Kevin Mitnick, former hacker turned security consultant, reveals how social engineering—like posing as a receptionist or planting malicious CDs—exploits trust to breach systems, including a 1997 case where vulnerabilities in Boeing and Lockheed Martin were exploited by a group linked to Osama bin Laden. He criticizes banks’ reliance on weak authentication (e.g., mother’s maiden name) over stronger methods like biometrics or VPNs, despite fraud losses measured in "basis points," and warns of risks in unsecured wireless networks (WEP) and peer-to-peer file-sharing (Morpheus, Kazaa). Mitnick’s shift from black-hat exploits to ethical consulting underscores the evolving but still fragile nature of cybersecurity. [Automatically generated summary]
Let's first go through a couple of the sort of show things.
Somebody asked me last week how the program gets from here to there, how it gets to your radio, you know, that kind of thing.
Well, the first big, giant step that it takes in that direction is from the Uplink facility located here at my house in a closet.
So for those of you who over the years have wondered what sends the signal from here to there, there is an associated parabolic dish outside that receives the signal sent from this stuff that's in my closet.
And it's been there for, I don't know, about a decade or so.
And I would imagine if that were to be replaced now, it would be the size of a suitcase or something.
But that is a complete satellite KU-band uplink setup thing you're seeing in my closet there, which is where it has resided since the very beginning.
That photograph is on the website, coastcoastam.com.
Simply click on ArtsWebcam, and there it will be, sitting in its closet, where if you don't want to look at it or hear it, you can just shut the door, and it's like it's not even there.
Now, I want to promo tomorrow night a little bit.
I'm going to do, it's going to be open lines.
So a lot of times a talk show host would like to launch a discussion in a certain direction for a program, and a lot of times it doesn't work at all.
In other words, the audience will take it in the direction they want to take it, and that may occur tomorrow night.
But I want to talk to you about oil and gas and the price of gas, which is now going up to the point where a lot of people who commute aren't going to be, or it's not going to be worth their while soon enough to continue that commute.
They're not going to be able to afford it.
We have a crisis ahead of us, directly ahead of us, in energy.
No question about it.
Last week I had Willie Nelson on.
Willie talked about his biodiesel.
And I just noticed tonight before I came on the air, CNN headline news ran about, I think, a two or three or four minute piece at least on Willie Nelson's biodiesel.
Showed his vehicles, all the rest of it.
So that's one thing we'll talk about tomorrow night.
I hope that CNN got the idea from the show here last Saturday.
I rather imagine they did.
Good for them.
Now, so tomorrow night, I'm going to want to talk to all of you and have you talk to me about oil and about the crisis.
And I've got some facts that I've dug up for the occasion.
And they're pretty bleak facts indeed.
So I'll sort of choose how much reality to give you.
Now, I'll give it all.
I was just talking about that with a group of friends on a hymn radio before I came on here tonight.
Reality.
How much reality do the American people really want?
Boy, is that a good question.
How much reality do the American people want?
And how much can they take?
In other words, with regard to the energy situation, the honest facts are so bleak that I'm not sure everybody wants to hear them.
So we'll talk about that tomorrow night.
This is a place where you do that kind of thing, where they won't talk about it elsewhere.
We will.
It's an emergency situation.
There was one article I read, which I've got, which I may read part of it, which was something, it was called The Long Emergency.
Well, yeah, it's going to be a long emergency, but the effects of it are being felt already.
Been to the gas station lately?
In a moment, we'll look at world news, and I guess maybe I'll hold that up for a moment.
Because even though I want to talk about oil tomorrow night and energy, I have a feeling, if it is still appropriate, the audience is going to want to talk about the Chivot case.
Maybe I'm wrong.
But this has been a national traumatic event.
It is currently a nationally traumatic event.
Everybody's traumatized by this case.
I mean, really traumatized, honestly traumatized.
The latest would appear to be after another round of losses in the courts, Terry Chavell's parents kept watch over their dying daughter Saturday.
Described, depending on whose lawyer you want to listen to, as being in peace or looking like a concentration camp person.
Anyway, trying in vain to give her Easter Communion as their attorneys acknowledged the fight to reconnect the brain-damaged woman's feeding tube was nearing an end.
They're about ready to give up, I guess.
Attorneys for Bob and Mary Schindler decided not to file another motion with the Federal Appeals Court, essentially ending their effort to persuade the federal judges to intervene, something allowed only by an extraordinary law passed by Congress.
Meantime, they're telling the people that are protesting and Standing outside, go home and be with your loved ones.
Pat Buchanan said, in part, our nation, ours is a nation, where a judge may not sentence beltway sniper Lee Malvo to death because he's too young to die, too young to die, but can sentence Terry Shivo to death because she is too severely handicapped to live.
Shivo continues a process of dying by starvation and dehydration, a method, capital punishment, a method of capital punishment, honestly, that most people would consider criminal if perpetrated on a pet, done to a pet.
We'll let a dog or a cat starve to death.
And, you know, if a dog or a cat was starving to death, the protests would be incredible.
You know, the animal organizations would all be out like crazy.
And it's not that the pro-lifers are not out on this.
They certainly are.
But they have not prevailed.
Here's somebody who sent me, you know, I've had a million emails on this subject, on the Chivaux.
I think every talk show host in America has been inundated with this sort of stuff.
This person says, Hey, Art, I wonder why the United Nations hasn't said anything, anything at all, concerning the way our justice system is treating Ms. Chivaux.
I thought they were concerned about human rights.
That's Tim.
This was an interesting one, I thought.
On the morning of 3-305, I told my husband Art that something will affect changes in consciousness worldwide.
You told us, meaning me, I believe it was the 5th of March I did, that the Princeton Consciousness Research Lab eggs had indicated unrest.
Yes.
She says, obviously, it was a prelude to the Terry Shivo situation.
And I haven't checked, but I would be willing to bet you that that might be true.
And that the eggs have registered a very great deal in the Shivo case.
unidentified
People have been so emotional, so incredibly emotional about this.
Either on one side or the other side, and damn near evenly divided.
It is as divisive an issue as abortion.
Actually, it is the same issue as abortion.
It's a whole life thing, right?
I think that we should have erred on the side of life in this case.
There was no written document.
This is what I told you last week.
No written document did you leave.
And so that's my personal take.
I understand others feel.
And then again, I'm a libertarian, too.
And I believe in less government, but yet I support the government's intervention, unsuccessful, albeit I support that effort.
And I shouldn't normally do so.
I'm not a perfect libertarian.
I'm not really a perfect anything.
I guess I don't fit into any exact description of what I ought to be.
Libertarianism should be, you know, behind the government staying the hell out of this.
So politically, I ought to be coming at it from that direction.
But this is a question of life and death.
And I think there should be a written document from the person involved.
And I've got, you know, I've seen what all of you have seen, the assault on the Internet.
I'm sure most of you did not get it to the degree that I have, but I have had all of these supposed testimonies, documents from nurses and things that bring tears to your eyes and make you think.
And I can't know they're all real or even whether half of them are real, you know.
Her attorneys are suggesting she has said she wanted to live.
And others have said, no, it's just a reflexive sound, reflective sound, a reflex of a dying brain or something or another.
This has been a trauma for America, a big trauma for America.
So the Princeton eggs around here ought to be jumping up and down.
And I don't have the chart to prove it, but I would be willing to bet you that during this Shybo situation, and prior to it, in fact, or just prior to it, they have been jumping around.
unidentified
more in a moment The Shiva case absolutely has been a gigantic trauma for America.
Dutch scientists are urgently checking whether perhaps the bird flu virus sweeping the country has now mutated into a dangerous human pathogen after it claimed its first human victim.
