
Kevin Mitnick: The Art of the Phone Call

Summary

Kevin Mitnick — the most-wanted computer criminal in the United States in the 1990s, pursued by the FBI for years and featured on the front page of The New York Times — used almost no technical exploits for most of his intrusions. His primary tool was social engineering: calling employees, impersonating technicians or colleagues, and persuading them to provide passwords, system information, or direct access. He gained entry to some of the most secure computer systems in the world by asking nicely. His post-prison career as a security consultant made him the world’s most prominent authority on the human element in computer security.

The Technique

Kevin Mitnick’s social engineering methodology, which he described in his books The Art of Intrusion and The Art of Deception, followed consistent principles:

Pretexting: Establishing a false identity that gave the target reason to help. Mitnick impersonated system administrators, technical support staff, vendors, and coworkers. Each persona was chosen to make the requested information seem routine rather than suspicious.

Authority and urgency: Invoking authority (posing as a senior employee or external auditor) and urgency (systems are down, I need this now) bypassed normal caution. People who would refuse a stranger’s request would help a “colleague” with a “critical system problem.”

Information chaining: Each successful social engineering call provided information used in the next call. A call to a help desk might yield an employee’s name and department; that information made the next call more convincing; the combined information made the third call effective.

The technical intrusions Mitnick did perform — session hijacking, TCP/IP sequence number prediction — were sophisticated, but they required prior access to network traffic that itself often came from socially engineered access to telephone company infrastructure.

The Arrest

Mitnick was arrested on February 15, 1995, after a months-long chase that involved computer security expert Tsutomu Shimomura. Shimomura had discovered that his own computers had been hacked — Mitnick had broken into his system on Christmas Day 1994, copying security tools and software. Shimomura’s public response and pursuit of Mitnick, working with the FBI and cellular phone companies to trace Mitnick’s location through cellular signals, became the subject of John Markoff’s book Takedown and later a film.

Mitnick spent four and a half years in federal prison, including eight months in solitary confinement because prosecutors convinced a judge that he could launch nuclear missiles by whistling into a telephone (this was not true).

The Post-Prison Career

After release in 2000, Mitnick founded Mitnick Security Consulting and became one of the most sought-after security speakers and consultants in the world. His penetration testing work confirmed what he had known from his criminal career: technical security controls regularly failed against competent social engineering. No firewall blocks a phone call to a help desk employee.

Kevin Mitnick’s full story — including the phone phreaking origins, the DEC intrusion, the cellular manhunt, and the legacy in security awareness training — is covered in the dedicated article.
