Software Integrity

 

Fault Injection Podcast: Kevin Mitnick discusses how to stay secure at security conferences

Fault Injection: Kevin Mitnick discusses how to stay secure at security conferences

Fault Injection is a podcast from Synopsys that digs into software quality and security issues. In this episode, host Robert Vamosi, CISSP and Security Strategist at Synopsys, interviews Kevin Mitnick about how to stay secure at security conferences. Kevin draws on tips from his latest book, The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data.

You can always join the discussion by sending us an email at faultinjection@synopsys.com.

Robert: Welcome to Fault Injection. I’m Robert Vamosi, CISSP and Security Strategist at Synopsys and I am here at Black Hat USA 2017. My co-host, Chris Clark, is still en route to Black Hat and so today I’m going to be doing it solo. My guest today is Kevin Mitnick, the world’s greatest hacker.

Kevin: Hello everybody.

Robert: And I just so happen to have written a book last year with him called The Art of Invisibility. It’s doing very well. Thank you.

Kevin: It actually is.

Robert: Good. Good. Before that, you wrote your life story. You wrote Ghost in the Wires.

Kevin: Correct. Bill Simon and I. Bill Simon worked on the project and did a lot of the heavy lifting on the writing, but there were so many versions of my story out there that it was really important for me to get the more accurate and completely accurate story. It’s like a Catch Me If You Can, but of the computer age rather than writing bad checks.

Robert: In that you talked about going undercover.

Kevin: Well, I went undercover because I was a fugitive.

Robert: Exactly.

Kevin: I had to get off the grid. I had to go underground and…

Robert: Set the time.

Kevin: Mid-1990s. And there was an informant that was working with the federal government to essentially put me back into jail. At one point in time in the story I learned that there was a warrant for my arrest for violating my probation so I decided hey I’m just going to get off the grid and worry about it later. So I had to create a new identities, cover stories, I had to develop comms with my family that would be very secure and some of my friends that I’d associate with. I worked a legitimate job, so I had to obviously set up the background in such a way that they were verifiable, verifiable degrees, and this sort of thing. And I kind of like lived undercover. So I worked legitimate jobs during the day and I was a hacker by night, hacker for the hobby. In other words breaking into systems really for the challenge, not to earn a profit.

Robert: So that was back in the 1980s.

Kevin: No, that was the 1990s.

Robert: 1990s, pre-internet to some degree.

Kevin: Correct. We didn’t… you’re right. The only fully internet site that I remember at that time was JPL. You could go look at Mars, that was pretty much it.

Robert: So, flash forward to near term, recent memory, you have Ross Ulbricht, you have people creating Silk Road and whatnot but in the internet age. How hard is it then to create a dual persona. He tried to create Dread Pirate Roberts but at some point put his legitimate gmail address in there.

Kevin: Correct. He was sloppy with his operations. And people usually do this in the beginning. Not only did he use his own email address kind of to advertise Silk Road in the beginning but also he obtained false identities and he was living under an alias name in San Francisco but the fake IDs were actually going to the home he was living in. Which his crazy because you want to separate yourself completely so I’m wondering why he didn’t use a mail drop. You can get a mail drop without using identification. They do require it but there’s always a pre-text, say you lost your wallet and you are waiting for your birth certificate to come and there’s always exceptions that allow you to use these mail services, especially ones that are not corporate like UPS and Mailboxes Etc.

Robert: We talk about that in Art of Invisibility, part of the idea how do you get off line in an internet age.

Kevin: And it is really tough. If you really want to be invisible from law enforcement or an intelligence agency you have to go the Nth degree and be very meticulous about your communication security. And it’s almost like being here at the DEF CON/Black Hat conference, you kind of have to do the same because recently there is a bug in the Broadcom chipset that was discovered by a security researcher that is actually going to be presenting a talk on it here at Black Hat. So you have to wonder who else has figured out this exploit and it doesn’t require that you do anything it is just simply if your WiFi is turned on your Android or iOS device you are exploitable. So, in this type of environment you have to be really careful about what you decide to bring into the conference and what technologies you use. Maybe I’ll bring my iPhone, but I won’t use WiFi or Bluetooth. I’ll just make calls. Of course, there are other types of exploits where people can intercept your communication kind of like what law enforcement uses, a StingRay, kind of what we call an IMSI catcher type of device. So there’s always that type of threat so the real question is are you trying to protect your security or your anonymity? If its really your security, rather than being anonymous, then on your device you can use a voice over IP app like Signal for example to protect the secrecy of your communication.

Robert: And it does so by …

Kevin: By using end-to-end encryption.

Robert: End-to-end encryption being the important part.

Kevin: At each endpoint. So if we’re using Signal, you have your key and I have my key.

Robert: And no one in the middle.