A 57-year-old Dutch veterinarian died of pneumonia in the southern city of Ben Bosch on Thursday, and the most likely cause, that's in quotes, say investigators, was the bird flu virus.
Concern about the virus has been mounting ever since it became clear that the highly pathogenic avian flu had been ravaging Dutch poultry farms since 28 February, and it also now, they're suggesting, can infect go from human to human.
That would be horrible if true.
Thus far, 82 people with clinical symptoms have tested positive for the bird flu virus.
Doesn't sound like a lot, right?
Nearly all have conjunctivitis, a mild eye infection.
Six people had typical flu-like symptoms.
Worryingly, there has been strong evidence, that's in quotes, that three of these cases did not catch the virus from sick poultry, but from a family member working on infected poultry farms.
So there's still the possibility that it came directly from poultry and not from one human to the next.
When that occurs, believe me, we'll all know about it.
It's going to go around the world as quickly as any flu, and for some reason, the scientists seem convinced because we get story after story after story about how it's going to jump and become suddenly infective from human to human.
I don't know how they know that, but they sort of seem to know it.
Speaking of knowing things, the federal government kept it secret for three months, but it does seem that genetically modified corn seed was sold accidentally to some U.S. farms for, let's see here, four years and may have gotten into the American food supply.
The accidental use of unapproved seed became public when the scientific journal Nature published a story and blew the whistle on Tuesday.
The corn seed was probably safe, however.
America's food supply and plant and animal stocks were not harmed and remain safe to eat, according to officials of the seed company and the federal government.
However, they decided to keep all of this secret from us.
I wonder if they would have told us, you know, if suddenly everything had gone wrong, what do you all think?
Would they have told us, well, we know why everything's going wrong?
It's because, unfortunately, this seed stuff got out.
It's not enough for everybody.
Sheldon Krimsky, a Tufts University environmental policy professor, said it's not acceptable.
He's a longtime foe of genetically modified crops.
He says, quote, they have both a moral and legal obligation to reveal violations, Krimsky said.
This is a government that's operating in a stealth manner that wants to keep bad news from the public, end quote.
I don't mean to laugh, but, you know, this might have been bad news, right?
Now, they've told us now that we know it isn't bad news.
We know, apparently, that it's all right.
But you've got to wonder, if it didn't go right, if it had all gone terribly wrong and people began getting sick, would they have revealed this now?
Well, I sort of doubt it.
So this professor at Tufts is probably right.
But think how that whole principle applies to the oil and gasoline crisis, for example.
You've got to keep bad news from the American public.
Let me tell you, folks, it's really bad news.
What's about to happen with energy in America and the world, actually the world, not just America, is really bad news.
So I guess that principle carries over, huh?
What do you think?
A 70 million-old, year-old Tryanosaurus rex fossil that they have dug out of a hunk of sandstone has yielded a real bonanza.
Oak, soft tissue.
Soft tissue from a Tryanosaurus rex.
How incredible is that?
Not hardened, petrified something or another, but real, honest to God, soft tissue.
Blood vessels, whole cells, pliable, malleable inside guts of a T-Rex.
Do you know what that means?
Well, potentially a lot of things.
Let me keep reading here.
When they got it into a lab and chemically removed the hard minerals, they found what looked like blood vessels, bone cells, and perhaps even blood cells.
They are transparent.
They're flexible, said Mary Higley Schweitzer of North Carolina State University and Montana State University.
She conducted the study, I guess she said.
The vessels were flexible, and in some cases their contents could be squeezed out.
Squeezed out.
How could it possibly have been kept in that kind of shape for that long?
A preservation of this extent, she said, where you still have this flexibility and transparency has never before seen in a dinosaur.
So could it mean Jurassic Park?
Well, the $64 billion question, of course, is whether they can get some sort of genetics from it.
If they get a genetic, a perfect genetic fingerprint of a Tryanosaurus, you've got to wonder, would they attempt to recreate the Tryanosaurus?
How would you vote?
If it turns out, because of this wonderfully appliable, soft, fresh, gutsy material of a T-Rex, I wonder how all of you would vote.
If we could create a T-Rex, should we create a T-Rex?
And we may be on the horns of that dilemma.
We may have the goods.
Down in Florida, something not so good is happening.
Seven children have contracted a life-threatening kidney infection.
Health officials there are very concerned, and apparently because they have gone to a petting zoo.
Five of the seven were hospitalized in critical condition, including one on dialysis, according to the Orlando Central.
And again, these children only went and petted some animals.
Of course, it could turn out to be something else, but they were just petting the animals, and they've come down with this.
This is a fascinating story.
I don't think I'm going to have time for it.
Marianne Fife and her family never thought they'd see their three-year-old cat Kane again.
But when the movers were at the Fife's Iroquois Point home December 15th, Kane was nowhere to be found.
The Fife thought that Kane might have run out of the house.
He's an indoor cat, but the movers had left all the doors of the Albatross Avenue home open.
Well, you know cats, right?
They like to hide in stuff, and they particularly like a dresser drawer.
Well, Kane figured out how to open drawers, I guess.
But, unfortunately, the movers in this case, remember this family was moving, caked all the drawers shut.
So, of course, they missed their cat before they moved, and they called and they called in the night, and they went out, and they called this poor little cat, Cain, and Cain did not come back.
The Fifes, alone Kane, stayed, or were, you know, part of the family, stayed in the Iroquois Point home five more days.
Five more days, waiting out on a Ludaw every night for Kane to possibly return.
The day before they moved into a hotel, Marianne and her 18-year-old daughter drove around the neighborhood looking for Kane.
She was crying, calling out his name, Marianne said.
Marianne gave the neighbors and maintenance workers her number and said, you know, call if you see Kane, call.
And the family left Hawaii on December 26th without Cain.
Very sad.
The Fife settled in Crofton, Kentucky.
That's a long ways away.
And their household items arrived January 27th.
Just in case Cain had been packed with the furniture, Larry Fife sent his wife and daughter away from the house before the movers arrived, you know, expecting to find the worst, of course.
When the movers unloaded the dresser, there was indeed a foul odor.
Larry thought the worst was about to be realized.
But when he opened the dresser, Kane was in one of the drawers staring back at him, meowing.
He called Mary Ann with the news.
He said, you're not going to believe this.
Cat's alive.
Mary Ann was driving around with her daughter.
I told her she was jumping up and down.
She was crying.
I was crying.
We were all hyperventilating.
Kane had weighed 13 and a half pounds in Hawaii.
When he arrived in Crofton, after 44 days inside the dresser, he weighed less than three pounds.
He's suggesting that we're establishing a precedent here.
And that if something like Macau disease should come along, then perhaps the Chival case, established law, would apply to millions and millions of people affected by CJD.
There is an angle I have not considered, I must confess.
Well, would it apply to people with Alzheimer's?
Where would we draw the line?
How much memory and consciousness do you have to display before you might not be lumped in with some sort of thing that comes out of this newly established?
It is sort of newly established law, isn't it?
In a lot of different ways.
In terms of the intervention of the federal government, in terms of what they've not been willing to listen to.
You know, some of this stuff, I must admit, I have no way of knowing.
In fact, we're going to talk about the internet tonight.
We're having, just for a lighter break here, Kevin Mitnick will be on.
Kevin is one of the famous hackers, most famous hackers in all the world.
On the website, it says the most celebrated hacker in the world, Kevin Mitnick, I added the world.
I wonder if that's the right word to use for a hacker.
And may the Easter Bunny bring you many unidentified flying Easter eggs.
You know, Art, I was thinking about this Terry Shivo thing.
I saw some Fox update before your show came on.
I guess that they're even talking about now that Terry Shivo may not even be able to be buried by her family, that Michael Shivo is going to take full control over even her burial.
You know, through all this, you've got to wonder why didn't he just divorce her?
unidentified
Absolutely.
