Kevin Mitnick – Social Engineering and Computer Hacking Mastermind

Shelby Descoteaux
Professor Kabay
IS 340 A
Nov. 22, 2013

Table of Contents Introduction 3 Kevin Mitnick 3 Hackers and Their Motives 3 The Early Years 4 Adolescence 5 Kevin in Trouble 6 Kevin’s Final Visit from the FBI 7 Hacker or Engineer? 8 Impact on Computer Security 8 Conclusion 9 Works Cited 10

Introduction
Most people today are aware of the detrimental risk that hackers pose to their computers. They might know about identity theft, viruses, Trojans and worms however what they fail to recognize is how these things are accomplished and if they have actually fallen victim to one of these horrible attacks. But what about attacks with even greater impacts…like someone hacking into the computer system of a car that controls the brakes? Perhaps penetrating the systems that control nuclear power plants? Although it seems unlikely that either of these extremely scary scenarios would ever happen, it is most definitely possible. One researcher for IBM’s Internet Security Systems told the owners of a nuclear power station that he could hack into their system through the Internet. The power station took this as a joke, responding to Scott Lunsford, the IBM researcher, with a laugh in his face saying that it was “impossible”. In response, Scott took up the power plant on their words and proved them wrong. In less than twenty-four hours, Scott’s team had infiltrated the system and in turn, had full control of the station. Scott made a statement after the infiltration saying that it was “one of the easiest penetration tests,” he ever performed (Murdock).
Kevin Mitnick
According to multiple sources, Kevin Mitnick is the world’s most notorious hacker. Although Kevin never hacked into anything that caused physical harm to a human, he did hack into numerous company systems to steal software, passwords, and other information that did not belong in his hands. Kevin’s final and last arrest got him thrown into federal prison for a total of five years, restricted him from using the Internet for three years, and also restricted him from profiting off of his story for seven years (Smith).
“I was indicted on twenty-three counts of access device fraud. Of these, twenty-one were related to calls made when my phone was cloned to someone else’s number. The other two counts were for possessing information, specifically the mobile phone number and electronic serial number pairs that could be used for cloning. The maximum sentence was twenty years for each free phone call. Twenty years for each call! I was facing a worst-case scenario of 460 years.” (K. D. Mitnick)
Hackers and Their Motives The connotation of “hacker” has evolved over time. There are many different types of hackers. Some hackers simply display a funny message across your screen each time you log on. This type of foolish hacker is not particularly common today. Other hackers might try to get access to a system and steal all of the victim’s bank and credit card information, or even worse, steal their identity. Hackers like Kevin gain access to company’s systems to steal things. Each hacker in these scenarios have different motives, and the number of these motives continues to grow. As time goes on, the extent of damage that hackers are capable of continues to grow and the FBI’s interest in these crimes grows with it.
The Early Years The first successful sneaky move Kevin accomplished took place when he was only about one and a half years old. Kevin’s mom had her first wakeup call when she found him on the other side of what was a once locked child gate door. She found him after she realized he escaped from his crib. Kevin and his mother moved around a lot throughout his child hood, but stayed in the Los Angeles area for the most part. At ten years old, Kevin found a passion for magic through his neighborhood friend’s father. In his book, Ghost in the Wires, Kevin explains his fascination with the magic tricks he saw his friend’s dad perform and the affect it had on his own future.
“He was an accomplished magician whose card tricks, coin tricks, and larger effects fascinated me. But there was something else, something more important: I saw how his audiences of one, three, or a roomful found delight in being deceived. Though this was never a conscious thought, the notion that people enjoyed being taken in was a stunning revelation that influenced the course of my life.” (K. D. Mitnick)
This fascination for deception that Kevin was still unaware of at the time was a huge driving force for many crimes he would commit later in life. Other people helped Kevin along the way as well. Being a young boy in the city with a mom who was always working meant that Kevin needed to use the buses to get around. It was on a bus that Kevin learned another sort of magic trick. Bob Arkow, a city bus driver, was a ham radio enthusiast who showed Kevin all the things he could do with these radios. Kevin was so intrigued that it only took a few weeks for him to receive his own ham radio operator license. He taught himself just about everything, Mr.Arkow was just the gateway. Kevin used the ham radios to make free phone calls through a service called an “auto patch”, which was provided on some of the ham radios. These radios are also referred to as amateur radios and they are used for recreational, non-commercial, wireless communications on designated radio frequencies. Learning more and more about what he could accomplish using ham radios became Kevin’s favorite hobby (K. D. Mitnick).