Kevin: And nobody in the middle. But, if you have sophisticated researchers like we have here at Black Hat, the best in the world, what if theirs is an iOS exploit where they can gain access to the endpoint, compromise the endpoint and extract the key. That’s what we have to be worried about. That’s kind of how law enforcement and intel agencies work. They don’t try to compromise the communications on the network side, they go after the endpoint.

Robert: Like EternalBlue.

Kevin: Well, EternalBlue is an exploit that was used on the Windows operating system.

Robert: Correct.

Kevin: That exploited a vulnerability in SMB.

Robert: But it allowed remote access to that Windows environment.

Kevin: So if you had a key on that Windows device, a key that was used in end-to-end encryption then that could be actually pilfered.

Robert: Right.

Kevin: By the attacker.

Robert: Right.

Kevin: So, you have to think about when you are using end-to-end encryption, it’s not the end all and be all unless you can really protect the endpoints and we’re dealing with law enforcement, nation states, Black Hat researchers. You have to think about can you really protect that endpoint.

Robert: Right.

Kevin: so I prefer when I’m in the hotels here, I actually bring my own hotspot. I kind of use it away from everybody else, where I am out of range, and I try not to use my computer in front of people when using my hotspot. Like I’m taking a class, my friend is teaching a class here at Black Hat, I’m using their network but I’m not connecting using a local VM and their network to connect to their infrastructure.

Robert: Right.

Kevin: I’m not logging into my email. I’m not logging onto to conduct business because here we are dealing with such a substantial threat.

Robert: Any other tips that you would offer.

Kevin: Consider getting a burner device. Let’s say you go get a burner device. So nobody know that this device belongs to Rob Vamosi or Kevin Mitnick but then somebody is able to compromise that device by using some unknown exploit so no when you log onto your email or do whatever you do on that device that can be intercepted then the anonymity is breached.

Robert: Right.

Kevin: What we talk about in Art of Invisibility to have really the level of privacy that privacy activists would want we talk about using burner-type of devices but a way from acquiring that device. Doing it in a secure way where I’m not going to be one camera buying a phone or buying an internet hotspot, buying a SIM card or buying data. We talk about essentially trying to put cutouts in front of that.

Robert: Right.

Kevin: But more importantly, when we’re suing the device, we are away from work, friends, school, we don’t have our other devices with us that are using cellular, those devices are somewhere else so the anonymity of obtaining the device and when you’re using the device makes it harder for an attacker to compromise you.

Robert: Right.

Kevin: But not impossible.

Robert: And one of the things that resonated with me when you brought it up in the book was when you buy a burner laptop, don’t power it on in your home network. Or your work network. Because as soon as you do …

Kevin: What I’m concerned about is, let’s say you are being monitored by whatever threat actor and you power up a device and it has a WiFi NIC card, well the local network gets the MAC address and maybe the internet service provider like Time Warner, Cox, maybe somehow that’s logged because a lot of those providers have access to your internal infrastructure in a lot of cases. So I always wonder, because this would be a great thing for law enforcement and intel agencies, if they have a target’s MAC address, that’s the real MAC address that was used in that hardware and they somehow trace that MAC address to a particular computer and then trace that purchase to an individual. Because if I was the NSA, I would do that. I would somehow set it up because they are not, maybe they are random at the manufacturer but maybe the manufacturer kept track, if you buy these cards from China and Apple puts them into their MAC books, or they say this NIC card with this MAC address went into this MAC Book with this serial number. Now if someone goes to the store, orders a MAC Book, now you have serial number tracked to buyer. So you have to always think about how you can potentially be tracked. It’s really, again, a complex and meticulous operation to maintain privacy today because it is so easy for a threat actor to breach your anonymity and breach your communications.

Robert: And that’s one thing we do talk about in the book is changing your mindset. Just thinking of all the different ways that you are leaving evidence, leaving fingerprints, anything that could trace back to you, if that is something of a concern to you because it’s not just terrorists, as you said there are also rights activists, there are legitimate reasons why, as you bring up divorce lawyers in the book.

Kevin: What I’m thinking about when I’m thinking about evading intelligence agencies, I’m thinking more about a Julian Assange type of character.

Robert: But not all of us are in that position.

Kevin: Right. So not everyone’s going to Black Hat/DEF CON. Not everybody is concerned about law enforcement or an intelligence agency, so then your level of security requirement are much lower and that’s where you have different sets of privacy protections that are good enough for your purposes.

Robert: Right.

Kevin: And you should be using Signal, maybe not even having to get a burner phone, maybe when you need to have a confidential conversation with a business partner you’re using Signal. Your discussing something that is critically important to the business then you are not worried about anonymity. But, you are more concerned about protecting the proprietary information of the business.

Robert: Well, on that note, I thank you, Kevin, for joining us today.

Kevin: Thank you. And by the way, Rob did a lot, and I mean a lot of awesome work on that book.

Robert: Thank you Kevin. I appreciate it. Take care.

Kevin: All right.

Robert: Okay. We’re out.