So, you know, could money have anything to do with this?
It could have very well have had something because, of course, the $1.5 million that he did receive initially for this suit, as she did have that accident, that fatal accident that.
I know, although I must admit, and maybe you should too.
Look, I've read all the Internet stuff.
Who the hell knows what you can believe and what you can't believe?
It's one of the complaints I have about the Internet.
If I were to believe, I don't know, a third of what I've read on the Chaivo case, I'd probably be over there out in front of the street myself protesting.
I just don't know what to believe.
On the Internet anymore, how can you know what to believe?
Even off the Internet, even if you go and you read the headlines, you know, according to one lawyer, it's one thing.
According to another lawyer, it's a peaceful, quiet death.
And people are, my God, this is emotional.
Saying why I say, if it's so peaceful and quiet, then let in a camera and we'll see how peaceful and quiet a death it really is.
One of the lawyers claims to have heard her saying something like, I want to live.
unidentified
Yeah, yeah, yeah, yeah.
But, I mean, why don't they do a test?
You know, where it's, you know, something she is able to do and, you know, is able to answer basically by swallowing water or not, you know, whether she wants to take water into her body or not.
That was one thing I was just wondering.
And then, you know, another thing is the whole thing that just really sits wrong with me is that this vow that Terry took or said to Michael supposedly is so, so, so important to him.
And yet his marital vows are obviously of little or no.
But if she's really brain dead, like they say, then waiting a little while longer to investigate this stuff, who's it going to hurt?
Who's it going to hurt?
To examine some of the allegations that have been made might take, I don't know how much of a court's time, but in terms of the significance to America and the precedent setting that's going on here, why would it hurt to wait a little bit?
If she's really brain dead, it's not going to hurt her at all, right?
But I mean, what if there is something to some of this stuff?
Wouldn't it hurt to wait?
First time caller line, you're on the air with a lot of noise there.
Well, he's about to be on, and this hour is drawing to a close.
So very quickly, what's up?
unidentified
I know some people who were present when he was arrested in North Carolina, and at the time of when they closed the door on him, he said No matter what happens, I'm a patriot.
No, no, he made the statement, no matter what happens, remember I'm a patriot.
And no one ever explained what that meant.
And my question is, I'd be interested if you would either explain what that meant and also explain whether he had ever been contacted by foreign intelligence agencies, for example the Israelis, in the context of hacking activities.
Kevin Mitnick is a security consultant to corporations worldwide.
He's co-founder of Defensive Thinking, a Los Angeles-based consulting firm, DefensiveThinking.com.
He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government's information systems.
His articles have appeared in major news magazines and trade journals.
He's appeared on court TV.
I bet.
Good morning, America.
60 Minutes, CNN's Burden of Proof, and Headline News.
Kevin has been a keynote speaker as well at numerous industry events, and in fact, has hosted his own weekly radio program on KFI 640 in Los Angeles.
The 50,000-watt torch in L.A. Here is Kevin Mitnick.
I remember at the time that the government had bandied about that I had hacked into computers at the CIA and very sensitive secret computers, which never did happen.
So I was always afraid that they would try to argue this in the court of public opinion.
Of course, they didn't do it, and I was never charged, nor arrested, nor convicted of it, but I was always afraid that they would have.
I could look into Google, but I don't even recall what the Fibonacci numbers are.
But anyway, so anyway, what I did is instead of writing that program, I wrote a program that would actually grab the teacher's password.
It was kind of like to pull a prank on him.
When he'd go to sign onto the computer, it would appear as he was signing onto the computer, but it was actually running a program.
So he was signing onto my program, and the program would take his username and password, or it would store it in a file, and then it would log him onto the computer.
At first, he couldn't believe how is Kevin getting all this?
How is he getting this?
And it became like this cat mouse pranksterism game between my teacher and myself.
And eventually, after I told him, he gave me an A for the program, actually gave me a lot of adaptoids.
He was actually in PrEP.
So actually when I was in high school, the ethics of computer hacking at the time is you were patted on the back and you were encouraged to do this type of stuff, unlike today, where you can get into a lot of trouble.
Like, if you came up with clever, innovative stuff like back in the 70s, you were actually rewarded for this stuff.
And you're given a lot of atta boys.
Unlike you do this today, you probably end up expelled from school.
So in any event, in fact, most of the security professionals today, 95% of them were hackers in the past.
But in any event, what had happened is to make a long story short, is I was really interested in becoming the best at circumventing security vulnerabilities.
And I made some regrettable and stupid decisions.
And I targeted the source code of, and source code is like the original programming instructions of certain operating systems, like certain, like Solaris and SunOS that was developed by Sun Microsystems, VMS that was developed by DEC.
And I moved a copy of the source code to some computers over at UFC in Los Angeles so I could scour through the code to look for holes or vulnerabilities that have been patched and some that might have not been identified by the developers.
So what I did is I stole the copy of the source code for different operating systems and cell phones for the purpose of identifying vulnerabilities.
And then that's what led me into a lot of hot water.
And then because of I had a case in 1988 where a federal prosecutor had told a judge that I could start a nuclear war by simply whistling into the telephone.
I think the guy was watching too many reruns of war games.
And what ended up happening is then I was afraid that the government was going to really exaggerate my case, and I was going to be held in solitary confinement for years.
That's the real name of famous magician Harry Houdini.
So I had a sense of humor, right?
But I quickly learned that the FBI had no sense of humor.
No sense of humor.
So what ended up happening, then I was moving around the country, and then I worked at a hospital in the IT department in Seattle, and I moved to Raleigh, North Carolina.
I had a, in my mindset, in my mind's eye, I treated it as if I was living an adventure or as if I was just like an undercover covert type agent, you know, living under a cover identity.
Well, all the ones that I could possibly identify.
Don't forget, you could have the blueprint right there, and some could be so obscure or difficult to identify that I might not see it.
But it's kind of like the blueprint.
It's like the secret recipe to the Orange Julius.
And what's strange these days is a lot of the source code, except for Microsoft Windows, which I wasn't interested in at the time, it's pretty much one open source.
Well, there's so many holes in a lot of what Microsoft, of course, they've been, my God, I think I have actually more patches for my operating system than I do megabytes of operating system.
Well, I'm serious.
You ought to see the patch.
You know, when you do a defrag, you can see it.
You can see all the patches down there.
My God, it's bigger than the operating system.
So there must be a lot of holes in Microsoft's stuff.
Has that code ever, ever been stolen?
Otherwise, how do they know about all these codes?
And Internet Explorer is riddled with security vulnerabilities.
That's why a lot of people, I think even Gartner advised people to switch to Firefox, a different browser, because what happens if your Internet Explorer browser is vulnerable, if you are persuaded or influenced to go to a particular website or somebody sends you an email with a hyperlink and you click on it and you go to a website that has certain code to exploit that vulnerability,
the bad guy could take complete control over your computer by simply installing software like a common piece of software would be like a keystroke logger or a piece of spyware that monitors everything you do on your computer.
A keystroke logger means that every key you hit, whether you're typing an email or doing anything else on your computer, is preserved and then transmitted to somebody else, yes?
So every keystroke you do, if you're an AOL instant messenger, if you're sending an email, signing on to your online bank, every keystroke you type is simply captured and it's emailed to a drop email address, a dead drop, as they call it.
And it can be a free Yahoo or Hotmail account or a Gmail account.
All right, would you differentiate for me, please?
Somebody, Harold, sends an email that says, hey, Art, I've noticed just about everything on the web nowadays installs what's called a data miner to slow down our computers by running in the background, even logging offline.
Some are even breaking my outerware remover that is hardened against such attacks.
Well, what I think he's speaking to is software that is considered a type of spyware, but it basically monitors what websites you're going to, so they could send you marketing materials.
