Forgot your password?
typodupeerror
Security Books Media Book Reviews

The Art of Deception 241

Posted by timothy
from the ignore-the-man-behind-that-curtain dept.
MasterSLATE writes "One of the weakest links to the most secured computer systems are the humans that operate them. No matter how well secured a computer, network or information may be, there are always people that will have contact with them from the inside. This is what the social engineer exploits in order to gain access. In The Art of Deception, Kevin Mitnick writes about the human element and how it can be manipulated and exploited to gain access to computer systems or 'secure' information." Read on for the rest of Masterslate's review.
The Art of Deception
author Kevin Mitnick (& William L. Simon)
pages 346
publisher Wiley Publishing, Inc.
rating 9
reviewer MasterSLATE
ISBN 0471237124
summary Geared toward the company security guy, but a good read for anyone interested in security, especially social engineering

What's to Like?

The Art of Deception is extremely easy to understand and actually fun to read.

The first part of the book, Behind the Scenes contains the first chapter, Security's Weakest Link, which describes through many examples how and why the social engineer is able to so easily manipulate people to get what he wants.

Part 2, The Art of the Attacker, contains chapters 2-9, which describe various ways a social engineer can manipulate people over the phone. Each chapter tells of a different method that could be used to gain information. Each chapter also contains at least one example.

Part 3, Intruder Alert, contains chapters 10-14, which tell about different ways a social engineer can get inside a company, whether physically or through an internal contact. Each chapter contains at least one example.

Part 4, Raising the Bar, contains chapters 15 and 16, which explain how a company should create their security policies and training to prevent the social engineer from gaining access to sensitive information. These chapters are definitely more geared toward the executive, security analyst, or other specialist, as they contain specifics on what new policies should be implemented and why.

The last section in the book, Security at a Glance, contains some charts and information which should be read over by a more general audience, such as employees and other people that may be contacted by a social engineer.

And one sidenote: there's a nice little foreword by Woz (Steve Wozniak).

The Summary

Although this book is geared toward the company security expert, this book also has appeal to anyone with an interest in social engineering. I found it to be a quick and fun read. As a social engineer, this book taught me new tactics to try as well as ways that my targets might be prevented from giving me information I seek.

Table of Contents

Foreword
Preface
Introduction

Part 1 Behind the Scenes
* Chapter 1 Security's Weakest Link
Part 2 The Art of the Attacker
* Chapter 2 When Innocuous Information Isn't
* Chapter 3 The Direct Attack: Just Asking for It
* Chapter 4 Building Trust
* Chapter 5 "Let Me Help You"
* Chapter 6 "Can You Help Me?"
* Chapter 7 Phony Sites and Dangerous Attachments
* Chapter 8 Using Sympathy, Guilt and Intimidation
* Chapter 9 The Reverse Sting
Part 3 Intruder Alert
* Chapter 10 Entering the Premises
* Chapter 11 Combining Technology and Social Engineering
* Chapter 12 Attacks on the Entry-Level Employee
* Chapter 13 Clever Cons
* Chapter 14 Industrial Espionage
Part 4 Raising the Bar
* Chapter 15 Information Security Awareness and Training
* Chapter 16 Recommended Corporate Information Security Policies

Security at a Glance
Sources
Acknowledgments
Index


You can purchase The Art of Deception from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

The Art of Deception

Comments Filter:
  • by eaddict (148006) on Tuesday January 14, 2003 @12:36PM (#5081596)
    Doesn't the US DCMA NOT allow for tools that bypass security? I wonder how soon it will be before someone tries to use the DCMA against someone who used social engineering.
    • "a technological measure that effectively controls access to a work protected under this title" is the exact wording.
      • Well, if businesses can patent vague ideas that are really more social than technological in nature -- e.g., 1-click -- then I'm sure some lawyer, somewhere, sometime, will argue that social engineering techniques are a "technological measure."
    • by Anonymous Coward
      I don't see why the DMCA (Digital Millenium Copyright Act, not Digital Copyright Millenium Act) enters into social engineering. There is no "tool" to accuse the person of possessing, so how would you build your case on that argument? That law only applies to cases where you're trying to subvert copyright (or possess tools that are used for such a purpose).

