Kevin Mitnick was once the world’s most wanted hacker. He broke into 40 major companies for the challenge of it, and he eventually got caught in a spectacular cat-and-mouse game. He did five years in prison, including a year in solitary confinement because the judge in his case was told that he might be able to launch nuclear weapons from a payphone.
But after he was released in 2000, he stayed out of trouble. He built a consulting business as a security expert, and he helps break into companies’ networks so they can figure out where their vulnerabilities are and patch them. He claims that Mitnick Security Consulting has a 100-percent success record in penetrating the security of any system he has been invited to attack.
Mitnick has written four books on his life and security topics, most recently The Art of Invisibility, which was published last year in an attempt to teach people how to be safe in the age of big data and Big Brother. He is also the chief technology officer of Olyseum, a sports social network that uses blockchain technology and matches fans with sports celebrities.
I talked to the “world’s most famous hacker” about his thoughts on Russian hackers influencing the 2016 presidential election, Donald Trump, the security issues around blockchain, his new book, his work at Olyseum, and other topics in the news. I’ve interview Mitnick a few times over the years, mostly when his new books come out.
Here’s an edited transcript of our interview.
VentureBeat: What are you up to?
Kevin Mitnick: I’m working on a new book. We’re looking at a new one about penetration testing, telling stories about how the good guys simulate the bad guys breaking in. We’re in discussions with a publisher about it. It’s kind of an adventure story. Now that I do this stuff legitimately, it still has an air of adventure. We’re looking at the potential of putting this into a manuscript. We’ll see what happens.
VentureBeat: There’s always a lot happening in security. Blockchain is something new, and all the talk around Donald Trump and the Russians. I’m curious about what you think about that situation, and what you’ve learned about technology and security as a result.
Mitnick: Well, I’ve read the indictment. I thought it was fascinating, from the viewpoint that the government never releases these types of details. I’m not sure if they were releasing particular details from the Crowdstrike investigation. Crowdstrike is the third-party company that was hired by the DNC to investigate the intrusions. It almost looks like another nation-state was looking over the shoulders of, supposedly, the Dutch.
But in any event, if the facts are true, what was interesting is that the methodology the Russians used to hack the DNC is really no different from what civilians, whether crooks or people like us doing security testing—we use the same method of spearphishing. It’s social engineering. That seemed to give them the foothold in the DNC’s network, and then from there, because nation-states can afford to develop their own implants or malware, they were able to bypass the antivirus products or internal security products they were running at the DNC, if they were running any at all.
So what surprised me is the same tradecraft the Russians use, we use. That’s unbelievable. You’d figure that a nation-state has enough money, time, and resources to either have an internal team developing zero-days or purchasing zero-days. Why not use zero-days, instead of using phishing? Phishing is a pretexting attack. There’s always someone on the other side of that. There’s a high risk that the attack could be identified. You’d blow the entire operation. So why wouldn’t the Russians use zero-day exploits and avoid any email communication with anyone, given the risk of being caught? That’s the question that came to mind as I was reading the indictment.
VentureBeat: I was looking at a secondary story that pointed out one of the Russian agents supposedly logged in to a suspicious Twitter account without going through a VPN first. They got his exact location and office and everything from a failure to use basic security.
Mitnick: The same thing happened with LulzSec. If you recall Hector Monsegur, who went by the nickname Sabu, he was the leader of LulzSec, and he was caught through a similar error. He was connected to a VPN, but his connection dropped and his computer reconnected to something he was attacking without going through the VPN. That let his IP be identified.
You wonder why Russian operatives wouldn’t use burner devices. For instance, if I take my AT&T cell phone over to Moscow right now and I’m roaming on their network, my IP address is an American IP address. You can do this with other countries. When you’re roaming on a foreign network, it’s almost like you have a virtual connection to that country. It’s surprising that they didn’t use burner devices on the front end, before going through the VPN, to make it more difficult for any forensic investigators to make attributions.
If the facts are true, and they have dates and times about which Russian agent executed which command, who actually did the phishing attack, who installed the malware, at this level of detail, all that really leads me to believe that the Russians were compromised. Or their command and control server was compromised, and they were being monitored. It doesn’t make sense that a lot of these details could have been garnered just through forensic analysis of the victims’ machines.
If you notice, it’s also interesting given Julian Assange’s issues. A couple of months ago they yanked his internet access at the embassy and are basically holding him incommunicado. Then this indictment comes out with allegations against WikiLeaks, as “Organization #1” or whatever. I’m really curious if the U.S. government went to Ecuador and said, “You’re assisting criminal activity. You’re harboring an individual who’s doing X, Y, and Z.” I wonder if the Ecuadorians got concerned that they might be accused of contributing to a conspiracy unless they did something with Assange. I have a feeling there’s not just a big coincidence to that timing.
VentureBeat: Speaking of some things that rise up as larger concerns, is there something to the government being able to track Bitcoin transactions better than previously thought?
