World's greatest computer hacker raises alarm
Kevin Mitnick may have been the greatest computer hacker the world has ever known. At least, the FBI treated him that way. In the 1980s, Mitnick allegedly broke into computer systems belonging to Pacific Bell, Digital Equipment, and the North American Air Defense Command. In the 1990s, Mitnick became the subject of a nationwide manhunt by the FBI. The New York Times ran a front-page story about his alleged attempts to steal cellular telephone software on July 4, 1994. He was finally apprehended by computer expert Tsutomu Shimomura on Feb. 15, 1995.
Mitnick was held in jail for four years without facing trial because his attorney never had a chance to review the government's evidence against him. It was repeatedly withheld on the grounds that releasing it would compromise national security.
Meanwhile, three books were published on Mitnick's capture including one by Shimomura and John Markoff, The New York Times reporter who many say stepped over ethical lines and participated in the investigation. Disney and Miramax produced a movie on the caper. It premièred in France but was shut down by a combination of protests and a lawsuit.
In the meantime, Mitnick's case became a cause célèbre among many in the shadowy world of the computer underground. When The New York Times website was hacked in September 1998, the hacker's message was that Mitnick had been unfairly targeted. Dozens of websites devote themselves to the treatment that Mitnick has received. Many others debunk the government's assertion that he was personally responsible for more than $80 million in corporate losses.
This backstory is critically important for understanding Kevin Mitnick's first book, "The Art of Deception," in which the reformed hacker- turned-security-consultant explains in painstaking detail how the reliance on modern communications technology has made US businesses more vulnerable to 19th-century style cons and swindles.
His book contains roughly two dozen case studies of "social engineering" in which a hacker successfully identifies a piece of information, gets it, and then vanishes.
One such story describes how a man named Rick Daggot showed up one day at a small startup robotics company for a meeting with the company's founder and vice president. Daggot was friendly and well-dressed and claimed to be joining the company's team. There was just one problem: The founder wasn't in town; Daggot had inadvertently come on the wrong day.
Trying to make the most of a bad situation, Daggot offered to take the company's receptionist and a few engineers out for lunch. Over drinks they talked about what else the company's top-secret project. A few days later, Daggot called back, saying that he was in touch with the founder, and that copies of several key documents should be sent to the founder's new e-mail account, the only one he could get working while he was traveling.
Of course, the whole thing was a ruse. The founder was traveling, but Daggot worked for the competition. Having gained the trust of a few engineers and gotten the documents he needed, Daggot disappeared. When the founder returned, he called in the police, but was told that no crime had taken place. A few months later, the competitor announced a product that was nearly identical to the one described by the stolen documents.
Daggot's story is a good one, and there are a lot of them in "The Art of Deception." But alas, all of these stories have the same problem: None of them is true. Under the terms of Mitnick's plea bargain, he's prohibited from selling his story for 10 years. As a result, this book shines no light on the crimes that Mitnick allegedly perpetrated or on the government's alleged excesses in prosecuting him.
Ironically, it's Mitnick's reputation as a deceiver that gives him the credibility and even the moral authority to write this book. In interviews, Mitnick has confirmed that many of these stories are based on exploits from his past.
Although some will accuse Mitnick of creating a handbook that teaches crooks how to break into organizations, the truth is that we all need to understand these con games to protect against them. To stress this point, his last two chapters contain policies, procedures, and training that companies can implement to further protect themselves. In keeping with his premise that the most damaging security penetrations are the result of deceit not technical penetration almost none of Mitnick's suggestions is technical in nature.
The most important recommendation is that when somebody contacts you claiming to be from your organization, you need to verify that they are working for your organization no matter whether they are asking for your help, offering to help you, or just trying to be friendly.
A more controversial suggestion is that organizations should launch simulated "social engineering attacks" on their own employees. Although the training would be invaluable, Mitnick acknowledges that some companies might not want to intentionally lie to their employees.
"Nine out of every 10 large corporations and government agencies have been attacked by computer intruders," states Mitnick, basing his analysis on the Computer Security Institute's annual survey. Let's hope that if they implement the strategies in this book, companies that are attacked won't be so easily penetrated.
Simson Garfinkel is a graduate student at the MIT Laboratory for Computer Science, and the author of numerous books on computers, security, and privacy.