Kevin Mitnick was once the world’s most wanted hacker. He broke into 40 major companies for the challenge of it, and he eventually got caught in a spectacular cat-and-mouse game. He did five years in prison, including a year in solitary confinement because the judge in his case was told that he might be able to launch nuclear weapons from a payphone.
But after he was released in 2000, he stayed out of trouble. He built a consulting business as a security expert, and he helps break into companies’ networks so they can figure out where their vulnerabilities are and patch them. He claims that Mitnick Security Consulting has a 100-percent success record in penetrating the security of any system he has been invited to attack.
Mitnick has written four books on his life and security topics, most recently The Art of Invisibility, which was published last year in an attempt to teach people how to be safe in the age of big data and Big Brother. He is also the chief technology officer of Olyseum, a sports social network that uses blockchain technology and matches fans with sports celebrities.
I talked to the “world’s most famous hacker” about his thoughts on Russian hackers influencing the 2016 presidential election, Donald Trump, the security issues around blockchain, his new book, his work at Olyseum, and other topics in the news. I’ve interview Mitnick a few times over the years, mostly when his new books come out.
June 5th: The AI Audit in NYC
Join us next week in NYC to engage with top executive leaders, delving into strategies for auditing AI models to ensure fairness, optimal performance, and ethical compliance across diverse organizations. Secure your attendance for this exclusive invite-only event.
Here’s an edited transcript of our interview.
Above: Kevin Mitnick is the world’s most famous hacker.
VentureBeat: What are you up to?
Kevin Mitnick: I’m working on a new book. We’re looking at a new one about penetration testing, telling stories about how the good guys simulate the bad guys breaking in. We’re in discussions with a publisher about it. It’s kind of an adventure story. Now that I do this stuff legitimately, it still has an air of adventure. We’re looking at the potential of putting this into a manuscript. We’ll see what happens.
VentureBeat: There’s always a lot happening in security. Blockchain is something new, and all the talk around Donald Trump and the Russians. I’m curious about what you think about that situation, and what you’ve learned about technology and security as a result.
Mitnick: Well, I’ve read the indictment. I thought it was fascinating, from the viewpoint that the government never releases these types of details. I’m not sure if they were releasing particular details from the Crowdstrike investigation. Crowdstrike is the third-party company that was hired by the DNC to investigate the intrusions. It almost looks like another nation-state was looking over the shoulders of, supposedly, the Dutch.
But in any event, if the facts are true, what was interesting is that the methodology the Russians used to hack the DNC is really no different from what civilians, whether crooks or people like us doing security testing—we use the same method of spearphishing. It’s social engineering. That seemed to give them the foothold in the DNC’s network, and then from there, because nation-states can afford to develop their own implants or malware, they were able to bypass the antivirus products or internal security products they were running at the DNC, if they were running any at all.
So what surprised me is the same tradecraft the Russians use, we use. That’s unbelievable. You’d figure that a nation-state has enough money, time, and resources to either have an internal team developing zero-days or purchasing zero-days. Why not use zero-days, instead of using phishing? Phishing is a pretexting attack. There’s always someone on the other side of that. There’s a high risk that the attack could be identified. You’d blow the entire operation. So why wouldn’t the Russians use zero-day exploits and avoid any email communication with anyone, given the risk of being caught? That’s the question that came to mind as I was reading the indictment.
VentureBeat: I was looking at a secondary story that pointed out one of the Russian agents supposedly logged in to a suspicious Twitter account without going through a VPN first. They got his exact location and office and everything from a failure to use basic security.
Mitnick: The same thing happened with LulzSec. If you recall Hector Monsegur, who went by the nickname Sabu, he was the leader of LulzSec, and he was caught through a similar error. He was connected to a VPN, but his connection dropped and his computer reconnected to something he was attacking without going through the VPN. That let his IP be identified.
You wonder why Russian operatives wouldn’t use burner devices. For instance, if I take my AT&T cell phone over to Moscow right now and I’m roaming on their network, my IP address is an American IP address. You can do this with other countries. When you’re roaming on a foreign network, it’s almost like you have a virtual connection to that country. It’s surprising that they didn’t use burner devices on the front end, before going through the VPN, to make it more difficult for any forensic investigators to make attributions.
If the facts are true, and they have dates and times about which Russian agent executed which command, who actually did the phishing attack, who installed the malware, at this level of detail, all that really leads me to believe that the Russians were compromised. Or their command and control server was compromised, and they were being monitored. It doesn’t make sense that a lot of these details could have been garnered just through forensic analysis of the victims’ machines.
