Virtually everyone in technology knows about Kevin Mitnick, who in the 1970s, '80s and '90s was a notorious fugitive hacker on the run from the FBI.
(If you're not familiar with the details of Mitnick's exploits, I recommend his book, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker.)
Most experts also know that he's made his living since being released from prison as a security consultant. But did you know that he still hacks for a living?
Mitnick has always emphasised the importance of social engineering for hacking, an emphasis that's lacking in most security advice. He also focuses on how to get through to a public that struggles to appreciate the risks.
So he gets through to his public by hacking them (with their permission). Corporate training can make the eyes glaze over. So Mitnick drives his points home by actually hacking his clients, then showing them how they could be easily victimised in the future by a malicious hacker.
Mitnick, the chief hacking officer for a company called KnowBe4, is working on a new book called The Art of Invisibility, which will be a master class in securing one's privacy against a world of hacks and exploits.
In the meantime, he's got some easy tips for securing mobile devices.
I sat down with Mitnick at last week's RSA conference in San Francisco, and he rattled off advice that everyone can use. (You can hear the full interview on my FATcast podcast, which will be posted on 10 March.)
Mitnick specialises in making clients think about things they hadn't thought of before. For example, some people seeking privacy might buy a 'burner phone' - a phone purchased without a contract, for privacy. But Mitnick points out that even buying a secure device can compromise your privacy, because the purchase itself can be traced back to you through the Uber you took or the car you rented to reach the store. (The transportation record leads to the store, and the store's records can identify the phone.)
At KnowBe4, Mitnick helps companies prevent and deal with the most pernicious and difficult hack, which is a phishing attack.
Phishing is a form of social engineering that involves tricking someone into believing an email or other message is coming from a trustworthy source; for example, an email that appears to come from PayPal or from someone claiming to be an executive in the company the victim works for. Once trust is gained, the target might open an application, download a file, reply with password or other information, or visit a website that delivers its own malicious payload.
Mitnick says, "It's much easier to hack a human than a computer because computers follow instructions, they don't vary. Humans go by emotion, by what's happening in their day... so it's not hard" to socially engineer someone "especially if they haven't been burned before."