It is growing because security technologies are getting more resilient. There are better technologies to protect information assets and the attacker is going to go after the weaker link in the security chain. Social engineering is always going to be here. The more difficult it is to exploit the technology, the easier it becomes to go after people.
If you look at the folks who attack vulnerabilities in technology today and compare that to when you were first starting out, what trends do you see?
Mitnick: Back then, a lot of the holes in technology were not readily available and published like they are today on the Internet. Nowadays anybody with a browser could pretty much purchase commercial hacking tools like Canvas or go to a Web site where a lot of exploits are readily available. Ten years ago, if you were hacking you had to develop your own scripts. Today is like a point-and-click hacking world. You don't have to know how the engine is working, you just know to get in the car and drive. It is easier.
What would you say is the single biggest threat out there?
Mitnick: It is pretty much a blended threat. I think social engineering is really significant because there is no technology to prevent it. Companies normally don't raise awareness about this issue to each and every employee. It is at the end of the priority list in the security budget.
There will continue to be software vulnerabilities. In a lot of companies that I tested, if you are able to breach a perimeter machine, like an FTP server, mail server or DNS server, a lot of times you find those computers are not in the DMZ (De-Militarised Zone, a separate security area). Instead, they are on an internal network and the network is flat. So if you are able to compromise one, it is quite easy to spread access to other systems. Often times they even use the same passwords. Bottom line: More companies have to think of a defence-in-depth strategy, rather than just protecting the perimeter.
Over the past years we have seen a couple of arrests of virus writers, bot herders and others. Everybody knows you were arrested as well. Is law enforcement advancing? Are they doing the right thing and catching the right people, or are a lot still going free?
Mitnick: I am sure there are a lot of people doing this they don't catch. Wireless networks are ubiquitous. It is very difficult for law enforcement if somebody goes and takes a laptop and changes their media access control address so you can't identify the machine. If you're out in a car or van or sitting in a restaurant next to a wireless access point and don't use the same access point all the time, it could be extremely difficult to track you.
So there is a big challenge for law enforcement. Do you think they are doing a good job, or could they do better?
Mitnick: I don't know. We need stats for that. We need metrics on how many criminals they are apprehending. It is a guess that they are getting better, because they are getting help from the private sector. They are probably better than they were 10 years ago, but I don't know their capabilities. I know their strengths are in forensics. So if they seize a computer of somebody thought to possess child pornography, they use Encase and can recover that contraband. That's what they are good at. In doing hacker investigations -- I really don't know their capabilities.
So what about when it comes to virus writers, bot herders, phishers?
Mitnick: With virus writers, I don't believe the FBI is technically doing the analysis. They just farm it out to a Microsoft, Symantec or McAfee because it is easier. These companies are not going to turn down law enforcement because they are doing a public service.
Do you believe more of these criminals should be caught?
Mitnick: They should try. But the bottom line is that there is so much hacking going on that they have to set a dollar limit. Unless there is a fraud or a loss that equals $50,000 -- maybe $100,000 -- they are not going to investigate. Small criminals knowing this can always stay under this threshold. That's at the federal level. Then there are states, which might have a different monetary threshold, but their competency is probably less than the feds.
Do you think if you were doing today what you did 10 years ago, would you be caught sooner?
Mitnick: If I knew what I know now and I could use what I know now back then, no. But if they had the technology that exists today, and I was doing the exact thing I was doing, yes. Law enforcement's capabilities for tracking communications are much greater than years ago.
1%
8%
This guy was a crook and is nothing more than a con man spreading fear these days.