Yeah, where you're going on the internet, basically, you know, looking at your cookies.
Basically, you've heard of DoubleClick, which is a lot of these e-commerce sites are affiliates, so basically through cookies, they can kind of keep track to what sites that you visit on the Internet and report that data back so they could target you for marketing.
And it's just like if you go to Amazon and you start clicking on computer books and Amazon remembers by storing a cookie of what your interests were.
So when you go back on to their site and do some shopping, it's going to be a lot of fun.
I mean, that's not too bad, but you also have the feeling that these data miners or keystroke things or whatever could be a lot more malignant in their intent.
I mean, the Attaware, while people don't appreciate being tracked for privacy purposes, the most insidious type of software is the real spyware, which monitors what you're doing.
In fact, there was this guy in New York who went to all the different Kinko copier establishments out in New York and installed keystroke loggers on all those computers.
So anyone that would use their online banking or sign on to sensitive email from Kinkos, all their communications were essentially, and all their keystrokes were monitored by the bad guy.
And eventually he got caught because what he was doing this was for identity theft.
Yeah, unfortunately, he got caught, but you have to think about what about all the other guys that are doing the same thing?
Anytime you go up to an internet kiosk, anytime you go to a Kinko's, or anywhere where you're not using a computer that you can trust, you could be easily monitored and people don't even think about that.
Usually the bad guys are able to get certain non-public personal identifying information like your mother's maiden name or your social security number.
And people think these pieces of information are private, but anybody with an internet connection and a credit card could easily obtain these details and then become you.
when you call social security talk about social security they want to know your mother's made me and couple of things and then they know it's you Abomba Abomba Abomba If you ask about my mother
unidentified
Abomba
When you hear my heartbeat in this corner, you know that behind all this gold sound, the smell of a touch to the something inside that we need so much.
The sight of the touch or the scent of the sand, or the strength of an oak leaves deep in the ground.
The wonder of flowers to be covered and then to burst up through tarmac to the sun again.
Or to fly to the sun without burning a wing, to lie in the meadow and hear the grass sing, and all these things in our memories hall.
I'm the user to help us survive Yeah Fight Fight, let's dissolve Take this place On this trip Just go here
Fight Take a break I can't Refin my wish Of a seed It's for free Wanna take a ride?
To talk with Art Bell, call the wildcard line at area code 775-727-1295.
The first-time caller line is area code 775-727-1222.
To talk with Art Bell from east of the Rockies, call toll-free 800-825-5033.
From west of the Rockies, call 800-618-8255.
International callers may reach ARC by calling your in-country sprint access number, pressing option 5, and dialing toll-free 800-893-0903.
From coast to coast and worldwide on the internet, this is Coast to Coast AM with Art Bell.
Well, the hackers that don't kill you will make you stronger.
In other words, if you don't completely slaughter them by stealing their source code and finding all their vulnerabilities, then in the end, I mean, even though you go to prison and they want you tortured and killed, maybe, since you're not and you do get out of prison, then they want to employ you to help protect, right?
Well, usually, with respect to identity theft, if your computer is vulnerable and a bad guy breaks in, of course you might have certain data on there that might help them.
But usually the people you have to be concerned about are looking for many pieces of information on many different people.
So they're going to target databases.
Like, for example, in the recent news, I don't know if you heard about this, Art ChoicePoint, which is a company that sells non-public personal identifying information, was essentially hacked.
LexisNexis apparently had some problems too.
And this is where the bad guys get hundreds, thousands, tens of thousands of social security numbers matched with names, with addresses, dates of birth, and so on.
And this is where the serious problem exists.
And because in America our system is broken to essentially become somebody else, all you need to know is certain key pieces of information.
To get a birth certificate, to get a certified copy of a birth certificate, all the requester has to know is the person's full name, date of birth, place of birth, mother's name, father's name.
Then the bad guy gets a copy of the birth certificate and they can essentially become you.
I mean, it's a real simple process and that's because of how the system with identity works here in America.
Well, it's highly likely, but these people are, since they're targeting so many people, not just one, two, three, 10, what they're doing is they're basically doing it based on information.
And if they have certain pieces of information about you, they can simply go online and apply for credit.
Get an extension of credit in your name.
There's even been cases where people open up a mortgage in your name.
And all they need to know is certain key pieces of information about you.
And why this needs to be out there in the public, why people need to know about these websites, is so they'll be encouraged to contact their financial institution immediately and change the mother's maiden name or set a password because people are relying on protecting very sensitive information like access to their bank account based on information that's readily available on the internet.
There'd have to be a social security number, which also there's sites out there primarily for private investigators and underwriters that pretty much anybody can get an account at by filling out the appropriate paperwork.
And then you can basically pull the person's social security number and date of birth, and you have the mother's maiden name.
And it's quite simple for identity thieves to get extensions of credit in your name.
Somebody stole my identity and opened up a cellular phone account in Denver and ran up hundreds of dollars Worth of long-distance calls, and then I got the bill for it.
It took me a little, you know, I had to prove it wasn't me, which was very time-consuming.
But at the end of the day, I didn't have to pay the bill because it simply wasn't me.
Well, time, and as we know, time equates to money.
And what the biggest headache is, and I'm sure there's people in your audience that have also been victimized by this, is having your credit profile changed negatively.
And then going back to these bureaus, I'm talking about TransUnion, Equifax, and Experian, and getting them to correct it.
It's really time-consuming process.
And the burden of proof shifts on you.
And I really believe that when your identity is stolen, that to make it easier for the victim, that the burden of proof shouldn't shift to the victim, but should shift to the Bureau.
But at the end of the day, we're all paying for it because that's why they're charging us higher interest rates, right?
So everybody is paying for the thievery that's going on, but actually the first line of the attack is going to be the issuer in the instance of credit cards.
I spoke at an event, and the heads of a lot of the major, major credit card companies were there.
And what they do is they measure their losses.
They call them basis points.
And I don't know the exact calculation for it at this point because it really wasn't explained to me.
But the bottom line is they basically measure their loss.
And then they measure, well, how much money would it take us to offset the loss?
Or how much money is it going to take us to prevent this from happening?
And so far, the attitude is one remedy is to use a stronger form of authentication.
Authentication is when you have to prove that you are who you say you are.
Usually online you do that through a password.
But the problem is with all these phishing scams going on in the Internet, how do you, you know, and people are giving up their password through phishing scams, by people that are victims of social engineering attacks.
So these static passwords are really dangerous because you never know when somebody else has your password.
So stronger forms of authentication are like smart cards, maybe a device you carry on your keychain that the code changes every 60 seconds, maybe a biometric like your thumbprint or an eye retina scan.
Well, the problem is for banks, credit card companies and banks to deploy these technologies, it will actually cost them more money to deploy that technology than the losses they were suffering.
So what they do is they just choose to accept the loss.
And if it costs $10 million to deploy a stronger form of authentication that their customers could use, then it's not going to be worth it, so they just simply accept it, and that's it.
Well, what's going to happen, then these companies will say, oh, to manage our risk, we'll deploy a stronger form of authentication to make it more difficult for the thieves to do their business.
Why would you want to bother yourself having to use all these fancy devices to prove who you are when at the end of the day, it doesn't cost you a dime if you're defrauded.
It costs the bank.
So people really don't care.
But in Eastern European countries, it's the opposite.
It's where the consumer takes the risk.
So now they're interested in these better forms of authentication and they're really pushing for it because they don't want to take the loss.
Well, with social engineering, the best definitions or the best information could be found in the old art of deception book.
But real quickly, it's basically where the bad guy uses manipulation, deception, and influence tactics.
I'm talking about the same influence tactics that sales and marketing people use to persuade or to influence rather a trusted person inside a company to either reveal information or to do some sort of action item that lets the bad guy in or gives the bad guy the information.
