Well, not anymore. These days, reformed computer hacker extraordinaire Kevin Mitnick works for The Man.
My cell phone is ringing.
I pick it up off the table of a busy Los Angeles restaurant and look to see who is calling. Weird. The caller ID flashes my home phone number, but I know for certain that nobody is there.
Across the table from me, Kevin Mitnick is smiling. Once the most notorious computer hacker in the country - he was the FBI's most-wanted hacker and a fugitive for three years - Mitnick has more than a passing knowledge of using technology for devious, deceptive purposes. Using his own cell phone, Mitnick takes just a few seconds to demonstrate how he accomplished this telephonic sleight of hand, known as caller ID spoofing, a particularly effective trick for identity thieves and con artists: the number that appears on the display is chosen by the caller, so it proves nothing about who is actually on the line. (Think about it: How likely would you be to withhold personal or financial information from someone who your caller ID says is from your bank?) Just as quickly, Mitnick pulls up George H.W. Bush's driver's license number and then offers to retrieve mine, but I demur.
On the day we meet, Mitnick, 43, certainly doesn't look like much of a threat. Wearing a dark T-shirt and jeans, he is engaging and self-deprecating; he bemoans his latest doctor's visit because his physician was pestering him about losing weight. These days, Mitnick - who served five years in federal prison for breaking into the computer systems of large companies like Motorola and Nokia and then fleeing from prosecution - has very much gone legit. Instead of covertly, and illegally, breaking into corporate computer systems, Mitnick - through his Las Vegas-based company, Mitnick Security Consulting - uses those same skills to protect companies. "I get paid to do what they call ethical hacking," he says. "Companies call me mostly to do security assessments, which is when they want someone to evaluate their technical, physical, and human-based security to find out if they have any holes in their infrastructure that bad guys can break through."
The short answer is, yes, there are holes. "There has never been a client who has hired us that we couldn't break," he says.
Once Mitnick and his colleagues find security lapses, they work with companies to fix them - a process called "hardening" - and train employees to thwart hackers. Mitnick insists that, although it's commonly thought to be largely a technical issue, true company security involves a variety of elements, people being the most important. That's because social engineering, a fancy term for manipulating people into handing over information, is so effective.
In some of his classes, which are held over two days, Mitnick demonstrates how social engineering works by way of a little ploy the night before the first session. Students get a call in their hotel rooms at one a.m. from someone claiming to be from the front desk. The caller tells the sleepy guest that his credit card didn't go through and that he needs to come down and sort the matter out. Naturally, most people don't want to do that. No problem: the "front desk" generously offers to send someone right up to collect new credit card information and a signature. Just like that, an identity thief has all the information he needs - a fact the class members discover when they are handed their own signatures and credit card details in class the next day.
In Mitnick's view, defending against social engineering - which requires building both awareness of and resistance to all of the common scams - is every bit as important as installing the very best technology. Indeed, if an employee decides to use his own name as a password to get into a company's computer system, or simply writes it down and tapes it to his screen, there's not going to be much protection. "If you have all the best technology in the world but your users are giving out their authentication credentials, all that money is wasted," says Mitnick.