Cybersecurity advice from the Houdini of hackers: An interview with Kevin Mitnick
Kevin Mitnick’s adventures as the world’s most wanted hacker are notorious.
Intellectual curiosity and a love of trickery propelled him from dumpster diving for bus transfer slips at the age of 12, to taking over a McDonald’s Drive-Thru speaker with a radio at 16 (his favorite hack), to successfully wiretapping the NSA at 17.
His desire to “learn everything” extended the electronic joyride into his 20s. After a brief stint in prison for breaking into the network of Digital Equipment Corporation (DEC), he hacked into Pacific Bell and spent two and a half years on the run, using Harry Houdini’s real name — Eric Weiss — as an alias.
The FBI finally caught up with him in February 1995, after a frenetic game of cat and mouse that ended with a box of donuts. He spent five years in prison, including over a year in solitary confinement after prosecutors convinced a judge he had the ability to “whistle into a telephone and launch a nuclear missile from NORAD.”
On the straight and narrow
Mitnick regrets his past misdeeds. Since 2000, he’s been getting his endorphin rush by hacking with the approval of the companies he targets. He is a public speaker, author, and CEO of his own security consultancy. His clients include Fortune 500 companies and — perhaps not surprisingly — the FBI and the NSA. He is also the Chief Hacking Officer and part owner of security awareness training provider KnowBe4.
In an experience best described as one part comedy, two parts security education, and all parts entertainment, we met with the amiable expert to gather his thoughts on social engineering, security awareness, and insider threats.
There are always spikes in social engineering campaigns around major events like the pandemic, and remote work has led to increased risk. What are the top techniques you’ve seen malicious actors using since the crisis began?
Anything to do with COVID. There was a phishing attack that used a Google Doc when President Trump tested positive for the virus. They tried to get people to click on a malicious link by offering more details about his health.
Whenever there’s a natural disaster or other major event, we see this same type of behavior as a way to gain compliance.
The FBI recently warned that cybercriminals have been working together on vishing campaigns targeting employees at large firms. In your experience, is this a particularly successful technique?
Yes. The most successful social engineering attacks start with pretext phone calls; emails are secondary. The reason is that the threat actor who calls, for example, someone’s cell phone in a work-at-home environment gets some instant credibility, because they have that person’s phone number.
Think of what happened with Twitter: A teenager from Tampa called Twitter employees working at home and said he was with IT, and he was working on a VPN issue. It made sense; it was during business hours when people are home and using VPN. I’m sure Twitter had to expand their VPN connectivity in the wake of COVID for remote work, and that probably created issues.
This kid took advantage of that. He was able to get the person on the other end of the line to go to a different URL — supposedly to log into the VPN — and the user gave up their credentials. This is the power of pretext phone calls. If the attacker is comfortable lying to people on the phone and has a good story, it’s probably going to work. And knowing the lingo and terminology used within the organization creates trust. Knowing who to call, what that person does, etc.
And if they use a hybrid attack that combines email and phone pretexting, that’s extremely powerful.
It’s a common understanding that relying on technology alone isn’t an effective security strategy for organizations. How important is security awareness training to countering the tactics, techniques, and procedures being used by threat groups?
Let’s rewind to Y2K. After I was released from prison, I was sent an invitation from Senators Fred Thompson and Joe Lieberman to testify about how the federal government could better protect computer systems from adversaries. During my testimony, I focused on social engineering. I advised Congress that the methods that would most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Because even with oversight, policies and procedures may not be effective. My access to many of the organizations I targeted depended upon the willingness of people to bypass policies and procedures that had been in place for years before I compromised them successfully.
I go on to say later in my recommendations that employee training to recognize sophisticated social engineering attacks is of paramount importance, and I stand by that today. It hasn’t changed in the last 20 years; what’s changed are the ruses used by attackers.
There’s been some debate about conducting simulated phishing attacks on staff as part of an awareness program. Some don’t think it’s an effective way of promoting good behaviors, and a couple of organizations recently made headlines for using emails promising bonuses as lures. What are your thoughts on testing?
It is absolutely critical to train employees, but you have to do it smart. Each company should advise new hires and existing employees that we do testing from time to time, but you shouldn’t feel we’re trying to deceive you; we’re trying to help you build better security hygiene and secure the business.
You need to make people inside the organization comfortable that through the testing, they’re not being singled out or made fun of. You need to educate staff that we do this to better our controls.
It reminds me of a story that has nothing to do with training: I was doing a security test of this company and was given permission to compromise anything I could to get their keys to the kingdom. I was able to use tunneling to connect to an employee’s MacBook Pro, which was sitting in his home on a Sunday. I waited until 10 p.m. and logged into his machine. I was dumping his browser credentials, and he happened to be in the room. He was absolutely livid! He went to HR and the CTO; the CTO pointed out that he’d been the one to hire me to do this, and the company owned the laptop.
Even so, the guy was really angry. You can alleviate this situation by being up front and explaining to them that we do this testing from time to time to strengthen our security controls; it’s not to harm or embarrass you. Get buy-in before you do the testing, or they may be very resistant or upset about it.
That story seems to validate the need for penetration testing as a good way to find weaknesses.
Absolutely. I know I’m biased, but it’s a great way to simulate an adversary and find weaknesses in your security controls, so you can compensate those controls. I believe 100% that companies should undergo this testing. Otherwise, you’re never going to know if you’re going to be compromised.
We’ve talked about training users and guarding against mistakes made by well-meaning employees. What’s the best defense against malicious insiders?
Malicious insider threats are tough. What you really need is to implement good access and authentication controls. Another area that companies should focus on is threat hunting. Having a team — or outsourcing it to a qualified professional team — to look for threats in the network and identify malicious implants, if you will, and unauthorized exfiltration of data so it can be detected on the inside is important.
Because external controls aren’t going to be effective against a true insider. Case in point: In August, a serious vulnerability in the cryptography of Microsoft’s Netlogon process was published, called Zerologon. When the developer was working on cryptographic code, he set the initialization vector to all zeros instead of using random numbers. That created a situation that enabled attacks on Microsoft Active Directory domain controllers. A threat actor could use a pass-the-hash attack to change the passwords and access all IT resources.
It’s something a disgruntled insider could easily take advantage of. The only way you’re going to catch that attack is by looking for certain characteristics in the event logs that are fed into a SIEM, and you need talented threat hunters to detect that malicious activity.
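The answer above says the attack is caught by looking for certain characteristics in event logs fed into a SIEM. The following is an added example, not code from the interview, from KnowBe4 or from any SIEM vendor, showing what such a rule looks like in Python. It encodes two published Zerologon indicators: a Security event 4742 (computer account changed) in which ANONYMOUS LOGON resets a machine account’s password, and the Netlogon System events 5827 to 5831 that Microsoft’s August 2020 update added to report vulnerable secure-channel connections. The event records are constructed and simplified (field names follow the Windows event data fields, but nothing here is real telemetry), and the `KNOWN_DC_ACCOUNTS` set is an assumption about the environment.

```python
"""Toy SIEM rule for Zerologon (CVE-2020-1472) indicators.

Added example, not code from the interview or from any vendor. The event
records are constructed; field names mirror Windows Security / System event
data fields, but no real telemetry is used.
"""

# Assumption: the domain controller machine accounts in this environment.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Netlogon event IDs added by the August 2020 update (KB4557222):
# 5827/5828 = vulnerable secure-channel connection denied (machine / trust account)
# 5829      = vulnerable connection allowed (enforcement mode not yet on)
# 5830/5831 = vulnerable connection allowed by an explicit group policy exception
NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED = {5829, 5830, 5831}


def classify(event):
    """Return (severity, reason) if the record matches a Zerologon indicator, else None."""
    eid = event.get("EventID")
    if eid == 4742:
        # 4742 = "A computer account was changed". Routine password rotation is
        # done by the computer itself (SubjectUserName == TargetUserName). The
        # published exploit forges authentication with an all-zero client
        # credential and then resets the DC's own machine-account password, so
        # the subject shows up as ANONYMOUS LOGON and PasswordLastSet changes.
        subject = event.get("SubjectUserName", "")
        target = event.get("TargetUserName", "")
        password_changed = event.get("PasswordLastSet", "-") != "-"
        if subject.upper() == "ANONYMOUS LOGON" and target.endswith("$") and password_changed:
            severity = "critical" if target in KNOWN_DC_ACCOUNTS else "high"
            return severity, f"4742: ANONYMOUS LOGON reset machine-account password of {target}"
    elif eid in NETLOGON_DENIED:
        return "medium", f"{eid}: DC refused a vulnerable Netlogon channel from {event.get('MachineName')}"
    elif eid in NETLOGON_ALLOWED:
        return "high", f"{eid}: DC still allows a vulnerable Netlogon channel from {event.get('MachineName')}"
    return None


def detect_zerologon(events):
    """Run classify() over a stream of records and return the findings in order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            severity, reason = hit
            findings.append({"computer": ev.get("Computer"), "event_id": ev.get("EventID"),
                             "severity": severity, "reason": reason})
    return findings


# Constructed sample log (not real events).
SAMPLE_EVENTS = [
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "DC01$",
     "TargetUserName": "DC01$", "PasswordLastSet": "10/04/2020 09:12:03"},       # routine rotation
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "10/04/2020 22:07:41"},       # exploit footprint on a DC
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "WS17$", "PasswordLastSet": "-"},                          # attribute edit, no password change
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "WS17$", "PasswordLastSet": "10/04/2020 22:09:10"},       # same pattern on a workstation
    {"EventID": 5829, "Computer": "DC01.corp.example", "MachineName": "FILE02"},  # vulnerable channel still allowed
    {"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe"},  # unrelated logon
]

if __name__ == "__main__":
    for f in detect_zerologon(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper():8}] {f['computer']}: {f['reason']}")
```

Run against the constructed sample, the rule raises three findings: the anonymous password reset of the DC account (critical), the same pattern against a workstation account (high), and the 5829 report that a member server still negotiates a vulnerable channel. The benign self-rotation, the 4742 with no password change, and the ordinary logon are ignored. A production rule would also want the event’s timestamp and the PasswordLastSet value to correlate the reset with the DCSync or secrets dump that usually follows it.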
Budgetary concerns may lead 2021 to be the year of trying to secure “more with less” for a lot of companies. Do you have any other recommendations as far as key cybersecurity focus areas?
Employees need to be trained, regardless of 2021 budget constraints. The risk of getting hit with a business email compromise (BEC) attack and losing millions makes it worth it. But you also need technical controls like logging/SIEM, and a decent endpoint detection and response (EDR) platform. You need to put solutions to the test to find the right one.
Another area of focus should be password management. We need to do a lot to help people choose and manage passwords better. It’s a good idea to have a company policy that doesn’t allow passwords to be stored in browsers, and use something like LastPass instead. Use an enterprise-wide solution.
That’s a great transition to our last question: Where do you stand in the debate between complex passwords vs. passphrases?
I had a big debate about this with a colleague of mine — a great guy named Roger Grimes — who’s written a lot of books on information security. He was taking the original NIST position on eight-character, random passwords and I said, ‘That’s ridiculous!’ With my GPU cracker, I can crack any eight-character password, no matter how many symbols you use or how random you try to make it, inside of a day. I get more than a trillion tries a second.
I vigorously recommend using passphrases or pass-sentences. You only have to remember the sentence; you don’t have to remember gibberish. You should have a master password containing a passphrase or sentence and use a password manager for everything else so you don’t have to deal with it.
And where do I think this is going to go? Toward a no-password world where companies adopt technologies like Trusona, which is basically a way to authenticate using your mobile device and driver’s license. You’re reading a QR code and authenticating, and then using a barcode on the back of your license. In that case, there’s no password for anyone to steal. In the future, we’re going to see companies moving away from passwords.
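The arithmetic behind the eight-character versus passphrase debate above, as an added example that is not part of the interview. It uses the trillion-guesses-per-second rate quoted for the GPU cracker; the 7,776-word dictionary size is the standard Diceware list size, and the 1e5 guesses-per-second figure for a deliberately slow password hash is an illustrative assumption, not a benchmark.

```python
"""Time-to-exhaust estimates for random passwords vs. word-based passphrases.

Added example, not from the interview. Inputs:
  - 1e12 guesses/s: the GPU rate quoted in the interview (fast unsalted hash)
  - 1e5 guesses/s : an assumed rate against a slow KDF (bcrypt/scrypt/Argon2 class)
  - 7,776 words   : the size of a standard Diceware word list
"""
import math

FAST_HASH_RATE = 1e12   # guesses per second, as quoted
SLOW_HASH_RATE = 1e5    # assumed, for comparison only
DICEWARE_WORDS = 7776

CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed case": 52,
    "alphanumeric": 62,
    "printable ASCII": 95,
}


def keyspace_random(length, alphabet_size):
    """Number of candidates for a uniformly random string of the given length."""
    return alphabet_size ** length


def keyspace_passphrase(word_count, dictionary_size=DICEWARE_WORDS):
    """Candidates when the attacker knows the word list and the word count."""
    return dictionary_size ** word_count


def entropy_bits(keyspace):
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, rate=FAST_HASH_RATE):
    """Worst case for the attacker; on average the hit lands at half this."""
    return keyspace / rate


def human(seconds):
    """Render a duration with one decimal in the largest unit that fits."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_table(rate=FAST_HASH_RATE):
    """Rows of (label, bits, seconds) comparing several password policies at one rate."""
    rows = []
    for label, size in CHARSETS.items():
        ks = keyspace_random(8, size)
        rows.append((f"8 random chars, {label}", entropy_bits(ks), seconds_to_exhaust(ks, rate)))
    for words in (4, 5, 6, 7):
        ks = keyspace_passphrase(words)
        rows.append((f"{words}-word Diceware passphrase", entropy_bits(ks), seconds_to_exhaust(ks, rate)))
    return rows


if __name__ == "__main__":
    for rate, label in ((FAST_HASH_RATE, "fast unsalted hash (quoted rate)"),
                        (SLOW_HASH_RATE, "slow KDF (assumed rate)")):
        print(f"\n{label}: {rate:.0e} guesses/s")
        for name, bits, secs in crack_table(rate):
            print(f"  {name:32} {bits:5.1f} bits  {human(secs)}")
```

At the quoted rate, all 95^8 printable-ASCII passwords fall in under two hours, which is the point made above. The table also shows the caveat: a 4-word passphrase drawn from a known list is no larger a search than an 8-character random password, so the benefit of passphrases comes from word count, and they pull clearly ahead at six words and beyond. Independently of policy, a slow password hash cuts the attacker’s rate by many orders of magnitude, which is why how the passwords are stored matters as much as how they are chosen.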
Hacker knows best
Threat actors are constantly conjuring up new ways to breach our defenses, exploiting both technical and human vulnerabilities. Whether you consider him famous or infamous, Kevin Mitnick is a master hacker.
His advice to bolster security awareness, penetration testing, threat hunting capabilities, technical controls, and password management should be carefully considered as we face down the cyber threats of 2021.
To learn more about implementing these cybersecurity solutions and strategies, contact your SHI account executive.
Anne Grahn contributed to this post.