Information Security News mailing list archives

Mitnick Warns Other 'Scapegoats'


From: InfoSec News <isn () c4i org>
Date: Tue, 9 Oct 2001 06:23:21 -0500 (CDT)

http://www.wired.com/news/print/0,1294,47354,00.html

By Michelle Delio 
2:00 a.m. Oct. 8, 2001 PDT 

The world's most notorious hacker says the government should focus on
securing its computer systems rather than snooping on citizens.

Kevin Mitnick, who spent four-and-a-half years behind bars for
breaking into the computer systems of telephone companies, stresses
that hackers should take extreme care these days given the sensitive
political environment and the new laws defining many hacks as acts of
terrorism.

He also warned that any hacker could win the "scapegoat sweepstakes"
at any time, receiving a harsh sentence to serve as an example to
other hackers.

Mitnick, who has testified before a Senate committee on the dangers of
politically motivated hack attacks, thinks cyber terrorism is a
credible -- but not particularly critical -- threat that could be
headed off by strengthening security at government agencies and
private corporations.

He firmly believes the newly proposed Patriot Act is just an excuse
for law enforcement to further its own agenda.

The act, approved on Wednesday by the House Judiciary Committee and
slated for a full vote this week, gives wide-ranging surveillance
powers to the police, including extensive scrutiny of electronic
communications.

"The Patriot Act is ludicrous," Mitnick said. "Terrorists have proved
that they are interested in total genocide, not subtle little hacks of
the U.S. infrastructure, yet the government wants a blank search
warrant to spy and snoop on everyone's communications."

If anyone has a right to what some might see as paranoia, Mitnick
would be that man. He's been portrayed in newspapers, books and movies
as the all-powerful evil programmer, a brilliant hacker able to launch
a nuclear war with a mere whistle into a cell phone, able to bring
down government computer systems on a whim.

For the record, Mitnick denies many of the crimes that have been
credited to him and said the government and the mainstream media
created the myth of Mitnick for their own profit.

"I am not innocent but I certainly didn't do most of what I was
accused of," he said. "Basically, I won the scapegoat sweepstakes."

Mitnick agreed to be interviewed as part of the publicity for his role
in an episode of a new ABC spy drama, Alias, in which Mitnick plays a
CIA computer expert. Mitnick's episode, "Doppelganger," is scheduled
to air Sunday, Oct. 28.

Arrested in February 1995 for hacking into the computer networks of
communications providers such as Digital Equipment, Pacific Bell, Bell
Atlantic and Internet service provider The Well, Mitnick was held
without bail for four and a half years.

He served eight months of that time in solitary confinement as
authorities apparently feared he could still manage to hack into some
device and cause the end of the world. He pleaded guilty to entering
computer systems without authorization, served another eight months,
and was released in January 2000.

Mitnick is banned, until January 2003, from using computers, acting as
a technical consultant, or writing about computers without permission
from his probation officer. Mitnick recently was given permission to
carry a cell phone so that he could be in touch with family during his
father's terminal illness.

Mitnick was allowed to keep the phone after his father died five
months ago but believes it's so authorities can keep track of him.

Mitnick testified before the Senate Governmental Affairs Committee in
Washington on March 2 and outlined a comprehensive plan that would
secure computer systems against most hack attacks.

He believes that the government should be hardening its systems now,
although he's not totally convinced that cyber terrorism is the worst
threat.

"Yes, a coordinated team of hackers could take down the communications
systems, the power system, perhaps the financial markets," he said.
"But all of those systems would be back online pretty quickly; you
can't really knock them out for an extended period. You could use
those outages as a decoy though, to draw attention from what you are
really planning."

But he believes that increased surveillance powers aren't going to
help win the war against terrorism and he thinks the government knows
it.

"The government does things like insisting that all encryption
programs should have a back door. But surely no one is stupid enough
to think the terrorists are going to use encryption systems with a
backdoor. The terrorists will simply hire a programmer to come up with
a secure encryption scheme."

