Cyber Attack: Is the Government Safe?
Senate Committee on Governmental Affairs
Thursday, March 2, 2000
SD-342 Dirksen Senate Office Building
Mr. Kevin Mitnick
Honorable Chairperson Thompson, Distinguished Senators,
and Members of the Committee:
My name is Kevin Mitnick. I appear before you today
to discuss your efforts to create legislation that will ensure
the future security and reliability of information systems owned
and operated by, or on behalf of, the federal government.
I am primarily self-taught. My hobby as an adolescent
consisted of studying methods, tactics, and strategies used to
circumvent computer security, and to learn more about how computer
systems and telecommunication systems work.
In 1985 I graduated cum laude in Computer Systems and Programming
from a technical college in Los Angeles, California,
and went on to successfully complete a post-graduate project
in designing enhanced security applications that ran on top of
the operating system. That post-graduate project may have been one
of the earliest examples of "hire the hacker": the school's
administrators realized I was hacking into their computers in
ways that they couldn't prevent, and so they asked me to design
enhancements that would stop others' unauthorized access.
I have 20 years' experience circumventing information
security measures, and can report that I have successfully compromised
all systems that I targeted for unauthorized access save one. I
have two years' experience as a private investigator, and my responsibilities
included locating people and their assets using social engineering
My experience and success at accessing, and obtaining
information from computer systems first drew national attention
when I obtained user manuals for the COSMOS computer systems (Computer
Systems for Mainframe Operations) used by Pacific Bell.
years later the novel "Cyberpunk" was
published in 1991, which purported to be a "true" accounting
of my actions that resulted in my arrest on federal charges in
1988. One of the authors of that novel went on to write similarly
fictionalized "reports" about me for the New York Times,
including a cover story that appeared July 4, 1994. That largely
fictitious story labeled me, without reason, justification, or
proof, as the "world's most wanted cybercriminal." Subsequent
media reports distorted that claim into the false claim that I
was the first hacker on the FBI's "Ten Most Wanted" list.
That false exaggeration was most recently repeated during my appearance
on CNN's Burden of Proof program on February 10, 2000. Michael
White of the Associated Press researched this issue with the FBI,
and FBI representatives denied ever including me on their "Ten
Most Wanted" list.
I have gained unauthorized access to computer systems
at some of the largest corporations on the planet, and have successfully
penetrated some of the most resilient computer systems ever developed.
I have used both technical and non-technical means to obtain the
source code to various operating systems and telecommunications
devices to study their vulnerabilities and their inner workings.
After my arrest in 1995, I spent years as a pretrial
detainee without benefit of bail, a bail hearing, and without the
ability to see the evidence against me, combined circumstances
which are unprecedented in U.S. history according to the research
of my defense team. In March of 1999 I pled guilty to wire fraud
and computer fraud. I was sentenced to 68 months in federal prison
with 3 years supervised release.
The supervised release restrictions imposed on me
are the most restrictive conditions ever imposed on an individual
in U.S. federal court, again according to the research of my defense
team. The conditions of supervised release include, but are not
limited to, a complete prohibition on the possession or use, for
any purpose, of the following: cell phones, computers, any computer
software programs, computer peripherals or support equipment, personal
information assistants, modems, anything capable of accessing computer
networks, and any other electronic equipment presently available
or new technology that becomes available that can be converted
to, or has as its function, the ability to act as a computer system
or to access a computer system, computer network, or telecommunications
In addition to these extraordinary conditions, I
am prohibited from acting as a consultant or advisor to individuals
or groups engaged in any computer-related activity. I am also prohibited
from accessing computers, computer networks, or other forms of
wireless communications myself or through third parties.
I was released from federal prison on January 21,
2000, just 6 weeks ago. I served 59 months and 7 days, after earning
180 days of time off for good behavior. I am permitted to own a
land line telephone.
Computer Systems and Their Vulnerabilities
The goal of information security is to protect the
integrity, confidentiality, availability and access control to
the information. Secure information is protected against tampering,
disclosure, and sabotage. The practice of information security
reduces the risk associated with loss of trust in the integrity
of the information.
Information security is comprised of four primary
topics: physical security, network security, computer systems security,
and personnel security. Each of these four topics deserves a complete
book, if not several books, to fully document them. My presentation
today is intended to provide a brief overview of these topics,
and to present my recommendations for the manner in which the Committee
may create effective legislation.
1. Physical Security
1.1 Uncontrolled physical access to computer systems
and computer networks dramatically increases the likelihood that
the system can and will suffer unauthorized access.
May be locked in rooms or buildings, with guards,
security cameras, and cypher-controlled doors. The greatest risk
to information security in apparently secure hardware environments
is represented by employees, or impostors, who appear to possess
authorization to the secured space.
Government agencies require formal backup procedures
to ensure against data loss. Equally stringent requirements must
be in place to ensure the integrity and security of those backup
files. Intruders who cannot gain access to secure data but who
obtain unauthorized access to data backups successfully compromise
any security measures that may be in place, and with much less
risk of detection.
2. Network Security
Stand-alone computers are less vulnerable than computers that
to any network of any kind. Computers
connected to networks typically offer a higher incidence of misconfiguration,
or inappropriately enabled services, than computers that are
not connected to any network. The hierarchy of network "insecurity" is
as follows:
-- Stand-alone computer - least vulnerable
-- Computer connected to a LAN, or local area network - more vulnerable
-- Computer and a LAN accessible via dial-up - even
-- Computer and LAN connected to internet - most vulnerable of all
2.1.1 Unencrypted Network Communications
Unencrypted network communications permit anyone with physical access to
the network to use software to monitor
all information traveling over the network, even though it's
intended for someone else. Once a network tap is installed, intruders
monitor all network traffic, and install software that enables
them to capture, or "sniff," passwords from network
2.1.2 Dial-in Access
Dial-in access increases vulnerabilities by opening
up an access point to anyone who can access ordinary telephone
lines. Off-site access increases the risk of intruders gaining
access to the network by increasing the accessibility of the network
and the remote computer.
3. Computer Systems Security
3.1 Computer systems that are not connected to any
network present the most secure computing environment possible.
However, even a brief review of standalone computer systems reveals
many ways they may be compromised.
3.1.1 Operating Systems
operating systems control the functions of the computer: how
is stored, how memory is managed, and
how information is displayed -- it's the master program of
the machine. At its core, the operating system is a group of discrete
software programs that have been assembled into a larger program
containing millions of lines of code. Large modern day operating
systems cannot be thoroughly tested for security anomalies, or "holes," which
represent opportunities for unauthorized access.
3.1.2 Rogue Software Programs
"Rogue" software applications can be installed
surreptitiously, or with the unwitting help of another. These programs
can install a "back door", which usually consists of
programming instructions that disable obscure security settings
in an operating system and that enable future access without
detection; some back door programs even log the passwords used
to gain access
to the compromised system or systems for future use by the intruder.
3.1.3 Ineffective Passwords
Computer users often choose passwords that are in
the dictionary, or that have personal relevance, and are quite
predictable. Static, or unchanging, passwords represent another
easy method for breaching a computer system -- once a password
is compromised, the user and the system administrators have no
way of knowing the password is known to an intruder. Dynamic passwords,
or non-dictionary passwords are problematic for many users, who
write them down and keep them near their computers for easy access
-- their own, or anyone who breaches physical security of the computer
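The weaknesses listed in 3.1.3 (dictionary words, personal relevance, predictable patterns) are exactly the checks a password policy should enforce before a password is accepted. The following Python is an added example written for this page, not code from the testimony or from any organization named in it; the word list and the personal terms (a pet name and an employer) are constructed stand-ins for a real cracking dictionary and a user's profile data, and the 12-character minimum is an assumed policy value.

```python
"""Checks for the password weaknesses named in 3.1.3: dictionary words,
personal relevance, and predictable patterns.

Added example, not part of the testimony. The word list and the personal
terms are tiny constructed stand-ins for a real cracking dictionary and a
user's profile data.
"""
import re

# Constructed stand-in for a cracking dictionary; real lists hold millions of entries.
DICTIONARY = frozenset({"password", "welcome", "letmein", "secret", "dragon",
                        "monkey", "qwerty", "admin", "football"})

# Common substitutions that cracking tools try automatically, so they add no strength.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(text: str) -> str:
    """Undo leet substitutions so 'p@ssw0rd' is looked up as 'password'."""
    return text.translate(LEET_MAP)


def strip_affixes(text: str) -> str:
    """Drop leading/trailing digits and symbols: 'welcome123!' -> 'welcome'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def is_sequence(text: str) -> bool:
    """True for runs of consecutive characters such as '1234' or 'abcd'."""
    if len(text) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(text, text[1:])}
    return steps == {1} or steps == {-1}


def assess_password(password: str, personal_terms=(), dictionary=DICTIONARY) -> list:
    """Return a list of human-readable weaknesses; an empty list means none found."""
    findings = []
    raw = password.lower()
    core = strip_affixes(raw)          # the word with its decorations removed
    if len(password) < 12:             # assumed policy minimum
        findings.append("shorter than 12 characters")
    if normalize(core) in dictionary or normalize(raw) in dictionary:
        findings.append("dictionary word (possibly with digits/symbols bolted on)")
    for term in personal_terms:
        t = term.lower()
        # Ignore very short terms, which would match almost anything.
        if len(t) >= 3 and (t in raw or t in normalize(raw)):
            findings.append(f"contains personal term '{term}'")
    if password.isdigit():
        findings.append("digits only")
    if is_sequence(raw) or is_sequence(core):
        findings.append("keyboard/numeric sequence")
    if len(set(password)) <= 2:
        findings.append("repeated characters")
    return findings


if __name__ == "__main__":
    # Constructed profile: a pet name and an employer are the kind of
    # "personal relevance" the testimony warns about.
    profile = ("Rover", "Acme")
    for candidate in ("P@ssw0rd123!", "Rover2019!", "12345678",
                      "correct-horse-battery-staple-7"):
        print(candidate, "->", assess_password(candidate, profile) or "no findings")
```

Running the file prints the findings for four constructed candidates: a leet-spelled dictionary word, a pet name with a year, a numeric sequence, and a passphrase that passes. The normalization step matters because it undoes the substitutions cracking tools try automatically, so "P@ssw0rd123!" is still reported as the dictionary word "password". Rotation of static passwords, the other concern in 3.1.3, is a host policy setting and is not modelled here.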
3.1.4 Uninstalled Software Updates
Out-of-date system software containing known security
problems presents an easy target to an intruder. Systems administrators
cannot keep systems updated as a result of work overload, competing
priorities, or ignorance. The weaknesses of systems are publicized,
and out-of-date systems typically offer well-known vulnerabilities
for easy access.
3.1.5 Default Installations
Default installations of some operating systems disable
many of the built-in security features in a given operating system.
In addition, system administrators unintentionally misconfigure
systems, or include unnecessary services that may lead to unauthorized
access. Again, these weaknesses are widely publicized within the
computing community, and default or misconfigured installations
present an easy target.
4. Personnel Security
4.1 The most complex element in information security
is the people who use the systems in which the information resides.
Weaknesses in personnel security negate the effort and cost of
the other three types of security: physical, network, and computer
4.1.1 Social Engineering
Social engineering, or "gagging," is defined
as gaining intelligence through deception. Employees are trained
to be helpful, and to do what they are told in the workplace.
The skilled social engineer will use these traits to his or
as they seek to gain information that will enable them to achieve
4.1.2 Email Attachments
Email attachments may be sent with covert code embedded
within. Upon receiving the email, most people will launch the attachment,
which can lower the security settings on the target machine without
the user's knowledge. The likelihood of a successful installation
using this method can be increased by following up the email submittal
with a telephone call to prompt the person to open the attachment.
Information Security Exploits
Information security exploits are the methods, tactics,
and strategies used to breach the integrity, confidentiality, availability
or access control of information. Discovery of compromised information
security has several consequences, the most important of which
is the decline in the level of trust associated with the compromised
information and systems that contain that information. Examples
of typical security exploits follow.
5. Physical Security Exploits
5.1 Data Backup Exploit
Using deception or sheer
bravado, the intruder can walk into the off site backup storage
facility, and ask for the physical data backup by pretending to
be from a certain agency. The intruder can claim that particular
backup is necessary to perform a data restoration. Once an intruder
has physical possession of the data, the intruder can work with
the data as though he possessed superuser, or system administrator,
5.2 Physical Access Exploit
If an intruder gains physical access to a computer
and is able to reboot it, the intruder can gain complete control
of the system and bypass all security measures. An extremely powerful
exploit, but one that exposes the intruder to great personal risk
because they're physically present on the premises.
5.3 Network Physical Access Exploit
Physical access to a network enables an intruder
to install a tap on the network cable, which can be used to eavesdrop
on all network traffic. Eavesdropping enables the intruder to capture
passwords as they travel over the network, which will enable full
access to the machines whose passwords are compromised.
6. Network Security Exploits
Network software exists that probes computers for weaknesses.
system weaknesses are revealed and the
system is compromised, the intruder can install software (called "sniffer" software)
that compromises all systems on the network. Following that, an
intruder can install software that logs the passwords used to access
that compromised machine. Users routinely use the same or similar
passwords across multiple machines; thus, once one password for
one machine is obtained, then multiple machines can be compromised
(see "Personnel Security Exploits").
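Sections 2.1.1 and 6 both turn on the same exposure: once a tap or a sniffer is in place, any login that travels unencrypted is harvested. The check below is an added example, not code from the testimony; it is the kind of passive audit a defender runs over their own capture data to find where cleartext protocols are still in use. The Segment records are constructed client-to-server payloads (addresses, user name and password are invented), the port-to-protocol mapping is the conventional one, and a finding deliberately records the user name, so the account can be re-credentialed, but never the password.

```python
"""Passive check for logins that cross the network in cleartext, the
exposure described in 2.1.1 (unencrypted communications) and 6 (sniffers
harvesting passwords once one host is compromised).

Added example, not from the testimony. The segments below are constructed
client-to-server payloads standing in for what a capture tool would hand
you; passwords seen on the wire are never copied into the findings.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    """One reassembled client->server payload (constructed, not a real capture)."""
    src: str
    dst: str
    dst_port: int
    payload: str


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    protocol: str
    username: Optional[str]      # recorded so the account can be re-credentialed
    password_seen: bool          # the secret itself is deliberately not stored
    replacement: str             # encrypted protocol that removes the exposure


def _basic_auth_user(token: str) -> Optional[str]:
    """HTTP Basic is base64, not encryption: recover the user name only."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    return decoded.split(":", 1)[0]


def find_cleartext_credentials(segments) -> list:
    """Return one Finding per segment that carries a cleartext login."""
    findings = []
    for seg in segments:
        if seg.dst_port in (21, 110):               # FTP and POP3 share USER/PASS
            user = re.search(r"^USER (\S+)", seg.payload, re.M)
            has_pass = re.search(r"^PASS \S+", seg.payload, re.M) is not None
            if user or has_pass:
                proto = "FTP" if seg.dst_port == 21 else "POP3"
                fix = "SFTP or FTPS" if proto == "FTP" else "POP3 over TLS"
                findings.append(Finding(seg.src, seg.dst, proto,
                                        user.group(1) if user else None, has_pass, fix))
        elif seg.dst_port == 23 and seg.payload:    # telnet: every keystroke is cleartext
            findings.append(Finding(seg.src, seg.dst, "telnet", None, True, "SSH"))
        elif seg.dst_port == 80:
            m = re.search(r"^Authorization: Basic (\S+)", seg.payload, re.M | re.I)
            if m:
                findings.append(Finding(seg.src, seg.dst, "HTTP Basic",
                                        _basic_auth_user(m.group(1)), True, "HTTPS"))
    return findings


# Constructed sample traffic; addresses, names and the password are invented.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "10.0.0.9", 21, "USER alice\r\nPASS s3cret\r\n"),
    Segment("10.0.0.5", "10.0.0.9", 22, "SSH-2.0-OpenSSH\r\n"),        # encrypted: no finding
    Segment("10.0.0.5", "10.0.0.9", 23, "alice\r\n"),
    Segment("10.0.0.7", "10.0.0.20", 80,
            "GET /admin HTTP/1.1\r\nAuthorization: Basic YWxpY2U6czNjcmV0\r\n\r\n"),
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_SEGMENTS):
        print(f"{f.src} -> {f.dst}: {f.protocol} login for user {f.username!r}; "
              f"replace with {f.replacement}")
```

HTTP Basic is handled separately because it looks encoded but is only base64: anyone on the path recovers the user name, which is why the finding points at HTTPS rather than at a different header. Each finding names the encrypted replacement (SSH, SFTP/FTPS, TLS) because retiring the cleartext protocol, not hunting for the tap, is what closes the exposure the testimony describes.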
7. Computer System Exploits
7.1 Vulnerabilities in programs (e.g., the UNIX program
sendmail) can be exploited to gain remote access to the target
computer. Many system programs contain bugs that enable the intruder
to trick the software into behaving in a way other than that which
is intended in order to gain unauthorized access rights, even though
the application is a part of the operating system of the computer.
A misconfigured installation on a computer in operation at
the Raleigh News and
Observer, a paper in Raleigh,
North Carolina, demonstrates the problematic aspect of system
misconfiguration. Using the UNIX program "Finger," which enables one to
identify the users that are currently logged into a computer system,
I created a user name on the computer system I controlled. The
user name I assigned myself matched exactly the user name that
existed on the target host. The misconfigured system was set to "trust"
any computer on the network, which left the entire network open
for unauthorized access.
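The trust setting described in 7.1 is characteristic of the rhosts mechanism: /etc/hosts.equiv or a user's ~/.rhosts lists hosts (and optionally users) allowed to log in without a password, and a "+" entry trusts every host, so a matching user name on any machine is enough. The Python below is an added example, not code from the testimony; it parses such a file and flags wildcard and unapproved entries so an administrator can find this misconfiguration before someone else does. The file content is constructed, and the approved-host list is an assumption about what the site intends to trust.

```python
"""Audit of rhosts-style trust files (/etc/hosts.equiv and ~/.rhosts) for the
misconfiguration in 7.1: a host that trusts any machine on the network lets
anyone who creates a matching user name on their own machine log in without
a password.

Added example, not from the testimony. The file content is constructed and
the approved-host list is an assumption about what the site intends.
"""


def parse_entry(line: str):
    """Return (host, user) for one trust line, or None for blanks and comments.

    Lines are 'host' (same user name required) or 'host user'; '+' is a
    wildcard, '+@name' a netgroup, and a leading '-' denies the entry.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    return fields[0], (fields[1] if len(fields) > 1 else None)


def audit_trust_file(text: str, trusted_hosts=frozenset()) -> list:
    """Return (severity, line_no, message) findings for a hosts.equiv/.rhosts text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        host, user = entry
        if host.startswith("-"):
            continue                        # explicit deny entries add no trust
        if host == "+":
            findings.append(("critical", n,
                             "any host is trusted: a matching user name on an "
                             "attacker-controlled machine is enough to log in"))
        elif host.startswith("+@"):
            findings.append(("high", n, f"whole netgroup '{host[2:]}' is trusted"))
        elif host not in trusted_hosts:
            findings.append(("medium", n, f"host '{host}' is not on the approved list"))
        if user == "+":
            findings.append(("critical", n,
                             f"any user on '{host}' is trusted (in hosts.equiv this "
                             "means login as any non-root local account)"))
    return findings


# Constructed sample of an /etc/hosts.equiv file.
SAMPLE_HOSTS_EQUIV = """\
# constructed sample; the first entry is the kind of 'trust everyone' setting
# described in section 7.1
+
build01.example.net
+@engineering
backup02.example.net +
unknown.example.net jsmith
-badhost.example.net
"""

# Assumption: the hosts this site actually intends to trust.
APPROVED_HOSTS = frozenset({"build01.example.net", "backup02.example.net"})

if __name__ == "__main__":
    for severity, line_no, message in audit_trust_file(SAMPLE_HOSTS_EQUIV, APPROVED_HOSTS):
        print(f"line {line_no} [{severity}]: {message}")
```

Even the entries that pass this audit authenticate on host name and user name alone, both of which are under the remote side's control, which is why the sound remediation is to remove rhosts trust and the r-services behind it rather than to curate the list; the audit is useful for finding where that has not yet happened.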
8. Personnel Security Exploits
8.1 Social Engineering -- involves tricking or persuading
people to reveal information or to take certain actions at the
behest of the intruder. My work as a private investigator relied
heavily on my skills in social engineering.
In my successful efforts to social engineer my way
into Motorola, I used a three-level social engineering attack to
bypass the information security measures then in use. First I was
able to convince Motorola Operations employees to provide me, on
repeated occasions, the pass code on their security access device,
as well as the static PIN. The reason this was so extraordinary
is that the pass code on their access device changed every 60 seconds:
every time I wanted to gain unauthorized access, I had to call
the Operations Center and ask for the password in effect for that
The second level involved convincing the employees
to enable an account for my use on one of their machines, and the
third level involved convincing one of the engineers who was already
entitled to access one of the computers to give me his password.
I overcame that engineer's vigorous reluctance to provide the password
by convincing him that I was a Motorola employee, and that I was
looking at a form that documented the password that he used to
access his personal workstation on Motorola's network -- despite
the fact that he never filled out any such form! Once I gained
access to that machine, I obtained Telnet access to the target
machine, access which I had sought all along.
8.2 Voice Mail and Fax Exploit
This exploit relies on convincing an employee at
a large company to enable a voice mailbox: the intruder would call
the people who administer the voice mailboxes for the target company
and request a mailbox. The pretext would be that the intruder works
for a different division, and would like to retrieve messages without
making a toll call.
Once the intruder has access to the voice mail system,
the intruder would call the receptionist, represent himself as
an employee of the company, and ask that they take messages for
him; last but not least, the intruder would request the fax number
and ask that incoming faxes be held for pickup. This sets the stage
for the call to the target division of the company.
At this point, the intruder would call the target
division to initiate the fax exploit with the goal of obtaining
the targeted confidential company information. During that call
the intruder would identify himself as an employee of the division
whose voice mail and fax systems have just been compromised, he
would cite the voice mail box in support of his identity, and would
social engineer the target employee into faxing the target information
to the compromised fax number located at one of their other offices.
the intruder would call the receptionist, tell the receptionist
he's in a business meeting, and ask that
the receptionist fax the confidential material "to the hotel." The
intruder picks up the fax containing confidential information
at the secondary fax, which cannot be traced back to either
or the targeted company.
used this exploit to successfully compromise ATT's protected
access points routinely. ATT had learned that
a system had been compromised by unauthorized entry at a central
network access point called "DataKit." They imposed
network access passwords on all DataKits to inhibit unauthorized
I contacted one of the manager's secretaries and used the Fax
Exploit to convince the secretary to fax me the password that
to a DataKit that controlled dial-up access to ATT's worldwide
The Voice Mail and Fax Exploit demonstrates the most
important element in my testimony today: that verification mechanisms
are the weak link in information security, and voice mail and fax
are the tools used to verify the authenticity of the credentials
presented by someone seeking physical, network, or computer systems
The methods that will most effectively minimize the
ability of intruders to compromise information security are comprehensive
user training and education. Enacting policies and procedures simply
won't suffice. Even with oversight the policies and procedures
may not be effective: my access to Motorola, Nokia, ATT, Sun depended
upon the willingness of people to bypass policies and procedures
that were in place for years before I compromised them successfully.
The corporate security measures that I breached were created by
some of the best and brightest in the business, some of whom may
even have been consulted by the committee as you drafted your legislation,
Senate Bill S1993.
S1993 represents a good first step toward the
goal of increasing information security on government computer
systems. I have several recommendations that I hope will increase
the effectiveness of your bill.
1. Each agency perform a thorough risk assessment
of the assets they want to protect.
2. Perform a cost-benefit analysis to determine whether
the price to protect those systems represents real value.
3. Implement policies, procedures, standards and
guidelines consistent with the risk assessment and cost benefit
analyses. Employee training to recognize sophisticated social engineering
attacks is of paramount importance.
4. After implementing the policies, procedures, standards
and guidelines, create an audit and oversight program that measures
compliance throughout the affected government agencies. The frequency
of those audits ought to be determined consistent with the mission
of a particular agency: the more valuable the data, the more frequent
the audit process.
5. Create a numeric "trust ranking" that
quantifies and summarizes the results of the audit and oversight
programs described above. The numeric "trust ranking" would
provide at-a-glance ranking -- a report card, if you will --
of the characteristics that comprise the four major categories
above: physical, network, computer systems, and personnel.
6. Effective audit procedures -- implemented from
the top down -- must be part of an appropriate system of rewards
and consequences in order to motivate system administrators, personnel
managers, and government employees to maintain effective information
security consistent with the goals of this committee.
Obviously a brief presentation such as the one I've
made today cannot convey adequately the measures needed to implement
effective information security measures. I'm happy to answer any
questions that may have been left unanswered for any members of
U.S. SENATOR FRED THOMPSON (R-TN): . . . It seems, in essence,
what you're telling us is that all our systems are vulnerable,
both government and private.
MITNICK: Absolutely. . . .
THOMPSON: And you also point out that the key to all of this--we
sit here and think of systems and programs and all, but you
point out the key is personnel--that that is the weakest link,
no matter what kind of system you have . . . . Can you explain
on the importance of the personnel aspect to this, and what
you think we might can do about it?
MITNICK: Well, in my experience when I would try to get into
these systems, the first line of attack would be what I call
a social engineering attack, which really means trying to manipulate
somebody over the phone through deception. And I was so successful
in that line of attack that I rarely had to go toward a technical
attack. . . .
The problem is people could do what they call information
mining. It's where you call several people within an organization
and you basically ask questions that appear to be innocuous
but it's really intended to gain intelligence.
For instance, a vendor might call a company and ask them what
software, what are you currently using, what computer systems
do you have to sell them a particular product because they
need to know that information. But the intent of the caller
might be to gain intelligence or try to target their computer
So I really have a firm belief that there has to be extensive
training and education to educate the users and the people
who administer and use these computer systems that they can
be victims of manipulation over the telephone. Because, like
I said in my prepared statement, companies could spend millions
of dollars towards technological protections and that's money
wasted if somebody could basically call somebody on the telephone
and either convince them to do something on the computer which
lowers the computers defenses or reveals the information that
THOMPSON: So you can compromise a target without even using
MITNICK: Yes. For example, personally, with Motorola, I was
working at a law firm in Denver. And I left work that day and
just on an impulse I used my cellular telephone and called
Motorola, their 800-number, and without getting in details
of how this because of the time constraints, by the time I
left work and by the time I walked home, which was about a
15-to-20-minute period, without any planning or anything,
by the time I walked to the front door, I had the source code
to the firmware which controlled the Motorola ultra-light telephone
sitting at a server in Colorado. Just by simply making pretext
telephone calls, within that 15-to-20-minute period, I had
the software. I convinced somebody at Motorola to send the
software to a particular server. . . .
JOSEPH LIEBERMAN (D-CT): Mr. Mitnick, thanks for your testimony.
My staff lifted up some clips in preparation,
and one of them described you as, and I quote, "arguably
the most notorious computer hacker in the world." And
I thought I would ask you if you would be comfortable, as we
confront this problem, helping us to answer the question of
why? ... If a foreign government as the Serbs did during the
Kosovo conflict or some sub-national group of terrorists tries
to break into our computer system, that's pretty clear why.
But this is not like most crime waves. To a certain extent,
as I've read about your story and hear about others, and the
kind of daily breaking of government computer systems, it seems
to me that there's a different sort of motivation here. And
in some sense, it almost seems to be the challenge of it. If
you would, just talk about why you, or if you want to third-personize
it, why people generally become hackers.
MITNICK: Well the definition of the word hacker, it's been
widely distorted by the media. But . . . my motivation was
the quest for knowledge, the intellectual challenge, the thrill
and also the escape from reality--kind of like somebody who
chooses to gamble to block out things that they would rather
not think about. My hacking involved pretty much exploring
computer systems and obtaining access to the source code of
telecommunication systems and computer operating systems, because
my goal was to learn all I can about security vulnerabilities
within these systems.
My goal wasn't to cause any harm, it wasn't to profit in any
way. I never made a red cent from doing this activity. And
I acknowledge that breaking the computers is wrong, and we
all know that. I considered myself a trespasser, and my motivation
was more of--I felt kind of like as an explorer on these computer
It really wasn't towards any end. What I would do is, I would
try to obtain information on security vulnerability which would
give me greater ability at accessing computers and accessing
telecommunications systems. Because ever since I was a young
boy, I was fascinated with communications. I started with CB
radio, ham radio, and eventually went into computers. And I
was just fascinated with it. And back then, when I was in school,
computer hacking was encouraged. It was an encouraged activity.
. . . In fact, I remember one of the projects my teacher gave
me was writing a log-in simulator. A log-in simulator is a
program to trick some unknowing user into providing their user
name and password. And of course I got an A.
But it was encouraged back then. We're talking about the '70s.
And now it's taboo.
And a lot of people in the industry today, like Steve Jobs
and Steve Wozniak, they started out by manipulating the phone
system. And I think even went to the point of selling blue
boxes on Berkeley's campus. And they're well recognized as
computer entrepreneurs. They were the founders of Apple Computer.
LIEBERMAN: So that the fork in the road went in different
directions, in their case.
MITNICK: Just slightly.
LIEBERMAN: Just slightly. Well, maybe there's still time.
Well, you're young, so there is still time. Your answer is
very illuminating. Part of what you're saying has struck me,
which is unlike other forms of trespass or crime, you didn't
profit at all.
MITNICK: I didn't make a single dime. One of the methods how
I would try to avoid detection in being traced was to use illegitimate
cellular phone numbers and electronic serial numbers to mask
my location. I didn't use this to try to avoid the costs of
making a phone call, because most of the phone calls were local.
I could have picked up a phone at home and it would have been
a flat rate. I did it to avoid detection. But at the same time,
it was cellular phone fraud because I was using air time without
paying for it.
LIEBERMAN: Were you aware, as you went through this pattern
of behavior, that you were violating law?
MITNICK: Of course, yes, I was aware of it.
LIEBERMAN: You were. And were you encouraged or at least not
deterred by the fact that you had some confidence that there
were few or no consequences that attached to it? I mean, there
are occasions where people know that they're doing something
illegal, but they think that the prospects of them being apprehended
and charged are so slight that they go forward nonetheless.
MITNICK: Well that's true. Because as you're doing some illegal
activity, you're not doing a cost-benefit -- well, at least
I wasn't doing a cost-benefit analysis. And I didn't think
of the consequences when I was engaging in this behavior. I
just did it and I wasn't thinking about, well, if I were to
get caught I'd have these consequences. I was just focusing
on the activity at hand and just doing it.
LIEBERMAN: Because of what you described before as the thrill
of it, or the challenge of it, the adventure.
MITNICK: It was quest for knowledge, it was the thrill, and
there was the intellectual challenge. And [with] a lot of the
companies I targeted, to get the software was simply a trophy.
I'd copy the code, store it on the computer and go right on
to the next without even reading the code.
MITNICK: And that's a completely different motivation of somebody
who's really out for financial gain or foreign country or competitor
trying to obtain information, like economic espionage, for
instance. . . .
LIEBERMAN: You've talked about the prominent role of what
you described as social engineering, which is to kind of manipulate
unwitting employees. I know this is hard to state a percentage
on this, but would you guess that most of the hacking done
is being done in that way by the manipulation of the cultural
weaknesses, the human weaknesses? And how much does hacking
depend on successful human penetration of a system, as opposed
to technological penetration of a system without any assistance
from anybody inside? . . . .
MITNICK: Well in my experience, most of my hacking involved
the social engineering exploitations. But I think that most
of the hacking out there is really the weaknesses that are
exploited in the operating systems and the software applications.
Because if you go on the internet, you can simply connect to
computer sites that basically have scripts of the exploit codes
so anybody that has access to a computer and modem can download
these exploits and exploit these vulnerabilities that are in
the operating systems developed by the software manufacturers.
And that's why . . . I think it's important for the software
manufacturers to be committed to thoroughly testing their software
to avoid these security flaws from being released to the
marketplace. . . .
U.S. SENATOR JOHN EDWARDS (D-NC): In answering one of Senator
Lieberman's questions about why you got involved in hacking
to begin with, I was listening to the words you were using.
And they sounded very much to me like a description of addictive
behavior. Do you believe that addictive behavior is involved
with folks who are habitually involved in hacking like you
MITNICK: I'm not sure I'd consider it addictive behavior.
It was just an activity I was intensely interested and focused
on because ever since I was a young boy I was interested in
telecommunications and computers. And that was just my calling,
just like somebody who is very interested in sports and every
day they go out and practice. I'm not sure that you could really
equate it to like a physical addiction. But then again, I'm
not a health services professional so I wouldn't know.
EDWARDS: I understand. But did you feel like you yourself
were addicted to this hacking behavior?
MITNICK: I enjoyed it. I would say it was a distinct preoccupation,
but I don't think I could label it as an addiction per se.
EDWARDS: Did you ever try to stop?
MITNICK: I did stop for a while and then at that time that
I wasn't engaging in that behavior, the Department of Justice,
specifically the FBI, sent this informant to target me. And
basically, I got hooked back into computer hacking because
of the enticements that this fellow that they sent to target
me kind of enticed me back into that arena.
EDWARDS: What advice would you give to other hackers, or probably
more importantly, potential hackers?
MITNICK: That's hard to say, I'd have to really think about
that. I don't encourage any activity which maliciously destroys
alters or damages computer information. Breaking into computer
systems is wrong. Nowadays--which was not possible for me when
I was younger, as computer systems are now more affordable--if
somebody wants to hack they can buy their own computer system
and hack the operating system and learn the vulnerabilities
on their own system without affecting anybody else with the
potential for causing any type of harm. So what I would suggest
if people are interested in the hacking aspect of computers,
they can do it with their own systems and not intrude upon
and violate other personal or corporation's privacy, or government.