As stated earlier, Kevin used the city bus system a lot and obviously, bus rides aren’t fee. Kevin was a smart kid with a devious mindset. So, one day he had an ingenious thought: if he could punch his own transfers into the punch cards, the bus rides wouldn’t cost a thing! Accomplishing this would inspire one of Kevin’s first uses of social engineering. He was not shy and used all the resources he could find. Being so young gave him bit of an advantage when he asked a bus driver where he could buy the hole puncher used on the bus punch cards. The driver didn’t hesitate at all, thinking he was helping out a 12 year-old student with a school project. And the rest is history; Kevin had manipulated the system and eventually was carting himself and his friends around for free on the Los Angeles city buses. Obviously, everyone wanted to jump on the free ride and Kevin became quite the popular kid at school. Even his parents didn’t see any harm in Kevin’s acts. Maybe if people would have reacted how the FBI did later in his life, Kevin wouldn’t have kept going.
“My mom though it was clever, my dad thought it showed initiative, and bus drivers who knew I was punching my own transfers thought it was a big laugh. It was as though everyone who knew what I was up to was giving me attaboys.” (K. D. Mitnick)
It wasn’t long after Kevin figured out how to outsmart the bus system that he took on a new project of the same kind. This time, however, it required a bit more effort from the computing aspect.
Adolescence
Kevin’s next “accomplishment” came out of a friendship he made in high school. He became good friends with a boy named Steven Shalita. Steven’s car was covered in radio antennas, which acted as bait to reel Kevin. Once friends, Steven showed Kevin the many things he could do with the phone systems using ham radios and other sorts of antenna-oriented objects. It wasn’t long before Kevin knew how to do those same things and more. Kevin became very interested in a new “phone phreaking” phenomenon and learned everything he could about it. He learned to use the touch tones at the central switches and used them to look up a person’s address and unlisted phone numbers. Once the phone systems switched over to electrical systems, things got a bit more complicated. Kevin would have to become familiar with the computers that the companies adopted and how they worked with the automated systems that still existed.
There was a computer course offered at his high school, but Kevin didn’t meet the math and science courses to qualify. Fortunately for him, the teacher allowed him to enter the course, probably a decision the teacher regretted for the rest of his life. It wasn’t long before Kevin’s teacher realized what he got himself into when he allowed Kevin into the course. Kevin figured out the teacher’s password and outsmarted each and every attempt he made to prevent Kevin from obtaining it over and over again. Next, Kevin moved onto more telephone tricks, realizing there was a phone that sat in the classroom. First, Kevin resorted back to basic social engineering, fooling the school phone operators that he was Mr. Christ (the computer teacher) and that he needed an outside line.
Once Kevin got the outside line, he would dial into computer terminals at the University of Southern California and play games with their systems. The switch operator eventually realized that in fact it was not Mr. Christ calling for an outside line. Looks like Kevin had to resort back to his phone phreaking abilities. It did not take much effort for Kevin to dial into the phone company’s switch to turn off the restriction, enabling him to call an outside line whenever he desired. Eventually, Mr. Christ realized that Kevin was making unrestricted outgoing calls. Mr. Christ tried over and over again to restrict Kevin, even making his attempts public to the classroom, and Kevin found a way around it every single time (K. D. Mitnick).
Meanwhile, Kevin was teaching himself FORTRAN and Basic programming languages, coding out a program that stole people’s passwords. The program made it so that each time a student logged onto the lab computers, their account and password combination was recorded to a file. In an interview with CNET’S Elinor Mills, Kevin explains what his mindset was back then when he first started to do these sorts of things.
“It was like a reward of intellect back when I got started. Then they criminalized it later. I was so hooked into the adventure of the hacking game, doing it for a number of years even though it became illegal. It was thrilling, adventurous. It was all about solving the puzzle, using intellect to get around obstacles. It was like a huge game.” (K. Mitnick).
Unfortunately, the FBI really did not agree with this motive when Kevin started doing similar things later in life. Kevin did not realize at the time that these actions would eventually lead him into a prison cell.
