This article doesn't seem to mention that penetration testing in general is a booming business, and there are many firms out there with the same success rate. Neither Mitnick nor his company are special in any way.
As someone who runs a security consultancy, I can agree. Strangely, the article seems to frame even Mitnick's admission that he's nothing special in a mysterious light:
> And here’s probably the most interesting fact: Mitnick and his constantly changing team of speciality hackers have a 100 percent success rate. That’s no legend. “It’s not even bragging,” he said. “It’s just a fact.”
Yes, me too. Same with almost every attack crew worth their salt. It's possible to be protected from known vulnerabilities and misconfigurations, and it's even possible to train your employees to never perform dangerous actions or disclose sensitive information... but it's very, very difficult.
The best defense, really, is just making your attack surface as small as possible.
We had a guest lecture from a visitor who worked for a penetration testing company. It was surprising how easy he described (in person) social engineering to gain access to privileged areas and information to be. I can imagine that's one of the hardest areas to defend, especially when some companies have so many potentially vulnerable members of staff.
When a pen-testing company has a contract in place with their client absolving them of any fault, it probably makes peoples confidence in carrying out social engineering (and not getting caught) much greater.
That makes total sense. I've read a few of Mitnick's "Art of" books and the l0pht story is really in line with that.
One technique that I found to be extremely useful, personally, is a "purposeful intellectual slowdown" with the express purpose of discovering just a couple personality traits that would lead to an exploitable route. As in, does this person like to laugh? Are they all business? It's a lot easier in person, but I've got tons of hours of phone practice through honest work that has honed the skill quite a bit. Once you find the "in" then it's easier to ramp-up the goal pursuit!
Usually, you will not get completely indemnified financially. Legally, though, yes. Having a green card to do physical testing is a lot of fun. Some of the time the police do get called or whatever, I have stories. But, the short version is.... nothing happens. You have contacts high up at the company. You have a contract. It spells out you will be doing these things. You usually get paid some amount up front. It's enough to not worry about it very much and just do your job.
I've always been curious how one applies as a social engineer or hybrid SE and tech guy for a security consultancy. It seems like something that I'd really enjoy doing (having never done it and also not having particular great people skills). I don't know how the business works at all but I'd love to be a plant at some company (or a fake customer) to test their security from the inside.
It's not something you can easily learn on your own (I'd guess).
Since I worked in ERP I'd also be pretty interested in security testing business software. I can see a myriad of issues both technically but also on a human and for lack of a better word "process exploitation" level.
If anyone has suggestions on writing a job application without any actual security testing skills I'd be interested in hearing them. Basically all I can think of is "I know some technology and can program, I have some business background (specifically ERP), I think I'm a quick learner and I'd probably work for very little assuming increased salary as I get more valuable"...sounds like something I'd instantly put in the trash if it hit my desk though :P
On the other hand though, I've had something like 10+ customer service jobs, along with formal education, a tried-and-true love of technology...and a deviant / mischevious streak wider than the Gulf of Mexico. Oh, also acting lessons...People are kind of my specialty...
To me, working customer service is very much a social engineering training ground. How? Little to no actual authority, frequently hostile / challenging engagements, and limited tools and techniques by which a solution or conclusion can be reached. There's a significant advantage to out-thinking one or more customers, staying just ahead of them thought process wise, which seems to align with turning the coin around.
One of the other things I learned through both customer service and in my white collar career(s) is how to dress for success. Self-presentation is one of the most important parts to get people to let down their defenses. Technicians look tech-y, consultants look business-y, security people project a certain firmness...well, anyway, that's been my experience as both service provider and dealing with people in power. I've always used my learned perspectives for good.
At the end of the day, it's absolutely amazing the results that one can get with a pleasant, persistent attitude, good appearance, and some patience.
This article is interesting. He isn't world famous because of his skill, he was world famous because he was caught. Being famous does not make you a good hacker, the best hackers will never be known.
I would be surprised if any pen testing group didn't have a 100% success rate. When you hire a pen tester or contract it out, the amount of information you get is absurd (but prioritized by severity).
Has a pen tester ever found a system that didn't have a vulnerability?
A lot of people don't know the history around him because it happened years ago. If you were following him at the time or if you've read his "ghost in the wires" book you'd see why he he's rightfully famous.
