Five Things Kevin Mitnick Has Learned About Computer Security
Legendary former hacker on hacking, being hacked, and companies that turn a blind eye to security
Mon, July 14, 2008
CIO — Reformed hacker-turned-security-consultant Kevin Mitnick served five years in federal prison for breaking into phone and software company networks. He talks about his past hacking exploits, computer security, and how he turned an illegal hobby into a useful career.
Hacking wasn't always illegal. I started off in what they call "phone phreaking" in the late 70s. This is the same hobby Apple founders Steve Jobs and Steve Wozniak had. At this time, 1978, there were no laws against hacking. The first law that criminalized hacking was passed in 1980 in California. I was doing this before it was illegal. And my interest was entertainment—the pursuit of knowledge, challenge and the trophy of the stolen information. There was no motive for money or malicious intent to use, disclose or destroy the data.
Learn the rules before you play the game. I knew hacking was sneaky when I started, but I didn't think it would get me into trouble. Back in my day, they didn't teach us about ethics in respect to hacking or using computers. Now, I tell kids to not follow in my footsteps. As computers become more accessible, there are more ethical ways to learn about computer security. Plus, there are laws now.
Not everyone takes security seriously. I've been testing a company—a financial institution—and they are governed by Sarbanes-Oxley and other regulations. I've done their security assessments for the last four years and each time I get in the same way. It's surprising that these companies do security audits to find their vulnerabilities but don't do much about them. They are required by law to do the audits so you'd think the auditors would require them to fix the issues, but in a lot of cases they don't.
Use your powers for good, not evil. When I was released from custody in 2000, the U.S. government asked for my help. U.S. senators Fred Thompson and Joseph Lieberman invited me to testify before Congress about the government's computer security vulnerabilities. Once the restrictions of my release were up, I went into full-fledged security work, such as training, security assessments and product evaluations. It's a reversal of fortune. Before, I was doing something exciting—but it was unauthorized and illegal. Now, I do the same thing that got me in trouble, except I do it with authorization. Clients hand me their network and tell me to break in so they can fix security vulnerabilities. To me, it's the same act but it helps my clients and it's legal and ethical, so it's a win-win situation. It's interesting that you can take a criminal activity like hacking and make it into a legitimate enterprise. I can't think of any other illegal activity you can do that with.
Even hackers get hacked. Attackers found a way onto my Web server. However, my website is hosted by a third-party hosting company, so when my site gets hacked it's the hosting service's security shortcomings, not my own. Of course it's embarrassing and I don't like it. Fortunately, I don't have any proprietary information on my public-facing servers. The downside is that people think my company was hacked, but it was really this hosting company's network and not my own site that was breached.