By:
Rocío Benigar
(Cybersecurity Project Analyst)

Remembering Kevin Mitnick: Master of Social Engineering

Kevin Mitnick is an iconic figure in the world of computer security. He is known as much for his notorious cyberattacks in the 1980s and 1990s as for his transformation into a respected security consultant. Often dubbed the "world's most famous hacker," he captured worldwide attention not only for his ability to breach highly protected systems, but also for the controversy and mystery surrounding his life and activities.

His unauthorized raids on systems at companies such as Nokia, Motorola and Sun Microsystems revealed major vulnerabilities and sparked intense debate about computer system security and privacy. After his arrest and conviction, he reinvented his career. He used his knowledge and experience to help organizations defend against the very threats he represented. His career provides a unique perspective on the evolution of computer security and underscores the importance of understanding and mitigating cyber threats.

Today marks one year since his passing and this article explores his life, his most notorious activities, his arrest and subsequent transition to computer security, as well as his legacy and contributions to the practice of cybersecurity.

The beginning

Mitnick was born in August 1963 in Van Nuys, California. From an early age, his fascination with computer systems, telecommunications and his interest in magic tricks marked the beginning of his extraordinary journey. Raised by a working mother, he demonstrated an innate curiosity and an exceptional ability to solve problems on his own. At age twelve, he discovered how to travel for free throughout the Los Angeles area by deciphering the unique pattern of bus tickets and learning how to manipulate them to his advantage. His ability to observe and deduce allowed him to obtain and personalize blank tickets from bus terminal trash cans, while his exceptional memory helped him remember bus schedules throughout the city. In parallel, his fascination with magic taught him the pleasure of acquiring secret knowledge and mastering new skills, thus demonstrating his persistence and creativity in finding ingenious solutions to complex problems. Illusion and the manipulation of human perception fascinated him, which was reflected in his approach to systems intrusion: seeing beyond the obvious and exploring hidden possibilities.

During his high school years, Kevin had his first encounter with what would later become known as social engineering through a hobby known as "phone phreaking". This type of hacking allowed him to explore and exploit the phone system and phone company employees. A schoolmate showed him some tricks, such as obtaining information about any phone company customer and making long-distance calls at no cost. These calls, in reality, did have a cost, only they were charged to the accounts of unsuspecting companies. Intrigued and excited, he immersed himself in this world. His fellow "phone phreakers" taught him how to make pretext calls to the phone company, using language and procedures that made them sound credible. It wasn't long before Mitnick began making these calls on his own, honing his skills and surpassing his early mentors.

One of his favorite high school pastimes was to hack into the telephone exchange and change the phone service of other "phone phreakers" to make it look like they were calling from a pay phone. This prank caused them to receive a message asking them to deposit a coin when they attempted to make a call, as if they were using a pay phone.

Mitnick became obsessed with all aspects of the telephone system, including electronics, switches, computers, corporate organization, procedures and terminology. His knowledge came to surpass that of many telephone company employees. In his teens, he had developed his social engineering skills to the point where he could convince most telephone company employees to do almost anything, either in person or over the phone.

At the age of 16, the self-described "Ghost in the Wires" gained his first unauthorized access to a computer system by logging into his high school network. This event marked the beginning of his foray into exploring computer systems, motivated primarily by curiosity and a desire to understand the structure and operation of these networks, as well as to learn about potential vulnerabilities that might exist in them.

He employed a variety of innovative techniques for his time, including social engineering, exploitation of technical vulnerabilities through the use of advanced penetration software, and the ability to manipulate complex security protocols. He managed to breach the security of some of the companies mentioned below. His methods reflected a deep understanding of computer systems and an exceptional ability to bypass cyber defenses, setting a precedent in the evolution of cybersecurity.

His most notable technological transgressions

Invasion of Pacific Bell COSMOS (1981): Together with two friends, he physically entered Pacific Bell's COSMOS offices. This raid enabled them to obtain security keys, door combinations and system manuals, with an estimated value of approximately $200,000. This incident marked the beginning of his significant criminal activities.

NORAD Access (1982): Using a modem, he illegally accessed the North American Air Defense Command (NORAD) system in Colorado. Before gaining entry, he manipulated the program that tracked calls, diverting the trace of his connection. This event demonstrated his ability to bypass advanced security systems.

ARPANET and Pentagon Intrusion (1983): During his time as a student at the University of Southern California, Mitnick attempted to illegally access ARPANET and the Pentagon's computer. This incident resulted in his arrest and sentencing to six months in juvenile jail, marking one of the first documented cases of high-impact computer security breaches.