I just worded this incorrectly. I'm sure Kevin is skilled. Being famous for hacking doesn't mean you are a skilled hacker. This is the way the article was phrased. Then they went on to say pen testing and have 100% finding vulnerabilities makes you good. Again, another false point. Thanks for your view of the article though, I'm always curious on other peoples views :)
> He isn't world famous because of his skill, he was world famous because he was caught.
You're wrong. He's famous for a number of reasons, including a penchant for notoriety and the spotlight, but he was also a prolific pioneer of social engineering since before there was a term for it. He is/was amongst the best of the best of known social engineers.
I'd argue that social engineering is the most important skill for a hacker. And when he was "operational", he wasn't a "known", which leads me to...
> Being famous does not make you a good hacker, the best hackers will never be known.
This line may or may not be true, but it's tiring and obvious at this point.
“The most effective way to carry out an attack is to get the client — a person — to do something stupid,” he said."
I created a startup and a significant patented technology in the multifactor authentication space (now owned by Equifax). The main goal at the time of its creation wasn't to prevent dangerously stupid/naive human actions - that turned out to be impossible - but rather to nullify the potential consequences of them. As engineers we have a responsibility to design systems in ways that minimize the effects of human error.
It seems that Kevin has made a career out of pointing out systems that don't embrace this design principle. I suspect he will be very busy for a long time.
You're obviously anti-patent, but the answer to your question is that I was trying to build a business. If you ever sit down with potential investors or acquirers, two of the most common questions you will hear are these: "What barriers to entry are there for your competitors?" and "What assets do you have?". A patent is both of these things.
Whatever your feelings on the subject, as the system stands today, patents are valuable and necessary for many technology businesses. Google, Apple, Samsung, etc. all have thousands of patents.
Can't comment for anyone else, but for me at least the iffiness is not the concept but the execution.
Current patent durations may be fine for its original purpose, mechanical and chemical processes, as there is likely to have been significant expense involved.
But software is a massive gray area, even if one ignore the whole problem of it being pretty much lawyers into place (code as a form of applied math etc). 20 years is a damn long time in the computing world.
Never mind the whole issue of software being the only area where you can both patent the idea and copyright the specific implementation.
Heck, i think Bill Gates pretty much admitted that it would be virtually impossible to start Microsoft today because of the change in patent law.
Never mind patenting in medicine, where often the production process is downright cheap but the medicine is expensive because of patent licensing. Resulting in various nations pretty much giving pharmacorps the middle finger and allowing local companies to violate the patent to solve immediate national health issues.
I don't think the question asked makes the asker anti-patent.
In your comment, you wrote: As engineers we have a responsibility to design systems in ways that minimize the effects of human error.
That's more than a little didactic and preachy. It looks to me like you're trying to tell everyone that they have a moral duty to design systems in particular ways. That's well and good, another design principle for all of us to observe. But you also write that you got a patent on an idea or method of how to actually implement that design principle. It makes it seem like you've got a profit motive for prescribing the design principle: you've got a patent on the way to implement that principle. We've got a moral obligation to implement that principle, hence we should pay you (or your assignee) for the idea.
The question isn't anti-patent, it just gets at the motive for prescribing such a design principle.
I would also add that "If the other guy has patents, it helps to have a few of your own." Eventually the system will be fixed, but we're not there yet.
Doing social engineering / penetration testing for a living sounds like a great gig. I've been day dreaming about working for or starting a company like that. Didn't realize it was a booming industry for companies that also do physical penetration which is normally going to be the weakest link.
Depends on your definition of "great". If you are really good at it there are a lot of things that might give you prolonged periods of stress. I'd pick a comparatively more boring career any time.
Things that can happen:
- you manage to break some stuff during pen test that nobody expects and learn things that make you become a liability for that company
- you might learn some things about company whose stock price can drasticaly change and you will need to answer questions to SEC (or a similar institiution)
- if you are really good, it's quite possible that government agencies will try to recruit you, and if you say YES, it's a one way street.
- you may learn some things about world you wish you never learned about, and you wouldn't be able to watch the world with the same eyes ever again - even if you wish you could
It really isn't a one way street. People of people come from TLA and go on to work in the private industry as information security consultants. I have many friends that have taken this path.
I have been doing this for 8 years. I have found plenty of things like that and none of those scenarios have come up.
