Ghost in the Wires by Kevin Mitnick and William L Simon is perhaps the seminal work on social engineering by one of the industry’s most famous exponents. Mitnick attained a certain amount of notoriety by going on the run for two years before finally being apprehended by the FBI, but I think that his biggest claim to fame is his ability [as alleged by prosecutors] to be able to phone NORAD, whistle down the line and launch a nuclear strike. This is obviously preposterous, and is not something that will be discussed in the rest of this article.
When reading the book the first time, I was struck by how early Mitnick embarked on his career as a social engineer. Persuading an LA bus driver to divulge where he could get a machine like the one used to punch tickets at the age of 12 shows how a bit of knowledge and the knack of talking to people can reap dividends.
I also particularly enjoyed the episode Mitnick describes in a South Dakota registrar’s office. Having explained that he was a private investigator, he was given a desk and ultimately given access to the Crown Jewels – blank birth certificates and the official embossing tool for them. In a short space of time he had all the documentation he needed to continue to reinvent his identity as and when needed. Patience and an open personality, with an eye on the prize in the long game again produced rewards.
Having called in to the NSA itself (and in the wake of Snowden’s revelations how ironic is that) and accidentally overheard a conversation about himself must have been incredible. It’s unsurprising that Mitnick didn’t dare to push his luck by calling in again.
It felt that throughout the book Mitnick was at pains to explain how he never hacked anything, just persuaded people to give him access through what he said and how he said it. He also made it clear that he wasn’t doing any of it for financial gain, but more as a test of his abilities, which were honed and improved over the years. Having a remarkable memory for numbers obviously helped tremendously.
I’m not convinced that downloading / obtaining source code and trawling through it for bugs which could be exploited is as innocent as he claims: at the very least, whoever he told about the vulnerabilities may have committed serious crimes.
This was an interesting book, and one which should be on every security professional’s reading list.