Hacker Mitnick testifies before Senate
"It was a computer system run by one individual. And this computer was in his home and it was in the U.K., in England, and I was unable to circumvent the security in that system because I didn't have control of BT [British Telecom]," Mitnick told the Senate Governmental Affairs Committee Thursday.
During his testimony, Mitnick -- who was only released from a medium security prison in Lompoc, Calif., on Jan. 21 -- offered tantalizing insight into his life as a computer intruder, and also took the opportunity to take another swipe at the FBI for "enticing" him back into illegal hacking activities.
Regarding that unsuccessful hack attempt, Mitnick, who successfully cracked computer systems belonging to Motorola (mot), Fujtsu and Sun Micosystems (sunw), said he targeted the computer because it belonged to an "individual" who had found vulnerabilities in Digital Equipment Corp.'s VMS operating system. "And my goal was obtaining information on all security vulnerabilities so I'd be effective in compromising any security system that I chose to compromise," he said.
However, the hacker said he found his target "extremely difficult" to crack because "this person was very, very sharp" on computer security.
"See," Mitnick said, "the real important point is that the more people that have access to a computer system the easier it is to penetrate. For social engineering an exploit into government or into large corporations it's very easy."
Dressed neatly in a jacket and tie, and rocking gently back and forth in his chair as he answered questions, the bespectacled Mitnick, 36, was the star witness at Thursday's Senate hearing, convened to discuss online security following last month's spate of denial-of-service attacks against eight major Web sites, including ZDNet.
To thwart computer attacks, Mitnick suggested that each U.S. government agency assess the risk to its systems and do a cost-benefit analysis on protecting them.
Mitnick also applauded as a "good first step" a pending bill to beef up federal information security practices. But he said the bill should go further and create an audit and oversight program that measures compliance plus a numeric "trust ranking" that would quantify its results.
Sen. John Edwards, D-N.C., asked Mitnick whether hacking was a "physical addiction."
Mitnick: "I enjoyed it. I would say it was a distinct preoccupation, but I don't think I could label it an addiction per se."
Edwards: "Did you ever try to stop?"
Mitnick: "I did stop for a while. And then at that time that I wasn't engaging in that behavior the Department of Justice, specifically the FBI, sent this informant [hacker Justin Petersen] to target me. And, basically, I got hooked back into computer hacking because of the enticements that this fellow that they sent to target me -- you know -- kind of enticed me back into that arena."
Mitnick went on to say that he didn't encourage "any activity which maliciously destroys, alters or damages computer information. Breaking into computer systems is wrong."
Mitnick is not the first hacker to appear before the Governmental Affairs Committee, chaired by Sen. Fred Thompson, R-Tenn. In May 1998, L0pht, a Boston-based hacker group that recently went corporate, also testified on computer security.
In a statement issued before Thursday's hearing, Thompson said federal agencies continue to "use a band-aid approach to computer security."
"Hopefully, the recent breaches of security at the various dotcom companies is the wake-up call needed to focus attention on the security of government computer systems," he said.
Reuters contributed to this report.