If you notice, it’s also interesting given Julian Assange’s issues. A couple of months ago they yanked his internet access at the embassy and are basically holding him incommunicado. Then this indictment comes out with allegations against WikiLeaks, as “Organization #1” or whatever. I’m really curious if the U.S. government went to Ecuador and said, “You’re assisting criminal activity. You’re harboring an individual who’s doing X, Y, and Z.” I wonder if the Ecuadorians got concerned that they might be accused of contributing to a conspiracy unless they did something with Assange. I have a feeling there’s not just a big coincidence to that timing.
VentureBeat: Speaking of some things that rise up as larger concerns, is there something to the government being able to track Bitcoin transactions better than previously thought?
Mitnick: It’s all public. All blockchain is, it’s a digitally encrypted ledger. It’s not some sort of magic. You have a company like Kodak that puts the word “blockchain” in something they’re developing and all of a sudden their stock goes up. All the blockchain is is a digital ledger. To prevent anyone from tampering with that ledger, it’s protected with encryption and it’s distributed publicly.
Now companies are leveraging this technology to do things like subcontracts. What can they put in the chain and encrypt? How can they leverage this technology to create new products? A company in Russia is using blockchain to create a multi-factor authentication product, where the second factor is encrypted in the chain. Since the chain is public, with a private key you could unlock that block and use it for two-factor authentication. A lot of innovative companies are leveraging that fundamental blockchain and trying to come up with new products.
VentureBeat: Going back maybe a year, a year and a half ago, some of the big names like McAfee saw a rise in ransomware cases where the perpetrators were demanding to be paid in Bitcoin. It was considered an untraceable way to get the ransom. Now that’s apparently not true.
Mitnick: At least with Bitcoin, the ledger is public. If you recall the case of Silk Road, they were able to trace all of those transactions eventually that went to the wallet on his machine, so they could be used as evidence in his trial. What some crooks try to do is launder transactions, going through exchange services that anonymize their wallets. You have a wallet out here with Bitcoin in it, and they spend their time and resources on making sure you can’t connect that wallet back to a person. They’re able to move the money into the physical realm through some sort of exchange and have that be anonymous.
But again, the ledger is public. The hard part is how a bad guy gets the money exchanged into real currency, real value. That’s where they come up with a bunch of different schemes.
VentureBeat: Both blockchain and AI seem like big topics related to security right now. Do you think these things are going to improve or change security in a big way?
Mitnick: It’s a double-edged sword. With AI, I’m the chief hacking officer of a company called KnowBe4, and we’re developing an AI product that works for both offense and defense. We help protect our clients against phishing attacks. We’re able to use machine learning in both ways.
Back in the ‘80s there was a guy named Henry Teng developing what he called an AI tool, written in LISP, to do offensive work on computers within DEC’s internal network. It was an automated hacking tool that I ended up getting access to back in the day. The way he was leveraging machine learning was through using it for offensive work. So I see as a double-edged sword. You can use machine learning for either good or ill.
Above: Kevin Mitnick’s books.
VentureBeat: On blockchain, how are you using that at Olyseum?
Mitnick: We’re using the Ethereum blockchain for the token coin, which people can earn through being part of the network. The user is responsible for managing their private key, or simply using our token through Ethereum. Individual users can use their tokens, their coins, outside Olyseum’s network. The security isn’t something that Olyseum has to build on. It’s really just using the Ethereum blockchain. The user has to manage their private key, and if that private key gets breached, of course, like anything else, somebody could gain access to their wallet and move currency. But the security isn’t something Olyseum is building in. We’re using an already-developed technology.
VentureBeat: Using this with athletes, then, you can create things like uniquely-identifiable memorabilia?
Mitnick: The sky’s the limit. It’s kind of like a publishing platform. The most interesting part, though—the whole idea of the network is to bring fans together with their idols, their sports stars. What the stars do is create communities, almost like followers on Twitter, and then—for example, maybe there’s a signed T-shirt, or another new type of memorabilia that the athlete wants to sell. They can sell it for coins. They can even sell virtual chats. They can market whatever they want to market through this digital network, or hold contests to give things away.
They’re building a community of people. What’s cool about this network, it’s really sports-centric. It’s putting these huge stars in closer contact with their fans. It’s more personal. It’s not just buying memorabilia, but also being able to have one-on-one virtual conversations.
Everything is public, so there’s nothing to compromise security-wise. One of the biggest advantages to the social network is that people can actually earn [rewards] money by their activities. The more activity they have, they can earn a percentage of the profits in the coin. One attack that an outside entity might do is create a bot that becomes a member of Olyseum and tries to generate activity to earn [tokens] coins. If users are earning profit as a percentage of the overall pie, that reduces real users’ profit. The bot is stealing from everyone. So that’s a security risk. But with respect to, say, how Facebook works, where you have your private circle of friends, or your direct messages on Twitter, and other private channels of communication that need to be protected, that doesn’t exist on Olyseum.
VentureBeat: Do you think that, as everybody moves things over to blockchain—for one example, I wrote about sports event tickets moving over to blockchain. Do you think we’ll see a wholesale improvement in security as a result of that, or will bad guys just figure out how to adjust?
Mitnick: Well, the bad guys will attack anything, whether it’s digital or standard currencies. I think it’s a great idea. Anything that can leverage creating an encrypted ledger and enabling public distribution of that, or even creating a private blockchain—see, that can be a problem as well. You have different types of implementations of blockchain. What companies or even individuals could do is create a different version of their own blockchain that might create weaknesses. But talking about the standard blockchain used in Bitcoin, that’s a good thing.
I actually believe that the world is going toward digital currency entirely. Eventually paper and coins will be a thing of the past. But that’s concerning as well. If everything is digital, what are the security risks when someone steals your private key? How does the government collect taxes or enforce laws around money laundering? There are lots of different challenges that come with digital currencies. Again, it’s a double-edged sword. You have benefits, and you have challenges to handle.
Above: Kevin Mitnick says he never hacked for money.
VentureBeat: What do you think about the security of our upcoming elections in the United States?
Mitnick: The DNC was clearly hacked in 2016. I don’t think the election itself was hacked. It was influenced, is a better word for it, strongly influenced, and not through just hacking the DNC. That’s one part of a big puzzle. There was also a lot of social engineering. The Russians were obviously using social networking to influence people’s opinions. The election, in my mind, was definitely manipulated. Were voting machines hacked? I haven’t seen any evidence of that.
VentureBeat: It’s funny that the Republicans are usually thought of as tough on security. Now the Democrats are mad about it.
Mitnick: I can tell you a story about that. In 1980, the Republican National Committee was running an old machine from DEC, a big TOPS-20 mainframe. This was in the ‘80s when I was active as a black hat. I compromised that mainframe and had access to everything. Ronald Reagan even had an account on that machine. It was just a placeholder for him, though. There was nothing there.
I didn’t really care that it was the RNC. What I was doing, I was just targeting TOPS-20 organizations that were reachable via the ARPAnet that were running a particular operating system. They happened to be an unlucky one that was running that operating system, so I had access to everything on that machine. But it wasn’t interesting at the time. I didn’t even look around it much.
VentureBeat: You didn’t have the vision of a Vladimir Putin at the time.
Mitnick: [laughs] I was still doing all of this for challenge and entertainment. TOPS-20 was one of my targets because USC in Los Angeles used TOPS-20, and I wanted to get better at compromising those machines. I’d just look for random ones on the ARPAnet.
I bring this up because it’s funny to see Trump coming out and saying he can’t believe what shoddy security the DNC had, but the RNC is rock solid and hasn’t been hacked. Of course, flash back 30 years earlier, I did hack them. [laughs] It’s all just posturing, of course. In all likelihood the RNC was hacked as well. They just don’t know, or it wasn’t exploited.
It’s really not hard these days, especially given the pretexting or phishing methods that are being used. We’re still really good, in offensive work, at bypassing products that detect implants or malware. The security industry hasn’t developed a product that works really well. When we’re doing security testing, we bypass these products all the time. EDRs, like Carbon Black or Crowdstrike, those are much harder to bypass. It’s much harder to stay in the network without being detected, but we can still do it.
If we can do it, as security testers, then the bad guys can do it, and of course nation-states can do it. They have unlimited money, time, and resources. If you look at the Shadow Brokers, when they released Fuzzbunch, which is allegedly the NSA’s framework for exploitation, they also had tool sets in there for bypassing what they call PSPs, the antivirus tools or EDRs, what they label as “personal security products.” It’s an entire framework for bypassing Kaspersky and others. Of course the Russians are going to have the same tools. It’s a no-brainer.
