A Golden Age for Hackers?
We're on the phone with the man who dubs himself the world's most famous hacker. We've reached him at his office in Las Vegas, where he's trying to answer a few questions. "Hello, Mr. Mitnick, can you hear me?" The connection breaks up.
Mitnick calls back. "Is this better?" he asks. "No, I can barely hear you. What's wrong?" He doesn't want to give away any details, but he's taken security precautions – after all, you never know who might be listening. "You have to assume that every telephone conversation is being monitored. We've learned that the NSA stops at nothing," says the hacker, who once specialized in telephone eavesdropping himself. He thinks it's foolish to make calls on a landline or mobile phone. "If you want to speak freely, the only way to do it is over an internet connection with end-to-end encryption."
No one can blame Kevin Mitnick for being paranoid about his communication security. The FBI hunted him across America for three years before finally apprehending him in 1995, and he was sentenced in 1999. Mitnick served five years in prison – four and a half years pre-trial and eight months in solitary confinement.
"The federal prosecutor was able to convince the judge that I could start a nuclear war from prison by whistling into a payphone," Mitnick says. "Of course it wasn't true. My draconian sentence was supposed to send a message."
Now, sixteen years after his release, Mitnick runs Mitnick Security – a company that is thriving, he reports, by consulting with large corporations and government authorities on security matters. Judging by his calendar, he travels almost nonstop, giving presentations and leading training sessions all over the world. His Facebook page reveals that he enjoys sampling exotic cocktails on his countless trips. His books are bestsellers, and his hacker career was the basis of a Hollywood film ("Takedown") as well as numerous documentaries.
Not Just Criminals Anymore
Just a few years ago, most security managers would never have considered inviting in a convicted hacker to secure their computer systems from attack. But hackers – or "security investigators," as they prefer to call themselves – are living in a golden age.
They are cashing in as software and hardware manufacturers search for ways to defend against ever bolder attacks. Merijn Terheggen, CEO of the agency HackerOne, which acts as an intermediary between hackers and companies seeking their services, says: "The performance of the chips in our devices doubles every two years. The complexity of the applications on those devices doubles every few months. Together, this means that the number of security vulnerabilities is growing exponentially. No one can contain them anymore."
His conclusion: "In 18 to 24 months, all of the world's large companies will have programs to harness the creativity of hackers for their own protection."
Kevin Mitnick is 52 years old – about 35 years older than the typical hacker sitting in front of a screen somewhere in Pakistan or Bolivia, browsing the internet for security vulnerabilities. Mitnick is enjoying the new era: "The greatest difference from when I was young is that hackers aren't inherently seen as criminals anymore. If these opportunities had existed back then, I would have had a legal outlet for my curiosity and desire to experiment."
His career began with harmless pranks when he was 13 or 14 years old. Later on he broke into the systems of all the large telecommunications companies in the US, eavesdropped on conversations, and stole source code – a company's digital DNA. He even outwitted the FBI.
Mitnick found the investigators' mobile phone numbers and developed a warning system that alerted him whenever an agent was coming close. Mitnick kept up this game of cat and mouse across North America for nearly three years. It helped that nature had provided him with a thoroughly average face. His glasses, hair, voice – two minutes after meeting him, you'd be hard-pressed to remember anything about how he looks.
He insists that the authorities mercilessly exaggerated his crimes. His favorite hack was breaking into the intercom system at a local McDonald's drive-thru. "A police car drove up, and the officers were about to order. I hacked into the speaker and yelled, 'Get rid of the cocaine! Get rid of the cocaine!' The employees panicked. The cops just looked confused." Mitnick still laughs today when he tells anecdotes from his youth.
Back then, no one could imagine a world where everything is digitally connected – banking, dating, buying and selling weapons. The film "Hackers" recently celebrated its 20th anniversary, but its romantic image of the hacker has little in common with hackers today. "What we're seeing more and more are small groups and individual criminals who are developing capabilities that were previously accessible only to government institutions," says Michael V. Hayden, former director of the National Security Agency. "It's obvious what kinds of problems arise from this."
The Internet as the Next Battleground
In October, the Washington Post reported that a group of Albanian hackers called Kosova Hackers Security (KHS) stole personal data from 100,000 customers, including 1,351 military and other government personnel, in a cyberattack on an American online retailer.
KHS then sold this data to the highest bidder – Islamic State (ISIL). Junaid Hussain, a British citizen of Pakistani descent who was a member of ISIL, shared the information, including addresses and telephone numbers, on Twitter, threatening that "our soldiers will strike at your necks in your own lands." The FBI arrested the KHS leader in Malaysia, and Hussain was killed by a drone strike in Syria.
A world war is raging online on invisible battlefields. All systems are under attack at all times. Every network is constantly being tested. But the victims usually notice the attacks only when it's too late. The retail giant Target discovered the security breach in its internet-connected heating, ventilation, and air conditioning (HVAC) systems only after hackers had stolen data from forty million customers.
Sony and the US Department of Defense, the American subsidiary of Deutsche Telekom and Fiat Chrysler – all have fallen victim to spectacular hacks. Companies find themselves in a constant state of siege, but they don't know where the attacks are coming from or how serious they might be.
The telecommunications group Verizon analyzed 2,122 hacks from the past year and determined that in almost two-thirds of these attacks, the damage occurred within just minutes. Are the attacks coming from North Korea or the NSA? From the competition or a co-worker? Or just from a teenager in South Africa? Technological progress appears to be giving hackers a huge step up. Have companies, unwilling to give up their internet connections, lost the innovation race from the start?
18 Million Active Hackers
Kevin Mitnick advises his clients to work together with hackers even during software development, allowing them to look for vulnerabilities throughout the process. "Many companies, especially in the tech sector, are already doing this," he says. He also calls for more digital security training for employees.
Mitnick doesn't think much of the "bug bounty" programs, popular right now, which reward hackers for each bug they find. "It might work in the majority of cases. But there's a risk that a criminal can blend in with well-intentioned hackers and then sell what he discovers on the black market." Eighteen million hackers are active worldwide, according to HackerOne, which links companies with hackers' services. How can we monitor them?
Even Mitnick operates an exchange on his website for potential "zero-day exploits," i.e. vulnerabilities that haven't yet been fixed. But participation in his exchange is by invitation only.
Discovering and selling a security vulnerability isn't illegal in itself. Only the people who use the information maliciously can be prosecuted. The global trade in security vulnerabilities, the so-called "vulnerability economy," is booming. On the defensive side of the market, there are agents who purchase system errors in order to offer them to affected companies. These can be brokers who acquire certain market information and work on the companies' behalf. Bug bounty programs also fall into this category. Payment is usually between 500 and 20,000 dollars per hack. In exceptional cases, Microsoft and Facebook have paid more than 100,000 dollars.
The offensive market primarily involves states and organized crime. Mitnick says that here the prices for a bug can reach seven figures. Participants are interested in keeping system errors away from the defensive market as long as possible, so that they can profit from these errors for longer. Spectacular hacks – involving government authorities, corporations, and schools – are constantly being exposed.
Can Mitnick imagine a system that guarantees total security? "Of course," he says. "You have to hide the really important data behind a so-called air gap." In other words, the only way to be 100% secure is to unplug from the internet.