From: Davew@cris.com (Dave Harrison)
Newsgroups: comp.dcom.telecom
Subject: Mitnick article
Date: 8 Feb 1997 08:45:15 GMT
Organization: Concentric Internet Services
Lines: 113

[TELECOM Digest Editor's Note: Please note that since this article was submitted, Mitnick has been tried, found guilty and sent to prison, as of July, 1997. PAT]

Here's an article I came across in one of our online magazines... I thought it may be of interest to Digest readers.

Note that in a week, Kevin will have been in custody for *two* years and hasn't had a trial date set. The Feds also plan on dragging this out by prosecuting Kevin in multiple jurisdictions because he wouldn't sign a plea bargain.

As a sidenote, a few weeks ago, Mitnick was thrown in solitary for a weekend and his Walkman was confiscated -- the Feds actually thought he was going to modify it into a walkie talkie. They also believe he can whistle commands over the phone to remote modems.

-----------------------------------------------------------------------

Hacked, Cracked and Phreaked

"All these idiots," Kevin Mitnick told me when I was researching a book about his notorious network infiltrations. "They put their workstations on the Internet and then they run their [encryption] software on their Unix box, and I just backdoor it [for] their pass phrase."

With all their bravado, hackers can make you skeptical about the latest advances in computer security. Sure, encryption, firewalls, intrusion detection programs and digital IDs are all helpful tools, but I'm not one of those expecting a miracle cure. As another former cracker recently told me, "Using encryption doesn't make people smart."

Two guys named Kevin with eight years of jail between them--and counting--have taught me how the other side thinks. I started getting late-night calls on a pay phone from Kevin Mitnick more than two years ago, when he was on the run from the FBI and a little-known security whiz named Tsutomu Shimomura.
Kevin Poulsen may be less notorious, but he's no less intriguing. Charged with everything from espionage to hacking radio giveaways--he won two Porsches--Poulsen recently finished a five-year stint in federal jail.

Last fall, Mitnick's crimes were hinted at in a federal indictment. Since then I've tracked down some of his purported corporate victims and uncovered a clearer picture. The hacker's real targets were industry giants such as Motorola and NEC. Was their computer security bad? Not really. Did Mitnick teach these multinational corporations some very important lessons? Yes.

The major alleged offenses against Mitnick are the misappropriation of the proprietary software of a Who's Who of the high-tech world--Motorola, Nokia, Fujitsu, Novell and NEC. Eighty million bucks is what these companies lost, the government privately says. Some of the companies say the government is exaggerating, arguing that Mitnick seemed to be in it largely for the thrill. But the danger is clear. A hacker with his skills, hired by competitors or foreign governments, could have easily used his intrusions to steal millions of dollars' worth of secrets.

How did Mitnick do it? A source at Motorola alleges Mitnick installed what now seems a dated technique--a packet sniffer to suck up passwords. He did a little "social engineering," allegedly phoning the company and impersonating executives to trick Motorola out of the information he needed to complete his theft. "He did move a block of code," confirms a Motorola official. "He stole source code." Now, the company has new policies for information given out over the phone.

Fortunately for Motorola, the company found "no pattern of abuse or fraud." Mitnick, in other words, didn't damage their computers, and as far as they could discern, had no plan to sell their code. In Motorola's defense, sniffers were still new at the time, and Mitnick was a gifted social engineer. The subsequent victims had fewer excuses.
Months later, another major cellular phone maker was hit. "By then everybody knew about packet sniffers," says one of the victims. Everybody, it seemed, except for the victimized corporation. Again, they were lucky. Although Mitnick swiped the source code that operates their cellular phone and other wireless products, he didn't seem interested in money or wreaking havoc.

Technically, there was no excuse for the success of Mitnick's attacks, because products to combat them were already widely available. But there's frequently a time gap between the latest hacking methods and how quickly companies respond with fixes. Countless Internet mailing lists and World Wide Web sites are posted weekly, highlighting new operating system bugs that could provide access. Staying secure is a fast-moving target. Hackers study and share the vulnerabilities more thoroughly than most security professionals. If you don't patch it in days, you may be the next victim.

It's tempting to think that prepacked encryption and other technical innovations will eliminate these risks. But then I remember Mitnick telling me how frequently companies make mistakes in deploying such tools, things as simple as forgetting to delete decrypted messages. And there's another, more subtle problem. Often, the more technology corporations buy, the more they develop an aura of invincibility, an aura the Kevin Mitnicks of the world love to pierce.

Pressure to join the Internet and the Web creates another dilemma. The Web may be the future, but its general absence of security is spinning us back into a hacker's Wild West. In the last few months, Web sites for the Air Force, the Department of Justice and the CIA have been hacked and plastered with graffiti. Topless pics of "Friends" TV stars aren't the images the Justice Department wants to portray to the public. Imagine the worst that might show up on your company's window to the public.
It's tempting to think technology and the government's tough line on hacking will rid our networks of crime. But consider what the CIA recently told Congress: Hacker terrorists, warned the CIA's director, could execute a strike against our telecommunication and information infrastructure with the destructive force of a nuclear attack.

Remember Kevin Poulsen? He wrote a program that ran on Pacific Bell's computers and tipped him off to nearly every FBI wiretap in the state of California. He found mob taps, DEA taps and national security taps. And he could wiretap whomever he wished. Just a kid with no high school diploma, without a political agenda. Imagine what the really scary criminals are doing.

Jonathan Littman is a free-lance writer in Mill Valley, Calif., who writes and speaks about computer security. He is the author of "The Fugitive Game" and the upcoming "The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen."