When I first heard of Kevin Mitnick, I was intrigued by his explanation of a phenomenon I was previously unfamiliar with: social engineering. When I read his first book, The Art of Deception: Controlling the Human Element of Security, I quickly became a fan. For those who are unfamiliar, social engineering is a non-technical form of breaching security by manipulating people. By employing a variety of methods, a skilled social engineer can trick people into giving away confidential information and granting access to private servers or even to secure areas.
It was on an episode of Triangulation that I learned that Kevin Mitnick had recently published a new book titled Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker. I quickly ordered the book (the first I read on my new Kindle) and found myself amazed at Mitnick’s story.
It seems like Kevin Mitnick was born to hack. When he was twelve years old, he successfully used social engineering to bypass the punch card system used by the Los Angeles bus system. After that time, Mitnick would go on to become the world’s most wanted hacker. He successfully social engineered some of the world’s most prominent companies, including Motorola, Nokia, Sun Microsystems, and the Digital Equipment Corporation. His motive was simple: he had an insatiable drive to figure out how his target systems worked. Unlike some other hackers, Mitnick was motivated purely by the challenge; he wasn’t seeking to steal money or cause damage to the systems that he penetrated.
Eventually, after about two years on the run, Mitnick was arrested by the Federal Bureau of Investigation at an apartment in Raleigh, North Carolina. He served five years in prison, including a stint in solitary confinement because authorities feared that he was able to whistle launch codes into a telephone and activate missiles at NORAD. After his release, Mitnick became a computer security consultant, which enabled him to continue hacking with the permission of his clients.
Mitnick’s story is engaging both to the technical reader and to the non-technical reader. Although Mitnick does share specific details about his technical exploits, an inexperienced computer user could still follow his story and understand the basic strategies Mitnick used to gain unauthorized access to computer systems and telephone switches. Mitnick’s primary means of gaining access to such systems was not technical; he used social engineering to gain the access he was seeking. Social engineering, as a tactic, is distinguishable from other types of security breaches by its reliance on the human element of security. The formula is simple: people generally trust those who have rational explanations for their requests. The chief goal for the social engineer is to build trust between the engineer and his target. This trust might be built by fabricating plausible stories, appropriating the identity of legitimate employees, learning the vocabulary unique to the target’s work environment, and using all of these tactics to build an exploitative relationship where the target then voluntarily gives the social engineer what he wants.
Mitnick’s story serves as a cautionary tale. By demonstrating how easily he was able to hack into computer systems by manipulating people, Mitnick’s story encourages us to become more vigilant about the seemingly innocuous requests people may make of us in the future. Though Mitnick’s motives were not to harm other people, it can be easy to see how other people may try to use social engineering to facilitate acts of terrorism. Mitnick’s story also shows us the level of ignorance society had back in the 1990s toward all aspects of technology – a level of ignorance that has likely only marginally decreased in more recent decades. While Mitnick’s actions were certainly illegal, it’s easy to root for the pre-arrest hacker while reading the book. There is a level of ingenuity and determination that Mitnick had in those days that is admirable despite the fact that his actions were criminal. It’s that ingenuity and determination that many in the world of tech have come to admire about Kevin. It has, indeed, made him the world’s most famous (former) hacker and a credible computer consultant.
For more info about Mitnick and his book, I suggest you consult the following sources: