On March 2, 2000, the U.S. Senate Committee on Governmental Affairs held a
hearing on the security of federal information systems. Kevin Mitnick, who has
been called the most notorious hacker of all time, spoke before the committee.
In 1995 Mitnick was arrested for stealing computer code from a number of
high-tech companies including Sun Microsystems, Nokia, and Motorola
Corporation. He pled guilty, and spent almost five years in jail. Some estimate
that his illegal forays into private networks cost the companies involved
nearly $300 million. He was released in January 2000, and now considers
himself "reformed." He is serving a further three years of probation, during
which he may not use a computer or act as a consultant in any computer-related
activity without permission. In these excerpts from his testimony, he talks
about how, and why, he hacked.
My name is Kevin Mitnick. . . . I have 20 years' experience circumventing
information security measures and can report that I've successfully compromised
all systems that I targeted for unauthorized access except one. I have two
years' experience as a private investigator, and my responsibilities included
finding people and their money, primarily using social engineering techniques.
. . .
The average American's confidence in the public telephone system is misplaced,
and here's why. If I decided to target a computer system with a dial-in modem, my
first step would be to use social engineering techniques to find the number of
the modem. Next I would gain access to the telephone switch that controls the
number assigned to the modem line. Using that control, I would re-direct the
modem number to a log-in simulator that would enable me to capture the
passwords necessary to access the target machine. This technique can be
performed in real-time to capture dynamic passwords that are changed once per
minute. All of the actions I just described would be invisible to anyone
monitoring or auditing the target computer security.
What's important here is to consider the big picture: People use insecure
methods to verify security measures. The public's confidence in the telephone
system as secure is misplaced, and the example I just described demonstrates
the reason why. The human side of computer security is easily exploited and
constantly overlooked. Companies spend millions of dollars on firewalls,
encryption, and secure access devices and it's money wasted because none of
these measures address the weakest link in the security chain: the people who
use, administer, operate and account for computer systems that contain
protected information. . . .
I'd like to bring to this committee's attention how I successfully breached
information security at the IRS and the Social Security Administration using
social engineering techniques before 1992, which so happens to be beyond the
applicable statute of limitations. I called employees within these agencies and
used social engineering to obtain the name of the target computer system and
the commands used by agency employees to obtain protected taxpayer information.
Once I was familiar with the agency's lingo, I was able to successfully social
engineer other employees into issuing the commands required to obtain
information for me, using as a pretext the idea that I was a fellow employee
having computer problems. I successfully exploited the security measures for
which this committee has oversight authority. I obtained confidential
information in the same way government employees did. And I did it all without
even touching a computer.
Let me emphasize for the committee the fact that these breaches of information
security are ongoing, even as I stand before you today, and that agency
employees are being manipulated using social engineering exploits, despite the
current policies, procedures, guidelines and standards already in place at
these agencies. . . . .
In closing, I'd be happy to offer my knowledge and expertise to the committee
regarding methods that may be used to counteract the weakest link in the
security chain: the human element of information security. . . .
[Ed. Note: After his opening statement, Mitnick took questions from
members of the Committee.]
U.S. SENATOR FRED THOMPSON (R-TN): . . . It seems, in essence, what you're
telling us is that all our systems are vulnerable, both government and private.
MITNICK: Absolutely. . . .
THOMPSON: And you also point out that the key to all of this--we sit here
and think of systems and programs and all, but you point out the key is
personnel--that that is the weakest link, no matter what kind of system you
have . . . . Can you explain on the importance of the personnel aspect to this,
and what you think we might can do about it?
MITNICK: Well, in my experience when I would try to get into these systems, the
first line of attack would be what I call a social engineering attack, which
really means trying to manipulate somebody over the phone through deception.
And I was so successful in that line of attack that I rarely had to go toward a
technical attack. . . .
The problem is people could do what they call information mining. It's where
you call several people within an organization and you basically ask questions
that appear to be innocuous but it's really intended to gain intelligence.
For instance, a vendor might call a company and ask them what software, what
are you currently using, what computer systems do you have to sell them a
particular product because they need to know that information. But the intent
of the caller might be to gain intelligence or try to target their computer
systems.