Mitnick: It’s all public. All blockchain is, it’s a digitally encrypted ledger. It’s not some sort of magic. You have a company like Kodak that puts the word “blockchain” in something they’re developing and all of a sudden their stock goes up. All the blockchain is is a digital ledger. To prevent anyone from tampering with that ledger, it’s protected with encryption and it’s distributed publicly.
Now companies are leveraging this technology to do things like subcontracts. What can they put in the chain and encrypt? How can they leverage this technology to create new products? A company in Russia is using blockchain to create a multi-factor authentication product, where the second factor is encrypted in the chain. Since the chain is public, with a private key you could unlock that block and use it for two-factor authentication. A lot of innovative companies are leveraging that fundamental blockchain and trying to come up with new products.
VentureBeat: Going back maybe a year, a year and a half ago, some of the big names like McAfee saw a rise in ransomware cases where the perpetrators were demanding to be paid in Bitcoin. It was considered an untraceable way to get the ransom. Now that’s apparently not true.
Mitnick: At least with Bitcoin, the ledger is public. If you recall the case of Silk Road, they were able to trace all of those transactions eventually that went to the wallet on his machine, so they could be used as evidence in his trial. What some crooks try to do is launder transactions, going through exchange services that anonymize their wallets. You have a wallet out here with Bitcoin in it, and they spend their time and resources on making sure you can’t connect that wallet back to a person. They’re able to move the money into the physical realm through some sort of exchange and have that be anonymous.
But again, the ledger is public. The hard part is how a bad guy gets the money exchanged into real currency, real value. That’s where they come up with a bunch of different schemes.
VentureBeat: Both blockchain and AI seem like big topics related to security right now. Do you think these things are going to improve or change security in a big way?
Mitnick: It’s a double-edged sword. With AI, I’m the chief hacking officer of a company called KnowBe4, and we’re developing an AI product that works for both offense and defense. We help protect our clients against phishing attacks. We’re able to use machine learning in both ways.
Back in the ‘80s there was a guy named Henry Teng developing what he called an AI tool, written in LISP, to do offensive work on computers within DEC’s internal network. It was an automated hacking tool that I ended up getting access to back in the day. The way he was leveraging machine learning was through using it for offensive work. So I see as a double-edged sword. You can use machine learning for either good or ill.
VentureBeat: On blockchain, how are you using that at Olyseum?
Mitnick: We’re using the Ethereum blockchain for the coin, which people can earn through being part of the network. The user is responsible for managing their private key, or simply using our token through Ethereum. Individual users can use their tokens, their coins, outside Olyseum’s network. The security isn’t something that Olyseum has to build on. It’s really just using the Ethereum blockchain. The user has to manage their private key, and if that private key gets breached, of course, like anything else, somebody could gain access to their wallet and move currency. But the security isn’t something Olyseum is building in. We’re using an already-developed technology.
VentureBeat: Using this with athletes, then, you can create things like uniquely-identifiable memorabilia?
Mitnick: The sky’s the limit. It’s kind of like a publishing platform. The most interesting part, though—the whole idea of the network is to bring fans together with their idols, their sports stars. What the stars do is create communities, almost like followers on Twitter, and then—for example, maybe there’s a signed T-shirt, or another new type of memorabilia that the athlete wants to sell. They can sell it for coins. They can even sell virtual chats. They can market whatever they want to market through this digital network, or hold contests to give things away.
They’re building a community of people. What’s cool about this network, it’s really sports-centric. It’s putting these huge stars in closer contact with their fans. It’s more personal. It’s not just buying memorabilia, but also being able to have one-on-one virtual conversations.
Everything is public, so there’s nothing to compromise security-wise. One of the biggest advantages to the social network is that people can actually earn money by their activities. The more activity they have, they can earn a percentage of the profits in the coin. One attack that an outside entity might do is create a bot that becomes a member of Olyseum and tries to generate activity to earn coins. If users are earning profit as a percentage of the overall pie, that reduces real users’ profit. The bot is stealing from everyone. So that’s a security risk. But with respect to, say, how Facebook works, where you have your private circle of friends, or your direct messages on Twitter, and other private channels of communication that need to be protected, that doesn’t exist on Olyseum.
VentureBeat: Do you think that, as everybody moves things over to blockchain—for one example, I wrote about sports event tickets moving over to blockchain. Do you think we’ll see a wholesale improvement in security as a result of that, or will bad guys just figure out how to adjust?
Mitnick: Well, the bad guys will attack anything, whether it’s digital or standard currencies. I think it’s a great idea. Anything that can leverage creating an encrypted ledger and enabling public distribution of that, or even creating a private blockchain—see, that can be a problem as well. You have different types of implementations of blockchain. What companies or even individuals could do is create a different version of their own blockchain that might create weaknesses. But talking about the standard blockchain used in Bitcoin, that’s a good thing.
I actually believe that the world is going toward digital currency entirely. Eventually paper and coins will be a thing of the past. But that’s concerning as well. If everything is digital, what are the security risks when someone steals your private key? How does the government collect taxes or enforce laws around money laundering? There are lots of different challenges that come with digital currencies. Again, it’s a double-edged sword. You have benefits, and you have challenges to handle.