CLEARWATER (FOX 13) - I’m sitting across from a man who was once on the FBI’s Most Wanted List for hacking into the communication systems of major corporations -- a man who later served time in prison for those same crimes.
Kevin Mitnick, now a sought-after security expert, wants to show me how much of my personal information is up for grabs for those who know where to look.
“If I have your name, I can get all your personal information in about 30 seconds,” he says.
"I've taken measures to be careful, so I'd be interested to see..." I say with confidence.
Mitnick has heard it before. "I'm sure those measures won't do anything," he says.
I offer up a few basic biographical details. He starts typing. In less than a minute, without looking up, he says a name. “That’s your mother’s middle name, right? And your middle name is…”
Just as I’m trying to process where he found it, he has more: nine familiar numbers. My entire Social Security number.
He found it on a commercial database that charges 50 cents for an individual’s private information.
“So, how many bank accounts do they ask for the last four of your social or your mother's maiden name? A lot of people do that, right?” he says. “Imagine a crook gets this information. They could pretend to be you, which is scary.”
Mitnick is speaking from experience. In the mid-1990s, his public persona was part legend, part infamy, as federal agents tried to track him down for hacking into dozens of corporations. His exploits came to an end when the feds caught up with him and he was put behind bars for five years.
Since his release from prison in 2000, the same knack for security challenges has made him a busy “ethical hacker,” whose mission is to warn people how vulnerable information systems are, both in terms of human error and technical vulnerabilities. Data brokers who turn an individual’s private information into a commodity are just one example of how we’ve lost control, he says.
PAID TO HACK
In the 1990s, he combined his technical expertise with deception to get key pieces of information that allowed him to break into systems -- pretending he was someone he was not in order to get a password, for instance.
He says the same principle is at play in many phishing attacks today.
“Social engineering is when you use manipulation, deception and influence to convince a target to comply with a request,” he explains. “So, a lot of it is clicking on a link, opening an attachment.”
He’s “Chief Hacking Officer” at KnowBe4, an internet security company based in Clearwater that helps companies identify potential vulnerabilities in their computer systems. Corporations essentially pay KnowBe4 to try to hack into their systems and train their employees how to avoid taking the bait.
One of the ways they do that is by sending cleverly disguised emails to employees at those corporations, using the same types of deception used by would-be hackers, to teach them what not to do.
“We train people not to fall for phishing attacks, because when they do click on a link, a thing comes up that says, ‘Hey, you made a mistake.’”
In real life, the consequences of opening malware disguised as an attachment are data theft and private information sold or exposed.
And that’s a big difference between Mitnick’s misadventures and the threats facing corporations and individuals today: Mitnick says he didn’t sell the data he accessed, but did it for the thrill of the challenge.
TRADING PRIVACY FOR CONVENIENCE
Mitnick knows that building a more secure infrastructure takes work, on a macro and micro scale.
“People can increase their privacy but at the same time, decrease their convenience,” he says as he lists the things we can all do to make our phones and computers more secure, like using a VPN, two-factor authentication and encrypted messaging apps. “It makes it harder.”
He says a lot of the damage has already been done.
Two months after he was released from federal prison, the hacker formerly known as one of the FBI’s “Most Wanted” was called on by the feds once again -- this time, to testify before Congress.
He offered his security insights and a prescient warning.
“It seems, in essence, what you're telling us is that all our systems are vulnerable, both government and private,” observed Sen. Fred Thompson (R-TN).
“Absolutely,” he said at the March 2000 hearing.
More than 15 years later, we’re sitting in KnowBe4’s Clearwater offices, watching live visualizations of attempted attacks on computer systems around the country.
“The old saying is, there’s no such thing as privacy, so get over it,” Mitnick tells me.
He’s referring to what the Sun Microsystems chief Scott McNealy infamously said about privacy back in 1999: “You have zero privacy anyway. Get over it.”
McNealy later told a reporter that he meant so much information was already out there: Doctors have medical records, Visa has your financial records. Someone knows everything about you.
Of course, both statements were before electronic records became the norm, and we all discovered to the point of numbness how scarily vulnerable the institutions that store our information
Still, there’s something about Kevin Mitnick reading your mother’s maiden name and your Social Security Number to you that can shake you out of that numbness.
“See what I mean about privacy?” he asks.
KEVIN MITNICK’S TIPS
1. Beware of Free WiFi
To avoid eavesdroppers who can capture your information on a shared network, Mitnick recommends connecting to your own virtual private network as soon as you connect to free WiFi. A VPN encrypts information sent over public WiFi by creating a secure “tunnel.”
“For about five bucks a month, you can find a good VPN provider that has a good company that's reputable,” he said.
2. Rethink that 1-2-3-4 PIN
An easy PIN, or no PIN, leaves your information vulnerable to prying eyes or even someone who wants to install malware, he said.
“I go to security conferences where some of the leading security experts in the world speak. They have iPhones and I see them unlock them with a four-digit code,” he said. “I just scratch my head. OK, they feel invincible.”
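The weak-PIN problem Mitnick describes is easy to check for mechanically. The following is an added example, not code from the article or from KnowBe4: a small PIN policy validator that rejects short, sequential, repeated, date-like and commonly chosen PINs and reports how many bits of keyspace a PIN of that length actually has. The common-PIN list is a constructed sample, not a published dataset.

```python
import math

# Constructed sample of PINs that show up at the top of leaked-PIN
# frequency lists (assumption; extend from your own policy data).
COMMON_PINS = {"0000", "1111", "1234", "1212", "2580", "4321",
               "1122", "2000", "1004", "6969", "123456", "000000"}


def is_sequential(pin: str) -> bool:
    """True if every step between neighbouring digits is +1 or -1 (1234, 9876, 0123)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeated(pin: str) -> bool:
    """True if the PIN is one digit repeated or a short block repeated (8888, 1212, 123123)."""
    if len(set(pin)) == 1:
        return True
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def looks_like_date(pin: str) -> bool:
    """MMDD or DDMM for four digits (birthdays); MMDDYY-style for six digits."""
    if len(pin) == 4:
        a, b = int(pin[:2]), int(pin[2:])
        return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12)
    if len(pin) == 6:
        return looks_like_date(pin[:4])
    return False


def assess_pin(pin: str, min_length: int = 6) -> dict:
    """Return {'ok': bool, 'reasons': [...], 'keyspace_bits': float} for a candidate PIN."""
    if not pin.isdigit():
        return {"ok": False, "reasons": ["not all digits"], "keyspace_bits": 0.0}
    reasons = []
    if len(pin) < min_length:
        # 10^n guesses exhaust an n-digit PIN; 10,000 for four digits.
        reasons.append(f"only {len(pin)} digits; {10 ** len(pin):,} guesses cover the whole keyspace")
    if pin in COMMON_PINS:
        reasons.append("in the common-PIN list")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if is_repeated(pin):
        reasons.append("repeated pattern")
    if looks_like_date(pin):
        reasons.append("looks like a date")
    return {"ok": not reasons,
            "reasons": reasons,
            "keyspace_bits": len(pin) * math.log2(10)}


if __name__ == "__main__":
    for candidate in ("1234", "0000", "0704", "739502"):
        print(candidate, assess_pin(candidate))
```

The keyspace figure is the whole point of the four-versus-six-digit argument: a four-digit PIN has under 14 bits of keyspace, a six-digit one just under 20, and the pattern rules remove the handful of values a guesser tries first.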
3. Two-Step Authentication
If you want to be really safe, don’t sync private photos to iCloud unless you use two-step authentication. Better yet -- don’t save private photos on your phone to begin with.
4. Be Suspicious
Mitnick often does demonstrations showing how “man in the middle” attacks work. A person gets an email to call their bank, for instance. It looks like an email from the company, and when they call the phone number, they reach the company. They follow the prompts and it works. But the number in the email was a “middle man” phone number that captured the information entered into the phone, like a Social Security number.
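The defence against the callback-number trick above is to verify any phone number in a message against the institution's independently published contact numbers before dialling it. The following is an added example, not from the article or from KnowBe4: it pulls North American phone numbers out of a message, normalizes them to a single form, and reports which ones are not on the institution's known list. "Example Bank", its numbers and the sample email are constructed for the example.

```python
import re

# Constructed allowlist of published contact numbers, keyed by institution.
# A real deployment would load this from the institution's own directory.
KNOWN_NUMBERS = {
    "Example Bank": {"+18005550100", "+18005550199"},
}

# Matches 800-555-0100, (800) 555-0100, 800.555.0100, 1-800-555-0100, +1 800 555 0100.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")


def normalize(area: str, exchange: str, line: str) -> str:
    """Collapse the formatting variants to an E.164-style string so comparisons are exact."""
    return f"+1{area}{exchange}{line}"


def extract_numbers(text: str) -> list:
    """Return every phone number found in the text, normalized, in order of appearance."""
    return [normalize(*groups) for groups in PHONE_RE.findall(text)]


def check_callback_numbers(text: str, institution: str) -> dict:
    """Split the numbers in a message into those the institution publishes and those it does not."""
    known = KNOWN_NUMBERS.get(institution, set())
    found = extract_numbers(text)
    return {
        "found": found,
        "verified": [n for n in found if n in known],
        "unknown": [n for n in found if n not in known],
    }


# Constructed sample message in the style the article describes: the
# urgent "call us" number is not one the bank publishes.
SAMPLE_EMAIL = """From: Example Bank Security <alerts@examp1e-bank.test>
Subject: Unusual activity on your account

We detected unusual activity. Please call 1-800-555-0123 immediately
and confirm your identity using the automated prompts.
Our regular customer line (800) 555-0100 remains available.
"""


if __name__ == "__main__":
    result = check_callback_numbers(SAMPLE_EMAIL, "Example Bank")
    for number in result["unknown"]:
        print(f"WARNING: {number} is not a published Example Bank number")
    for number in result["verified"]:
        print(f"ok: {number} matches the published directory")
```

The normalization step matters more than the regex: attackers vary punctuation and country-code prefixes precisely so that a string comparison against the published number fails, and a message with zero verified numbers and one unknown number is the signature of the scenario Mitnick demonstrates.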
Just like a landline can be tapped, cell phone communications can be intercepted by devices that mimic a cell tower or base radio.
“Basically what I do is trick your phone that... when I'm close, you connect to mine,” he said. “So now, any phone calls or text messages that go through my system I can intercept.”
He mentioned apps like Signal, Red Phone, and Text Secure that encrypt messages and phone calls. In general, end-to-end encryption makes it really difficult for someone to intercept messages, he added.