Mitnick on Mitnick: 'Why I'm going legit' (part two)

By CNET Networks

Published: 8 October 2001 11:45 BST

Farber: What is your relationship with the hacker community?

Mitnick: Fortunately, I am respected in the hacker community. I have contacts in the computer underground and stay abreast of security vulnerabilities and things that are under wraps. I use the information for my own personal curiosity and to gather intelligence about what really is going on out there to help protect our clients at Defensive Thinking. At the same time, it's a delicate balance. I don't want to share the information in ways that compromise a relationship, but I will use it to protect our clients.

Farber: What is the most common type of con that companies fall prey to?

Mitnick: Giving out internal telephone numbers. People have a desire to help fellow workers. When a caller masquerades as someone in the company, and the victim fears reprimand and desires to help, they will likely comply with a request from an unauthorised party.

The magic of social engineering is psychological triggers, which are methods used to influence or persuade people. In the corporate environment, people are unlikely to evaluate a request thoroughly, so they take a mental shortcut, such as feeling a need to reciprocate if someone does a favour for them. For example, an attacker calls a target, or mark, and says that they are fixing a problem, which really doesn't exist. The target is made to believe that the requester is helping them solve a problem. When the attacker asks for information, the target feels obligated to reciprocate.

Farber: What is the most admired con or hack that you know about?

Mitnick: One that really comes to mind involved a security researcher in the UK, who had a fantastic aptitude for finding vulnerabilities in Digital Equipment's [DEC] VMS operating system. When I compromised DEC's systems, I was able to learn about security holes and that the researcher who discovered the holes was a student at the University of Leeds.

Eventually the researcher found out that I was trying to compromise him, and we played a cat and mouse game. I called him on the telephone and pretended to be someone on the VMS development team. I knew he had a huge interest in working for DEC. During our conversation I made a mistake. I thought he had talked to an engineer in the past, so I said "good talking to you again." That phrase triggered something, so right away the researcher called another person and played a tape of my voice. At that point I could tell that he knew I wasn't from DEC.

I let a few months go by and then sent him an email. I had found out that he had an account on a VMS computer system at his university and was communicating with a DEC engineer. I had full access privileges to the system and played the man in the middle. In the email I told him about a security vulnerability and sent him the working vulnerability that he didn't know about, so we developed a relationship over email.

Subsequently, I told him I was worried about having our communications intercepted and brought up that I was worried about Mitnick intercepting communications. So, I sent him a PGP key, and gained his full trust by sending him information, not by asking for anything and by talking negatively about myself.

Eventually he sent me all his research work and vulnerabilities. About three or four months later he asked me about an encryption algorithm in a yes or no question. Instead of researching to get the right answer by querying a DEC engineer, I just guessed the answer was no. When he found out that my answer was incorrect, he got suspicious and realised the whole elaborate scheme was a big con.
