Information Security News mailing list archives

Kevin Mitnick Bares All


From: William Knowles <wk () C4I ORG>
Date: Thu, 28 Sep 2000 23:11:39 -0500

http://www.thestandard.com/article/display/0,1151,18946,00.html

September 28, 2000
By Elinor Abreu

LOS ANGELES - Kevin Mitnick once made a hobby out of breaking into
computer systems, causing many network administrators, not to mention
the FBI, a lot of grief in the process. He spoke to the public
Wednesday for the first time since being released from prison in
January, telling a group of corporate managers in the
computer-security field how to keep hackers like him out of their
networks.

The 37-year-old was surprisingly polished, confident and good-humored.
Wearing a dark suit and red tie, Mitnick told attendees at Giga
Research's Infrastructures for E-Business conference that educating
employees about good security practices will do more to protect a
company than any technology.

Malicious hackers don't need to use stealth computer techniques to
break into a network, he said. Often, they just trick someone into
giving them passwords and other information, a practice known among
hackers as social engineering.

"People are the weakest link," Mitnick said. "You can have the best
technology, firewalls, intrusion-detection systems, biometric devices
and somebody can call an unsuspecting employee. That's all she wrote,
baby. They got everything."

Mitnick, who lives in Thousand Oaks, Calif., a suburb of Los Angeles,
was arrested in February 1995 and held without bail for
four-and-a-half years. He served eight months of that time in solitary
confinement. In March of this year, he pleaded guilty to wire fraud
and computer fraud for accessing information on company networks. In
an unrelated earlier case he had pleaded guilty to possessing and
using an unauthorized access device for a clone cell phone.

He felt his chances of getting a fair trial were small. "There was too
much risk," he said. "When you're in that position, you'll plead out
to anything just to get out of jail."

He suspects the FBI made an example of him because he embarrassed the
agency, which spent three years hunting him down. "When they were
watching me and surveilling my movements, I was watching them," he
said.

Mitnick is on parole until January 2003, under what he says are the
"most restrictive parole-release conditions of anyone." His parole
officer has allowed him to use a cell phone (which Mitnick suspects
might be used to track his whereabouts), but he is prohibited from
using a computer. He had to have someone else create the PowerPoint
presentation he prepared for the Giga conference and fax it to him.

As a condition of his supervised release, he also is barred from
discussing the specifics of his case or from making any profit from
telling his story for seven years. He paid just over $4,000 in
restitution, down from the $80 million the government originally
sought.

"I deserve to be punished for the illegal transactions, but not to the
degree that I was," he said during a dinner interview.

In the meantime, he's getting a lot of job offers: Brill's Content
magazine has hired him to write for its Contentville site, a security
consulting firm wants him to serve on its board, and he might do a
radio show about the Internet. Paramount wanted him to serve as a
technical consultant on a movie about cyberspace, but a deal was never
reached. An agent at United Talent Agency represents him. Mitnick's
options are severely limited by the fact that he can't use a computer
or travel outside central California.

Prior to being imprisoned, Mitnick worked as a private investigator, a
systems administrator for Passkey Systems in Las Vegas and as a
programmer in training at GTE before they realized he was a phone
phreaker, someone who breaks into telephone networks. He was a ham
radio operator at age 13 and became a phone phreaker at 16.

In addition to the advice he gave out Wednesday, Mitnick defended
hackers, pointing out that they are a group whose skill set can be
used for good or evil, like lock pickers. Hackers, even "mischievous"
ones like he was, are motivated by intellectual curiosity and
challenge and are attracted to the element of danger, he said.

Mitnick also noted that he didn't have criminal intent and never
profited from his hacking.

"I used to be a prankster. I used to be a pretty good one," Mitnick
said. "When I was into phone phreaking when I was a kid, we figured
out how to intercept directory assistance for Rhode Island."

"Albert Einstein, in my mind, was a hacker," Mitnick added during a
lunchtime Q&A session. "[He stretched] the technology to make things
better."

Although the FBI was less than pleased that Giga executives invited
Mitnick to deliver Wednesday's keynote speech, conference attendees
found value in it.

"I had mixed emotions about listening to a guy" who was imprisoned for
hacking into systems, said Alex Vance, director of systems performance
at RaiLink in Raleigh, N.C., a subsidiary of the American Association
of Railroads. "On the other hand, he has an expert perspective that
could only come from one who has done it. And his point was well-taken
that we probably as businesses don't have as much to fear from the
traditional teenage hacker as we do from those who have done a
cost-benefit analysis" to hacking into our systems.

Mitnick also discussed the ease with which people can get passwords
and other information that help them gain access to networks without
authorization through dumpster diving and other means.


His recommendations:

* Confirm that someone is who they say they are before giving out
information.

* Don't pick easy passwords or ones that are real words
(password-cracking tools can easily figure them out).

* Don't write passwords on Post-it Notes affixed to computers or other
easy-to-find locations.

* Change passwords frequently.

* Use different passwords for different systems.

* Use shredders that destroy documents so they can't be reassembled.

* Physically destroy CDs and diskettes, because deleted or erased data
can be recovered.
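Three of the password items above (no real words, since cracking tools guess them first; different passwords per system; nothing trivially short) can be enforced at password-change time. The following is an added illustration, not code from the article or from Mitnick's talk; it assumes a tiny constructed wordlist standing in for a real cracking dictionary, a constructed per-system credential store keyed by system name, and PBKDF2-SHA256 as the stored hash format.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the kind of wordlist a cracking tool tries first
# (assumption: a real deployment would load a large dictionary and breach list).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "summer", "qwerty"}

# Undo the substitutions people use to disguise a dictionary word ("Dr4g0n").
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a candidate to the dictionary word it is probably built from."""
    base = pw.lower()
    base = re.sub(r"^[0-9!?.]+", "", base)   # strip leading digits/punctuation
    base = re.sub(r"[0-9!?.]+$", "", base)   # strip trailing digits/punctuation ("summer2000!")
    return base.translate(LEET_MAP)


def check_password(pw: str, min_len: int = 12) -> list:
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if normalize(pw) in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


def hash_password(pw: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-SHA256; the salt differs per system so stored hashes never match each other."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)


def find_reuse(pw: str, stored: dict) -> list:
    """Given {system: (salt, hash)} for one user, return the systems already using pw.

    Because every system has its own salt, reuse can only be detected by
    re-deriving the hash under each salt and comparing in constant time.
    """
    return sorted(name for name, (salt, digest) in stored.items()
                  if hmac.compare_digest(hash_password(pw, salt), digest))


def evaluate(pw: str, stored: dict) -> list:
    """Full check for a proposed new password: strength rules plus cross-system reuse."""
    problems = check_password(pw)
    reused = find_reuse(pw, stored)
    if reused:
        problems.append("already used on: " + ", ".join(reused))
    return problems


# Constructed sample store for one user across three systems (assumption, not real data).
SAMPLE_STORE = {
    "vpn":  (b"salt-vpn-0001",  hash_password("Tr0ub4dor&3-vpn", b"salt-vpn-0001")),
    "mail": (b"salt-mail-0001", hash_password("Tr0ub4dor&3",     b"salt-mail-0001")),
    "wiki": (b"salt-wiki-0001", hash_password("Tr0ub4dor&3",     b"salt-wiki-0001")),
}

if __name__ == "__main__":
    for candidate in ("Summer2000!", "Dr4g0n99", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate, SAMPLE_STORE) or 'ok'}")
```

The length rule deliberately has no character-class requirement, so a long multi-word passphrase passes while a short disguised dictionary word does not; the reuse check costs one PBKDF2 derivation per system, which is acceptable at change time but not on every login.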


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

