The hacker’s tale: An interview with Kevin Mitnick

He has since written a book on the art of social engineering and is starting a consultancy to advise companies on the best way to protect IT infrastructures.

Firstly, to set the record straight, are you a hacker or a cracker?

Definitely a hacker. Crackers go into systems for financial gain or to deliberately cause damage. My motivations were those of the prankster and explorer.

When I went into systems I was usually just looking around or on the search for specific software for personal use. I’ve served my time and those days are now over.

How did you first get interested in computers?

Actually it was magic that was my first love. I was a member of the Junior Magic Club from an early age and I’m still fascinated by the power of illusion.

Then when I was 13 I got my amateur radio licence and got into electronic communication. Finally I saw a computer and swept floors at a Radio Shack so that I could use it.

Was your experience and notoriety a help or a hindrance in prison?

There have been hackers in jail who were threatened in order to get them to work for criminals, but fortunately I wasn’t one of them.

The main problem was the myths that were flying around. I was held for four and a half years without bail, eight months of those in solitary, because the authorities believed their own hype and were afraid I’d start World War Three from the nearest phone box.

I’ve been accused of a lot of things, including hacking the Pentagon and the North American Aerospace Defense Command. Why would I want to go there? They’re heavily guarded and there was no interesting software to check out.

I’ve also been accused of being the inspiration for the film WarGames but when I met the scriptwriter a few years later he said he’d never heard of me.

So now you’ve published a book on social engineering. What is it and why is it so important?

Social engineering is the side of hacking that seldom gets mentioned. It’s using people to subvert technology.

You can have the best computer set-up in the world but, if someone can convince a member of staff to let them in, all that is useless. The weakest link in any security chain is always human.

The skills of social engineering are used by hackers to replace genuine technical knowledge. Today’s script kiddies may not be able to code but, if they can convince instead, they don’t need to.

Surely it can’t be as simple as just asking for a password?

Sometimes that’s all it takes. In practice it usually takes several calls using different personae before you can get all the keys you need for access.

People like to help each other and, by establishing rapport and building trust, the determined individual can get what they want.

Other techniques include setting up a situation so that the mark, or target, comes to you for help. You can even use intimidation, although its use is very limited.

If someone calls needing to get a report to your boss and verbally bullies a staff member by threatening to make them lose their job, they might let something slip that could give access.

Is it ever possible to achieve total security in business without losing custom?

While no system is ever going to be totally secure, companies need to establish a balance between maintaining proper security and giving good customer service. You can’t shut yourself away and stay in business but, with the right tools, you can get an acceptable level of security.

It’s really a process of education. Think about how much money companies spend on IT hardware and software protection and compare that to the training budget for teaching staff how to deal with social engineers. It’s pounds to pennies.

Teach all the staff, not just the IT department, and you’ll get a much better return on investment than by buying another firewall.

What’s the single most important rule for anyone with access to company secrets who wants to avoid being the victim of social engineering?

To paraphrase Jefferson, the price of computer security is eternal vigilance. Always ask yourself what proof you have that the person at the other end of the phone is who they say they are.

If they’re legitimate they won’t mind you checking. If they’re not, you’ve just saved your company large amounts of time and money.

Is this the rationale behind the new consultancy?

Well I’ve bills to pay like anyone else so the consultancy seemed to be the best way to use my skills and help companies avoid being attacked by hackers and crackers.

By combining technical expertise with social engineering training you can offer a more complete security package.

You’re still under heavy restrictions until the end of your parole in 2003. How has this affected you, and what are your plans when the restrictions are lifted?

I was banned from touching mobile phones, computers or accessing the internet, which meant I couldn’t use my skills effectively to support myself.

My parole officer has since allowed me access to a laptop and mobile so that I could write my book, but the internet is still off limits. Once I’m free to travel again there’s a host of places I want to go, but CeBIT and COMDEX look very interesting.

  • The Kevin Mitnick website:
  • Defensive Thinking consultancy:
