[ISN] Mitnick Warns Other 'Scapegoats'

From: InfoSec News (isnat_private)
Date: Tue Oct 09 2001 - 04:23:21 PDT

    By Michelle Delio 
    2:00 a.m. Oct. 8, 2001 PDT 
    The world's most notorious hacker says the government should focus on
    securing its computer systems rather than snooping on citizens.
    Kevin Mitnick, who spent four-and-a-half years behind bars for
    breaking into the computer systems of telephone companies, stresses
    that hackers should take extreme care these days given the sensitive
    political environment and the new laws defining many hacks as acts of
    He also warned that any hacker could win the "scapegoat sweepstakes"
    at any time, receiving a harsh sentence to serve as an example to
    other hackers.
    Mitnick, who has testified before a Senate committee on the dangers of
    politically motivated hack attacks, thinks cyber terrorism is a
    credible -- but not particularly critical -- threat that could be
    headed off by strengthening security at government agencies and
    private corporations.
    He firmly believes the newly proposed Patriot Act is just an excuse
    for law enforcement to further its own agenda.
    The act, approved on Wednesday by the House Judiciary Committee and
    slated for a full vote this week, gives wide-ranging surveillance
    powers to the police, including extensive scrutiny of electronic
    "The Patriot Act is ludicrous," Mitnick said. "Terrorists have proved
    that they are interested in total genocide, not subtle little hacks of
    the U.S. infrastructure, yet the government wants a blank search
    warrant to spy and snoop on everyone's communications."
    If anyone has a right to what some might see as paranoia, Mitnick
    would be that man. He's been portrayed in newspapers, books and movies
    as the all-powerful evil programmer, a brilliant hacker able to launch
    a nuclear war with a mere whistle into a cell phone, able to bring
    down government computer systems on a whim.
    For the record, Mitnick denies many of the crimes that have been
    credited to him and said the government and the mainstream media
    created the myth of Mitnick for their own profit.
    "I am not innocent but I certainly didn't do most of what I was
    accused of," he said. "Basically, I won the scapegoat sweepstakes."
    Mitnick agreed to be interviewed as part of the publicity for his role
    in an episode of a new ABC spy drama, Alias, in which Mitnick plays a
    CIA computer expert. Mitnick's episode, "Doppelganger," is scheduled
    to air Sunday, Oct. 28.
    Arrested in February 1995 for hacking into the computer networks of
    communications providers such as Digital Equipment, Pacific Bell, Bell
    Atlantic and Internet service provider The Well, Mitnick was held
    without bail for four and a half years.
    He served eight months of that time in solitary confinement as
    authorities apparently feared he could still manage to hack into some
    device and cause the end of the world. He pleaded guilty to entering
    computer systems without authorization, served another eight months,
    and was released in January 2000.
    Mitnick is banned, until January 2003, from using computers, acting as
    a technical consultant, or writing about computers without permission
    from his probation officer. Mitnick recently was given permission to
    carry a cell phone so that he could be in touch with family during his
    father's terminal illness.
    Mitnick was allowed to keep the phone after his father died five
    months ago but believes it's so authorities can keep track of him.
    Mitnick testified before the Senate Governmental Affairs Committee in
    Washington on March 2 and outlined a comprehensive plan that would
    secure computer systems against most hack attacks.
    He believes that the government should be hardening its systems now,
    although he's not totally convinced that cyber terrorism is the worst
    "Yes, a coordinated team of hackers could take down the communications
    systems, the power system, perhaps the financial markets," he said.
    "But all of those systems would be back online pretty quickly; you
    can't really knock them out for an extended period. You could use
    those outages as a decoy though, to draw attention from what you are
    really planning."
    But he believes that increased surveillance powers aren't going to
    help win the war against terrorism and he thinks the government knows
    "The government does things like insisting that all encryption
    programs should have a back door. But surely no one is stupid enough
    to think the terrorists are going to use encryption systems with a
    backdoor. The terrorists will simply hire a programmer to come up with
    a secure encryption scheme."
    Mitnick defines a hacker as someone who has a passion for technology,
    someone who is possessed by a desire to figure out how things work.
