VentureBeat: What do you think about the security of our upcoming elections in the United States?
Mitnick: The DNC was clearly hacked in 2016. I don’t think the election itself was hacked. It was influenced, is a better word for it, strongly influenced, and not through just hacking the DNC. That’s one part of a big puzzle. There was also a lot of social engineering. The Russians were obviously using social networking to influence people’s opinions. The election, in my mind, was definitely manipulated. Were voting machines hacked? I haven’t seen any evidence of that.
VentureBeat: It’s funny that the Republicans are usually thought of as tough on security. Now the Democrats are mad about it.
Mitnick: I can tell you a story about that. In 1980, the Republican National Committee was running an old machine from DEC, a big TOPS-20 mainframe. This was in the ’80s when I was active as a black hat. I compromised that mainframe and had access to everything. Ronald Reagan even had an account on that machine. It was just a placeholder for him, though. There was nothing there.
I didn’t really care that it was the RNC. What I was doing, I was just targeting TOPS-20 organizations that were reachable via the ARPAnet that were running a particular operating system. They happened to be an unlucky one that was running that operating system, so I had access to everything on that machine. But it wasn’t interesting at the time. I didn’t even look around it much.
VentureBeat: You didn’t have the vision of a Vladimir Putin at the time.
Mitnick: [laughs] I was still doing all of this for challenge and entertainment. TOPS-20 was one of my targets because USC in Los Angeles used TOPS-20, and I wanted to get better at compromising those machines. I’d just look for random ones on the ARPAnet.
I bring this up because it’s funny to see Trump coming out and saying he can’t believe what shoddy security the DNC had, but the RNC is rock solid and hasn’t been hacked. Of course, flash back 30 years earlier, I did hack them. [laughs] It’s all just posturing, of course. In all likelihood the RNC was hacked as well. They just don’t know, or it wasn’t exploited.
It’s really not hard these days, especially given the pretexting or phishing methods that are being used. We’re still really good, in offensive work, at bypassing products that detect implants or malware. The security industry hasn’t developed a product that works really well. When we’re doing security testing, we bypass these products all the time. EDRs, like Carbon Black or CrowdStrike, those are much harder to bypass. It’s much harder to stay in the network without being detected, but we can still do it.
If we can do it, as security testers, then the bad guys can do it, and of course nation-states can do it. They have unlimited money, time, and resources. If you look at the Shadow Brokers, when they released Fuzzbunch, which is allegedly the NSA’s framework for exploitation, they also had tool sets in there for bypassing what they call PSPs, the antivirus tools or EDRs, what they label as “personal security products.” It’s an entire framework for bypassing Kaspersky and others. Of course the Russians are going to have the same tools. It’s a no-brainer.
The problem is, you’re dealing with the social side and you’re dealing with the vulnerabilities of tech. The hack did not surprise me at all. I really think that they could do it again. And I think that a lot more has been compromised than what we know of.
It’s a race. We have Internet of Things, and that’s becoming the wild west. It’s like going back to 1980 with the IBM PC just coming out. Or when the ARPAnet became the internet and everything was open. That’s what IOT is today. They’re obviously trying to improve this, but devices come out with default passwords or no passwords, no way to update firmware. Consumers don’t even know what firmware is. Device manufacturers don’t want to spend money on security updates.
And these IOT devices just sit in everybody’s home. You can use them to store malware or gain persistent access to home networks. Even businesses are using IOT, especially cameras. You can compromise a camera from the outside, whether with default credentials or buffer overflow or some other sort of attack. Then, from the camera, you launch an attack on the internal network.
VentureBeat: Going back to your book from last year, how can someone try to stay invisible in this kind of world?
Mitnick: I discussed it all from the perspective of a person who’s trying to hide from an attorney who wants to serve them a subpoena, or a dissident journalist that’s a target. It depends on the level of privacy and the level of threat. But at the highest level, let’s say you’re trying to evade law enforcement or an intelligence agency because you’re a dissident. I go through the whole process of op sec, starting with a burner device.
It’s a complex set of steps, but essentially you’re building anonymity from your first connection to the internet. You have to do it in such a way that you use that device in locations that aren’t associated with you. You don’t have electronic devices using cellular networks that are turned on at the same time. Then, from that network, using a VPN provider in a foreign country, you can jump over to Tor. You’re layering anonymity in such a way that makes it difficult for anyone to track you back.
VentureBeat: I saw that video of the Chinese police finding a journalist within about seven minutes in a big city. Just through live security cameras.
Mitnick: You have to have serious op sec. If you’re not meticulous and you make one mistake, it can give you away. But that’s at extreme levels. For the average law-abiding person in the street who just wants to maintain personal privacy, I talk about—it’s a little bit under the hood, but mostly from a non-technical perspective. I go into end-to-end encryption, the tools like Signal out there that you can use to protect your communications against a criminal adversary. If you just want to protect your privacy from your bosses and teachers, that sort of thing, that’s 80 percent of what it is. But I go into a lot more depth and a lot more different tools.
I just did a segment on CBS in New York where we talked about anonymous shopping. I told the producers, “Well, we could just use Tor from home to do this, because we’re not hiding from a government agency. Marketeers can’t get information from an IP address. They’re not going to use a subpoena. We just want to mask our IP. If you want to do private shopping, that activity can be correlated.” For the segment, we went out and bought a Chromebook and a wireless hotspot, and through the Chromebook in the CBS offices we were able to purchase items on the web.
Really, that’s overkill, because all a consumer really needs to protect their privacy against marketers and advertisers on the internet is using Tor. You can’t just use incognito mode. But again, that has its down sides. Tor is slow. There are other options. You have all these different levels of threats, and I try to cover a bit of them all.
VentureBeat: Is there anything else interesting on your radar right now?
Mitnick: I partnered up with Olyseum because Carlos is a friend of mine. He asked me two years ago in Spain if I would help out. Now the network is becoming more mature, so I’m giving Carlos advice on how to manage any security risks. In my other work I’m at KnowBe4. We’re up to about 500 employees in Clearwater, Florida, doing security work. Then I have my own company doing penetration testing. Companies hire us to do offensive work. And then I’m on the public speaking circuit. I’m pretty busy with all the stuff I do.
VentureBeat: You have to keep up the reputation as the world’s most famous hacker.
Mitnick: [laughs] I’ll have to do another book. I love adventure, right? I liked doing Ghost in the Wires because it was a kind of catch-me-if-you-can story. I liked doing Art of Deception because with a fictionalized story you can build some adventure into it. It becomes a fun story to read. That’s what I’m looking to do in the next book. I want to use real penetration testing stories. We have to look at the legal issues around NDAs, how we can fictionalize it to keep from tying anything to a particular company. But hopefully we can create an interesting adventure book that reveals the tactics and techniques and protocols of the bad guys.
Updated 9:39 a.m. Pacific time on 8/23/18: Olyseum offered corrections to misstatements about its business.