So I really have a firm belief that there has to be extensive training and
education to educate the users and the people who administer and use these
computer systems that they can be victims of manipulation over the telephone.
Because, like I said in my prepared statement, companies could spend millions
of dollars towards technological protections and that's money wasted if
somebody could basically call somebody on the telephone and either convince
them to do something on the computer which lowers the computer's defenses or
reveals the information that they're seeking.
THOMPSON: So you can compromise a target without even using the computer?
MITNICK: Yes. For example, personally, with Motorola, I was working at a law
firm in Denver. And I left work that day and just on an impulse I used my
cellular telephone and called Motorola, their 800-number, and without getting
in details of how this because of the time constraints, by the time I left work
and by the time I walked home, which was about a 15-to-20-minute period,
without any planning or anything, by the time I walked to the front door, I had
the source code to the firmware which controlled the Motorola ultra-light
telephone sitting at a server in Colorado. Just by simply making pretext
telephone calls, within that 15-to-20-minute period, I had the software. I
convinced somebody at Motorola to send the software to a particular server. . . .
U.S. SENATOR JOSEPH LIEBERMAN (D-CT): Mr. Mitnick, thanks for your
testimony. My staff lifted up some clips in preparation, and one of them
described you as, and I quote, "arguably the most notorious computer hacker in
the world." And I thought I would ask you if you would be comfortable, as we
confront this problem, helping us to answer the question of why?
. . . If a foreign government as the Serbs did during the Kosovo conflict
or some sub-national group of terrorists tries to break into our computer
system, that's pretty clear why. But this is not like most crime waves. To a
certain extent, as I've read about your story and hear about others, and the
kind of daily breaking of government computer systems, it seems to me that
there's a different sort of motivation here. And in some sense, it almost seems
to be the challenge of it. If you would, just talk about why you, or if you
want to third-personize it, why people generally become hackers.
MITNICK: Well the definition of the word hacker, it's been widely distorted by
the media. But . . . my motivation was the quest for knowledge, the
intellectual challenge, the thrill and also the escape from reality--kind of
like somebody who chooses to gamble to block out things that they would rather
not think about. My hacking involved pretty much exploring computer systems and
obtaining access to the source code of telecommunication systems and computer
operating systems, because my goal was to learn all I can about security
vulnerabilities within these systems.
My goal wasn't to cause any harm, it wasn't to profit in any way. I never made
a red cent from doing this activity. And I acknowledge that breaking the
computers is wrong, and we all know that. I considered myself a trespasser, and
my motivation was more of--I felt kind of like as an explorer on these
computer systems.
It really wasn't towards any end. What I would do is, I would try to obtain
information on security vulnerability which would give me greater ability at
accessing computers and accessing telecommunications systems. Because ever
since I was a young boy, I was fascinated with communications. I started with
CB radio, ham radio, and eventually went into computers. And I was just
fascinated with it. And back then, when I was in school, computer hacking was
encouraged. It was an encouraged activity. . . . In fact, I remember one of the
projects my teacher gave me was writing a log-in simulator. A log-in simulator
is a program to trick some unknowing user into providing their user name and
password. And of course I got an A.
(LAUGHTER)
But it was encouraged back then. We're talking about the '70s. And now it's
taboo.
And a lot of people in the industry today, like Steve Jobs and Steve Wozniak,
they started out by manipulating the phone system. And I think even went to the
point of selling blue boxes on Berkeley's campus. And they're well recognized
as computer entrepreneurs. They were the founders of Apple Computer.
LIEBERMAN: So that the fork in the road went in different directions, in
their case.
(LAUGHTER)
MITNICK: Just slightly.
LIEBERMAN: Just slightly. Well, maybe there's still time. Well, you're
young, so there is still time. Your answer is very illuminating. Part of what
you're saying has struck me, which is unlike other forms of trespass or crime,
you didn't profit at all.
MITNICK: I didn't make a single dime. One of the methods how I would try to
avoid detection in being traced was to use illegitimate cellular phone numbers
and electronic serial numbers to mask my location. I didn't use this to try to
avoid the costs of making a phone call, because most of the phone calls were
local. I could have picked up a phone at home and it would have been a flat
rate. I did it to avoid detection. But at the same time, it was cellular phone
fraud because I was using air time without paying for it.
