March 8, 2006
Famed ‘Computer Terrorist’ Teaches Anti-Hacking
By Rebecca Harrison
JOHANNESBURG -- He can find George Bush senior's social security number and Leonardo DiCaprio's mother's maiden name in under 15 seconds, and led the FBI on a three-year manhunt as he hacked his way into the world's biggest firms.
"Computer terrorist" Kevin Mitnick is one of the world's most famous computer hackers and became a cause celebre after breaking into networks and stealing software at companies including Sun Microsystems and Motorola.
Now Mitnick, from the United States, travels the world teaching companies how to guard against people just like him.
He argues that while sophisticated technology can help keep networks clean from viruses, it is useless if hackers can con a company's employees into handing over passwords by posing, for example, as colleagues.
"Hackers find the hole in the human firewall," Mitnick told an information technology security conference on Wednesday in Johannesburg, South Africa. "What's the biggest hole? It's the illusion of invulnerability."
"Social engineering" -- as hackers call tricking people -- formed the main thrust of his career, in which he penetrated some of the world's most sophisticated systems often by persuading unwitting staff to hand over top-secret information.
Mitnick, now in his early 40s, started hacking phone systems in his teens before moving on to computers, but says he never stole money or caused deliberate damage and hacked just for the thrill of it.
The hobby earned him a place on the FBI's most wanted list and an almost five-year stint in U.S. jail in the 1990s.
On his release he was initially banned from surfing the Web, and has since written two books about hacking and started an IT security consulting firm.
Now the companies he once stole secrets from pay him to hack into their systems and show them how to improve security.
Mitnick said hackers conduct meticulous research into companies and their staff, even swotting up on the hobbies of target employees to better win their trust.
And firms underestimate how easily hackers can get hold of personal information -- like driver's license numbers, social security numbers and mothers' maiden names -- which are often used by banks or other companies to screen customers.
To prove it at the conference, he found former U.S. President George Bush's social security number, driver's license number and the maiden name of Hollywood actor DiCaprio's mother within 15 seconds.
"The problem is that it is a good human quality to give people the benefit of the doubt, and unless you've been burned, or you're paranoid, then you will probably trust them," he said.
Companies must guard against smooth-talking hackers by making their staff aware of the risks, developing simple company policies on data protection, and getting the best technology, which will at least "raise the bar" for hackers.
"It's not about being paranoid, but it's about being very aware, and very alert," he said.