I knew I was going to have a busy week this week, so I had already penned many of this weeks posts and had them scheduled for publication. However, on hearing of the death of Kevin Mitnick yesterday, I had to push back the last few posts for this week to write a tribute to a man who was the “World’s most wanted hacker“
A hackers life in the making
Kevin David Mitnick was born on August 6, 1963 in Van Nuys in California and by the age of 12 had already started down the path of what would eventually make Mitnick one of the most well-known names in the field of cyber security.
1960’s America was a world away from what it is today, and at a young age, Mitnick was left to his own devices to roam Los Angeles which a great degree of freedom.
By the age of 12, Mitnick started to show the signs of what was to come – he realised that there was a pattern to the holes punched in his bus tickets that somehow translated to the time and day of the journey.
Using skills which he would later use to become a wanted-fugitive, Mitnick convinced one unsuspecting bus driver to reveal where he could get hold of one of the machines used to validate the bus tickets.
Mitnick knew where to obtain blank tickets – dumpster-diving behind the terminus gave a plentiful supply of blanks, so armed with virgin tickets and his own punch, Mitnick spent his days travelling the length and breadth of Los Angeles completely for free.
Learning a trade
With the gift-of-the-gab, Mitnick was destined to become a master at social engineering – tricking others to do his bidding.
At school, he became friends with another student who was already into a new scam – phone phreaking. This new friend was a member of a small group of phreakers who used their skills to sow chaos and confusion in the telephone systems of the day.
By calling phone service companies, Mitnick and his friends managed to convince satffers that they were employees and by doing so, managed to obtain insider knowledge (corporate lingo, procedures, staff names, office location, etc.) which allowed them to further their activities and fool the telephone system into giving them free calls to anywhere in the states.
They regularly took control of the local directory assistance and would intercept peoples calls to be connected to a company or individual, and they would route the calls to unsuspecting other users.
Another trick they played was to use their skills to make the telephone system inform a customer that they had to insert more money to continue the call – even if the caller was not using a payphone.
In 1981, Mitnick and two friends decided to physically enter Pacific Bell’s Computer System for Mainframe Operations (COSMOS) phone center in downtown Los Angeles.
COSMOS was a database used by many phone companies for controlling the system’s basic record keeping functions.
The trio social engineered their way past a security guard and found the room where the COSMOS system was located. Once inside they took lists of passwords, a series of operating manuals for the COSMOS system, and the combinations to the door locks at nine Pacific Bell central offices and .
To facilitate later social engineering attacks they also planted pseudonyms and phone numbers in a rolodex sitting on one of the desks in the room.
A telephone company manager soon discovered the fake Rolodex entries and reported them to the local police, who started an investigation. The case was actually solved however, when a jilted girlfriend of one of the two others went to the police, and Kevin and his friends were soon arrested.
The three were charged with destroying data over a computer network and with theft of the operator’s manuals
Mitnick was sentenced to three months in the Los Angeles Juvenile Detention Center, followed by a year’s probation.
In 1983, Mitnick was arrested once more after breaking into a Pentagon computer over the ARPAnet – a crime for which he served six months in a juvenile detention center.
Hacking spree
The late 1980’s saw Mitnick and his friends hack in to multiple systems using various social engineering and technical attacks.
In 1988, Mitnick gained access to “The Ark” – A system at Digital Equipment Corporation (DEC) which was being used to design and build the RSTS/E operating system software.
His phreaker friends had access to the DEC network, but they did not have the credentials to access the computer system at the other end of the modem line.
Claiming to be Anton Chernoff, one of the project’s lead developers, Mitnick called the system manager with the pretext that he couldn’t log into one of his accounts, and was convincing enough to convince the manager to give him access.
The manager also allowed Mitnick to select a new password of his choice, but not only that – he had the access of a delevoper, not an ordinary user.
When Mitnick told his friends he had full access, the did not believe him, so they challenged him to prove it, and so, sat at a keyboard, Mitnick logged into The Ark, and showed his level of access.
Taking this information, his so-called friends later logged into the system, downloaded all the development data, and promptly told the authorities that it was Mitnick who did it.
Mitnick was arrested and sentenced to 12 months in prison followed by 3 years supervised release.
This was a harsh lesson learned by Mitnick, but one which ultimately served him well in later years.
On the run
Towards the end of his 3 years of supervised release from prison, Mitnick hacked into the IT systems of Pacific Bell – a crime for which another arrest warrent was served, but one which would not be satisfied for nearly two and a half years.
Mitnick evaded arrest fo so long partly due to his ability to stay anonymous, but also due to the fact that he was actively hacking into the systems used by the FBI and other law enforcement agencies to see what knowledge they had about him, and so he could always stay one step ahead of any officers sent to hunt him down.
Capture & sentencing
Eventually Mitnick was arrested on February 15th 1995 in North Carolina. At the time of his arrest, Mitnick was found to have over 100 cloned mobile phones and multiple fake ID’s.
Mitnick was charged with 14 counts of wire fraud, 8 counts of possesison of unauthorised access devices, interception of wire or electronic communications, unauthorized access to a federal computer, and causing damage to a computer.
In 1999, Mitnick pleaded guilty to 4 counts of wire fraud, 2 counts of computer fraud, and 1 count of illegally intercepting a wire communication, as part of a plea agreement with the United States District Court for the Central District of California in Los Angeles.
He was sentenced to 46 months in prison for those crimes, plus a further 22 months for violating the terms of his 1989 supervised release sentence for computer fraud.
Ability to start WWIII
Mitnick ultimately served five years in prison – eight months of which were in solitary confinement because law enforcement officials convinced a judge that Mitnick had the ability to “start a nuclear war by whistling into a pay phone”.
During his trial, law enforcement officers told the judge that Mitnick could somehow dial into the NORAD modem via a payphone from prison and communicate with the modem by whistling to launch nuclear missiles.
This was a misunderstanding by the officers about the concept of phreaking, but it shows how law at that time did not understand the world of I.T. and computer networks.
Release from prison
Mitnick was released from prison in 2000, and became a paid security consultant, public speaker, and author.
Mitnick formed his own security company – Mitnick Security Consulting LLC and was co-owner of KnowBe4 – a platform for security awareness training and simulated phishing attacks.
As a public speaker, Mitnick toured the world delivering security talks at placess such as Defcon, Blackhat and many others. Known for his notorious life as a hacker, Mitnick was a sought-after speaker at such events and had an audience of fans ranging from ethical and non-ethical hackers, law enforcement reps, as well as many others interested in the world of computer security. A fan base which will greatly miss his presence.
Publications
Mitnick published five books about his life as a hacker, all of which are interesting reads for anyone wanting to learn more about how Mitnick evaded capture for so long.
In 2002 his first book was published – The Art of Deception – where he told the tales of the social engineering tricks he used in his career.
In 2005, he published the sister book to the Art of deception – The Art of Intrusion, where he talks about the technical attacks he ran.
In 2011, he published his autobiography – Ghosts in the wires, where he tells the true stories behind his life as the World’s most wanted hacker.
In 2017, he published The Art of Invisibility, where he talks about how to remain anonymous in the face of ever increasing online profiling and surveillance.
Illness and death
Mitnick was diagnosed with pancreatic cancer a few years ago – complications from which ultimately cost him his untimely death at the age of 59 at his home in Las Vegas.
He is survived by his wife Kimberley and their unborn child.