Kevin in Trouble Kevin’s first serious hacking incident occurred in 1981 when he was only 17 years old. He and a friend hacked into a COSMOS (Computer System for Mainframe Operations) system which belonged to Pacific Bell in Los Angeles. Once Kevin and his friend got into the system, they played around with the phone lines. They intercepted all the calls going through the exchange and the interceptions were not going unnoticed by subscribers. Kevin sometimes even answered the calls himself and cracked jokes to whoever was on the other end of the line. The pair didn’t stop and on Memorial Day weekend in 1981, Kevin and two friends decided they wanted to gain physical access to the COSMOS. The group used social engineering techniques to walk past a security guard and gain access to the actual location where the system sat. Once inside, they stole lists of computer passwords, door lock combinations at Pacific Bell offices, and a whole series of operating manuals for the COSMOS system. They also planted some phone numbers and fake names into a rolodex that was sitting on a desk in the labs. The group did this to help facilitate any later attacks that they wanted to perform. It all seemed well and good until a company manager soon discovered the suspicious phone numbers and reported them to the local police. An investigation was started but it went unsolved until someone threw them under the bus. The girlfriend of Kevin’s accomplice must have been upset about something because she went and told the police who did all of the illegal activities in the COSMOS labs. Kevin and his friends were soon arrested and charged with destroying data and stealing operator’s manuals from the company. Kevin himself was a bit lucky and got away with only 3 months in the Los Angeles Juvenile Detention Center and a year of probation (Shimomura and Markoff). Most bright kids, like Kevin sure was, would have stopped once they got arrested. Instead, Kevin ran into more and more issues with the police. His next incident happened 1982 at the USC. Before this incident, Kevin also had a minor altercation with campus police for using a university computer to gain illegal access to the Arpanet. In 1982 however, Kevin was found sitting at yet another university computer breaking into a Pentagon computer over the Arpanet. For this incident, he was sentenced to six months at a juvenile prison in Stockton, California. (Shimomura and Markoff). After this happening, Kevin was accused of tampering with a TRW credit reference computer. An arrest warrant was issued, but he had gone underground for several years so the warrant eventually vanished. It seemed as though Kevin was cured of his “computer hacking addiction”, until 1987. Kevin was drawn back into his addiction and got arrested in December of 1987. He was convicted of stealing software from the Santa Cruz Operation. This time, he was sentence to 36 months’ probation. Maybe if the police were to place a more strict punishment on him, Kevin would have stopped there (Shimomura and Markoff). Next on the list of Kevin’s victims: DEC (Digital Equipment Corporation) Palo Alto research laboratory. Kevin and his long time hacking friend Lenny DiCicco decided they wanted a copy of the VMS minicomputer operating system source code. Initially, the operation was a success and they got away from DEC, along with local authorities and the FBI. Kevin was manipulating the network’s switches to disguise the source of the phone calls he used to gain access to DEC. Time after time law enforcement officials thought they had successfully tracked Kevin down. Kevin would set up two computer terminals to conduct his attacks, one for his access into DEC and another that scanned the telephone company computers to see if law enforcement was getting close. One time, he had fooled the FBI into thinking he was sitting at a terminal inside a Malibu apartment. Kevin was really sitting in his hideout apartment in Calabasas.
This whole time, Kevin was still working with Lenny DiCicco. Kevin not only liked to play pranks with phones and computers, but he also enjoyed messing around with his friend Lenny. Kevin would use his social engineering techniques to call Lenny’s boss and claim to be a Government Agent. He would tell the boss that Lenny owed the IRS money and was in trouble for it. Lenny became overwhelmed with these claims and the frustration built up so high that he couldn’t handle it anymore. He ended up throwing Kevin under the bus because of the taunting.
Lenny confessed everything that was happening with Kevin to his boss, who then notified DEC and the FBI. Soon after, Kevin was in Los Angeles federal court. In December of 1989, Kevin pleaded guilty to one count of computer fraud and one count of possessing illegal long-distance access codes. His punishment: one year in prison and six months in a counseling program for his addiction to computer hacking. This punishment drew a lot of attraction from the press because the judge compared Kevin’s hacking addiction to a drug addiction (Shimomura and Markoff).
Kevin’s Final Visit from the FBI After his sentence, Kevin moved to Las Vegas and worked as a low-level computer programmer. From there he moved back to the San Fernando Valley in 1992 and briefly worked for his father in construction. After working with his dad he took a job at Tel Tec Detective Agency, which would be his last job before his most notorious sentencing. Not long after he got the job at the Agency, someone was discovered illegally using a commercial database system on the agency’s behalf. All signs pointed to Kevin. On February 14, 1995 at his apartment in Raleigh, North Carolina, the FBI had finally found Kevin after a 2 and a half year period of repeated computer crimes and hide outs from the authorities. Kevin had an idea that he was getting caught, but he thought he had some time. He explains this in his book.
“The Feds worked very slowly. Even if a call of mine had been traced, it would usually take them days or weeks to investigate. Someone appeared to be hot on my trail, but I still had plenty of time. Or so I thought.” (K. D. Mitnick).
