Computer Hacker Kevin Mitnick

How Tsutomou Shimomura and the FBI tracked down Kevin Mitnick, one of the world's most notorious computer hackers.

Just how does someone become known as "Cyberspace's Most Wanted?" Kevin Mitnick started running into trouble at an early age. He was part of a gang of hackers in Los Angeles and tapped into a computer system at Monroe High School. At 17, he stole manuals from Pacific Bell and also stole software from Microport Systems of Santa Cruz, getting probation both times due to his age. In 1988, he was convicted of computer fraud. Judge Mariana Pfaelzer likened Mitnick's hacking to a drug addiction and ordered him into therapy, prohibiting him from using a computer or telephone while in prison. He served one year.

By June 1992, Mitnick had gone to work for Teltec Investigations, Inc., in Calabasas, Los Angeles County. In late September of that year, FBI agents asked to search Mitnick's office. A warrant had been issued accusing Mitnick of violating the terms of his federal probation, which forbade him to access a computer illegally. At the same time, the California Department of Motor Vehicles accused him of posing as a law enforcement officer to gain classified information and possibly to create false identities for himself. According to an affidavit, the FBI was conducting a computer- and wire-fraud investigation into computer hacking, including unauthorized entry into Pacific Bell Telephone Co. computers. Mitnick was named as a suspect, and at that point, he officially went on the run.

Leading up to the 1990s, Mitnick had committed dozens of technology crimes costing companies millions of dollars. In December 1995, Tsutomou Shimomura, a renowned computer security expert, found that his systems had been breached. The assailant had been successful in stealing data from Shimomura's computer that was used in programming cell phones and security systems. The value of the software taken was considered to be over $500,000. Mitnick had made himself an electronic key to the computer systems so that he could enter at will; then, after stealing the data he wanted, he attempted to restore the system to its original state before the break-in. By editing log files, Mitnick had staged a scene to direct attention away from the crime. Thus, Shimomura, after many days of hard work, was able to verify that the attack had happened, but little more.

Shimomura contacted his connections at the FBI and the National Security Agency (NSA). (The NSA is responsible for the security of national computers and information.) The FBI wiretapped Shimomura's phone line. The first evidence that linked a name to the assailant came in the form of a phone call. The person whom had taken control of Shimomura's systems called to gloat over his achievements, and the conversation was recorded. When the voice sample was played back for many security experts, they realized that the voice was that of Kevin Mitnick.

Large amounts of forensic evidence were soon uncovered that pointed to Mitnick. He had not stored the tools he had used to do the hacking on his home computer. Instead, Mitnick had stored them on a public file site on the Internet, and he had connected to his victims from there. The site, known as The Well, installed special surveillance software that secretly recorded any connections coming in or out of the system.

Kathleen Carlson, the FBI agent who was in charge of the Mitnick investigation, informed Shimomura that they had uncovered one of Mitnick's aliases, "Marty." Mitnick had told many people that his favorite movie was a Robert Redford "hacker" movie named Sneakers. Redford's character was named Marty. Shimomura found logins to The Well using the name "Marty."

At this point, Netcom, one of the nation's largest Internet providers, had experienced a large security breach of its own, costing the company millions of dollars. The method of operation was identical to the attack Shimomura had experienced. Furthermore, the FBI was able to uncover that the hacker had probed Netcom's e-mail accounts for references to the name Kevin Mitnick. It appeared that Mitnick thought they might have been on to him.

To access Netcom's network directly, one would have to dial in directly over a regular phone line. Hoping Mitnick might get sloppy, the FBI started running phone taps on the several thousand phone lines Netcom ran. While Mitnick was smart enough to block his phone number, the FBI was able to isolate the calls to the Raleigh/Durham, North Carolina area. The FBI started monitoring all data traffic running into Netcom from that area and got a lucky break when they monitored a login using the "Marty" name. This time the login came from Colorado. This was highly suspicious and meant that Mitnick was probably not in either of these locations and was simply manipulating the phone systems to fake his location.

Shimomura and his staff actually got to watch Mitnick "talking" with the Netcom system in real time. This means they were able to watch him as he typed every character and see every single thing he did. Even if he was able to cover it up later, Mitnick's actions were "recorded". The FBI watched Kevin break into multiple computer systems through Netcom.

Several days later, Shimomura caught a login under the name "Martin." The user whom was logged in opened a chat with someone in Israel, and the FBI believed that Mitnick had fled to Israel in the 1980s when he was a fugitive from the California police. The person who was logged in started asking the Israeli for software that he could use to hack certain types of Unix servers. "Martin" then asked for tools needed to hack Oki Telecom, a cell phone manufacturer. Shimomura remembered that when Mitnick had accessed his systems, he had gone after phone data as well. This login came from Atlanta, meaning that Kevin was defiantly trying to cover his tracks.

