Kevin Mitnick was once one of the most wanted cybercriminals in America. Though he never stole a dime, he infiltrated the security systems of everyone from Sun Microsystems to Motorola to the California DMV. He also spent several years on the lam, living under carefully crafted false identities—until 1995, when he was arrested and sentenced to five years in federal prison. Now that the embargo on profiting from his story is up, Mitnick dissects his obsession in a new memoir, Ghost in the Wires. Dave Morris asked the hacker-turned-security-expert what businesses can learn from a guy like him.
Hacking was seen as innocent mischief when you started in the '80s...

The first programming assignment I had in high school was to find the first 100 Fibonacci numbers. Instead, I thought it would be cooler to write a program to get the teacher's password and all the other students' passwords. And the teacher gave me an A and told the class how smart I was. I grew up in an era where the ethics were totally different.
Given the amount of business done online today—Canadians spent $15 billion online in 2009—has hacking become more of a criminal enterprise?

The hacking trend has definitely turned criminal because of e-commerce. Now, organized crime firms—not only in the United States but all around the world—leverage hackers, and it makes it very difficult to track the origins of the attacks if you're very good at anonymizing how you're connecting to the Internet. And if you're caught, the punishments aren't as severe as, say, drug trafficking. If you get caught with a kilo of coke, you're going away for 10 years. You steal 500 grand from a bank, you're going to get 18 months in a minimum-security prison camp.
Would you say that so-called hacktivists like Anonymous are the minority now?

You have some factions of Anonymous that are true activists—angry with MasterCard, angry with Visa, angry with PayPal for making it impossible to make WikiLeaks donations—and they cause disruptions for the services and their websites. But I think the higher number of these factions are in it for the media attention. Groups like LulzSec [which allegedly took down the Sony PlayStation Network for weeks, costing the company millions] want to prove how smart they are. I think it's to gain exposure—they have a Twitter feed, they set up a website, they were doing interviews with the media. I mean, come on.
How can companies mitigate against "social engineering" tricks, like hackers who pose as a fellow employee to get passwords over the phone?

What you do is, you use technology wherever possible to take away the employee's decision-making. That's one method. The other is education. That's what I do—I travel the world giving seminars on social engineering to Fortune 500 companies and government agencies to help educate their employees on the tricks that hackers use to get in. Mind you, spear phishing [official-looking e-mails that activate malicious data-stealing programs] is a different form of social engineering. That's how Google was hacked, that's how RSA was hacked, that's how Lockheed Martin was hacked.
The hacking environment is very different now, and young people are realizing there are other outlets for their curiosity. Today, I encourage kids I speak with in colleges and high schools to use ethical programs like Backtrack and Metasploit's framework where they can learn to test security systems without violating a company's property rights. I don't want anyone to go through what I did, and I think, today, the punishments would be even worse because we're in a post-9/11 world.