On this Valentine’s evening, Kevin had a sick feeling in his stomach that something bad was going to happen, but he just ignored it. The FBI showed up and after a few words were exchanged through the door of his apartment, the Feds entered and searched the whole place. They found tons of evidence and it was game over for Kevin. This all happened late at night and he was actually arrested on February 15th. His trial took place in 1999 where he confessed to four counts of wire fraud, two counts of computer fraud, and one count of illegally intercepting a wire communication. In the end, Kevin served five years in prison and spent about a year of that in solitary confinement (K. D. Mitnick). The time spent in solitary confinement drew a lot of controversy and Kevin voiced his opinion on the matter during his interview with Ms. Mills. “I served five years, and I ended up in solitary confinement for a year because a federal prosecutor told the judge that if I got to a phone I could connect to NORAD (North American Aerospace Command) and somehow launch an ICBM (Intercontinental Ballistic Missile). So the judge, reflecting on the movie War Games, put me in solitary confinement. I think it was a strategy they used to get me to plead out or cooperate. I was held for four and a half years without a trial. I spent a lot of time focused on the defense and reading cases and serving as assistant to my attorney. At the end of the day I realized justice is economic; unless you have enough money to properly mount an effective defense you always lose.” (K. Mitnick).
Hacker or Engineer?

Kevin ultimately became so famous because of all the computer crimes he committed over the years. He is indeed a very intelligent man when it comes to using technology, but what made him even more successful during his hacking days, was his use of social engineering. Kevin describes what social engineering is during an interview with CNN. “Social engineering is using manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker. It could be something as simple as talking over the telephone to something as complex as getting a target to visit a Web site, which exploits a technical flaw and allows the hacker to take over the computer.” (CNN).
Without social engineering, Kevin would not have got very far with his attacks. He needed the key to the door or a gateway in order to initially gain access into all the systems he wanted to steal software from, read code, or do anything else he desired. Most of the time, he got these keys through social engineering.
Impact on Computer Security People are always asking what they can do to make their computers more secure, but maybe they should also be asking what they can do to prevent social engineering. This is one aspect of computer security that Kevin really brought into the picture. Training employee’s on how to avoid social engineering attacks is just as important as implementing firewalls on system networks. When Kevin’s name is looked up on a search engine, one of the first hits is the website for his security consulting firm, Mitnick Security LLC. On the list of products that his company offers, Social Engineering Assessments appears. His assessments expose “what is often the weakest link in the information security apparatus: the human element,” (Mitnick Security Consulting, LLC.). The product description states that once the consultants identify where the weaknesses are, they follow up with recommendations on procedures that are designed to ensure all employees know how to handle any human exploits. They are taught to not divulge information that could compromise company assets. If anyone is good at teaching people how to NOT give in to these attacks, it would be the person who is most notorious for performing them: Kevin Mitnick. Kevin also started a security awareness training program called KnowBe4. The program is based off Kevin’s first hand hacking experience and also teaches its users how to avoid any techniques around today that were not around when Kevin was in the ‘illegal’ field. This program has a strong emphasis on preventing phishing attacks. It starts with an initial PST (Phishing Security Test) which gives KnowBe4 an idea of how many people and systems are prone to phishing attacks. The company then brings all the employees through their Internet Security Awareness Training. The company will then, “Follow up with regular PSTs that continue to keep them on their toes. All graphs start out high on the left (baseline), and drop dramatically over time,” (KnowBe4).
Conclusion

Now that Kevin is out of jail and seems to be cured of his hacking addiction, it is clear he is doing positive things to the world of computer security using what he learned in his past. One could look at his last and final arrest as a silver lining for the computer security field. Kevin pushed a lot of buttons and caused a lot of problems for many businesses, but he taught them many valuable lessons. By studying his past and taking his advice, computer users and professionals can learn that no matter how secure you think your firewalls are or how locked up your systems are, everything can go down the drain with a little bit of social engineering.

Works Cited
Associated Press. Los Angeles Times. 26 April 1989. Article. 14 November 2013. <http://articles.latimes.com/1989-04-26/business/fi-1843_1_cellular-service-tac-personal-telephone-pocket-size-cellular-phone>.
CNN. CNN. 5 October 2005. Interview. 10 November 2013.
KnowBe4. KnowBe4. 2013. 13 November 2013.
Mitnick Security Consulting, LLC. Mitnick Security Consulting. 2013. Tom Pimental. 15 November 2013.
Mitnick, Kevin D., Simon, William L. Ghost in the Wires: My Adventures as the World's Most Wanted Hacker. New York: Little Brown and Company, 2011.
Mitnick, Kevin. Q&A: Kevin Mitnick, from ham operation to fugitive to consultant Elinor Mills. Ed. CNET. CBS, 22 June 2009. Interview.
Murdock, Collin. 8 Things You Won't Believe Can Be Hacked. 7 September 2011. Demand Media Inc. 29 October 2013. <http://www.cracked.com/article_19412_8-things-you-wont-believe-can-be-hacked.html>.
Shimomura, Tsutomo and John Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw - By the Man Who Did It. New York: Hyperion, 1996. Book.
Smith, Gerry. Huffington Post. Vers. 2. 11 January 2013. The Huffington Post Inc. 29 October 2013. <http://www.huffingtonpost.com/2011/08/16/kevin-mitnick-hacker-book_n_928107.html>.