Surprising tips from a super-hacker

I asked the world's most famous hacker, Kevin Mitnick, how to secure a smartphone and laptop; here's his advice

Virtually everyone in technology knows about Kevin Mitnick, who in the 1970s, '80s and '90s was a notorious fugitive hacker on the run from the FBI.

(If you're not familiar with the details of Mitnick's exploits, I recommend his book, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker.)

Most experts also know that he's made his living since being released from prison as a security consultant. But did you know that he still hacks for a living?

Mitnick has always emphasized the importance of social engineering for hacking, an emphasis that's lacking in most security advice. He also focuses on how to get through to a public that struggles to appreciate the risks.

That is why he gets through to his public by hacking them (with their permission). Corporate training can make eyes glaze over, so Mitnick drives his points home by actually hacking his clients and then showing them how easily a malicious hacker could victimize them in the future.

Mitnick, the Chief Hacking Officer for a company called KnowBe4, is working on a new book called The Art of Invisibility, which will be a master class in securing one's privacy against a world of hacks and exploits.

In the meantime, he's got some easy tips for securing mobile devices.

I sat down with Mitnick at last week's RSA conference in San Francisco, and he rattled off advice that everyone can use. (You can hear the full interview on my FATcast podcast, which will be posted on March 10.)

Mitnick specializes in making clients think about things they hadn't considered before. For example, some people seeking privacy might buy a "burner phone" -- a phone purchased without a contract for privacy. But Mitnick points out that even buying a secure device can compromise your privacy: the purchase can be identified and traced back to you through the Uber you took or the car you rented, because the transportation record leads to the store, and the store can provide identifying information about the phone.

At KnowBe4, Mitnick helps companies prevent and deal with the most pernicious and difficult hack, which is a phishing attack.

Phishing is a form of social engineering that involves tricking someone into believing an email or other message is coming from a trustworthy source -- for example, an email that appears to come from PayPal or from someone claiming to be an executive in the company the victim works for. Once trust is gained, the target might open an application, download a file, reply with password or other information, or visit a website that delivers its own malicious payload.

Mitnick told me that "it's much easier to hack a human than a computer because computers follow instructions, they don't vary -- humans go by emotion, by what's happening in their day... so it's not hard" to socially engineer someone -- "especially if they haven't been burned before."


Mitnick says that "people are lazy," and that's a huge advantage for hackers. Even at the RSA conference, he can simply watch security experts attending the show unlock their phones and he can tell that they're using the weaker four-digit unlock code for their phone, rather than a longer password. For starters, that's one way to identify a target -- anyone wanting to break into a phone will have a big advantage with a four-digit unlock code.

The best defense against phishing isn't anti-virus or firewall software per se, but training, education and awareness.

You might expect that Mitnick would use one of the new secure phones, such as the Blackphone 2 or the Turing phone.

But Mitnick told me he uses a standard iPhone. It's secure because of his choices and behaviors, he says, which seem to be more important than the equipment.

For example, he uses a long alphanumeric passcode (rather than the four-digit code most of us use). And if he thinks he might be ordered to unlock his phone (such as when he returns to the United States from traveling abroad), he reboots the phone so Touch ID stops working (only the passcode can unlock a phone immediately after a reboot). He pointed out that in the United States, "a court can force you to unlock your phone with your thumb, but they can't force you to reveal your code."

Mitnick prefers the iPhone because most mobile phone hack attacks go after Android phones. But he does say the iPhone is crackable and that no device is 100% secure.

Laptops and desktops

Mitnick told me how he secured his own mother's computer by taking advantage of Apple's code signing model for security.

He said his mother used to call him every week to fix her Windows PC because the machine was constantly getting infected. His mother would "fall hook, line and sinker... for social engineering attacks" and he had to re-install Windows every week.

So he bought her an iMac, installed an anti-virus utility, and then locked down the device.

In the "Security & Privacy" settings in OS X, there's a "General" tab. At the bottom, there's a setting labeled "Allow apps downloaded from." The default setting is: "Mac App Store and identified developers." For his mother's Mac, Mitnick changed that setting to "Mac App Store," which means she can download only apps approved by Apple.
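The "Mac App Store" setting is enforced by the OS X feature Apple calls Gatekeeper, and the same provenance check can be run from the command line with `spctl`. The script below is an added example, not from the article or KnowBe4; it assumes a macOS host with `spctl` for `assess_app`, while `classify_spctl_output` is plain text parsing over constructed sample output and runs on any POSIX sh with awk.

```shell
#!/bin/sh
# Added example (not the article's code): enforce the "Mac App Store" only
# policy from the command line. Assumes macOS `spctl` exists for assess_app;
# classify_spctl_output is plain text parsing and runs on any POSIX sh + awk.

# Read `spctl --assess --type execute -vv` output on stdin and print one word:
#   app-store | developer-id | rejected | unknown
classify_spctl_output() {
    awk '
        /: rejected/             { rejected = 1 }
        /^source=Mac App Store/  { src = "app-store" }
        /^source=Developer ID/   { src = "developer-id" }
        END {
            if (rejected)        print "rejected"
            else if (src != "")  print src
            else                 print "unknown"
        }'
}

# Run Gatekeeper's own assessment on a real bundle (macOS only) and classify.
assess_app() {
    spctl --assess --type execute -vv "$1" 2>&1 | classify_spctl_output
}

# Mirror the "Mac App Store" radio button: succeed only for App Store signed
# apps; Developer ID (the paid tier Mitnick distrusts) and unsigned apps fail.
policy_allows() {
    [ "$1" = "app-store" ]
}

# Constructed sample outputs (not captured from a real machine) in the shape
# spctl prints them; the bundle names and team ID are placeholders.
SAMPLE_APP_STORE='/Applications/Pages.app: accepted
source=Mac App Store
origin=Apple Mac OS Application Signing'
SAMPLE_DEV_ID='/Applications/Tool.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_UNSIGNED='/Applications/Dropped.app: rejected
source=no usable signature'

# Stand-alone demo: classify each sample and apply the policy.
for s in "$SAMPLE_APP_STORE" "$SAMPLE_DEV_ID" "$SAMPLE_UNSIGNED"; do
    verdict=$(printf '%s\n' "$s" | classify_spctl_output)
    if policy_allows "$verdict"; then echo "$verdict: allowed"; else echo "$verdict: blocked"; fi
done
```

On a real Mac, `assess_app /Applications/SomeApp.app` feeds live `spctl` output through the same classifier, so the policy decision is identical to the one the System Preferences radio button makes.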

Mitnick points out that the default setting isn't very secure because "it's a hundred bucks to become a developer."

"Just getting her a Mac and changing that setting" solved the problem of malicious downloads. He quickly noted that while that simple solution protected her against everyday phishing attacks, it wouldn't protect her from the NSA or other more skilled, determined hackers.

Thumbdrives and other attack vectors

Mitnick hacks as a kind of performance art in keynotes and talks at security conferences around the world. At CeBIT in Germany this year, for example, he performed several hacks including a demonstration showing how simply plugging in a thumb drive could give a hacker total control of your machine, including the ability to activate and monitor the camera and microphone or launch any program. In the hack, the USB thumbdrive tricks the laptop or PC into thinking it's a keyboard, rather than a storage device. That enables the hacker to inject keystrokes, which means he can do anything to your device that he could do by typing on your keyboard.

Mitnick demonstrates this hack because "people think USBs are safe now, because they turn off 'auto-run.'" He wants the public to know that thumbdrives are not safe.

The lay public also believes that PDFs are safe. So Mitnick demonstrates with visual tools how a hacker can use a PDF file to take control of a target machine.

Another hack he demonstrates involves a malicious hacker who can go to a coffee shop where there's a public Wi-Fi router, and instruct the router to boot all the users off the network. When they reconnect, the hacker can then offer a fake Wi-Fi network with the same name. Once users connect, a malicious payload can be delivered.

Just knowing this information might change your behavior. I know it's changing mine.

The bottom line is that you really, really don't want to plug in a thumb drive or download a PDF file to your laptop, even if you feel comfortable about the source. (Social engineering exists to make you feel comfortable.) And you should avoid public Wi-Fi hotspots.

While people in the security community focus on the code side of hacking, Mitnick emphasizes the social engineering side, because that's how hackers gain access.

In other words, security and privacy are not a set-it-and-forget-it process. Above all, it's important to learn not only from security experts, who know the tools, but also from hackers, who know how to socially engineer their way into your phone or laptop.

Be smart. Be paranoid. And good luck.