MCI and Digital Equipment Corporation (1988): Together with his associate Lenny DiCicco, he carried out an elaborate plan to infiltrate the systems of MCI Communications and Digital Equipment Corporation (DEC). They monitored the email of both companies' security departments to obtain information about their security systems. They succeeded in obtaining 16 security codes from MCI and gained access to DEC's research lab, Easynet, in search of the VMS operating system. This incident sparked an international manhunt and the FBI intervened to arrest Mitnick, who was charged with causing $4 million worth of damage.

Intrusion into Tsutomu Shimomura's computer (1994-1995): One of the most notorious episodes was the computer intrusion of Tsutomu Shimomura, a security expert at the San Diego Supercomputer Center. During this intrusion, he obtained software used to control cell phones, as well as various Internet security tools. Shimomura, upon becoming aware of the attack, initiated a personal manhunt to apprehend him, working closely with the authorities until he was arrested.

Arrest and conviction

In a coordinated operation with the FBI, Shimomura arrived in Raleigh and received an urgent call from InterNex, an Internet provider in California. The report was alarming: Mitnick had penetrated their system, manipulating accounts and altering security keys. Using a cellular frequency location antenna, the team covertly tracked the signal from Mitnick's cell phone, even when it was not in use. This device allowed the cell phone to act as a transmitter without the user's knowledge. Meanwhile, he continued his intrusion, changing passwords and creating new accounts on key systems such as InterNex, The Well and Netcom. With the tracking operation underway, the FBI, Shimomura and the Sprint team prepared for the arrest. Shimomura tried to quietly alert the Netcom manager to the impending arrest, but a misunderstanding led the manager to delete evidence, forcing the FBI to act quickly.

Cautiously, the FBI and Shimomura approached Mitnick's apartment, aware of the devastating potential of his computer skills. They announced their presence at the door and, after a few tense moments, he opened the door without resistance. He was arrested and all relevant devices were confiscated: disks, computers, cell phones, manuals and more. In the subsequent trial, Mitnick faced multiple charges, including computer fraud, illegal possession of access devices, illegal interception of communications, identity theft and damage to computer systems, which resulted in a five-year prison sentence. This period behind bars marked a turning point in both his personal and professional life: it kept him away from computing devices, encouraged him to continue training and drove his career in a new direction.

During his time in prison, he faced harsh and controversial conditions. Isolated for long periods of time, he experienced strict restrictions on communication and social activities due to his reputation in computer security. This situation not only affected his emotional and mental well-being, but also raised concerns about his constitutional rights. However, he took advantage of the time to study and educate himself, especially on cybersecurity issues, demonstrating consistent dedication despite the difficult circumstances.

The "Free Kevin" movement, which emerged during his incarceration, sought to raise awareness of Mitnick's conditions and challenge the restrictions imposed. It attracted significant media attention and support from the technology community, highlighting debates about ethics in computer security and individual rights in the digital age.

Transition to IT security

His release came in January 2000, after almost 5 years of imprisonment. Soon after, he appeared before the U.S. Congress to propose initiating debate on legislation to ensure the future security and reliability of information systems used by the federal government. For this, he said he was "ready, willing and able to help" and offered his 20 years of experience and expertise. In a speech that was short but powerful, he stated: "Companies spend millions of dollars on firewalls, encryption and secure access devices and it is money wasted because none of these measures address the weakest link in the security chain which are the people who use, manage, operate and are responsible for the computer systems that contain protected information." With this appearance, he launched his career as a cybersecurity consultant.

In 2003, Mitnick became the CEO of Mitnick Security Consulting LLC, a company that provides a wide range of security services to assess its clients' technical, operational and management security controls. His team, known as The Global Ghost Team, ensures that their clients' security is consistent with industry best practices, but can also put it to the test. Today, Mitnick Security is a leading global provider of information security training and services to governments, organizations and enterprises around the world.

In addition, since 2008, he has been a member of several advisory boards of both public and private organizations. In November 2011, he joined KnowBe4 as Chief Hacking Officer and co-owner.

Contributions to the computer security community

Convinced that years of experience had given him a level of wisdom that needed to be shared, he decided to start writing. His goal was that people who read his books could use them to protect themselves from the techniques he had used at some point. To achieve this, he joined forces with the writer William L. Simon who accompanied him in most of his publications, helping him to capture the ideas and make the reading of each of the publications educational and at the same time entertaining for the reader.