      This is simple infiltration. There are laws that make unauthorized access to computer systems illegal (e.g. parts of the Homeland Security Act) regardless of how you do it or what tools you use.

      I don't mean to burst your bubble or anything, and on the contrary I hope this makes you want to learn more about the (especially new ones) laws affecting our interaction with others and with technology.
    • I'd say no, right up until a court determines a "technique" is the same as a "tool".

    • From the article:
      >Part 2 The Art of the Attacker
      * Chapter 2 When Innocuous Information Isn't
      * Chapter 3 The Direct Attack: Just Asking for It
      * Chapter 4 Building Trust
      * Chapter 5 "Let Me Help You"
      * Chapter 6 "Can You Help Me?"
      * Chapter 7 Phony Sites and Dangerous Attachments
      * Chapter 8 Using Sympathy, Guilt and Intimidation
      * Chapter 9 The Reverse Sting

      From the poster:
      > Doesn't the US DCMA NOT allow for tools that bypass security? I wonder how soon it will be before someone tries to use the DCMA against someone who used social engineering.

      Don't worry, rumors to the effect that we're going to pass laws to extend DMCA to new areas happen all the time, they're pretty innocuous. Why don't you support us? We're just trying to make good laws, just like you're trying to make good code. If you're confused, that's OK, we've seen that before, let us help you with that.

      We're working with Senator Hollings (D-Dis), and we're considering new and novel approaches to promote consumer use of broadband. Can you help us help him to promote the use of consumer broadband?

      He's taken an awful lot of hard knocks lately over the SSSCA, er, CBDTPA, and some people in the halls of power (and some who have really big guns!) think it's partially Slashdot's fault and are kinda cheezed about it. But neither bill had a chance to be passed, and Senator Hollings (D-Dis) knew it when he put them forward. Surely an honest geek can make up for misunderstanding the Senator's intention, can't he?

      Did you know that Senator Hollings (D-Dis) is starting up a brand-new 2600 chapter in Washington, DC? Why not come to our first meeting and say hello!

    • ...Is that the corporate big-wigs hit Mitnick with DMCA. After all, corporate espionage is the process of stealing information.

      There's a line that needs to be pointed out: The differences between proprietary information, copyrighted materials, and trade secrets.

      Both copyrights and trade secrets contribute to proprietary information. The only sense behind the DMCA is that it's supposed protects proprietary information. I don't think that the legislators realized that's what the spirit of the law really is.

      I'm hoping some large company, like a biotech firm, turns around and tries to slam Mitnick, because this book can be considered controversial enough to warrant an extended legal battle.

      The defense would have to point out that writing books has long been considered part of free speech, and that one consequence of this law is to suppress that speech when it goes against the wishes of corporations with massive volumes of sensitive data.

      The prosecution would then have to point out that copyrights are a specific exemption to the first ammendment. They'd probably try to point out that copyrights and proprietary information are in the same boat; their goal is not to be shared. Enter retroactive copyright legality.

      It's a pipe dream, and I'm probably all washed up, but here's to hoping.

      Consequences would follow, though. Mitnick is going to need money for lawyers. Where's he going to get it? For this topic, I'm sure a lot of people of geek origin would donate some money. In any case, the spin placed on the court case by the prosecuting company is goint to paint the book as "a tool for hackers, by a hacker." (Note the quotes.)

      Any lawyer who defends him, and everyone who sends support, is going to be guilty by association with a cracker. That means the open-source and free-software crowds. (Indeed, we'd only have to provide verbal support in order for companies like Microsoft and the **AAs to paint open source as an evil underground movement.
  • Is this always true? (Score:4, Interesting)

    by chrisseaton (573490) on Tuesday January 14, 2003 @12:37PM (#5081600) Homepage

    there are always people that will have contact with them from the inside

    Can't you get cryptographic keys that are sealed inside a black box device so that no-one can access them? Couldn't this sort of thing be done for at least some hardware?

