Tips from a super hacker
Mike Elgan asks the world’s most famous hacker, Kevin Mitnick, how to secure a smartphone and laptop. Here’s his advice
Virtually everyone in the technology world knows about Kevin Mitnick, who in the 1970s, 80s and 90s was a notorious fugitive hacker on the run from the FBI. If you’re unfamiliar with the details of his exploits, read his book, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker. Since being released from prison, he’s worked as a security consultant, making his living from explaining the risks of hacking.
Mitnick has always emphasised the importance of social engineering in hacking, an emphasis that’s lacking in most security advice. He also focuses on how to get through to a public that struggles to appreciate the risks, driving his points home by hacking his clients (with their permission), then showing them how easily they could be victimised in the future by a malicious hacker.
He’s currently working on a new book called The Art of Invisibility, which will be a master class in securing one’s privacy against a world of hacks and exploits. In the meantime, he’s got some easy tips for securing mobile devices.
Mitnick specialises in making clients think about things they hadn’t thought of before. For example, some people seeking privacy might buy a ‘burner phone’ – a phone bought without a contract, for privacy’s sake. But he points out that even buying a secure device can compromise your privacy, because the purchase itself can be traced: the Uber you ordered or the rental car you hired leads to the store, and the store can provide identifying information about the buyer.
At KnowBe4, where Mitnick works as Chief Hacking Officer, he helps companies prevent and deal with the most pernicious and difficult hack – a phishing attack. This is a form of social engineering that involves tricking someone into believing an email or other message is coming from a trustworthy source – for example, an email that appears to come from PayPal or from someone claiming to be an executive in the company the victim works for. Once trust is gained, the target might open an application, download a file, reply with a password or other information, or visit a website that delivers its own malicious payload.
Mitnick explained that “it’s much easier to hack a human than a computer because computers follow instructions, they don’t vary – humans go by emotion, by what’s happening in their day… so it’s not hard” to socially engineer someone, “especially if they haven’t been burned before.”
Mitnick told us that “people are lazy,” which is a huge advantage for hackers. Even at the RSA security conference, he can simply watch experts attending the show unlock their phones and tell that they’re using a four-digit unlock code for their handset rather than a longer password. That alone is one way to identify a target – anyone wanting to break into a phone has a big advantage against a four-digit unlock code, which has only 10,000 possible values.
The best defence against phishing isn’t anti-virus or firewall software per se, but training, education and awareness.
You might expect that he would use one of the new secure phones, such as the Blackphone 2 or the Turing phone. However, he uses a standard iPhone. It’s secure because of his choices and behaviours, he revealed, which are much more important than the equipment.
For example, he uses a long alphanumeric passcode (rather than the four-digit code most of us use). And if he thinks he might be ordered to unlock his phone (such as when he returns to the United States from travelling abroad), he reboots the phone so that Touch ID stops working: immediately after a reboot, only the passcode can unlock an iPhone. He pointed out that in the United States, “a court can force you to unlock your phone with your thumb, but they can’t force you to reveal your code.”
Mitnick prefers the iPhone because most mobile phone hack attacks go after Android phones. But he added it’s crackable and that no device is 100 percent secure.
Laptops and desktops
Mitnick told us how he secured his own mother’s computer by taking advantage of Apple’s code-signing model. He said his mother used to call him every week to fix her Windows PC because the machine was constantly getting infected. She would “fall hook, line and sinker... for social engineering attacks” and he had to reinstall Windows every week. So he bought her an iMac, installed an anti-virus utility and then locked down the device.
In the Security & Privacy settings in OS X, there’s a ‘General’ tab. At the bottom, there’s a setting labelled ‘Allow apps downloaded from’, which controls Gatekeeper, the component that checks an app’s signature before it is first run. The default setting is: ‘Mac App Store and identified developers’. For his mother’s Mac, Mitnick changed that setting to ‘Mac App Store’, which means she can run only apps reviewed and signed by Apple.
He pointed out that the default setting isn’t very secure because “it’s a hundred bucks to become a developer.”
“Just getting her a Mac and changing that setting” solved the problem of malicious downloads. He quickly noted that while that simple solution protected her against everyday phishing attacks, it wouldn’t protect her from the NSA or other more skilled, determined hackers. Two caveats a practitioner would add: the setting can be overridden for a single app by Control-clicking it and choosing Open, so it raises the bar against a double-click rather than closing the path entirely, and it does nothing against attacks that never install an app, such as a phishing page that simply asks for a password.
Thumbdrives and other attack vectors
Mitnick hacks as a kind of performance art in keynotes and talks at security conferences around the world. At this year’s CeBIT in Germany, for example, he performed several hacks, including a demonstration showing how simply plugging in a thumb drive could give a hacker total control of your machine, including the ability to activate and monitor the camera and microphone or launch any program. In the hack, the USB thumbdrive tricks the laptop or PC into thinking it’s a keyboard rather than a storage device: it presents itself as a USB HID keyboard, which the operating system accepts without any prompt. That enables the hacker to inject keystrokes, which means he can do anything to your device that he could do by typing on your keyboard.
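The keystroke-injection trick above has a detection angle the article does not spell out: the operating system logs every USB device it enumerates, so a device that suddenly registers a keyboard interface can be spotted. The following is an added example, not code from the article or from Mitnick or KnowBe4. It parses Linux kernel (dmesg-style) lines, correlates the device, storage and HID events by USB port path, and flags any keyboard whose vendor:product ID is not on an allowlist, and any device that is both a mass-storage device and a keyboard. The log lines, the device IDs and the allowlist are all constructed for the example.

```python
import re

# Constructed dmesg-style lines for this example (not captured from a real
# machine). Port 1-1.2: a normal keyboard. Port 1-1.4: a plain storage stick.
# Port 1-1.3: a "flash drive" that also registers a HID keyboard interface,
# which is exactly what a keystroke-injecting thumbdrive looks like to the OS.
# All vendor/product IDs here are made up for the example.
SAMPLE_DMESG = """\
[  101.201] usb 1-1.2: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00
[  101.202] usb 1-1.2: Product: USB Keyboard
[  101.450] input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:1111:0001.0001/input/input12
[  101.451] hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [USB Keyboard] on usb-0000:00:14.0-1.2/input0
[  180.010] usb 1-1.4: New USB device found, idVendor=2222, idProduct=0002, bcdDevice= 1.00
[  180.011] usb 1-1.4: Product: Storage Stick
[  180.120] usb-storage 1-1.4:1.0: USB Mass Storage device detected
[  250.120] usb 1-1.3: New USB device found, idVendor=3333, idProduct=0003, bcdDevice= 1.00
[  250.121] usb 1-1.3: Product: Flash Drive
[  250.200] usb-storage 1-1.3:1.0: USB Mass Storage device detected
[  250.300] input: Flash Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.3/1-1.3:1.1/0003:3333:0003.0002/input/input13
[  250.301] hid-generic 0003:3333:0003.0002: input,hidraw1: USB HID v1.11 Keyboard [Flash Drive] on usb-0000:00:14.0-1.3/input0
"""

# Constructed allowlist: the keyboards this machine is expected to have.
ALLOWED_KEYBOARDS = {"1111:0001"}

# Patterns for the kernel messages we care about, keyed by USB port path
# (e.g. "1-1.3") or by the HID device id (e.g. "0003:3333:0003.0002").
NEW_DEVICE = re.compile(
    r"usb (?P<dev>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STORAGE = re.compile(
    r"usb-storage (?P<dev>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
HID_ID = r"[0-9A-F]{4}:[0-9A-F]{4}:[0-9A-F]{4}\.[0-9A-F]{4}"
INPUT_DEV = re.compile(
    r"input: .* as /devices/.*/(?P<dev>\d+-[\d.]+):\d+\.\d+/(?P<hid>" + HID_ID + r")/input/input\d+")
HID_KEYBOARD = re.compile(
    r"hid-generic (?P<hid>" + HID_ID + r"): .*USB HID v[\d.]+ Keyboard \[")


def _blank():
    return {"id": "unknown", "storage": False, "keyboard": False}


def parse_usb_events(lines):
    """Return {port_path: {"id": "vid:pid", "storage": bool, "keyboard": bool}}."""
    devices = {}
    hid_to_dev = {}  # HID device id -> port path, learned from the "input:" line
    for line in lines:
        if m := NEW_DEVICE.search(line):
            devices[m["dev"]] = {**_blank(), "id": f"{m['vid']}:{m['pid']}"}
        elif m := STORAGE.search(line):
            devices.setdefault(m["dev"], _blank())["storage"] = True
        elif m := INPUT_DEV.search(line):
            hid_to_dev[m["hid"]] = m["dev"]
        elif m := HID_KEYBOARD.search(line):
            dev = hid_to_dev.get(m["hid"])
            if dev is not None:
                devices.setdefault(dev, _blank())["keyboard"] = True
    return devices


def find_suspicious_keyboards(devices, allowed_keyboards):
    """Return {port_path: [reasons]} for keyboards that deserve a closer look."""
    findings = {}
    for dev, info in devices.items():
        if not info["keyboard"]:
            continue
        reasons = []
        if info["id"] not in allowed_keyboards:
            reasons.append("keyboard not in allowlist")
        if info["storage"]:
            reasons.append("keyboard and mass storage on one device")
        if reasons:
            findings[dev] = reasons
    return findings


def analyze(log_text, allowed_keyboards=ALLOWED_KEYBOARDS):
    return find_suspicious_keyboards(parse_usb_events(log_text.splitlines()), allowed_keyboards)


if __name__ == "__main__":
    for dev, reasons in analyze(SAMPLE_DMESG).items():
        print(f"{dev}: {'; '.join(reasons)}")
```

Only port 1-1.3 is reported; the plain storage stick never registers a keyboard and is ignored, and the known keyboard is on the allowlist. On a real host the same logic can run over `journalctl -k` output, and the allowlist is the part that needs local tuning.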
Mitnick demonstrated this hack because “people think USBs are safe now, because they turn off ‘auto-run.’” He wants the public to know that thumbdrives are not safe.
The general public also believes that PDFs are safe. So he demonstrated with visual tools how a hacker can use a PDF file to take control of a target machine.
Another hack involved a malicious hacker who can go to a coffee shop where there’s a public Wi-Fi router and knock every user off the network by sending forged deauthentication frames that appear to come from the router (unless the network uses 802.11w protected management frames, these frames are not authenticated, so any nearby radio can send them). When the users reconnect, the hacker offers a fake Wi-Fi network with the same name. Once users connect to it, the hacker sits between them and the internet and can deliver a malicious payload.
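Both halves of that attack leave a signature a monitor-mode capture can pick up: a burst of deauthentication frames far beyond what an access point sends in normal operation, followed by beacons advertising the shop’s SSID from a BSSID nobody has seen before. The following is an added example, not code from the article or from Mitnick or KnowBe4. It runs both checks over a list of decoded management-frame summaries; the frames, addresses, SSID and the table of known access points are all constructed for the example, and the thresholds are assumptions to tune per site.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
LEGIT_AP = "aa:bb:cc:00:00:01"   # constructed BSSID of the shop's real router
ROGUE_AP = "de:ad:be:ef:00:01"   # constructed BSSID of the attacker's fake network
SSID = "CoffeeShop_Free"

# Constructed table of known access points per SSID (what a site survey or the
# shop's own configuration would give you).
KNOWN_APS = {SSID: {LEGIT_AP}}

# Constructed decoded 802.11 management frames (not a real capture): the real
# AP beacons, sends one routine deauth to an idle client, then an attacker
# spoofs the AP's address to flood deauths at the broadcast address, and a new
# BSSID starts beaconing the same SSID.
SAMPLE_FRAMES = (
    [{"ts": 0.0, "subtype": "beacon", "src": LEGIT_AP, "dst": BROADCAST, "bssid": LEGIT_AP, "ssid": SSID},
     {"ts": 5.0, "subtype": "deauth", "src": LEGIT_AP, "dst": "11:22:33:44:55:66", "bssid": LEGIT_AP, "reason": 4}]
    + [{"ts": 10.0 + 0.1 * i, "subtype": "deauth", "src": LEGIT_AP, "dst": BROADCAST, "bssid": LEGIT_AP, "reason": 7}
       for i in range(12)]
    + [{"ts": 12.0, "subtype": "beacon", "src": ROGUE_AP, "dst": BROADCAST, "bssid": ROGUE_AP, "ssid": SSID}]
)


def detect_deauth_flood(frames, threshold=10, window=2.0):
    """Return {bssid: peak count} for BSSIDs whose deauth/disassoc frames reach
    `threshold` within any `window`-second span (sliding window per BSSID)."""
    recent = defaultdict(deque)
    peaks = {}
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["subtype"] not in ("deauth", "disassoc"):
            continue
        q = recent[f["bssid"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[f["bssid"]] = max(peaks.get(f["bssid"], 0), len(q))
    return peaks


def detect_evil_twins(frames, known_aps):
    """Return {(ssid, bssid)} for beacons that advertise a known SSID from a
    BSSID not in the known set for that SSID."""
    found = set()
    for f in frames:
        if f["subtype"] != "beacon":
            continue
        ssid = f.get("ssid", "")
        if ssid in known_aps and f["bssid"] not in known_aps[ssid]:
            found.add((ssid, f["bssid"]))
    return found


def report(frames, known_aps):
    """Combine both checks into a list of alert strings."""
    alerts = []
    for bssid, n in detect_deauth_flood(frames).items():
        alerts.append(f"deauth flood: {n} frames carrying BSSID {bssid} (source address may be spoofed)")
    for ssid, bssid in sorted(detect_evil_twins(frames, known_aps)):
        alerts.append(f"possible evil twin: SSID {ssid!r} advertised by unknown BSSID {bssid}")
    return alerts


if __name__ == "__main__":
    for line in report(SAMPLE_FRAMES, KNOWN_APS):
        print(line)
```

The single routine deauth at 5.0 s never reaches the threshold, so only the burst is reported. Note that the flood is attributed to the legitimate router’s address, because that is what the attacker puts in the frames; the detection tells you an attack is happening, not who is sending it. The evil-twin check is only as good as the known-AP table, which is why it is worth recording the real BSSID of a network you rely on.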
Just knowing this information might change your behaviour. It’s changing ours.
The bottom line is that you really, really don’t want to plug in a thumbdrive or download a PDF file to your laptop, even if you feel comfortable about the source. (Social engineering exists to make you feel comfortable.) And you should avoid public Wi-Fi hotspots.
While people in the security community focus on the code side of hacking, Mitnick emphasises the social engineering side, because that’s how hackers gain access. And security and privacy are not a set-it-and-forget-it process. Above all, it’s important to learn not only from security experts, who know the tools, but also from hackers, who know how to socially engineer their way into your phone or laptop.
Be smart. Be paranoid. And good luck.
Kevin Mitnick’s business card