Kevin Mitnick, a legal hacker, warns of 'the new normal'
KNIGHT RIDDER/TRIBUNE 3:05 PM ET 10/4/2017
Oct. 04--Hacker-turned-security-consultant Kevin Mitnick used an arsenal of everyday items -- laptops, a Bluetooth speaker and Wi-Fi -- to demonstrate the ease with which one bad actor can wreak havoc on a business or consumer.
His Houston presentation came the same week that Equifax (EFX) and Yahoo expanded the number of people affected by their data breaches. In an era of cyberwarfare, he said, the attacks aren't going to ebb anytime soon.
"I believe it's the new normal," Mitnick told the Chronicle. "And that's because of the limited budgets companies spend on security."
He addressed the BBVA Compass Bright Perspectives forum Tuesday at downtown's JW Marriott.
"It's only fitting to have Kevin speak here today because at BBVA Compass we're focused on bringing the forefront knowledge to our clients about the world's rapid digital transformation," Houston CEO Mark Montgomery told 150 banking clients and prospects.
Equifax (EFX) disclosed Monday that an additional 2.5 million U.S. consumers could have been affected by its data breach, bringing the total to 145.5 million people. Yahoo on Tuesday announced that an August 2013 breach affected all 3 billion user accounts. That is three times the size of the impact it previously reported.
According to Identity Theft Resource Center and CyberScout, the number of U.S. data breaches tracked through June 30 hit a half-year record of 791, up 29 percent over 2016. At this pace, the number of breaches could reach 1,500 in 2017, a 37 percent increase over the record-breaking 1,093 breaches in 2016.
All data breaches are damaging to companies and consumers, but Mitnick said the Equifax (EFX) heist could have longer-term implications. Criminals may have gained access to Social Security numbers, birth dates and addresses.
"Because all the information in your credit profile is used to verify your identity, it's now going to be super easy for the bad guys to impersonate you for any purpose whatsoever," Mitnick said. "So it's really, really significant."
He hopes the recent string of attacks will encourage companies to invest more in cybersecurity efforts and to be proactive rather than reactive.
Mitnick is a security consultant hired by governments and Fortune 500 companies to identify and fix cybersecurity weaknesses. But he didn't always hack into companies with their permission.
In high school, Mitnick was involved with phone phreaking, a predecessor of sorts to computer hacking that used phone systems. If he called one number, it would read back the number he was calling from. Another number enabled him to use a five-digit code to call anywhere in the world for free.
Mitnick could even change his friend's home phone to a payphone. Whenever his friend's family tried to make a call, it would ask them to deposit 25 cents.
This interest in phone phreaking led Mitnick to computers, where the first program he wrote was designed to steal his teacher's password.
"It was all about the seduction of adventure, the pursuit of knowledge and the challenge," he told the audience. He wasn't in it for the money or to cause damage, he said.
Mitnick ultimately hacked into 40 major corporations and landed on the FBI's Most Wanted list. He spent time in federal prison, some of that in solitary confinement. When he returned to his old habits, he was on the side of those trying to keep their information secure.
As CEO of Mitnick Security Consulting, Mitnick and his team have a 100 percent success rate at being able to penetrate the security of any system they're paid to hack using technical exploits and social engineering. Their work exposes weaknesses that the companies can then address.
Data breaches are harmful to a company's image and bottom line. The average cost of a data breach is $3.62 million, according to the 2017 Cost of Data Breach Study: Global Overview released by IBM Security and Ponemon Institute.
That's down from $4 million reported in fiscal 2016. Despite the decline, the 419 companies that participated in this year's study reported larger data breaches. The average size increased 1.8 percent.
"At the end of the day, a breach costs you money," Mitnick said.
He also spoke to the Chronicle about the Russians using Facebook (FB) ads to meddle with the U.S. election, an attack he described as a psychological operation. He said he doesn't think there are laws that criminalize creating false advertisements, though Mitnick acknowledged he is not an expert in the area.
"Of course it's very concerning and it should be illegal," he said, "but I don't think there's any law that has been broken."