Security threats Toolkit

Mitnick on hacking

Tags:
Social Engineering,
Software Security,
Hacker,
Kevin Mitnick

Joris Evers CNET News

Published: 04 Nov 2005 18:15 GMT

...an FTP server, mail server or DNS server, a lot of times you find those computers are not in the DMZ (De-Militarised Zone, a separate security area). Instead, they are on an internal network and the network is flat. So if you are able to compromise one, it is quite easy to spread access to other systems. Often times they even use the same passwords. Bottom line: More companies have to think of a defence-in-depth strategy, rather than just protecting the perimeter.

Over the past years we have seen a couple of arrests of virus writers, bot herders and others. Everybody knows you were arrested as well. Is law enforcement advancing? Are they doing the right thing and catching the right people or are a lot still going free?
I am sure there are a lot of people doing this they don't catch. Wireless networks are ubiquitous. It is very difficult for law enforcement if somebody goes and takes a laptop and changes their media access control address so you can't identify the machine. If you're out in a car or van or sitting in a restaurant next to a wireless access point and don't use the same access point all the time, it could be extremely difficult to track you.

So there is a big challenge for law enforcement. Do you think they are doing a good job, or could they do better?
I don't know. We need stats for that. We need metrics on how many criminals they are apprehending. It is a guess that they are getting better, because they are getting help from the private sector. They are probably better than they were 10 years ago, but I don't know their capabilities. I know their strengths are in forensics. So if they seize a computer of somebody thought to possess child pornography, they use Encase and can recover that contraband. That's what they are good at. In doing hacker investigations — I really don't know their capabilities.

So what about when it comes to virus writers, bot herders, phishers?
With virus writers, I don't believe the FBI is technically doing the analysis. They just farm it out to a Microsoft, Symantec or McAfee because it is easier. These companies are not going to turn down law enforcement because they are doing a public service.

Do you believe that more of these criminals should be caught?
They should try. But the bottom line is that there is so much hacking going on that they have to set a dollar limit. Unless there is a fraud or a loss that equals $50,000 (£28,000) — maybe $100,000 — they are not going to investigate. Small criminals knowing this can always stay under this threshold. That's at the federal level. Then there are states, which might have a different monetary threshold, but their competency is probably less than the feds.

Do you think if you were doing today what you did 10 years ago, would you be caught sooner?
If I knew what I know now and I could use what I know now back then, no. But if they had the technology that exists today, and I was doing the exact thing I was doing, yes. Law enforcement's capabilities for tracking communications are much greater than years ago.