Up until now, there had been much circumstantial evidence collected. However, all Mitnick's actions that the FBI had observed were not illegal in themselves. It is not illegal to have software capable of hacking; it is only illegal to use the software to hack. Kevin finally made a fatal mistake. While logged in again as "Marty," he connected to chat with his Israeli friend again. The Israeli began telling Kevin about a new hack. When the Israeli asked if he would be safe using it, Mitnick made some derogatory comments about John Markoff and how Markoff was blind to his attacks. Markoff was an investigator at The Times looking into the Netcom attacks, so finally, the FBI had some solid evidence of Mitnick admitting he was involved in Netcom's attacks. Mitnick then managed to involve himself more, saying that the only person who was on his trail was "Japboy." (Shimomura is Japanese.) Mitnick then stated, "I know sendmail technique". These were the exact words Mitnick had used when making the phone call to Shimomura to gloat. Mitnick then referred to Oki Telecom and Motorola as good targets for his next attack.

The FBI had now collected enough evidence to prove probable cause for a warrant but still did not know where Mitnick was. They monitored his logins over many more days and noticed that most came from the same North Carolina area. The FBI then obtained a warrant to use a trap-and-trace device and completed a successful trace that returned a phone number from Raleigh. Apparently, Kevin had become lazy and used the local North Carolina Netcom number when he did not feel like covering his tracks, or so thought the FBI.

It turned out that the traced phone number did not exist. Mitnick had merely baited the FBI to show off his ability. However, they still knew that Mitnick was in the Raleigh area, just not at that number. Shimomura ascertained that while Mitnick may have been able to cover where the phone call came from, he could not cover its existence. The phone company checked for any calls made in the Raleigh area that lasted over 30 minutes and that happened at the time of the last attack. Furthermore, the phone company then took all phone numbers involved in calls made over 30 minutes and checked them against any involved in calling Colorado. One phone number came up in the search to those who had called the Raleigh Netcom number that had both called Colorado and had been in use for over 30 minutes during the time of the attack. Everything came back to one cell phone number. Unfortunately, without a valid subpoena, the phone company could not release the information to Shimomura.

This was finally enough evidence for Shimomura to fly to Raleigh and meet with Lathell Thomas, the FBI agent in Raleigh investigating Mitnick. Thomas was waiting on a subpoena to allow the FBI access to telephone records that the phone company had uncovered a few days before. While they did not have the phone number, they had the characteristics of the phone signal, known as a MIN. This was enough for Shimomura to act on his own by using radio transmitters to isolate the signal from the cell phone to a more limited area. While listening to local cell phone traffic, Shimomura actually overheard Mitnick in a conversation. Now that he had the exact frequency, Shimomura simply had to follow the signal to its source.

Of course, because Shimomura was not a law enforcement officer, he had to wait for the FBI to arrive in the area. Shimomura and his staff staked out the area all night, waiting for the FBI to make it to the location. A two-man FBI team arrived late the next evening and set up a "Triggerfish," which was similar to the signal detector Shimomura was using but much more powerful. The Triggerfish antenna was attached to a truck and used it to follow the frequency Shimomura had uncovered. The FBI scanners led the group to what they thought was Mitnick's address. Suddenly, the cell signal was now coming from across town. Mitnick had succeeded in convincing the FBI that he was in a different location. Now the FBI had to wait for a new warrant to search the new address to where they were heading.

This time, Mitnick could not thwart the FBI technology. Being none two happy with running around, the FBI had the second warrant delivered to the new location with a squad of police. The FBI found Mitnick's apartment and raided it. Mitnick began to vomit on the floor as the officers arrived. Various photos of the apartment were taken, as well as all papers, computers, and any other items that could possibly contain evidence.

Mitnick pleaded guilty to one count of cellular telephone fraud, and without a trial, was sentenced to 8 months in jail and several years of probation. He had originally been charged with 23 counts, but all were dropped in exchange for a quick plea bargain. After being released on probation, Mitnick violated the terms and was sentenced to 46 months in prison after pleading guilty to 5 felony charges of computer fraud and abuse in April 1999. While 46 months may not seem very long for the crimes he had committed, Mitnick had served nearly all that time in jail before he even had his day in court. The prosecution felt that this was a smart compromise. Mitnick originally had the right to appeal, but because there was no new time added to his sentence, Mitnick had nothing to appeal.

Mitnick is out of prison once again, but now if he even touches a computer or cell phone, it means a parole violation and a return to jail. He travels the country giving lectures about his story in order to teach companies better computer security.

© High Speed Ventures 2011