It's simply the art of getting a person to say yes, to comply with a request, and this request is what benefits the bad guy.
A guy walks into a building of a company during the day when the receptionist is quite busy, walks up to the receptionist maybe 10 minutes after sitting down.
The person's dressed in a suit, so the person has that authority, looks like a typical businessman or woman.
Briefcase, joculant hairstyle, typical trappings of a business person.
Hands the receptionist a $5 bill and says, excuse me, miss.
I found this money on the floor over there and I just wanted to turn it in.
And the receptionist is very surprised and says, okay, well, thank you so much.
And then about the person sits down 15 or 20 minutes later, the person goes back up to the same receptionist and says, listen, I just got an important SMS message or phone call.
I need to get something off my computer.
I need to be able to sit down somewhere.
Is it possible I could just use the conference room behind you just for 10 or 15 minutes?
If anybody comes in, I won't bother you.
I'd really, really appreciate it because I need to get this taken care of.
Receptionist knows that only employees are supposed to be in that conference room, but she thinks, well, she's attributed, she's given a positive attribution of trust to this person based on the person turning in the $5 pill that they found on the floor.
So she's thinking about it and she goes, well, sure, I can trust this person.
So he lets the guy into the conference room.
The guy plugs in the laptop into an Ethernet jack in the conference room because most companies have their network connectivity for conferences, of course.
Finds it's a live jack behind the company's firewall.
Person plants a wireless access point about this wireless access point being a device that fits about the size in the palm of your hand.
Plugs in the wireless access point into this Ethernet jack, puts a note on the wireless access point, please do not remove information security department.
And then from the parking lot with a directional antenna, of course, the bad guy has complete access to the company from the parking lot over radio.
Social engineering is where the bad guy or the hacker is getting access to company information or company resources by influencing people and exploiting technical vulnerability.
So then you have a keystroke logger that's sitting there, you know, basically installed a wiretap on the victim's computer that clicked on that spreadsheet.
Or worse yet, it's a program that attempts to connect out from that person's computer to the Internet to another machine, another computer that the bad guy had compromised, so now they could use that as a tunnel into Premier Radio Networks Network.
So there's an example of the social engineering attack, which is a little bit different.
It's actually influencing the target by getting access to something that they'd really like to look at, and by doing so, getting them to install malicious software on their computer that gives the bad guy an advantage.
So now what I used to do illegally for the intellectual challenge and pursuit of knowledge in Thrill, now I actually, it's a business because companies hire me to test for their security failures, banks and even some U.S. government agencies.
So it's quite interesting that you can take a scale for which you can get into trouble and now actually do something that benefits the community and also is as challenging and making a living from it.
Well, I mean with the ubiquitous wireless connectivity these days, especially with 802.11, which is 802.11b, that's like a protocol that's used like at Starbucks if you're using T-Mobile.
Well, most consumers these days are going to their local electronic shop and they're installing wireless access points at their homes.
Businesses are doing the same.
And what ward driving does, it's simply driving around the neighborhood.
And in some cases, it's called ward walking, where you walk with your laptop, like if you're in Manhattan, and you identify businesses and people that have open wireless networks.
No, because of the implementation of the protocol, because of a flaw in the implementation, it basically takes an attacker to capture a number of packets.
And once a certain number of packets are captured, let's say over a usual time period of six hours, with a program called Ether, or Ethereal, is another way of saying it.
Then you could take the output from this program and run it through another program called WebCrack and basically derive the web key.
And so for any companies that are running with WEP enabled, those are also easily hacked.
So what you have to do is you have to treat your wireless access point as basically a completely untrusted entity and run VPN over it.
Not only do hackers go, but law enforcement agencies go as well.
And they had a contest, I believe it was last year, and the contest was how far the distance to you know, you basically build your own antenna and how far can you communicate with a wireless access point.
And they were doing this all, I guess they, I don't know if they drove up to like Mount Podicy or something, but I mean they actually got that distance.
So these guys that basically hitchhiked all the way to Vegas to go to this hacker convention won the contest.
And imagine a social engineering attack with wireless, right?
Imagine an industrial spy wants to get access to a company's secrets.
So what they do is they'll do a little bit of research on the person, the family.
And what if the executive received a gift around Christmas time, purportedly from a company they'd normally do business with, with a wireless access point and with instructions to install it?
What are the chances that that executive will just happily install that at their house and then they send their operatives around three to four weeks later and then they have complete access to the network and will likely be able to break into the executive's machine or computer, if you will, and then once that executive is VPN'd, in other words, connected to the corporation securely from home, the attackers could hijack that person's connection.
good lord and be into the corporate network so you can you think it probably goes steps through is there how dangerous it is there any way to be safe now there well i take that back there's a way things, there's countermeasures you can do to raise the bar to mitigate the risk to an acceptable level, but there's no such thing as 100% security.
It was quite interesting because, again, the government played me up as such a threat that I could start a world war by whistling into a telephone that it scared the money.
It's like I had to call and get permission to use a fax machine.
Eventually, that lasted about six months, and then they got tired of it because they realized how ludicrous it was.
And then in the end, I even had permission to use a computer a lot sooner than the public had known about under the condition that I not tell the media about it.
Because it was all about most of the concern was their public image, the government's public image in this case.
So a lot of things I had to keep secret in exchange for them lightening up on a lot of the restrictions that they had.
In fact, in our new book, The Art of Intrusion, I have a story in there because there's always the threat of cyberterrorism being bandied about.
And it's about these two kids, one in Canada and one in Florida, very young kids that are interested in hacking.
And they spent a lot of time on IRC, which is Internet Relay Chat, kind of like a chat room.
And this guy from India, his name was Khaleed Abraham, or I mean is Khalib Abraham.
And what he was doing is he's actively recruiting hackers to break into government, military, and DOD contractor sites.
And these kids, because they were kind of lulled into the thrill of it all, one was doing it for money, one was doing it for the thrill, they were breaking into like Chinese universities, the Atomic Research Center in India, Lockheed Martin, and Boeing.
And they actually successfully penetrated Boeing and were able to get into their mail server from the outside.
And this was through exploiting actually a known vulnerability.
They put in what they call a sniffer.
It's basically a program that captures all the network traffic.
And they were able from the network traffic to obtain enough information to get further into Boeing's network.
And they were able to get the schematics to the nose of the 747 aircraft for this guy in India, which turned out to be part of a terrorist group that may have been associated with Osama bin Laden.
So what's scary about this is, you know, are these foreign adversaries, are potential terrorists trying to recruit kids or very young people that are impressionable on the Internet into doing their dirty work for them and essentially being their cutout?
But in this particular case, what was interesting, then these guys, and this is part of another hacking group called Global Hell, is they broke into the White House server, the mail server, no, the web server, and then from that they were able to get to the mail server.
And then this guy was on IRC with Khalid again, and Khalid sent one of these kids, you know, hey, you know, I'm writing a paper on hacking, and I was curious if you had any hacking incidents you can tell me about.
And then the kid emailed back, yeah, we just broke into the White House.
We just broke into the White House.
And about 15 minutes later, the system administrator from the White House logged onto the site and was running his own sniffer, basically a network monitor, to look at what was going on, which is really strange that right after they told this guy in India that they were on the White House site, that all of a sudden the White House administrator is looking around.
Within a couple weeks, these guys were all busted by the FBI and were rounded up.
And in the court documents, it said the FBI had Learned that these guys had compromised the White House from an informant in India.
Was this guy an FBI operative, an informant, or was he a double agent that he was recruiting kids to break into systems and at the same time was cooperating with the FBI?
I don't know.
Unfortunately, we don't know the whole story, but it's very interesting.
And what's interesting is that these kids were willing to do it.
I mean, we obviously have that the United States government has, you know, they have red teams that are used to essentially protect our government systems, but that they also have offensive teams that are used to break into our foreign enemy systems.
And I don't know where they recruit the people on these teams from.
I presumably people that have a lot of motivation and desire and skills in this area, which means they were probably hackers in the past.
But it's definitely known that they do this, that we're both offensive and defensive, because other countries like Korea and China, I don't know if you recall, remember when the Chinese aircraft was downed by U.S.?
Well, now, and in retaliation for that, there was a group of Chinese hackers that retaliated against the United States through attacking American systems and actually released a worm that caused a lot of problems here worldwide as a retaliation for that incident.
I don't have that information because I don't know who's on these teams.
I don't know what incidents have been investigated.
And that's probably extremely confidential.
I do know that, and we spoke to it in the book, is they had certain public operations.
I think it was Operation God, I'll get it for you in a moment, but it was a particular operation.
I'm trying to think of the code name.
And this operation is where certain government red teams were under instructions that if they used, that they could only use off-the-shelf software, public Internet sites that had exploit code.
The exploit code is programs that exploit vulnerabilities.
Just stuff that's available in the public domain.
And they were able to compromise numerous governmental computer systems just with this publicly available information.
So that was quite eye-opening.
So you have to think about, well, what about people that are much more sophisticated that aren't using off-the-shelf exploits?
I'm really careful because unless I see it with my own eyes, I'm really, really skeptical.
But from what I hear from some trusted sources, our government does have monitoring stations all around the globe, and they're able to intercept communications.
Kevin, if you had a chance to, well, I don't know, maybe get into some secret back door to Echelon and somebody gave you some password that would achieve that and some routing that would achieve that, would you do it?
Nothing but the color of the lights that shine Electricity so fine, look and dry your eyes I live by my...
Before the morning comes to stories old You take me down, you take my super close I'm not the best, I'm not a big dog.
I never saw myself do one of them You found me too, forget you play my role You take self, you make myself ungrown I, I live up among the creatures of the night I haven't got the wheels to try and fight Against a new tomorrow So I guess I'll just believe it Tomorrow will never
come I said it's night I'm living in the forest of my dreams I know the night is not as it would seem I must believe in something So I'll make myself believe it This night will never go Oh, oh, oh, oh Oh, oh, oh, oh Oh, oh
To talk with Art Bell, call the wildcard line at area code 775-727-1295.
The first-time caller line is area code 775-727-1222.
To talk with Art Bell from East to the Rockies, call toll-free at 800-825-5033.
From West to the Rockies, call ARC at 800-618-8255.
International callers may reach Art Bell by calling your in-country spread access number, pressing option 5, and dialing toll-free 800-893-0903.
From coast to coast and worldwide on the internet, this is Coast to Coast AM with Art Bell.
But there's a, you know, I look towards the future.
I don't really try to stay into the past.
And fortunately, I've been very successful at basically taking my background, my experience, and knowledge in helping businesses, government agencies, and universities protect themselves against the threats out there.
So I believe I'm extremely fortunate that I've been able to make lemonade out of lemons.
You can go to university and you can take acting school and you could be a darn good actor and actress.
Or you could have the talent.
You could be naturally gifted in that area.
I think for myself, I was naturally gifted in technology and in this area because since I was a very young boy, when I got involved in amateur radio when I was 12 and graduated into telephones and then into computers, I just had this knack for technology.
It was just a real strong passion.
And then as a kid, in that young age, I was a real prankster.
So I mixed the two.
And at first I would use my knowledge of computers and telephones to pull pranks on friends that shared similar interests.
For example, I remember this guy, Steve, that lives in Pasadena, and he was a phone freaker as well.
And I remember getting into the time, or Pacific Telephone, actually.
And I remember getting into the Switch electronically and changing his home phone number to the line class code or the service of a payphone.
So whenever he tried to make a call, it would say, please deposit a dime.
At the time we had dial phones in class, right, and we have this old Olivetti 110-baud acoustic coupler terminal that we'd used to dial into this PDP-1170, which is a piece of deck hardware that was running this operating system called RISTI-E.
And this is what we learned on.
And I remember my friends and I, we were dialing into a USC into their computer so we could play these really cool games like Star Wars and Grok and Adventure.
And how I used to do it was just simply call the zero operator, pretend I was the teacher, and have the operator connect me to the USC dial-up number.
Right?
So he brings into class one day this lock.
You know, these old phone locks that you put in the number one dial-up.
I remember the teacher's face went as white as a ghost because it totally embarrassed him when I was able just to pulse out the number on the switch hook and make the same phone call anyway.
Yeah, basically, you can basically, if you have the timing right, you can basically, through the switch hook, dial telephone numbers, through dial pulse.
Well, basically, you authorize applications or programs.
You give it permission to connect to the Internet, to use the Internet.
So basically, let's say you've installed a new mail program, like a different mail package other than Outlook.
You have a Zone Alarm installed, what's going to happen is before you can even use the program, a little dialog box is going to pop up and ask for permission for that mail program to be allowed to use the Internet.
As long as those definitions are up to date, go with AVG.
If you're under Windows, don't use Internet Explorer.
I mean, I heard Bill Gates recently was at some conference, I think, the CES show in Vegas, and he mentioned that they're working on a new release of Internet Explorer 7.
But I would use Firefox.
I would absolutely never use Internet Explorer.
I went to Aerosmith.com like six months ago, and I got a piece of spyware dropped on my computer that exploited a security hole with Internet Explorer.
So I'd stay away from that.
Next thing is keeping your operating system to the latest release level.
So if you're running Windows, XP Pro Service Pack 2 with the latest updates, I wouldn't be running Windows 98.
Same thing if you're running on the Mac, Mac OS, I wouldn't be running Mac OS 9.
I would be running the latest release of Panther, 10.3.5, I think it's at, or 10.4.
Installing the security patches, if you're in the consumer environment, it shouldn't be a problem to immediately upgrade any security patches as soon as possible.
With Windows, you can turn this on automatically to do it in the middle of the night if you keep your computer on to automatically update your system.
And then running utilities under at least the Windows environment to try to identify spyware that's already been installed on your computer.
And there's a lot of different programs out there.
Microsoft has released one, a free one, that people can use.
But I've tested a lot of these.
And what I did is I took, there's a company called Spectresoft.
And Spectresoft is the biggest commercial spyware vendor.
What they do is they market products like eBlaster.
It's basically a program you install on somebody's computer and it will monitor everything they do and it will email it to you.
And how they market it to get away with it is if you're an employer and want to watch your employees or if you're a parent and you want to watch your kids.
But you know who's buying those programs, right?
The people that are buying those programs are like people that want to watch their significant other.
And get this, Art.
This is what's really scary.
You go out and you buy a copy of Spectrosoft, right?
Which is malicious code.
It's basically used to spy on people and you install it on your computer, your ABG, or if you're running Norton Antivirus 2005 and all these programs that claim to identify spyware, it doesn't detect it because they won't put a signature in for that because they can get sued by Spectrosoft because it's a legitimate commercial company.
So a lot of these antivirus vendors will not detect commercially available keystroke loggers.
So what do the bad guys do?
They go out and they go to like RiteAid, they get a prepaid credit card and they just order the product.
So now they have it.
Or they use a stolen credit card and they get the product and they install it on the target's computer.
So how do you find this stuff?
One of the best programs that I found, and I think you could use it for 30 days for free, is SpyCop.
In fact, when I was doing my radio show at KFI, at that time I wasn't allowed to use computers, and my show was about the Internet.
So this was hilarious.
So my screener and my producer, I would have to go to the station in downtown L.A. and I'd have to work with them for a few hours before the show to prepare.