    Oh dear, I think I've just justified security through obfuscation.

    • you can only pile on so many security procedures before Joe Whiteout in the cubical gets a glazed expression on his face. the problem with security procedures, is you've got to make them easy enough that your everyday user can use them without getting on your phone every 10 minutes asking if you can reset their account because they screwed up and got locked out of the system.

      you can have extensive logging and security measures going on behind the scenes, but once it gets to the user level, you've got to make it as simple as possible for them to log in and get access to what they need to know/work with. and all it takes is someone leaving their username and password on a sticky note on their monitor or answering a phone with someone official sounding on the other end, for that account to be compromised.

      I shouldn't have to mention it, but any user account that gets compromised can potentially get the whole network compromised. the human element is always the weakest link in the security chain; whether it's a sysadmin that just doesn't set everything up right and leaves default account names and passwords or the user that just gives his password out over the phone. the machines just do what they were programmed to do. nothing more, nothing less.
    • by Bastian (66383) on Tuesday January 14, 2003 @12:52PM (#5081710)
      SmartCard security, ATM cards, and a host of other security solutions (not just along the card theme) already employ the "Something you have, something you know" security scheme in which sensitive things can only be accessed if you have both a device (usually containing some sort of identifier) as well as a password.

      Another interesting version of this system involves a keychain or some similar device that contains a computer whose only job is to take some encryption key and scramble it every n time interval. The central sever is doing the same thing. The end result is that the user has to know two passwords - his normal password, plus a key that changes every minute or what have you.
      • Not Sufficient (Score:5, Interesting)

        by nosilA (8112) on Tuesday January 14, 2003 @01:03PM (#5081770)
        One of the anecdotes in this book exploits a SecurID, using a well-meaning 3rd party. Basically a caller poses as an employee when talking to an operator during a snowstorm. He says he needs to get some work done, but he left his SecurID on his desk. The operator doesn't want to go to the desk to get it, so instead he gives his own SecurID number and PIN to the caller. This was probably one of the most clever manipulations in the book.

        Fundamentally, any time you have a human involved in a process, you have a potential security hole.

        -Alison
      • The one I like is RFID on the employee's nametag and a biometric reader (thumbprint in this case) on the terminal.
        User walks up, computer detect that Bob Jones is standing there, Bob Jones presses thumb, computer says that this is in fact Bob Jones. Unlock.

        The problem is always the human element.... and money too.

        • The one I like is RFID on the employee's nametag and a biometric reader (thumbprint in this case) on the terminal. User walks up, computer detect that Bob Jones is standing there, Bob Jones presses thumb, computer says that this is in fact Bob Jones. Unlock.

          That's a pretty good system, although it has a few fundamental flaws that make it unsuitable for ultra-paranoid environments. The problem is that Bob's fingerprint is a static key. If I want to fool the system, all I have to do is to capture Bob's fingerprint. Then I walk up to the computer, unplug the fingerprint reader and substitute my own device which simply reports that I am Bob.

          You could improve the fingerprint reader system a bit by encrypting the wire protocol between the hardware and the device driver, but it's still technically feasible to break open the device and splice in the pre-computed signal. Still, admittedly the fingerprint reader is not open to a social engineering attack.

          -a

          • You could always just take Bob's thumb. You could also find out some piece of information about Bob that could be used to make Bob want to let you in. You could drug Bob. You or someone working for you could seduce Bob. You could offer Bob a large amount of money/pr0n/whateverelseBobwants. You could convince Bob that you are good and that the person running the system you want access to is evil and that Bob should let you in.

            Do not fool yourself *anytime* there is a human involved you can use social engineering to get in.
      • Didn't they get around this in "Ocean's 11" by tricking the guard with the scrambling password to take their package in for them? I'm thinking of the scene where the two twins get the guard to take the cart with the little Chinese guy inside into the vault--
    • According to some interpretations of Schrodinger's Cat [everything2.com], if one were to employ such a black box with cryptographic keys, it may never work; this is in the same jest that the code to Windows 9x has never been seen, and consequently randomly doesn't work.
  • Letter.. (Score:5, Funny)

    by grub (11606) <slashdot@grub.net> on Tuesday January 14, 2003 @12:39PM (#5081608) Homepage Journal

    Dear Amazon.com,

    I would like to get a copy of "The Art of Deception", however my grandmother needs surgery and I can't spare any money at the moment. If you'd like to lend me a copy please feel free to email for shipping information.

    I, and my grandmother, thank you.

    grubby
    • Re:Letter.. (Score:5, Funny)

      by Scratch-O-Matic (245992) on Tuesday January 14, 2003 @01:05PM (#5081789)
      Dear Mr. Grub...

      Hi, it's Scratch at Amazon. The suits here would never think of sending you something for free, but your story touched my heart, and I'd like to help. If you could send me the username and password of your Amazon account, I'd be happy to slip the order in for you, without charging your credit card.
    • Ahem (Score:3, Informative)

      by tiltowait (306189)
      Affiliate tags aside, according to OCLC's WorldCat about 450 libraries have this book available for lending free of charge. If you library doesn't, you can still usually order it through an interlibrary loan service.
  • by Ami Ganguli (921) on Tuesday January 14, 2003 @12:39PM (#5081609) Homepage

    The Register ran a review, along with the original first chapter of the book (which was cut by the editors).

    The first chapter is (or rather, was) a short bio and history of the Mitnik case. Interesting to read Kevin's side in his own words.

    The lost chapter [212.100.234.54]

  • Innocuous (Score:4, Insightful)

    by jfreis (614880) on Tuesday January 14, 2003 @12:39PM (#5081610)
    "Chapter 2 When Innocuous Information Isn't"

    All the little bits and pieces of info can sure add up to a major security hole if they are collected by the right person...
    • ... little bits and pieces of info can sure add up to a major security hole ...

      Back in the 70's there was an interesting case that was widely reported, mostly as a commentary on how US military security works. It seems that the DoD funded a couple of university profs to do a study of what could be learned about the US military solely by collecting information from public sources. They worked for a couple of months, and submitted their report.

      Suposedly the report got a Top Secret classification within 24 hours ...

      --
  • by Anonymous Coward on Tuesday January 14, 2003 @12:40PM (#5081614)

    As a social engineer, this book taught me new tactics to try as well as ways that my targets might be prevented from giving me information I seek.

    You misspelled "criminal".

  • Reminds me of _40 Years a Gambler on the Mississippi_ by Duevol. Did such a person exist? There is evidence that he did. Was he a great gambler and con artist? Contemporary records indicate he was. Did he actually do any of the things that he described in his book? Given (a) and (b), probably.

    Now the key question: how much can you believe of what you read in the book? Well, about as much as you should believe coming from a man who obtained millions of dollars (1860 millions!) by lying, cheating, and swindling.

    sPh

  • by beanerspace (443710) on Tuesday January 14, 2003 @12:41PM (#5081632) Homepage
    Wasn't it just yesterday we read an article here on /. that pointed out human factors being the weak link in the chain? In the case of yesterday's news, human factors in programming and today's, human factors in physical security.

    I mean look at an article on TechTV [techtv.com] as far back as October 2001 that point out such human blunders as "Default installs of operating systems and applications" or "Accounts with no passwords or weak passwords" ... human mistakes which make it as easy a pie for someone who socially engineers their way into the back office to penetrate your secure systems.

    Perhaps this quote from a Oct '02 SANS/FBI article [sans.org] point out the worth of this book where they say:
    The majority of the successful attacks on operating systems come from only a few software vulnerabilities ...
    Which is why I think books such as "The Art of Deception" are as needed as biometric identification systems to secure your computer facilities.

    • by einhverfr (238914) <chris...travers@@@gmail...com> on Tuesday January 14, 2003 @01:30PM (#5081945) Homepage Journal
      1) Ideally build security around "what you have/what you know" to the greatest extent possible.

      2) Train, train, train!

      3) Just like you do a network security audit from time to time, do mock attacks! Call up an employee and use something like the following script (modified each time)

      "Hi, my name is Joe Angstrom. I work over in IT."

      "We are investigating a potential security problem on our network and need to ask you a few questions. Have you noticed anything strange about your computer recently?"

      "Thank you, this has been very helpful. There is one more thing. So that we can be sure of this, could you verify your username and password?"

      Just make sure that it is approved of before you do it ;) If the employee gives out their login info, you send them an email letting them know that they should NEVER give out login information to ANYONE for ANY REASON, and tell them to change their password. Explain that passwords are not accessible to anyone, and that login information is available to anyone who would be investigating security problems. If it happens again, send an email to their manager as well ;-)

      The point is-- human factors can be mitigated by training, but no one puts that effort into things.
      • Why bother? Just give everyone a password and make them responsible for any abuse of the system committed in their name.

        You think this is a joke, but that's what the last place I worked for did. They thought of it as "personal responsibility". No training, nothing useful. They ran M$ for everything server to desktop, then made it so they could blame someone when things were broken into, complete with an electronic signature. What else do you expect from a M$ shop? You "training" efforts there would just end up as another way to "renew" or fire people.

        • Why bother? Just give everyone a password and make them responsible for any abuse of the system committed in their name.

          Because even well-meaning people are not capable of being completely responsible for these abuses if they are not properly trained or aware of how these things occur. My whole scenario is designed to test whether someone is thinking about security and has the knowledge to recognize the attack.
          • You say,

            Because even well-meaning people are not capable of being completely responsible for these abuses if they are not properly trained or aware of how these things occur.

            No one is responsible for what other people do without their knowldge and consent. Blaming the user for network security and software bugs is sorry. Telling people not to share their passwords and using that as a means of transfering blame is a cop-out. There should not be a way for someone to get at company information simply by talking to an employee over the phone or through email sniffing. Information that should be gaurded needs to be gaurded and employees who use the tools their employers give them are not responsible when those tools fail them. That's why I was disgusted with the way things were actually done.

            Your test is a bad idea. It is predicated on responsibility that should not be born by the employee. The very fact that the test might be useful shows that there are huge holes in data security. A company that displaces blame like that will invariably use your test data to fire competent employees when things get tight.

            • Security is a total solution, and it involves people, administration, software, etc.

              I think that where we agree is that security needs to be a systemic effort on the part of the employer, but I think we disagree on what needs to be part of the system. And I think you are right that some companies will use this to fire competent employees when things get tight. But my pov is that such companies will fire such competent employees anyway, and that is an HR problem, not a security problem.

              However, I think that from a raw security viewpoint, one has to always bear in mind that the weakest link is the critical one and if you assume that you don't need to worry about your employees, then you have to conclude that you cannot trust them at all. You could then do things like have security guards search everyone as they enter or leave (like some companies have done), but one way or another, you end up in this area.

              I guess the fundamental principle is that employees should be mindful of their employers too.
    • "The majority of the successful attacks on operating systems come from only a few software vulnerabilities ..."
      That's basically why the Counterpane guys are now leaning towards "distributed security." The idea is not to let any one password (or person) have enough access to anything to cause problems. I read an article somewhere in which Schneier pointed out, among other stuff, that far too many people use the same password everywhere. Thus if you get hacked on amazon.com, the thief will get into your fidelity.com account and your employer's network as well.
  • by awch (134042) on Tuesday January 14, 2003 @12:42PM (#5081636)
    This isn't a review. It's a Table of Contents! Was the book even read?
    • Right here (Score:3, Funny)

      by Bastian (66383)
      The Art of Deception is extremely easy to understand and actually fun to read.
    • You're kidding right? Seems most slashdot readers can't even read a short article and post relavent comments on it. Here you're expecting one to read a BOOK and write a REVIEW? Maybe in an alternate universe ;)
  • by phorm (591458) on Tuesday January 14, 2003 @12:43PM (#5081640) Journal
    Is generally the users. Excluding those who run open mail relays, most servers/sysadmins have enough brains not to run the file in their email coming with a message:
    This iz a very fun game
    I hope you anjoy it
    I made this just for u


    How users manage to continually fall for this idiocy is beyond me, but they do. My family is a prime example of this (they refer to me when something dies, but never listen to my "do not open attachments" rant): thus, they now get Mozilla and I'll probably block emails with .exe/.vbs/etc entirely.

