Tips from a su­per hacker

Mike El­gan asks the world’s most fa­mous hacker, Kevin Mit­nick, how to se­cure a smart­phone and lap­top. Here’s his ad­vice

Tech Advisor - - CONTENTS -

Vir­tu­ally ev­ery­one in the tech­nol­ogy world knows about Kevin Mit­nick, who in the 1970s, 80s and 90s was a no­to­ri­ous fugi­tive hacker on the run from the FBI. If you’re un­fa­mil­iar with the details of his ex­ploits, read his book, Ghost in the Wires: My Ad­ven­tures as the World’s Most Wanted Hacker. Since be­ing re­leased from prison, he’s worked as a se­cu­rity con­sul­tant, mak­ing his liv­ing from ex­plain­ing the risks of hack­ing.

Mit­nick has al­ways em­pha­sised the im­por­tance of so­cial engi­neer­ing for hack­ing, an em­pha­sis that’s lack­ing in most se­cu­rity ad­vice. He also fo­cuses on how to get through to a pub­lic that strug­gles to ap­pre­ci­ate the risks, driv­ing home his points home by hack­ing his clients (with their per­mis­sion), then show­ing them how they could be eas­ily victimised in the fu­ture by a ma­li­cious hacker.

He’s cur­rently work­ing on a new book called The Art of In­vis­i­bil­ity, which will be a mas­ter class in se­cur­ing one’s pri­vacy against a world of hacks and ex­ploits. In the mean­time, he’s got some easy tips for se­cur­ing mo­bile de­vices.


Mit­nick spe­cialises in mak­ing clients think about things they hadn’t thought of be­fore. For ex­am­ple, some peo­ple seek­ing pri­vacy might buy a ‘burner phone’ – a phone pur­chased with­out a con­tract for pri­vacy. But he points out that even buy­ing a se­cure de­vice can com­pro­mise your pri­vacy, given that the pur­chase can be iden­ti­fied and tracked down be­cause of the Uber taxi you or­dered or the ren­tal car you hired. (Trans­porta­tion can lead to the store, which could pro­vide iden­ti­fy­ing in­for­ma­tion.)

At KnowBe4, where Mit­nick works as Chief Hack­ing Of­fi­cer, he helps com­pa­nies pre­vent and deal with the most per­ni­cious and dif­fi­cult hack – a phish­ing at­tack. This is a form of so­cial engi­neer­ing that in­volves trick­ing some­one into be­liev­ing an email or other mes­sage is com­ing from a trust­wor­thy source – for ex­am­ple, an email that ap­pears to come from PayPal or from some­one claim­ing to be an ex­ec­u­tive in the com­pany the vic­tim works for. Once trust is gained, the tar­get might open an ap­pli­ca­tion, down­load a file, re­ply with a pass­word or other in­for­ma­tion, or visit a web­site that de­liv­ers its own ma­li­cious pay­load.

Mit­nick ex­plained that “it’s much eas­ier to hack a hu­man than a com­puter be­cause com­put­ers fol­low in­struc­tions, they don’t vary – hu­mans go by emo­tion, by what’s hap­pen­ing in their day… so it’s not hard” to so­cially en­gi­neer some­one, “es­pe­cially if they haven’t been burned be­fore.”


Mit­nick told us that “peo­ple are lazy,” which is a huge ad­van­tage for hack­ers. Even at the RSA se­cu­rity con­fer­ence, he can sim­ply watch ex­perts at­tend­ing the show un­lock their phones and he can tell that they’re us­ing the weaker four-digit un­lock code for their hand­set, rather than a longer pass­word. For starters, that’s one way to iden­tify a tar­get – any­one want­ing to break into a phone will have a big ad­van­tage with a four-digit un­lock code.

The best de­fence against phish­ing isn’t anti-virus or fire­wall soft­ware per se, but train­ing, ed­u­ca­tion and aware­ness.

You might ex­pect that he would use one of the new se­cure phones, such as the Black­phone 2 or the Tur­ing phone. How­ever, he uses a stan­dard iPhone. It’s se­cure be­cause of his choices and be­hav­iours, he re­vealed, which are much more im­por­tant than the equip­ment.

For ex­am­ple, he uses an al­phanu­meric long pass­code (rather than the four-digit pass­word most of us use). And if thinks he might be or­dered to un­lock his phone (such as when he re­turns to the United States from trav­el­ling abroad), he re­boots the phone so that touch ID stops work­ing (only the pass­code can un­lock a phone im­me­di­ately af­ter a re­boot). He pointed out that in the United States, “a court can force you to un­lock your phone with your thumb, but they can’t force you to re­veal your code.”