    Sometimes, he said, that passion may lead a hacker into the shadowy
    places where the law and hacker ethics conflict.
    "A hacker doesn't deliberately destroy data or profit from his
    activities," he said. "I never made any money directly from hacking. I
    wasn't malicious. A lot of the unethical things I did was to cover my
    own ass when I was a fugitive."
    Mitnick does not justify all of his hacks. He admits he broke into
    computer systems to peek at code that powers cellular phone systems.
    He didn't destroy data or sell it. But he copied proprietary software.
    He did have long lists of customer records from major corporations --
    including customer credit card numbers -- but said he used the
    information to "social engineer" his way into systems.
    Social engineers hack people instead of computers, coercing
    information out of people by pretending they have a right to that
    information. Mitnick said he used those corporate billing records to
    assume customers' identities.
    "The companies would ask address, credit card information, things like
    that to confirm that you were who you said you were. That's why I
    needed the customer databases. Everyone always wondered why I had all
    those credit cards and never used them or sold the numbers," he said.
    Mitnick believes Dmitry Sklyarov, the Russian software programmer
    currently awaiting trial in the U.S. on charges he violated the
    Digital Millennium Copyright Act, may have also won the so-called
    sweepstakes. He warns young hackers to pull back and be very careful
    "I hope Dmitry puts up a good fight," Mitnick said. "He's got a great
    lawyer. I had a public defender. He's innocent, I wasn't. All the
    right people are supporting him. I pissed a lot of the right people
    off by hacking into The Well."
    The Well is an online service that, in its heyday, was the online
    community of choice for anybody who considered themselves a
    technophile. Mitnick used The Well's servers as a sort of storage
    locker for data he'd pilfered from other places, which angered many
    users who assumed he'd crawled all over the system and violated their
    "I was on the run, and didn't have any place to store this data I was
    collecting. So I hid it all over the Net like it was Easter eggs."
    Mitnick does admit to reading the e-mail of New York Times reporter
    John Markoff, who reported on Mitnick for The Times, and then
    co-authored Tsutomu Shimomura's book, Takedown: The Pursuit and
    Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did
    "I read their e-mail because they were discussing how the FBI was
    going to catch me. I didn't read it all, just searched for a
    combination of letters that's in my name, and words like 'trap,'
    'trace,' things like that. Again, this is something I had to do to
    cover my ass, total self-preservation."
    Mitnick hosts a radio show, and is currently working on a book on
    social engineering and how people can protect themselves against it.
    The book will be published next year.
    Many in the hacking community believe Mitnick is an outstanding social
    engineer but just a so-so hacker with limited programming skills.
    "I'd say I'm equally skilled in both areas," Mitnick said, "but no, my
    programming skills aren't stellar. Yes, I'd rather hack people's
    brains than code. If I needed to know about a security exploit, I
    preferred to get the information by accessing the companies' security
    teams' files, rather than poring over lines of code to find it on my
    own. It's just more efficient."
    Mitnick gave an interesting example of the power of social
    engineering. Enlisting a co-worker to demonstrate, he proved that it
    is easy to spoof caller ID information by placing calls to Wired News
    that appeared to come from other destinations such as the White House.
    The incoming caller ID display identified the calls as coming from
    the spoofed addresses, instead of the phone number that was used to
    place the call.
    "Imagine what a malicious hacker could do with this trick, which, by
    the way, is a perfectly legal feature of the phone system," Mitnick
    said. "Imagine if your caller ID identified a call as coming from your
    credit card company, or your bank."
    Mitnick said the best way to avoid social engineering scams is to
    trust nothing.
    And yes, he is bitter over the way his life has been "twisted and torn
    out from underneath me." But knowing he'll be free to use computers
    again in 2003 keeps him going.
    He cautions young hackers not to take any chances now.
    "Set up a network with your friends and try to hack into it. I know
    it's not the big challenge you're looking for. You don't get the
    thrill of entering into forbidden territory, but now is not the time
    to be hacking. Trust me, you do not want to be the next big winner of
    the scapegoat sweepstakes."