
One in a series of previews of the upcoming FMI MarkeTechnics Show…

So who is Kevin Mitnick and why does he know so much about computer security?

Well, Mitnick has the distinction of being the poster boy for the federal government's attitude about hackers. He spent five years in prison, charged by prosecutors with causing millions of dollars in damages by tampering with corporate and university computer systems. When he was released in January 2000, it was on the condition that he avoid computers, modems, cell phones and all Internet access for the next three years.

Mitnick steadfastly defended himself against the charges, conceding that he was a hacker but saying that he had committed what he called "simple crimes of trespass" and had not profited from his actions.

In a chapter that was not included in his book, "The Art of Deception," Mitnick wrote:

    "Despite the media-created myth of Kevin Mitnick, I'm not a malicious hacker. What I did wasn't even against the law when I began, but became a crime after new legislation was passed. I continued anyway, and was caught. My treatment by the federal government was based not on the crimes, but on making an example of me. I did not deserve to be treated like a terrorist or violent criminal: Having my residence searched with a blank search warrant; being thrown into solitary for months; denied the fundamental Constitutional rights guaranteed to anyone accused of a crime; being denied not only bail but a bail hearing; and being forced to spend years fighting to obtain the government's evidence so my court appointed attorney could prepare my defense."

Sounds like someone the government was afraid of.

Now, however, Mitnick is on the side of the angels, helping businesses deal with what he calls the threat of "social engineering," or the techniques that hackers use to deceive people into revealing sensitive information that can damage the companies where they work.

In a phone conversation with Mitnick yesterday, he said that when he speaks to the General Session at the Food Marketing Institute (FMI) MarkeTechnics Show in San Francisco later this month, his goal will be that when "people walk away, they will realize how vulnerable they are." That's an important epiphany, he said, because many executives see computer security as a liability from which "they don't see much return on investment. And on the human side, people think they are invulnerable. My goal is to dismiss the illusion of invulnerability."

There are, Mitnick said, examples of how retailers can be targeted. Lowe's, the home improvement retailer, recently experienced the shutdown of its computer network when someone tried to tap in and modify the flow of information so that customer credit card numbers could be acquired. The FBI set up a stakeout operation, and discovered the hackers sitting outside a Lowe's store in their car trying to hack in using a wireless Internet connection.

The recent virus that has wreaked havoc on so many computer systems is a perfect example, Mitnick said, of how human flaws create big security problems. The virus has only spread because people open attachments sent to them via email, attachments that spread through systems and cause enormous, fast-spreading problems.

Mitnick said that a lot of this "social engineering" is insidious and hard to detect. He said that during his session at MarkeTechnics, he'll demonstrate a program that can deceive a caller ID system into believing that a call originates from some other phone, even the White House. Bad guys can use this program to convince people that a call is coming from inside their companies, and that they should provide more information than they would to an outsider.

"The businesses that have the most sensitive information" are the ones that are most vulnerable - especially big retailers that maintain customer databases with credit card information. "That's the information the bad guys want," he said, and the information that retailers have to know how to protect.

Sometimes the bad guy will be interested in creating mischief, and other times he'll have a specific profit motive; sometimes attacks will be broad, and other times they will be focused. But according to Mitnick, "in both cases they are going to cause a loss," and businesses need to be vigilant and aggressive in preventing such problems. The interesting thing - and the piece of the puzzle that will surprise many people - is that defenses have to be both technological and human.

Mitnick is scheduled to speak at MarkeTechnics on Sunday, February 29 at 10:30 a.m.

To find out more about the show, go to: http://www.fmi.org

And to get a copy of Mitnick's book, go to: http://www.amazon.com/mitnick