I have compromised very large organizations as deeply as you can imagine, easily covering things that would permit insider trading etc. The truth is we operate at the highest levels of discretion and it just isn't an issue.
The SEC is very far from my radar, and, like anyone else with privileged knowledge about things a company might due that would impact their stock price, you just don't act on it. It really isn't hard to avoid.
Government agencies will not beat down your door, but they will definitely hire you if you have the right skills. It isn't a one way street, though you can encumber yourself. (For reference, look at famous guys like Charlie Miller, who came from the NSA).
You don't learn one thing about the world. You learn how brittle software is and how terribly insecure most things are. And along the way, if you let it, this can make you a bit cynical. Breaking software becomes like breaking a child's toy in many cases. It is still a lot of fun to break things.
I run a small information security consulting shop. I went from full time software developer to information security consultant about 8 years ago and I have not looked back. Consulting in particular is very challenging, and fun.
We don't focus as much on physical penetration testing, but if it has bits, we will assess it and break it.
Good software developers make the best information security consultants.
I have conducted a couple of physical pen tests. It is a mixed bag. It is more liberating in some ways than banging bits, but it is also a little more boring for me. It is almost too easy once you get down to it, there isn't a lot of challenge in it like banging bits with big rocks :)
(We are also, almost always, interviewing people for jobs as consultants, if you are really interested).
I really enjoyed Ghost in the Wires (basically Mitnick's bio). I had first read Takedown by Tsutomo Shimomura which told of Mitnick's pursuit by the guy who ended up help to catch him. "Wires" was the other side - what Mitnick did when he was on the run - and his side of how he was finally caught. Really interesting stuff. It was like the Rashomon effect[1].
Kevin's side of the story has been told by him, by Littman in 'The Fugitive Game' and by Eric Corley. Any reasonably broad-minded person who wants to see the law deal evenhandedly with the accused can find places in these accounts to sympathize with Kevin.
'Takedown' is AFAICT the extent of what TS wants to say about the matter. We can presume he comes off in it the way he wanted to come off.
Though I do wonder about the tone of the book, and if John Markoff had more than a little influence on how the story was told, and what details were kept in or left out, and how the persons at the focus of the true-crime narrative being presented were portrayed.
I felt while reading Takedown that maybe, for some reason, there were details being elided that readers interested in a careful piece of investigative journalism might appreciate-especially if they had a deeper understanding of the technology than the mass NYT audience. Maybe someday someone will take that up.
More well-known to whom? Most non-technical people I know have never heard of Linus Torvalds, or Linux. Kevin Mitnick is a name that has been in the media in much more prominent positions. As far as the "hacking" vs "cracking" debate, that fight has been lost for many years.
Honestly, without Kevin Mitnick and the like, I wouldn't be a computer scientist nor a specialist in computer security. He (and other hackers covered by the media of the '90s) brought awareness to the common American of this field right when I was at an impressionable age.
"In 1999, Mitnick pleaded guilty to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication,...
He was sentenced to 46 months in prison plus 22 months for violating the terms of his 1989 supervised release sentence for computer fraud."
I would have SERIOUS trust issues with a company run by a convicted hacker.
Once upon a time, it was difficult or impossible to attain certain skills without committing acts which might have been ambiguous then, but are now clearly "breaking the law".
It's all different today, but Mitnick is old school.
The rest of the security company founders who were active in that era but do not have felony records...by and large, they just didn't get caught.
Which sounds like it might be a reasonable criterion for judging skill, but the scene was so tight and inbred back then that getting caught often had more to do with who your friends (or enemies) were, than with your own skills.
“I still had access to their network so I left a copy of the report on his PC’s desktop,” Mitnick said. “It was more secure to do it that way than email it. He thought that was a nice touch.”
60 comments
[ 2.0 ms ] story [ 136 ms ] thread> And here’s probably the most interesting fact: Mitnick and his constantly changing team of speciality hackers have a 100 percent success rate. That’s no legend. “It’s not even bragging,” he said. “It’s just a fact.”
Yes, me too. Same with almost every attack crew worth their salt. It's possible to be protected from known vulnerabilities and misconfigurations, and it's even possible to train your employees to never perform dangerous actions or disclose sensitive information... but it's very, very difficult.
