Virtually everyone in technology knows about Kevin Mitnick, who in the 1970s, ‘80s and ‘90s was a notorious fugitive hacker on the run from the FBI.
(If you’re not familiar with the details of Mitnick’s exploits, I recommend his book, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.)
Most experts also know that he’s made his living since being released from prison as a security consultant. But did you know that he still hacks for a living?
Mitnick has always emphasized the importance of social engineering for hacking, an emphasis that’s lacking in most security advice. He also focuses on how to get through to a public that struggles to appreciate the risks.
So he gets through to his public by hacking them (with their permission). Corporate training can make the eyes glaze over. So Mitnick drives his points home by actually hacking his clients, then showing them how they could be easily victimized in the future by a malicious hacker.
Mitnick, the Chief Hacking Officer for a company called KnowBe4, is working on a new book called The Art of Invisibility, which will be a master class in securing one’s privacy against a world of hacks and exploits.
In the meantime, he’s got some easy tips for securing mobile devices.
I sat down with Mitnick at last week’s RSA conference in San Francisco, and he rattled off advice that everyone can use. (You can hear the full interview on my FATcast podcast, which will be posted on March 10.)
Mitnick specializes in making clients think about things they hadn’t thought of before. For example, some people seeking privacy might buy a “burner phone”—a phone purchased without a contract for privacy. But Mitnick points out that even buying a secure device can compromise your privacy, because the purchase itself can be traced back to you through the Uber you took or the car you rented to get there. (Transportation records can lead to the store, and the store’s records can identify the phone that was bought.)
At KnowBe4, Mitnick helps companies prevent and deal with the most pernicious and difficult hack, which is a phishing attack.
Phishing is a form of social engineering that involves tricking someone into believing an email or other message is coming from a trustworthy source—for example, an email that appears to come from PayPal or from someone claiming to be an executive in the company the victim works for. Once trust is gained, the target might open an application, download a file, reply with password or other information, or visit a website that delivers its own malicious payload.
Mitnick told me that “it’s much easier to hack a human than a computer because computers follow instructions, they don’t vary—humans go by emotion, by what’s happening in their day… so it’s not hard” to socially engineer someone—“especially if they haven’t been burned before.”
Mitnick says that “people are lazy,” and that’s a huge advantage for hackers. Even at the RSA conference, he can simply watch security experts attending the show unlock their phones and he can tell that they’re using the weaker four-digit unlock code for their phone, rather than a longer password. For starters, that’s one way to identify a target—anyone wanting to break into a phone will have a big advantage with a four-digit unlock code.
The best defense against phishing isn’t anti-virus or firewall software per se, but training, education and awareness.
You might expect that Mitnick would use one of the new secure phones, such as the Blackphone 2 or the Turing phone.
But Mitnick told me he uses a standard iPhone. It’s secure because of his choices and behaviors, he says, which seem to be more important than the equipment.
For example, he uses a long alphanumeric passcode (rather than the four-digit passcode most of us use). And if he thinks he might be ordered to unlock his phone (such as when he returns to the United States from traveling abroad), he reboots the phone so Touch ID stops working (only the passcode can unlock a phone immediately after a reboot). He pointed out that in the United States, “a court can force you to unlock your phone with your thumb, but they can’t force you to reveal your code.”
Mitnick prefers the iPhone because most mobile phone hack attacks go after Android phones. But he does say the iPhone is crackable and that no device is 100% secure.
Laptops and desktops
Mitnick told me how he secured his own mother’s computer by taking advantage of Apple’s code signing model for security.
He said his mother used to call him every week to fix her Windows PC because the machine was constantly getting infected. His mother would “fall hook, line and sinker… for social engineering attacks” and he had to re-install Windows every week.
So he bought her an iMac, installed an anti-virus utility, and then locked down the device.
In the “Security & Privacy” settings in OS X, there’s a “General” tab. At the bottom, there’s a setting labeled “Allow apps downloaded from” (this is Apple’s Gatekeeper feature). The default setting is: “Mac App Store and identified developers.” For his mother’s Mac, Mitnick changed that setting to “Mac App Store,” which means she can download and run only apps that Apple has reviewed and signed.
Mitnick points out that the default setting isn’t very secure because “it’s a hundred bucks to become a developer.”
“Just getting her a Mac and changing that setting” solved the problem of malicious downloads. He quickly noted that while that simple solution protected her against everyday phishing attacks, it wouldn’t protect her from the NSA or other more skilled, determined hackers.
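Before flipping a relative’s Mac to the strict “Mac App Store” setting, it helps to know which already-installed apps would stop launching. The script below is an added example, not from the article or from KnowBe4: it asks Gatekeeper’s command-line front end, spctl, how each app in /Applications is signed and reports what the strict policy would block. It assumes macOS with spctl available; the two parsing functions are pure shell so they run anywhere.

```shell
#!/bin/sh
# Added example: audit /Applications against the "Mac App Store" Gatekeeper setting.
# Assumes macOS (spctl). Policy names here are our own labels, not Apple's:
#   appstore   = "Mac App Store" (what Mitnick chose for his mother)
#   identified = "Mac App Store and identified developers" (the default)

# Given a policy and the "source=" value spctl reports for an app, print
# ALLOW or BLOCK and return 0/1 accordingly.
gatekeeper_verdict() {
    policy=$1
    source=$2
    case "$policy:$source" in
        # Apple's own apps and App Store apps pass under either setting
        *:"Apple System"|*:"Mac App Store")  echo ALLOW; return 0 ;;
        # "Developer ID" / "Notarized Developer ID" pass only under the default
        identified:*"Developer ID")          echo ALLOW; return 0 ;;
        # Unsigned, ad-hoc signed or otherwise rejected apps are blocked
        *)                                   echo BLOCK; return 1 ;;
    esac
}

# Pull the first "source=..." line out of `spctl --assess -v` output.
# (spctl writes that output to stderr, so audit_apps redirects 2>&1.)
parse_spctl_source() {
    sed -n 's/^source=//p' | head -n 1
}

# Walk /Applications and print: VERDICT <tab> signing source <tab> app path.
audit_apps() {
    policy=${1:-appstore}
    for app in /Applications/*.app; do
        src=$(spctl --assess --type execute -v "$app" 2>&1 | parse_spctl_source)
        printf '%s\t%s\t%s\n' "$(gatekeeper_verdict "$policy" "$src")" "$src" "$app"
    done
}

# Only run the live audit where spctl exists; pass "identified" to preview the default.
if command -v spctl >/dev/null 2>&1; then
    audit_apps "${1:-appstore}"
fi
```

Anything reported as BLOCK under "appstore" is software the user would have to replace with an App Store version (or do without) after the setting is changed.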
Thumbdrives and other attack vectors
Mitnick hacks as a kind of performance art in keynotes and talks at security conferences around the world. At CeBIT in Germany this year, for example, he performed several hacks, including a demonstration showing how simply plugging in a thumb drive could give a hacker total control of your machine, including the ability to activate and monitor the camera and microphone or launch any program. In the hack, the USB thumb drive tricks the laptop or PC into thinking it’s a keyboard rather than a storage device. That enables the hacker to inject keystrokes, which means he can do anything to your device that he could do by typing on your keyboard.
Mitnick demonstrates this hack because “people think USBs are safe now, because they turn off ‘auto-run.’” He wants the public to know that thumb drives are not safe.
The lay public also believes that PDFs are safe. So Mitnick demonstrates with visual tools how a hacker can use a PDF file to take control of a target machine.
Another hack he demonstrates involves a malicious hacker who can go to a coffee shop where there’s a public Wi-Fi router, and instruct the router to boot all the users off the network. When they reconnect, the hacker can then offer a fake Wi-Fi network with the same name. Once users connect, a malicious payload can be delivered.
Just knowing this information might change your behavior. I know it’s changing mine.
The bottom line is that you really, really don’t want to plug in a thumb drive or download a PDF file to your laptop, even if you feel comfortable about the source. (Social engineering exists to make you feel comfortable.) And you should avoid public Wi-Fi hotspots.
While people in the security community focus on the code side of hacking, Mitnick emphasizes the social engineering side, because that’s how hackers gain access.
In other words, security and privacy are not a set-it-and-forget-it process. Above all, it’s important to learn not only from security experts, who know the tools, but also from hackers, who know how to socially engineer their way into your phone or laptop.
Be smart. Be paranoid. And good luck.