Mit­nick prefers the iPhone be­cause most mo­bile phone hack at­tacks go af­ter An­droid phones. But he added it’s crack­able and that no de­vice is 100 per­cent se­cure.

Lap­tops and desk­tops

Mit­nick told us how he se­cured his own mother’s com­puter by tak­ing ad­van­tage of Ap­ple’s code sign­ing model for se­cu­rity. He said his mother used to call him ev­ery week to fix her Win­dows PC be­cause the ma­chine was con­stantly get­ting in­fected. She would “fall hook, line and sinker... for so­cial engi­neer­ing at­tacks” and he had to re­in­stall Win­dows ev­ery week. So he bought her an iMac, in­stalled an anti-virus util­ity. And then he locked down the de­vice.

In the Se­cu­rity & Pri­vacy set­tings in OS X, there’s a ‘Gen­eral’ tab. At the bot­tom, there’s a set­ting la­belled ‘Al­low apps down­loaded from’. The de­fault set­ting is: ‘Mac App Store and iden­ti­fied de­vel­op­ers’. For his mother’s Mac, Mit­nick changed that set­ting to ‘Mac App Store’, which means she can down­load only apps ap­proved by Ap­ple.

He pointed out that the de­fault set­ting isn’t very se­cure be­cause “it’s a hun­dred bucks to be­come a de­vel­oper.”

“Just get­ting her a Mac and chang­ing that set­ting” solved the prob­lem of ma­li­cious down­loads. He quickly noted that while that sim­ple so­lu­tion pro­tected her against ev­ery­day phish­ing at­tacks, it wouldn’t pro­tect her from the NSA or other more skilled, de­ter­mined hack­ers.

Thumb­drives and other at­tack vec­tors

Mit­nick hacks as a kind of per­for­mance art in keynotes and talks at se­cu­rity con­fer­ences around the world. At this year’s CeBIT in Ger­many, for ex­am­ple, he per­formed sev­eral hacks, in­clud­ing a demon­stra­tion show­ing how sim­ply plug­ging in a thumb drive could give a hacker to­tal con­trol of your ma­chine, in­clud­ing the abil­ity to ac­ti­vate and mon­i­tor the cam­era and mi­cro­phone or launch any pro­gram. In the hack, the USB thumb­drive tricks the lap­top or PC into think­ing it’s a key­board, rather than a stor­age de­vice. That en­ables the hacker to in­ject key­strokes, which means he can do any­thing to your de­vice that he could do by typ­ing on your key­board.

Mit­nick demon­strated this hack be­cause “peo­ple think USBs are safe now, be­cause they turn off ‘auto-run.’” He wants the pub­lic to know that thumb­drives are not safe.

The gen­eral pub­lic also be­lieves that PDFs are safe. So he demon­strated with vis­ual tools how a hacker can use a PDF file to take con­trol of a tar­get ma­chine.

An­other hack in­volved a ma­li­cious hacker, who can go to a cof­fee shop where there’s a pub­lic Wi-Fi router, and in­struct the router to boot all the users off the net­work. When they re­con­nect, the hacker can then of­fer a fake Wi-Fi net­work with the same name. Once users con­nect, a ma­li­cious pay­load can be de­liv­ered.

Just know­ing this in­for­ma­tion might change your be­hav­iour. It’s chang­ing ours.

The bot­tom line is that you re­ally, re­ally don’t want to plug in a thumb­drive or down­load a PDF file to your lap­top, even if you feel com­fort­able about the source. (So­cial engi­neer­ing ex­ists to make you feel com­fort­able.) And you should avoid pub­lic Wi-Fi hotspots.

While peo­ple in the se­cu­rity com­mu­nity fo­cus on the code side of hack­ing, Mit­nick em­pha­sises the so­cial engi­neer­ing side. Be­cause that’s how hack­ers gain ac­cess. In other words, se­cu­rity and pri­vacy is not a set-it-and-for­get-it process. Above all, it’s im­por­tant to learn not only from se­cu­rity ex­perts, who know the tools, but also from hack­ers, who know how to so­cially en­gi­neer their way into your phone or lap­top.

Be smart. Be para­noid. And good luck.

Kevin Mit­nick’s busi­ness card

Newspapers in English

Newspapers from UK

© PressReader. All rights reserved.