers due to his curious nature and need to figure out how things worked. It didn’t hurt that he was also very mischievous with a penchant for magic tricks.
“Back when I was a young kid, I was fascinated with magic and I met another kid in high school who could do magic with the phone system – it was called phone phreaking.”
A natural curiosity
Mitnick soon realised he would need to gain more expertise as technology advanced. “To be a better prankster, I would need to get better access to the phone company’s networks, and they were moving from electromechanical switching to electronic switching controlled by front-end computers, so I started my foray into hacking by hacking the phone company.”
His curiosity and sense of adventure saw him taking a computer class in school, and, despite missing a number of prerequisites, he impressed the teacher with his existing skills. “He gave the first assignment, which was to write a Fortran program to find the first 100 Fibonacci numbers. I thought that was quite boring, not interesting, so instead I wrote a program to steal the teacher’s password.”
The teacher’s reaction to this was awe rather than annoyance, which Mitnick said only incentivised him to push boundaries. “He gave me a bunch of ‘attaboys’ and patted me on the back, so this was the ethics taught to young Kevin Mitnick, that it’s cool to hack.”
Mitnick’s past catches up with him
His interest grew over the ensuing years and, while his intrigue was never about profit or harm, it landed him in hot water in the 1990s. “The government was chasing me for hacking a bunch of cellphone companies because I was fascinated with how the cellphone worked.
“I wanted to understand how it worked; made a stupid and regrettable decision to hack into these cellular manufacturers like Nokia, Motorola, and get the source code to the firmware on the chip inside, so I could study and understand how it worked.”
Eventually, it did start to become more of a trophy-hunting mission, Mitnick admitted. “I got a mobile magazine and I just went down the list of different cell phone manufacturers that existed back in the day, and hacked all of them as a trophy.”
From black hat to white
Mitnick served five years in prison and was released in 2000. Little did he know, he would end up working with the very people he had been on the run from all those years previous. “I was released from custody and senators Joseph Lieberman and Fred Thompson invited me to Congress to testify on how the federal government could better protect their computer systems.
“I never thought that would be, kind of, the jump-start to a career in security consulting but, naturally, I fell into it because the difference between black hat hacking and ethical hacking is simply authorisation from the client. Plus, I never had the motivation to make money or to harm anybody.
“When I started this, it was all about the ‘pranksterism’ and the knowledge so, naturally, when ethical hacking started to exist and companies started to use ethical hackers to test their security controls, I fell into that like Pablo Escobar becoming a pharmacist.”
The most common dangers are the simplest
In terms of modern cybersecurity, Mitnick said the most common vulnerabilities companies deal with are the simplest. “When we’re doing security testing, we’re focused on external/internal network, wireless web application, social engineering – not these fancy attacks that I think are super-cool.”
Major mistakes he sees companies making in his work as a security consultant include leaving cloud servers unsecured or having web apps that can access a back-end sequel database.
“Companies are making these configuration errors, not updating. There are a lot of companies that are still vulnerable to internal old bugs because they are using legacy technology,” Mitnick noted.
One factor that is still as important as it was in Mitnick’s early days is social engineering or, as he described it, “the human factor”. The attacker has to get the victim to comply with a request and once they do, it has to be able to pass their endpoint security controls and other layered defences.
He noted that in the 20 years he has been in the industry as a consultant, he has “never not been able to compromise a company using this tradecraft, not once”.