The best defense, really, is just making your attack surface as small as possible.
One technique that I found to be extremely useful, personally, is a "purposeful intellectual slowdown" with the express purpose of discovering just a couple personality traits that would lead to an exploitable route. As in, does this person like to laugh? Are they all business? It's a lot easier in person, but I've got tons of hours of phone practice through honest work that has honed the skill quite a bit. Once you find the "in" then it's easier to ramp-up the goal pursuit!
It's not something you can easily learn on your own (I'd guess).
Since I worked in ERP I'd also be pretty interested in security testing business software. I can see a myriad of issues both technically but also on a human and for lack of a better word "process exploitation" level.
If anyone has suggestions on writing a job application without any actual security testing skills I'd be interested in hearing them. Basically all I can think of is "I know some technology and can program, I have some business background (specifically ERP), I think I'm a quick learner and I'd probably work for very little assuming increased salary as I get more valuable"...sounds like something I'd instantly put in the trash if it hit my desk though :P
On the other hand though, I've had something like 10+ customer service jobs, along with formal education, a tried-and-true love of technology...and a deviant / mischevious streak wider than the Gulf of Mexico. Oh, also acting lessons...People are kind of my specialty...
To me, working customer service is very much a social engineering training ground. How? Little to no actual authority, frequently hostile / challenging engagements, and limited tools and techniques by which a solution or conclusion can be reached. There's a significant advantage to out-thinking one or more customers, staying just ahead of them thought process wise, which seems to align with turning the coin around.
One of the other things I learned through both customer service and in my white collar career(s) is how to dress for success. Self-presentation is one of the most important parts to get people to let down their defenses. Technicians look tech-y, consultants look business-y, security people project a certain firmness...well, anyway, that's been my experience as both service provider and dealing with people in power. I've always used my learned perspectives for good.
At the end of the day, it's absolutely amazing the results that one can get with a pleasant, persistent attitude, good appearance, and some patience.
I would be surprised if any pen testing group didn't have a 100% success rate. When you hire a pen tester or contract it out, the amount of information you get is absurd (but prioritized by severity).
Has a pen tester ever found a system that didn't have a vulnerability?
He became famous when he was on the run from the FBI for a few years. This was one of my favorite stories: http://news.softpedia.com/news/Watch-Kevin-Mitnick-Explainin...
A lot of people don't know the history around him because it happened years ago. If you were following him at the time or if you've read his "ghost in the wires" book you'd see why he he's rightfully famous.
You're wrong. He's famous for a number of reasons, including a penchant for notoriety and the spotlight, but he was also a prolific pioneer of social engineering since before there was a term for it. He is/was amongst the best of the best of known social engineers.
I'd argue that social engineering is the most important skill for a hacker. And when he was "operational", he wasn't a "known", which leads me to...
> Being famous does not make you a good hacker, the best hackers will never be known.
This line may or may not be true, but it's tiring and obvious at this point.
After reading the interesting article, I commend him for the creativity and sheer audacity of his social and sometimes-technical exploits.
He is, obviously, a very smart and talented individual...my hat's off to him for not allowing a prison stint to wreck a very lucrative career.
That was perhaps his best hack of all.
[edits]
I created a startup and a significant patented technology in the multifactor authentication space (now owned by Equifax). The main goal at the time of its creation wasn't to prevent dangerously stupid/naive human actions - that turned out to be impossible - but rather to nullify the potential consequences of them. As engineers we have a responsibility to design systems in ways that minimize the effects of human error.
It seems that Kevin has made a career out of pointing out systems that don't embrace this design principle. I suspect he will be very busy for a long time.
Whatever your feelings on the subject, as the system stands today, patents are valuable and necessary for many technology businesses. Google, Apple, Samsung, etc. all have thousands of patents.
Current patent durations may be fine for its original purpose, mechanical and chemical processes, as there is likely to have been significant expense involved.
But software is a massive gray area, even if one ignore the whole problem of it being pretty much lawyers into place (code as a form of applied math etc). 20 years is a damn long time in the computing world.
Never mind the whole issue of software being the only area where you can both patent the idea and copyright the specific implementation.
Heck, i think Bill Gates pretty much admitted that it would be virtually impossible to start Microsoft today because of the change in patent law.
