Mitnick Unplugged: Building a business on the art of deception - TechUpdate

Tech Update

Mitnick Unplugged: Building a business on the art of deception

By Dan Farber
October 3, 2002

Add your opinion

Forward in

Format for

Kevin Mitnick is ready to get on with his life. While still under court supervision for the next few months, Mitnick is publishing a book and starting a new security company. ZDNet's Dan Farber spoke with Mitnick this week about his new ventures and his expectations for the future.

Tech Update: In addition to the publication of The Art of Deception, you are also starting a company called Defensive Thinking, Inc. What is the goal of the company--besides to make a living?

Mitnick: We want to take the ideas from the last part of the book and to provide a world-class security consulting service, focusing on awareness training, seminars, videos, film, and Web-based content. We will also have a vulnerability assessment side of business, looking at weaknesses in technology as well as in business processes. We will do penetration testing to look at the network from outside and the inside to look for weakness in both technology and operations.

The key is to find out what would be most cost-effective safeguards to mitigate security risks. There is always a certain level of risk. Our company will look to find an acceptable level of risk and the appropriate response.

Tech Update: What is your role in the new company?

Mitnick: I will be managing the company. We will retain professional testers using my methodology along with their own [methodologies] to look for weak points in networks. I will work more hands-on when my supervised release conditions expire in four months. We currently have one corporate client for whom we will be doing a security assessment of a USB drive that uses encryption and has built-in e-mail and a Web-based client.

Tech Update: How many people are in the company?

Mitnick: We are just starting to build the company. We are currently two people, including myself. I have talked to several other people to be involved on contractor basis. On the training side of the company, we have developed a screenplay for a training video. We need to raise funds-about $250,000 to develop the product. We hope to get sponsors like Microsoft for the project, and we will offer pre-orders of the film on our Web site. We've looked at competitors in the market and the amount of dollars that companies budget for security and awareness training, and we expect it to be successful venture.

Tech Update: The book jacket says that you are redeeming your former life of crime by providing specific guidelines for helping companies become more secure. What makes you think that your customers will trust someone who has been called the most feared hacker by the U.S. Department of Justice?

Mitnick: The point is now I am taking my knowledge and experience to help educate government and industry on how to protect their assets, instead of using my former hobby to create grief. Hacking is now looked at as a serious crime. I want to be a successful person and to help people, so it is a natural area for me to be involved with. I know there will be a lot of critics. All I can really say is that I am older and wiser, and hopefully people can forgive for my past transgressions.

Tech Update: How do you respond to the notion that your book is not just a practical guide for corporations, but also a manual for budding hackers?

Mitnick: It's the same issue with full disclosure around security vulnerabilities. When you find a flaw, do you disclose it or keep a secret? I am a proponent of exposing the vulnerabilities rather than keeping them secret. Social engineering exploits peoples' poor awareness. People become more skeptical of cons and swindles because they are made more aware through media, family or friends. My book is designed to raise awareness by showing them how it's done, so they can recognize different tactics and methods.

Tech Update: What is your relationship with the hacker community?

Mitnick: Fortunately, I am respected in the hacker community. I have contacts in the computer underground and stay abreast of security vulnerabilities and things that are under wraps. I use the information for my own personal curiosity and to gather intelligence about what really is going on out there to help protect our clients at Defensive Thinking. At the same time, it's a delicate balance. I don't want to share the information in ways that compromise a relationship, but I will use it to protect our clients.

Tech Update: What is the most common type of con that companies fall prey to?

Mitnick: Giving out internal telephone numbers. People have a desire to help fellow workers. When a caller masquerades as someone in the company, and the victim fears reprimand and desire to help, they will likely comply with a request from an unauthorized party.

The magic of social engineering is psychological triggers, which are methods used to influence or persuade people. In the corporate environment, people are unlikely to evaluate a request thoroughly, so they take a mental shortcut, such as feeling a need to reciprocate if someone does a favor for them. For example, an attacker calls a target, or mark, and says that they are fixing a problem, which really doesn't exist. The target is made to believe that the requester is helping them solve a problem. When the attacker asks for information, the target feels obligated to reciprocate.

Tech Update: What is most admired con or hack that you know about?

Mitnick: One that really comes to mind involved a security researcher in the UK, who had a fantastic aptitude for finding vulnerabilities in Digital Equipment's [DEC] VMS operating system. When I compromised DEC's systems, I was able to learn about security holes and that the researcher who discovered the holes was a student at University of Leeds.

Eventually the researcher found out that I was trying to compromise him, and we played cat and mouse game. I called him on the telephone and pretended to be someone on the VMS development team. I knew he had a huge interest in working for DEC. During our conversation I made a mistake. I thought he had talked to an engineer in the past, so I said "good talking to you again." That phrase triggered something, so right way the researcher called another person and played a tape of my voice. At that point I could tell that he knew I wasn't from DEC.

I let a few months go by and then sent him an e-mail. I had found out that he had an account on a VMS computer system at his university and was communicating with a DEC engineer. I had full access privileges to the system and played the man in the middle. In the e-mail I told him about a security vulnerability and sent him the working vulnerability that he didn't know about, so we developed relationship over e-mail.

Subsequently, I told him I was worried about having our communications intercepted and brought up that I was worried about Mitnick intercepting communications. So, I sent him a PGP key, and gained his full trust by sending him information, not by asking for anything and by talking negatively about myself.

Eventually he sent me all his research work and vulnerabilities. About three or four months later he asked me about an encryption algorithm in a yes or no question. Instead of researching to get the right answer by querying a DEC engineer, I just guessed the answer was no. When he found out that my answer was incorrect, he got suspicious and realized the whole elaborate scheme was a big con.

TECH UPDATE TODAY DAILY:
Dan Farber and David Berlind deliver daily insights on the business and technology news that matters to enterprise IT.

	Enterprise Alerts
	Surveys
	Computers: Desktops & Laptops
	IT Management
	Security
	IT Professionals

Manage My Newsletters

Help | Advertisements | Feedback | Reprints | Newsletters

New site: Monitor all the tech news at Technology.Updates.com

CNET.com | CNET Download.com | CNET News.com | CNET Reviews | CNET Shopper.com

About CNET Networks