And they would go onto the Internet and I'd say, oh, go here, go there, go here, type this.
I was basically surfing the Internet through proxy through my screeners and producers to be able to prepare for my show.
Because how can you do a show on the Internet without being able to look at it?
No, they never did because it was very, you know, a lot of times they would do a lot of the research and they'd come to me and say, hey, this is kind of the current event.
And my producer would also give me ideas of what I should cover in the show.
It wasn't like I was giving them here, go to www.ca.gov, and oh, no, and enter this long story of characters.
And the last thing, Art, about the personal security is if you're running a wireless access point at home, I would definitely, at the minimum, enable WEP.
At the minimum.
What I usually do at home is I actually run an open wireless network because I can really, because if someone neighbor wants to use it, I don't care.
But what I do is I also run a stiffer.
So any time anybody's using the network, if it's not any of the MAC addresses, what I do is the MAC addresses of the computers that are authorized, I don't monitor those.
I just ignore those packets.
But any other packets that are kind of foreign to the network, I log everything so I can see.
So I'm sure that someone's not breaking into bankofamerica.com through my wireless access point or something.
So you've got to watch your back ten times more than anybody else, because if something like that happened, you go directly to jail without passing the Microsoft building.
So anyway, as I was saying, a lot of my audience is going to want to ask you personal and probably seeming to you to be very simple questions, but I can understand why after hearing all of this, and I hope you can too.
All right?
Coming up in the next hour.
So relax, get a cup of coffee or whatever keeps you going in the nighttime.
By the way, I wanted to ask Kevin, most hackers, they're night people, aren't they?
well who knows what yeah My whole life spins into a fancy.
My whole life spins into a fancy.
Picking up, you know, don't be home.
To be queer, yeah, to be queer.
She musters a smile for his nostalgia tear Never coming near what he wanted to say Only to realize it never really was She had a place in his life
Ooh, all the breaks I think close Everybody has a good job.
Everybody else would surely know You're watching my girl But who believe Can you see The wise and wise of my world To talk with Art Bell, call the wildcard line at area code 775-727-1295.
The first-time caller line is area code 775-727-1222.
To talk with Art Bell from east of the Rockies, call toll-free at 800-825-5033.
From west of the Rockies, call 800-618-8255.
International callers may reach ART by calling your in-country sprint access number, pressing option 5, and dialing toll-free 800-893-0903.
From coast to coast and worldwide on the internet, this is Coast to Coast AM with Art Bell.
Suppose you were to hook up with somebody who said that they already had access to a computer up at the infamous Area 51, and they had information about what our government knows about alien presence.
I was at a Starbucks in Los Angeles about two months ago, and I ran in there just to grab my email really quick.
I mean, I must have been in there five minutes, and I grabbed a latte because I was on the road.
And then a month later, I get this call from this guy going, are you the famous Kevin Mitnick?
I go, you mean the guy that used to be a hacker?
And he goes, yeah.
And I go, yeah, that's me.
He goes, were you in a Starbucks in Los Angeles about a month, a month and a half ago?
And I go, I don't know.
Why?
He goes, because I was in a Starbucks and I was capturing everybody's emails that were going over the wireless network, and I think I got your email password.
And presumably, I know he could have got the password because when you use a wireless network in the clear where you pay for it, meaning there's no encryption key, anybody could monitor any of the traffic and get your passwords or any of your communications unless you're using something like SSL, which is called Secure Sockets Layer.
It's like when you see the little padlock on Internet Explorer and you're signing on to your bank, that information cannot be captured that easily.
There's another attack called a man-in-the-middle attack, but I'm not going to go into that now unless you're interested, but that might take a little while of explaining.
So if you're doing anything sensitive over wireless, I'd make sure that you're using something like SSL.
Or if you're using like, if you're to do anything, like a lot of those Yahoo and Hotmail accounts, I think they use SSL to log in, but once you're logged in, all your email is sent over the wireless network in the Clare.
unidentified
All right.
And then the second question was for you, Art, about the weather.
Because I live on the other side of the pass from you.
And I remember, I think it was last summer, the lake was down like 75 feet or something.
Yes.
And I was wondering if all this rain has helped that out at all out.
Well, the definitions mean different things to different people.
There's no clear definition.
But a white hat hacker is an ethical hacker that hasn't done anything illegal in the past, but has pretty much, through self-study and maybe through some university courses, now does vulnerability assessments or pen testing.
Pen testing is simply trying to penetrate into a client's network and find their vulnerability so you could submit a report.
A black hat hacker, on the other hand, is somebody who is currently illegally accessing systems or is malicious.
Yeah, like I said, most of the white hat hackers, I mean, even they have this certification called a CISSP, and one of their code of ethics is you can't even associate with hackers.
But I know several people that have this certification, which isn't really that tough to get.
It really is a test where it tests your definitions of stuff.
It's pretty simple.
And a good percentage of those people have illegally accessed systems in the past, at least the people that I've talked to.
Well, well, I even know about five or six of them that have convicted fella you know, they were convicted of computer-related crimes, but they simply do not disclose that to get the certification.
But the truth of the matter is a lot of people that are from the old school, and I don't mean hackers in the sense of writing worms and viruses and stealing credit card numbers and doing really malicious stuff, but I'm purely talking in the sense of unauthorized access.
I mean, even at the university level.
I mean, if you're in college and you're breaking into your teacher's account, you know, it's still hacking.
My question to you is, what, I mean, I have hobbies.
And one of my hobbies when I was a kid, about your age, was listening to scanners and learning about different frequencies on the scanners and stuff like that.
Well, that's why they call it fraud, because it is, it's grifting, it's fraud.
I mean, speaking plain, that's what it is.
unidentified
Okay.
And I don't know how long, but so for me, how do, I mean, because I have like a credit, I've got a credit card out there, so would I be vulnerable for this?
Every time you use your credit card, there's an audit trail created, of course.
But I mean, unless you have something to be concerned about creating an audit trail, using a credit card is pretty safe because if somebody obtains the number and defrauds you, actually the bank takes the loss and it takes some time.
you probably fill out a form, an affidavit claiming that you didn't make the transaction.
Because you could have someone that skims it at a restaurant.
Now, of course, the vulnerability is that a lot of these e-commerce sites store, especially if they're doing any type of reoccurring billing, they'll store your credit card in their database.
And if their system is compromised by a group of Russian hackers and they steal the database, they have your number.
Well, there's always the chance that if you're using Internet banking, you're using static passwords and it's possible for an attacker to get your static passwords.
They can cause you some difficulties.
But I'd have to be - you know, I'm curious about the legalities involved.
If someone were to retain your password and commit fraud, who takes the risk?
You or the bank?
If it was me, the consumer, I'd rather go to a teller.
If it's the bank, all I have to do is fill out an affidavit and they credit my account back, the money that was illegally transferred or used, then I would say using the Internet, because there's no risk to you as the consumer.
You know, actually, I did sign up for Internet Banking, and they give you this, it looks like an EULA, and user licensing agreement with all this legal stuff.
I have a couple of computer questions, but I just wanted to tell you, first of all, that I'm possessed by demons, and if they start talking, I'm sorry.
I work for a sheriff's office, and sometimes I take my work home and work on it on my laptop, and I have a wireless network, and I was listening to you earlier saying that at the minimum, have a WEP system set up.
On 802.11 wireless access points, you can enable WEP.
It uses a security key.
And then you basically, on your laptop, if you're using Windows, for example, and you connect, you basically type in the same security key you set on the access point, and that's how you set it up.
unidentified
Okay, is there anything more secure than WEP that I could do?
If you're accessing sheriff information, I'd be using something like a VPN, which is called a virtual private network, over the wireless network.
So that way, the only threat is for denial of service attacks, and that's where somebody takes a stronger transmitter and tries jamming the radio signal, which you really have no defense for.
