Famed hacker Mitnick greets former target

[InfoSec News <isn () c4i org>]

http://www.siliconvalley.com/mld/siliconvalley/2718380.htm

Feb. 21, 2002

SAN JOSE, Calif. (Reuters) - A decade ago Kevin Mitnick tricked a
Novell Inc. employee into giving him access to sensitive corporate
data. This week the legendary hacker and his unsuspecting target met
for the first time.

``This is ironic,'' Mitnick said as he and Shawn Nunley shook hands
and greeted each other like old pals at the RSA Conference on computer
security. The two laughed and swapped stories about the days when they
were antagonists.

Labeled a ``computer terrorist'' by the FBI, Mitnick kept frustrated
authorities on the hunt for three years as he hacked into the networks
of Novell, Sun Microsystems Inc. and Motorola Inc. among others in the
early 1990s.

Mitnick, who is now 38 and lives in the Los Angeles suburb of Thousand
Oaks, California, was finally arrested in February 1995. Held without
bail for nearly five years, he served eight months of it in solitary
confinement.

``I was the only person in U.S. history ever held without a bail
hearing,'' he said in an interview Wednesday.

Fearing he wouldn't get a fair trial, he pleaded guilty in March 2000
to wire fraud, computer fraud and intercepting communications. He was
released but is required to get government approval before traveling
and using any technology until his probation is up January 2003.

Although permitted to carry a cell phone, he still can't use e-mail or
surf the Web, and now authorities are trying to cut him off from the
hobby he's had for 25 years, ham radio.

'WE FELT VIOLATED'

Mitnick and Nunley's paths first crossed in 1992 when Nunley worked
for Novell. At the time, Mitnick was interested in getting access to
operating system source code to see how computer users were
authenticated.

``I was interested in log-in programs; to find out where I could place
back doors,'' he says.

Impersonating an employee who was on vacation, Mitnick called Novell's
wide area networking department asking for an account so he could dial
into the company's network as any legitimate employee using a laptop
would be able to do.

The engineer on duty referred Mitnick to Nunley, who was the only
employee at the time authorized to create dial-in accounts. So Mitnick
called Nunley at home.

Nunley agreed to do it but only if Mitnick first left a message on his
voice mail at work as proof of the request in case his boss questioned
it later. That voice mail was the evidence authorities eventually used
to nail Mitnick.

Knowing that Nunley would call the impersonated employee's voice mail
to verify his identity, Mitnick had already changed the employee's
voice mail using his own voice after convincing someone in Novell's
telecom department to surrender the password.

He also had earlier persuaded another engineer to move a compressed
copy of a file containing source code for the company's operating
system software to a different server in the network.

Nunley, satisfied with the voice mail verification, created the
account and within minutes Mitnick went to work transferring the
source code to a computer outside the company.

Nunley, who now works as director of technology development at
Netscaler in Santa Clara, California, says he quickly realized his
mistake after seeing Mitnick traverse the network, but it was too
late.

``At Novell, we felt violated and we wanted justice done,'' says
Nunley. ``We spent a lot of manpower cleaning up the mess he left.''

But then Nunley came to believe that prosecutors were exaggerating the
damage estimates and trying to ``make an example out of'' Mitnick, ``I
went from being happy about Kevin being punished'' to being angry
about it, he said.

So he called Mitnick's lawyer to offer his help. The two men have been
in telephone contact since.

'IT'S A DIFFERENT WORLD OUT THERE'

Of the security conference, Mitnick said it struck him how insecure
experts say wireless networks are.

``It's like the old days of war dialing,'' where hackers would use a
program to scan networks to get dial-up numbers from inside a company.

``Now you just sniff,'' or eavesdrop, he said. ``The new wireless
vulnerabilities are even worse than the old methods.''

Much has changed since he was hacking and phone phreaking, or breaking
into telephone networks, as a teenager.

``It's a different world out there,'' Mitnick says. ``When I started
there weren't even laws against it.''

While he is prohibited from consulting on security, Mitnick is allowed
to give speeches. His talk-radio show about the Internet was canceled
recently, but he's hoping to get another one going soon that will be
syndicated.

He got a gig playing a CIA agent in the ABC TV show ``Alias,'' but was
turned down for the part of a computer hacker for a TV commercial for
Internet Security Systems Inc.

Mitnick is barred from profiting from telling his story until 2010,
but can write about security if it's not a memoir. So he's writing a
book tentatively titled ``The Art of Deception.''

It is about a common hacker technique he was notorious for using -
social engineering - in which a hacker dupes people into giving out
information rather than using technology to get it, which he said is
much harder to do.

``A lot of businesses overlook social engineering attacks,'' he said.  
``Out of this whole whole conference there's not one session that
talks about it.''

Nunley, who saw Mitnick's skills as a trickster firsthand, said,
``It's a performance art.''



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.