LIEBERMAN: Were you aware, as you went through this pattern of behavior,
that you were violating law?
MITNICK: Of course, yes, I was aware of it.
LIEBERMAN: You were. And were you encouraged or at least not deterred by the
fact that you had some confidence that there were few or no consequences that
attached to it? I mean, there are occasions where people know that they're
doing something illegal, but they think that the prospects of them being
apprehended and charged are so slight that they go forward nonetheless.
MITNICK: Well that's true. Because as you're doing some illegal activity,
you're not doing a cost-benefit -- well, at least I wasn't doing a cost-benefit
analysis. And I didn't think of the consequences when I was engaging in this
behavior. I just did it and I wasn't thinking about, well, if I were to get
caught I'd have these consequences. I was just focusing on the activity at hand
and just doing it.
LIEBERMAN: Because of what you described before as the thrill of it, or
the challenge of it, the adventure.
MITNICK: It was quest for knowledge, it was the thrill, and there was the
intellectual challenge. And [with] a lot of the companies I targeted, to get
the software was simply a trophy. I'd copy the code, store it on the computer
and go right on to the next without even reading the code.
LIEBERMAN: Interesting.
MITNICK: And that's a completely different motivation of somebody who's really
out for financial gain or foreign country or competitor trying to obtain
information, like economic espionage, for instance. . . .
LIEBERMAN: You've talked about the prominent role of what you described as
social engineering, which is to kind of manipulate unwitting employees. I know
this is hard to state a percentage on this, but would you guess that most of
the hacking done is being done in that way by the manipulation of the cultural
weaknesses, the human weaknesses? And how much does hacking depend on
successful human penetration of a system, as opposed to technological
penetration of a system without any assistance from anybody inside? . . . .
MITNICK: Well in my experience, most of my hacking involved the social
engineering exploitations. But I think that most of the hacking out there is
really the weaknesses that are exploited in the operating systems and the
software applications. Because if you go on the internet, you can simply
connect to computer sites that basically have scripts of the exploit codes so
anybody that has access to a computer and modem can download these exploits and
exploit these vulnerabilities that are in the operating systems developed by
the software manufacturers. And that's why . . . I think it's important for the
software manufacturers to be committed to thoroughly testing their software to
avoid these security flaws from being released to the marketplace. . . .
U.S. SENATOR JOHN EDWARDS (D-NC): In answering one of Senator Lieberman's
questions about why you got involved in hacking to begin with, I was listening
to the words you were using. And they sounded very much to me like a
description of addictive behavior. Do you believe that addictive behavior is
involved with folks who are habitually involved in hacking like you were?
MITNICK: I'm not sure I'd consider it addictive behavior. It was just an
activity I was intensely interested and focused on because ever since I was a
young boy I was interested in telecommunications and computers. And that was
just my calling, just like somebody who is very interested in sports and every
day they go out and practice. I'm not sure that you could really equate it to
like a physical addiction. But then again, I'm not a health services
professional so I wouldn't know.
EDWARDS: I understand. But did you feel like you yourself were addicted
to this hacking behavior?
MITNICK: I enjoyed it. I would say it was a distinct preoccupation, but I don't
think I could label it as an addiction per se.
EDWARDS: Did you ever try to stop?
MITNICK: I did stop for a while and then at that time that I wasn't engaging in
that behavior, the Department of Justice, specifically the FBI, sent this
informant to target me. And basically, I got hooked back into computer hacking
because of the enticements that this fellow that they sent to target me kind of
enticed me back into that arena.
EDWARDS: What advice would you give to other hackers, or probably more
importantly, potential hackers?
MITNICK: That's hard to say, I'd have to really think about that. I don't
encourage any activity which maliciously destroys, alters or damages computer
information. Breaking into computer systems is wrong. Nowadays--which was not
possible for me when I was younger, as computer systems are now more
affordable--if somebody wants to hack they can buy their own computer system
and hack the operating system and learn the vulnerabilities on their own system
without affecting anybody else with the potential for causing any type of harm.
So what I would suggest if people are interested in the hacking aspect of
computers, they can do it with their own systems and not intrude upon and
violate other personal or corporation's privacy, or government.
FRONTLINE · wgbh · pbs online
web site copyright WGBH educational foundation