Mitnick defines a hacker as someone who has a passion for technology,
someone who is possessed by a desire to figure out how things work.
Sometimes, he said, that passion may lead a hacker into the shadowy
places where the law and hacker ethics conflict.

"A hacker doesn't deliberately destroy data or profit from his
activities," he said. "I never made any money directly from hacking. I
wasn't malicious. A lot of the unethical things I did was to cover my
own ass when I was a fugitive."

Mitnick does not justify all of his hacks. He admits he broke into
computer systems to peek at code that powers cellular phone systems.
He didn't destroy data or sell it. But he copied proprietary software.

He did have long lists of customer records from major corporations --
including customer credit card numbers -- but said he used the
information to "social engineer" his way into systems.

Social engineers hack people instead of computers, coercing
information out of people by pretending they have a right to that
information. Mitnick said he used those corporate billing records to
assume customers' identities.

"The companies would ask address, credit card information, things like
that to confirm that you were who you said you were. That's why I
needed the customer databases. Everyone always wondered why I had all
those credit cards and never used them or sold the numbers," he said.

Mitnick believes Dmitry Sklyarov, the Russian software programmer
currently awaiting trial in the U.S. on charges he violated the
Digital Millennium Copyright Act, may have also won the so-called
sweepstakes. He warns young hackers to pull back and be very careful
now.

"I hope Dmitry puts up a good fight," Mitnick said. "He's got a great
lawyer. I had a public defender. He's innocent, I wasn't. All the
right people are supporting him. I pissed a lot of the right people
off by hacking into The Well."

The Well is an online service that, in its heyday, was the online
community of choice for anybody who considered themselves a
technophile. Mitnick used The Well's servers as a sort of storage
locker for data he'd pilfered from other places, which angered many
users who assumed he'd crawled all over the system and violated their
privacy.

"I was on the run, and didn't have any place to store this data I was
collecting. So I hid it all over the Net like it was Easter eggs."

Mitnick does admit to reading the e-mail of New York Times reporter
John Markoff, who reported on Mitnick for The Times, and then
co-authored Tsutomu Shimomura's book, Takedown: The Pursuit and
Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did
It.

"I read their e-mail because they were discussing how the FBI was
going to catch me. I didn't read it all, just searched for a
combination of letters that's in my name, and words like 'trap,'
'trace,' things like that. Again, this is something I had to do to
cover my ass, total self-preservation."

Mitnick hosts a radio show, and is currently working on a book on
social engineering and how people can protect themselves against it.
The book will be published next year.

Many in the hacking community believe Mitnick is an outstanding social
engineer but just a so-so hacker with limited programming skills.

"I'd say I'm equally skilled in both areas," Mitnick said, "but no, my
programming skills aren't stellar. Yes, I'd rather hack people's
brains than code. If I needed to know about a security exploit, I
preferred to get the information by accessing the companies' security
teams' files, rather than poring over lines of code to find it on my
own. It's just more efficient."

Mitnick gave an interesting example of the power of social
engineering. Enlisting a co-worker to demonstrate, he proved that it
is easy to spoof caller ID information by placing calls to Wired News
that appeared to come from other destinations such as the White House.

The information that appeared on the incoming caller ID information
identified the calls as coming from the spoofed addresses, instead of
the phone number that was used to place the call.

"Imagine what a malicious hacker could do with this trick, which, by
the way, is a perfectly legal feature of the phone system," Mitnick
said. "Imagine if your caller ID identified a call as coming from your
credit card company, or your bank."

Mitnick said the best way to avoid social engineering scams is to
trust nothing.

And yes, he is bitter over the way his life has been "twisted and torn
out from underneath me." But knowing he'll be free to use computers
again in 2003 keeps him going.

He cautions young hackers not to take any chances now.

"Set up a network with your friends and try to hack into it. I know
it's not the big challenge you're looking for. You don't get the
thrill of entering into forbidden territory, but now is not the time
to be hacking. Trust me, you do not want to be the next big winner of
the scapegoat sweepstakes."



-
ISN is currently hosted by Attrition.org