His first work, The Art of Deception: Controlling the Human Element of Security, was published in 2001. It explores the need to understand how the human factor can be the weakest link in the information security chain. It provides fictitious examples of how social engineering techniques can be applied in different scenarios to obtain information. But, more importantly, it also offers advice on how to avoid becoming a victim of such techniques. This book is a clear demonstration of the phrase 'It takes a thief to catch a thief'. With a foreword by Steve Wozniak that presents Mitnick as a crucial guide in the field of cybersecurity, it is certainly a must-read for anyone starting out on the path of social engineering.

Then, in 2005, he published The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers. This book tells the real stories of hackers and their methods of penetrating security systems, providing crucial lessons in cyber defense. In Mitnick's own words, "We wanted to write a book that was both a crime thriller and an eye-opening guide to help companies protect their valuable information and IT resources." As in his previous book, each chapter includes educational sections that give the reader a clear and detailed understanding of a specific technical concept or method used in hacking or social engineering, with the respective countermeasures.

In 2011, he released his autobiography, Ghost in the Wires, which details his life, escape and capture. It is a story of intrigue and suspense that highlights Mitnick's creativity and persistence, and offers insight into the importance of computer security.

Finally, in 2017, he published The Art of Invisibility. In this case, he seeks to reach the ordinary citizen, who may not have as much expertise as people who train or work in the field of cybersecurity. It offers practical strategies to protect online privacy and avoid digital surveillance in the modern era.

Kevin Mitnick, also known as 'Condor', visited our country in 2005. He was the keynote speaker at the Security Management Regional Congress held in Buenos Aires. He spoke about the need to take social engineering into account as a security risk for companies. But our country was not the only one: he became a speaker and lecturer at major events around the world and for world-renowned companies.

Many of his articles and news items can currently be found on the Mitnick Security Consulting website.

Lessons learned and best practices

Throughout his career, Kevin Mitnick has imparted valuable lessons and fundamental practices in the field of computer security. His knowledge is highly valued by those seeking to strengthen their defenses.

But what are the most important tips he has left? It is important to note that he has written not only for managing the security of large enterprise systems, but also for citizens in their daily lives.

If you need to apply best practices in the professional environment, some of them are: make your users aware of phishing and social engineering tactics, keep an updated inventory of devices that are components of the enterprise network, use a password manager at enterprise level, keep patched and updated workstations and internal and external servers (not forgetting firewalls, routers and IoT devices), among others.

For the general public, a series of behavioral tips are available on the Mitnick Security website, such as: do not reuse complex passwords, use multi-factor authentication and be careful with public Wi-Fi networks.

He also reminds us of the four basic principles of social engineering, which are:

 • We all want to help.
 • The first movement is always one of trust towards the other.
 • We don't like to say No.
 • We all like to be praised.

He also shares his top tips on social engineering:

 • Authority: People tend to obey authority figures without question.

 • Compassion: People are often more likely to help if they are emotionally appealed to.

 • Curiosity: Human curiosity can lead people to disclose sensitive information or perform unauthorized actions.

 • Trust: Building a trusting relationship with someone can facilitate access to valuable information.

 • Need for approval: Many people seek approval from others and may be manipulated through praise or false validation.

 • Urgency: Creating a situation of urgency can cause people to act quickly without proper questioning.

 • Ignorance: Taking advantage of a lack of knowledge or awareness of security procedures to deceive people.

 • Intimidation: Using intimidation or threat to force someone to take action or disclose information.

Legacy and Final Reflection

Kevin Mitnick left a profound legacy in the cybersecurity community. Born with an insatiable curiosity and an innate talent for detailed observation, he combined these qualities with a prodigious memory and tireless determination to master virtually any computing device. Motivated by his thirst for knowledge, he delved beyond the technologies he mastered in his student years, always seeking to broaden his horizons. He demonstrated how the human aspects are often the weakest link in the security chain, achieving unthinkable feats by impersonating someone else through the use of the telephone. His books, such as "The Art of Deception" and "Ghost in the Wires," have educated generations on social engineering tactics and methods to mitigate risks in the digital age.

His impact on public perception evolved from being seen as a computer criminal to being respected as a cyber defense expert. Through lectures, consulting and writing, he continues to influence how organizations and individuals approach security in an increasingly complex and threatening digital world. He was a pioneer who transformed challenges into lessons and captivated with his tireless pursuit of knowledge. He will continue to inspire all those dedicated to cybersecurity toward a more robust and aware society and information systems, even a year after his departure.