Never mind patenting in medicine, where often the production process is downright cheap but the medicine is expensive because of patent licensing. Resulting in various nations pretty much giving pharmacorps the middle finger and allowing local companies to violate the patent to solve immediate national health issues.
In your comment, you wrote: As engineers we have a responsibility to design systems in ways that minimize the effects of human error.
That's more than a little didactic and preachy. It looks to me like you're trying to tell everyone that they have a moral duty to design systems in particular ways. That's well and good, another design principle for all of us to observe. But you also write that you got a patent on an idea or method of how to actually implement that design principle. It makes it seem like you've got a profit motive for prescribing the design principle: you've got a patent on the way to implement that principle. We've got a moral obligation to implement that principle, hence we should pay you (or your assignee) for the idea.
The question isn't anti-patent, it just gets at the motive for prescribing such a design principle.
Things that can happen:
- you manage to break some stuff during pen test that nobody expects and learn things that make you become a liability for that company
- you might learn some things about company whose stock price can drasticaly change and you will need to answer questions to SEC (or a similar institiution)
- if you are really good, it's quite possible that government agencies will try to recruit you, and if you say YES, it's a one way street.
- you may learn some things about world you wish you never learned about, and you wouldn't be able to watch the world with the same eyes ever again - even if you wish you could
This is the most terrifying item on your list. Saying no, however, is generally the best way to avoid such a one-way street ;)
When a TLA offers you a job, or a contract, you can decline. There are no hard feelings.
I have compromised very large organizations as deeply as you can imagine, easily covering things that would permit insider trading etc. The truth is we operate at the highest levels of discretion and it just isn't an issue.
The SEC is very far from my radar, and, like anyone else with privileged knowledge about things a company might due that would impact their stock price, you just don't act on it. It really isn't hard to avoid.
Government agencies will not beat down your door, but they will definitely hire you if you have the right skills. It isn't a one way street, though you can encumber yourself. (For reference, look at famous guys like Charlie Miller, who came from the NSA).
You don't learn one thing about the world. You learn how brittle software is and how terribly insecure most things are. And along the way, if you let it, this can make you a bit cynical. Breaking software becomes like breaking a child's toy in many cases. It is still a lot of fun to break things.
We don't focus as much on physical penetration testing, but if it has bits, we will assess it and break it.
Good software developers make the best information security consultants.
I have conducted a couple of physical pen tests. It is a mixed bag. It is more liberating in some ways than banging bits, but it is also a little more boring for me. It is almost too easy once you get down to it, there isn't a lot of challenge in it like banging bits with big rocks :)
(We are also, almost always, interviewing people for jobs as consultants, if you are really interested).
http://www.amazon.com/Ghost-Wires-Adventures-Worlds-Wanted/d...
http://www.amazon.com/Takedown-Pursuit-Capture-Americas-Comp...
[1] http://en.wikipedia.org/wiki/Rashomon_effect
Why?
'Takedown' is AFAICT the extent of what TS wants to say about the matter. We can presume he comes off in it the way he wanted to come off.
Though I do wonder about the tone of the book, and if John Markoff had more than a little influence on how the story was told, and what details were kept in or left out, and how the persons at the focus of the true-crime narrative being presented were portrayed.
I felt while reading Takedown that maybe, for some reason, there were details being elided that readers interested in a careful piece of investigative journalism might appreciate-especially if they had a deeper understanding of the technology than the mass NYT audience. Maybe someday someone will take that up.
Linus Torvalds is a more well-known hacker, for instance.
Hacking is not only about criminal social engineering practices. Mostly, it's not about that.
2. pay him a large sum to test your flawed security
3. ???
4. CTO get's a huge bonus for impenetrable security. 90's celebrity get's a fat check (with his name on it, for a change)
"In 1999, Mitnick pleaded guilty to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication,...
He was sentenced to 46 months in prison plus 22 months for violating the terms of his 1989 supervised release sentence for computer fraud."
I would have SERIOUS trust issues with a company run by a convicted hacker.
It's all different today, but Mitnick is old school.
The rest of the security company founders who were active in that era but do not have felony records...by and large, they just didn't get caught.
Which sounds like it might be a reasonable criterion for judging skill, but the scene was so tight and inbred back then that getting caught often had more to do with who your friends (or enemies) were, than with your own skills.
And that, folks, is what we call class.