The problem is, you’re dealing with the social side and you’re dealing with the vulnerabilities of tech. The hack did not surprise me at all. I really think that they could do it again. And I think that a lot more has been compromised than what we know of.
It’s a race. We have Internet of Things, and that’s becoming the wild west. It’s like going back to 1980 with the IBM PC just coming out. Or when the ARPAnet became the internet and everything was open. That’s what IOT is today. They’re obviously trying to improve this, but devices come out with default passwords or no passwords, no way to update firmware. Consumers don’t even know what firmware is. Device manufacturers don’t want to spend money on security updates.
And these IOT devices just sit in everybody’s home. You can use them to store malware or gain persistent access to home networks. Even businesses are using IOT, especially cameras. You can compromise a camera from the outside, whether with default credentials or buffer overflow or some other sort of attack. Then, from the camera, you launch an attack on the internal network.
Above: Kevin Mitnick was once the world’s most wanted hacker.
VentureBeat: Going back to your book from last year, how can someone try to stay invisible in this kind of world?
Mitnick: I discussed it all from the perspective of a person who’s trying to hide from an attorney who wants to serve them a subpoena, or a dissident journalist that’s a target. It depends on the level of privacy and the level of threat. But at the highest level, let’s say you’re trying to evade law enforcement or an intelligence agency because you’re a dissident. I go through the whole process of op sec, starting with a burner device.
It’s a complex set of steps, but essentially you’re building anonymity from your first connection to the internet. You have to do it in such a way that you use that device in locations that aren’t associated with you. You don’t have electronic devices using cellular networks that are turned on at the same time. Then, from that network, using a VPN provider in a foreign country, you can jump over to Tor. You’re layering anonymity in such a way that makes it difficult for anyone to track you back.
VentureBeat: I saw that video of the Chinese police finding a journalist within about seven minutes in a big city. Just through live security cameras.
Mitnick: You have to have serious op sec. If you’re not meticulous and you make one mistake, it can give you away. But that’s at extreme levels. For the average law-abiding person in the street who just wants to maintain personal privacy, I talk about—it’s a little bit under the hood, but mostly from a non-technical perspective. I go into end-to-end encryption, the tools like Signal out there that you can use to protect your communications against a criminal adversary. If you just want to protect your privacy from your bosses and teachers, that sort of thing, that’s 80 percent of what it is. But I go into a lot more depth and a lot more different tools.
I just did a segment on CBS in New York where we talked about anonymous shopping. I told the producers, “Well, we could just use Tor from home to do this, because we’re not hiding from a government agency. Marketeers can’t get information from an IP address. They’re not going to use a subpoena. We just want to mask our IP. If you want to do private shopping, that activity can be correlated.” For the segment, we went out and bought a Chromebook and a wireless hotspot, and through the Chromebook in the CBS offices we were able to purchase items on the web.
Really, that’s overkill, because all a consumer really needs to protect their privacy against marketers and advertisers on the internet is using Tor. You can’t just use incognito mode. But again, that has its down sides. Tor is slow. There are other options. You have all these different levels of threats, and I try to cover a bit of them all.
Above: Kevin Mitnick does penetration testing to test company defenses.
VentureBeat: Is there anything else interesting on your radar right now?
Mitnick: I partnered up with Olyseum because Carlos is a friend of mine. He asked me two years ago in Spain if I would help out. Now the network is becoming more mature, so I’m giving Carlos advice on how to manage any security risks. In my other work I’m at KnowBe4. We’re up to about 500 employees in Clearwater, Florida, doing security work. Then I have my own company doing penetration testing. Companies hire us to do offensive work. And then I’m on the public speaking circuit. I’m pretty busy with all the stuff I do.
VentureBeat: You have to keep up the reputation as the world’s most famous hacker.
Mitnick: [laughs] I’ll have to do another book. I love adventure, right? I liked doing Ghost in the Wires because it was a kind of catch-me-if-you-can story. I liked doing Art of Deception because with a fictionalized story you can build some adventure into it. It becomes a fun story to read. That’s what I’m looking to do in the next book. I want to use real penetration testing stories. We have to look at the legal issues around NDAs, how we can fictionalize it to keep from tying anything to a particular company. But hopefully we can create an interesting adventure book that reveals the tactics and techniques and protocols of the bad guys.
Updated 9:39 a.m. Pacific time on 8/23/18 : Olyseum offered corrections to misstatements about its business.
