March 2005

The Talented Mr. Mitnick

A notorious hacker turns security guru.

By Gregory T. Huang

From hijacked PCs that spew spam to denial-of-service attacks that crash Web servers, cyber-crime means billions of dollars a year in lost revenues and productivity. And no computer user is safe. "It's not if," says Kevin Mitnick, "it's when are you going to get hacked."

Mitnick should know. The former hacker perpetrated a series of high-profile corporate break-ins in the 1990s -- and served five years in federal prison for it. Once the FBI's most-wanted cyber-criminal, Mitnick is now one of the world's most sought-after tech security consultants. "A few years back, companies spent more on coffee than on security," he says. Now, they make security their top priority, hiring Mitnick to break into their systems, expose their weaknesses, and teach them how to protect themselves.

Hacking has been Mitnick's priority ever since his teenage years in southern California. First telephone networks, then the Pentagon -- then Nokia, Novell, and seemingly every other big company. Today's laws on cyber-crime were practically invented because of Mitnick. His pranks earned him the respect of hackers as well as numerous arrests, culminating in his five-year prison stint. Mitnick spent eight months of that time in solitary confinement, he says, because the judge was told that Mitnick could start a nuclear war by calling up NORAD on a payphone and whistling modem tones into the receiver. His radio was seized for fear that he would turn it into a cell phone. Even using an electric typewriter in the prison library got him handcuffed and whisked away. "These guys were watching too much MacGyver," he quips.

That was the turning point in his career. Since his release from prison in 2000, Mitnick has chosen to use his considerable skills to improve network security. Now 41 and sporting a decidedly buttoned-down look, Mitnick has made a guest appearance on the TV show Alias and earned honorable mentions in many other media outlets. Though he is often recognized as "that hacker guy" in airports and hotels, he says he registers under a fake name only at hacker conventions. But he doesn't give out his private e-mail address or his city of residence; one can't be too careful.

Indeed, the current pace of cyber-crime amazes even Mitnick. Last fall, he and Avantgarde, a tech marketing and design firm in San Francisco, hooked up six  computer platforms to the Internet via broadband DSL and recorded the cyber-attacks that occurred over a two-week period. It took less than four minutes for an automated attack to successfully break through the security defenses of one newly connected PC; most machines without an active firewall (a filter that screens suspicious code) faced more than 300 attacks per hour, while those with firewall protection faced fewer than four per hour. But  firewalls don't protect against "social engineering," a fancy term for conning users out of such sensitive information as passwords and PINs. The  idea that humans are the weak link in any security system was famously exploited by Mitnick in his glory days; he comes across as personable and authoritative, so it's easy to see why people would give him information.

Mitnick's case highlights a point that's increasingly critical as more and more sensitive information and money change hands over the Internet: in his words, "Hacking is a skill set -- how you use it is up to your ethics and morals." And the arms race between malicious hackers and security experts will only escalate. "Computer systems are complex," Mitnick says. "There will always be ways to break in." Which means that no matter which side he is on -- let's hope it's ours -- Mitnick will always be in demand.