But at least the information that's being transmitted is fully encrypted using a stronger protocol than the wired equivalency privacy.
I was also at a conference in New York a couple days ago, and I turned on my Nokia, and I just scanned to see who has Bluetooth enabled in the room.
There were like three or four people, and you completely, when people don't realize the vulnerability of having Bluetooth on because you could basically snag somebody's address book through Bluetooth.
But what was your question on the wireless network again?
A subject all by itself, really, in a lot of ways.
Kevin Nitnick is my guest.
Kevin is a reformed, as I mentioned earlier, very nearly angelic figure who now helps out corporations and poor people protect themselves against the evil black-hatted doers of wrong.
We will be back to Kevin Midnick in just one moment.
Tomorrow night, I'm going to do something a little bit different, even though it's going to be an open-line session, which means you can really talk about anything you want to.
I am going to begin the show by sort of laying out the situation with regard to energy, America and energy, and the world and energy and where we are right now and what I think is about to happen.
And so give it a little bit of thought yourself tonight.
In fact, if you have anything specific to offer in this area, I'm available by email, two email addresses to get to me, artbell at aol.com or artbell at mindspring.com.
Either one of those two will reach me.
So if you have something specific with regard to this energy emergency time that I think we're about to enter, you're welcome to email me twits now and then.
And if you want to include a phone number, perhaps I'll get you on the air.
It will be an open line night, but believe me, that's going to be one subject I'm going to open up right at the beginning.
Kevin, you're back on the air again with our first-time caller line.
Yeah, I was calling actually about a topic that is sort of unique to the internet called massive multiplayer games.
I don't know if he's heard of this or not, but what they are is there's multiple millions of people that actually play these games all around the world.
They actually subscribe to them.
It's almost like a virtual reality type of thing where people actually become addicted.
And as a matter of fact, I've got a friend that's been playing for six years and he's lost his job over the game.
That's kind of like an addiction to the internet, right?
Or some part of the internet, the games.
unidentified
It's worse because, I mean, I've played myself various different games online for years.
Right now, I'm playing one called World of Warcraft.
And you'd have to look it up sometime, and you'd be surprised that almost, you know, you actually pay $15 a month to play the thing, but they update and add items and content daily.
And even games that you can play on the Xbox or Sony PlayStation, like the Grand Theft Auto, Vice City, San Andreas, those three games that are made by Rockstar, I've talked to people that just can't stop playing.
I mean, literally, they'll be late to work because they're playing these games.
And I have had friends that are in the computer industry.
I am too, but I'm not working there now.
That I've been sort of shocked that, you know, the earliest level of clearance is just credit check.
And a lot of those guys get in there and I'm surprised of what's going on with some of the servers.
I was curious if you had followed that whole scandal that had happened, I guess, at one point with scientists walking out with a hard drive from the hacker.
It's not really for the technically astute security person.
And, you know, Windows runs sluggish a lot, and it takes forever to reboot in some cases, so people prefer, like, macOS.
But, you know, it really...
depends what you're using the computer for.
And I'm not bashing Microsoft either.
A lot of the reason that there's so many security vulnerabilities found in their product is because everybody is looking to find vulnerabilities with Microsoft products because they have the largest market share.
So imagine you get the one vulnerability, then you could attack a lot of people.
Yeah, but for the reason is, imagine you find a vulnerability in Windows, then imagine that you have a bigger, you know, a large surface of businesses and consumers that you could attack.
You find a vulnerability in Mac OS, it's going to be much smaller.
You're a Mac user and you've got your security updated.
Yep.
unidentified
And my operating system is updated and everything.
And everything coming in is fine, but when I use my credit card, is it secure or is there a way that I could make sure that when I hit the return key, that my information is still secure from my credit card?
Well, as long as you're using a site that's using SSL, it raises the security somewhat.
I mean, there are attacks, like what I mentioned earlier in the show called Man in the Middle Attacks.
And then there's the issue of who, well, imagine the company that you're conducting the transaction.
Is it a reptile company or is this a fly-by-night company of a hacker that simply set up a website that purports to sell products and services for a discounted price and you conduct a transaction with it and yet they get your credit card information and it's at any legitimate site?
Man in the middle of attack is where it's a type of attack where the consumer is communicating through the hacker's computer to the legitimate site.
So imagine that you are connecting to, you know, say you're with Washington Mutual and you're online banking, but unbeknownst to you, when you're connecting to your bank, you're really going through my computer.
And I'm acting as the man in the middle taking your information and relaying it to the bank.
Again, so that people aren't unnecessarily frightened, is it generally true that if you take precautions, just general precaution, making sure you're on a secured server when you're ordering something, as long as you go that far, you're basically as safe doing this on your home computer as you are taking a card to a store somewhere and having them swipe it to buy something?
I believe that we're going to see our wireless mobility devices going, because right now we're converging telephony and Internet, so we have voice over IP, and I think we're going to even have more integration with our wireless devices, our PDAs, and our cell phones.
So that's what I think we're going to see in the future is a lot more wireless.
But for example, I have a Vonnage account with values.
I was in Europe about two months ago, and I ended up running up a $6,000 cell phone bill.
And then when I got back home and was sick to my stomach over that, I go, I've got to think of a solution.
So then I realized that I could use Vonnage soft phones.
So whenever I go to a hotel with broadband, I essentially bring my number with me no matter where I am in the world and could actually make calls to and from the United States.
I see these ads on TV, I think we all have lately for yak VoIP or whatever it is, where you can sit and yak with your sister-in-law in Seoul, Korea, or something all day long without additional charge.
I mean, eventually, from layman's point of view, from my point of view, that's going to affect the phone company.
Imagine if you can do self-you know, do cell phone calls using VoIP.
It connects to a local switch and it VoIPs it over the Internet and reducing the charges substantially so they could pass on the savings to the consumer.
But there's a downside to products like Vonnage.
For example, I believe this one family had only Vonage in the house, and then one person had to make a 911 call, and Vonage didn't have, there was no 911 implementation.
Yeah, it is valuable, but I'm looking at comparing, and why I'm doing this, I'm comparing the prices between Europe and the U.S., and in Europe it's much more expensive.
And in the U.S., it's substantially, like, you're going to pay 20% of the price here in America.
So I'm looking at this trend in America of how the prices are dropping substantially.
And these companies, because of their being competitive, are offering better packages for less money.
But as we finally get, I don't know, fiber into every home or into a lot of homes, eventually movies, television, telephone calls, all these things can come over fiber.
All of these broadcast networks, all of these telephone companies, all of these cable companies, television stations, they're all threatened, aren't they, ultimately by the net?
Unless they can jump on the bag wagon, yeah, it's two in the morning.
I understand.
But anyway, they jump on the bandwagon and maybe change their business model, and maybe they could exploit the situation and create a service that works in conjunction with the Internet.
I know exactly what you're talking about, and you're absolutely right.
I have a colleague, I had an office here in Los Angeles, and it's an office space for tech companies, and they share the same network.
And when one of those companies gets hit, it drags down the network for everyone.
And usually it's because of the same thing of the peer-to-peer networks.
In businesses, you basically just restrict it by blocking out the firewall.
But at the consumer level, it's running products, I guess, like Pest Patrol, hopefully, and running AV software.
But the problem is if a user of a peer-to-peer network runs executable code, a lot of these peer-to-peer networks are not only sharing movies and music, but they're sharing software.
And once you download software, it could have malicious code embedded, what we call a Trojan.
And unless that Trojan has been identified and the consumer is using a tool to detect it and eradicate it, they might not know it exists and it sits on their machine.
I know, but when you're sharing product that is supposed to be copyrighted and means something to somebody, you're taking money out of somebody's pocket, a performer or somebody, right?