An autobiography of sorts, this story is about the life of infamous hacker Kevin Mitnick. I was drawn to the book as soon as I heard about it because I had heard of his story growing up. I was one of those kids with a "Free Kevin" link on my websites. However, I'd lost track of the story over the years. Then I heard this was released and immediately picked it up.
I thought I knew the whole story, but was interested in reading about it directly from the source. This book went fast. In part it went fast because I grew up in the world Kevin described. While I was really young at the time that Mitnick was pursuing his exploits and on the run, I was learning as much as was possible about that world. It fascinated me then, and although I've since shifted my attention it still fascinates me. So, let's dive in.
Some of the Details
Kevins life has been fairly interesting to say the least- starting out "hacking" the LA bus system through to hacking the largest companies of the time. As hackers do, he was always on the lookout for weaknesses in "systems". This wasn't always just a computer or a network. Systems are anything, how a person operates, how a computer network tries to block people out, or how a company runs its daily operations. Kevin was great at this.
Kevin spent years honing his craft as a juvenile, learning how city and state agencies operated. Early in his youth he learned how to exploit the phone system to make free long distance phone calls. Someone who exploits the phone systems is called a Phreak or phone hacker. He was hooked.
Mitnick enjoyed the challenge that this kind of behavior provided and it would be the driving force behind both the best and worst times of his life. The challenges weren't in just getting into the systems, they were in not getting caught. Hackers often cover their tracks by deleting log files, installing modified versions of the tracking software that doesn't track their behavior, or using commands in a way that aren't tracked. Kevin was usually very careful to cover his tracks.
However, one approach that Mitnick used to get into places that he wasn't authorized to be was to "social engineer" his was in. This usually means contacting a person through email or the phone and manipulating them into doing what you need. Sometimes that means getting them to give you their password and other times it means giving you permissions to access a server while at other times it means giving you access to a part of a building that only certain people should have access to. Ultimately, the goal is to exploit the trusting part of people to mean some end result, and Kevin did a lot of that. He was so successful at this that he was able to obtain DMV records for FBI informants, source code for operating systems, chips for cell phones, and was able to steal identities of individuals without ever stealing from those people directly.
The book is fairly comprehensive detailing not just what he did but also how. My curious nature found this exhilarating because there is so much that I don't know. But, it also helped to satisfy the "ok, he's for real" factor because of the parts that I do.
Ultimately, in the end, Kevin Mitnick was captured by a team of agents and one pissed of security researcher. Mitnick again details how he was tracked down to that apartment in North Carolina. And yet, the only real reason he wasn't able to bail again was because he forgot to clean out an old ski jacket. Oops. 😄
Take Away
Honestly, I've never been one to place a ton of weight in social engineering. While I think it's interesting, I never gave enough credence to the amount of access you can get just by placing a phone call and knowing some of the terminology. I often try to remind others that you shouldn't trust people, but that's mostly a habit rather than my fear of social engineering. Clearly people social engineer their way to information, but that's "usually for suckers", right? The sheer amount of exploitation that occurred purely because of his talent at social engineering people was wildly alarming. This wasn't just about your non-security minded individuals, it was everyone from the untrained to people specifically trained in this kind of thing. So, my biggest take away is to be ever more vigilant in not implicitly trusting and requiring proper verification.
I thought the book was a good read. Kevin's ability to be likable oozes through the pages even with some of the arrogance that comes with the position he found himself in. I was impressed with his abilities and the story telling. It's easy for this kind of story to get dry, and it wasn't.