[ISN] Famed hacker Mitnick greets former target

From: InfoSec News (isnat_private)
Date: Fri Feb 22 2002 - 00:52:42 PST

    http://www.siliconvalley.com/mld/siliconvalley/2718380.htm
    
    Feb. 21, 2002
    
    SAN JOSE, Calif. (Reuters) - A decade ago Kevin Mitnick tricked a
    Novell Inc. employee into giving him access to sensitive corporate
    data. This week the legendary hacker and his unsuspecting target met
    for the first time.
    
    ``This is ironic,'' Mitnick said as he and Shawn Nunley shook hands
    and greeted each other like old pals at the RSA Conference on computer
    security. The two laughed and swapped stories about the days when they
    were antagonists.
    
    Labeled a ``computer terrorist'' by the FBI, Mitnick kept frustrated
    authorities on the hunt for three years as he hacked into the networks
    of Novell, Sun Microsystems Inc. and Motorola Inc. among others in the
    early 1990s.
    
    Mitnick, who is now 38 and lives in the Los Angeles suburb of Thousand
    Oaks, California, was finally arrested in February 1995. Held without
    bail for nearly five years, he served eight months of it in solitary
    confinement.
    
    ``I was the only person in U.S. history ever held without a bail
    hearing,'' he said in an interview Wednesday.
    
    Fearing he wouldn't get a fair trial, he pleaded guilty in March 2000
    to wire fraud, computer fraud and intercepting communications. He was
    released but is required to get government approval before traveling
    and using any technology until his probation is up January 2003.
    
    Although permitted to carry a cell phone, he still can't use e-mail or
    surf the Web, and now authorities are trying to cut him off from the
    hobby he's had for 25 years, ham radio.
    
    'WE FELT VIOLATED'
    
    Mitnick and Nunley's paths first crossed in 1992 when Nunley worked
    for Novell. At the time, Mitnick was interested in getting access to
    operating system source code to see how computer users were
    authenticated.
    
    ``I was interested in log-in programs; to find out where I could place
    back doors,'' he says.
    
    Impersonating an employee who was on vacation, Mitnick called Novell's
    wide area networking department asking for an account so he could dial
    into the company's network as any legitimate employee using a laptop
    would be able to do.
    
    The engineer on duty referred Mitnick to Nunley, who was the only
    employee at the time authorized to create dial-in accounts. So Mitnick
    called Nunley at home.
    
    Nunley agreed to do it but only if Mitnick first left a message on his
    voice mail at work as proof of the request in case his boss questioned
    it later. That voice mail was the evidence authorities eventually used
    to nail Mitnick.
    
    Knowing that Nunley would call the impersonated employee's voice mail
    to verify his identity, Mitnick had already changed the employee's
    voice mail using his own voice after convincing someone in Novell's
    telecom department to surrender the password.
    
    He also had earlier persuaded another engineer to move a compressed
    copy of a file containing source code for the company's operating
    system software to a different server in the network.
    
    Nunley, satisfied with the voice mail verification, created the
    account and within minutes Mitnick went to work transferring the
    source code to a computer outside the company.
    
    Nunley, who now works as director of technology development at
    Netscaler in Santa Clara, California, says he quickly realized his
    mistake after seeing Mitnick traverse the network, but it was too
    late.
    
    ``At Novell, we felt violated and we wanted justice done,'' says
    Nunley. ``We spent a lot of manpower cleaning up the mess he left.''
    
    But then Nunley came to believe that prosecutors were exaggerating the
    damage estimates and trying to ``make an example out of'' Mitnick. ``I
    went from being happy about Kevin being punished'' to being angry
    about it, he said.
    
    So he called Mitnick's lawyer to offer his help. The two men have been
    in telephone contact since.
    
    'IT'S A DIFFERENT WORLD OUT THERE'
    
    Of the security conference, Mitnick said it struck him how insecure
    experts say wireless networks are.
    
    ``It's like the old days of war dialing,'' where hackers would use a
    program to scan networks to get dial-up numbers from inside a company.
    
    ``Now you just sniff,'' or eavesdrop, he said. ``The new wireless
    vulnerabilities are even worse than the old methods.''
    
    Much has changed since he was hacking and phone phreaking, or breaking
    into telephone networks, as a teenager.
    
    ``It's a different world out there,'' Mitnick says. ``When I started
    there weren't even laws against it.''
    
    While he is prohibited from consulting on security, Mitnick is allowed
    to give speeches. His talk-radio show about the Internet was canceled
    recently, but he's hoping to get another one going soon that will be
    syndicated.
    
    He got a gig playing a CIA agent in the ABC TV show ``Alias,'' but was
    turned down for the part of a computer hacker for a TV commercial for
    Internet Security Systems Inc.
    
    Mitnick is barred from profiting from telling his story until 2010,
    but can write about security if it's not a memoir. So he's writing a
    book tentatively titled ``The Art of Deception.''
    
    It is about a common hacker technique he was notorious for using -
    social engineering - in which a hacker dupes people into giving out
    information rather than obtaining it through technical means, which
    he said is much harder to do.
    
    ``A lot of businesses overlook social engineering attacks,'' he said.
    ``Out of this whole conference there's not one session that
    talks about it.''
    
    Nunley, who saw Mitnick's skills as a trickster firsthand, said,
    ``It's a performance art.''
    
    -
    ISN is currently hosted by Attrition.org