    Just based on the chapter titles, I think tricks such as the "Let me help you", etc are probably some of the nastiest. Considering the many people who seem to know shiat about progamming and come for help, it wouldn't be hard to slip something cruel into your "sample code."
    It's amazing how, after helping somebody directly with something for 30 minutes or so, they're suddenly willing to let me
    a) Have root access to their machine ('nix)
    b) Control their PC (netmeeting/etc windows)

    Luckily I'm a nice person, but not everybody is so helpful as they appear. Social engineering is definately an increasing trend, which is leading to user pananoia. I still don't think that the statement "One of the weakest links to the most secured computer systems are the humans that operate them."
    A good sysadmin will block a lot of things that lead to exploitation (unused ports, etc), and perhaps notice odd happenings/traffic. It's the operators of the less-secure systems (clients) that are at risk most often.
  • by knobmaker (523595) on Tuesday January 14, 2003 @12:43PM (#5081642) Homepage Journal
    I read this recently, and although it's a pretty good introduction to the conman profession, I was a little disappointed in the lack of actual examples of clever hacking.

    The book is primarily about social engineering. Most of the example crimes in this book could have been perpetrated by folks who had no more than a casual acquaintance with the inner workings of computers. In other words, Mitnick tells you how to exploit the stupidity of human beings in large organization, and not how to exploit weaknesses in operating systems and security software.

    Part of this is probably due to court-ordered vagueness; the court obviously didn't want Mitnick spreading dangerous knowledge.

    On the other hand, Mitnick is probably correct in his contention that the greatest factor leading to compromised systems is the naivete of the folks who work with them.
    • by Savage-Rabbit (308260) on Tuesday January 14, 2003 @01:09PM (#5081813)
      ....can scale any fortress wall.

      Philip of Macedon said that (I seem to remember) 2300 year ago. To put it short more codes have been cracked and more defenses of any kind have been breached by exploiting simple human weakness than any clever hacking/engineering ever has and ever will. It usually is the easyest way. Take the Enigma code, it was cracked, partly, because of the simplistic and repetitive choices of code key words made by the Wehrmacht communications personnel. It never ceases to amaze me how deeply this fact disappoints the tech freaks of this world. If I had to guess all the nerds at CIA-Langley with all their cool equipment will not contribute even half as much to catching Osam Bin Landen or determining his fate as simple traitors within Al Quaeda will do.
      • guess all the nerds at CIA-Langley with all their cool equipment will not contribute even half as much to catching Osam Bin Landen

        So you mean to tell me this guy [landonland.com] is one of them?!?!?!

        I guess there will be 72 virgins on his Highway to Heaven, eh?
  • Table of Contents? (Score:4, Informative)

    by mmThe1 (213136) on Tuesday January 14, 2003 @12:44PM (#5081652) Homepage
    May seem like a nitpick [reference.com], but isn't this "review" more of a "Table of Contents with brief description of chapters"?

    Slashdot Book Review Guidelines [slashdot.org]
  • It's a knack. (Score:4, Insightful)

    by caluml (551744) <slashdot AT spam ... OT calum DOT org> on Tuesday January 14, 2003 @12:45PM (#5081656) Homepage
    It's a knack, social engineering.
    I've read the book, and just like some people couldn't sell food to a starving man, only a few people can pull it off.

    Get one tiny piece of information from one person, another from another, and after a while, enough of those pieces make you sound like you are an employee. And we all help our fellow downtrodden, overworked employees, don't we.

    EG. If you have an intranet at work, I bet you have a nickname for it. And if someone asked you for something from it, and said "I can't get to the XXXX today, not sure why, it seems to be down..." you'd probably go and find the info for them.
  • "In The Art of Deception, Kevin Mitnick writes about the human element and how it can be manipulated and exploited..."

    Hey Bob, I have $100 to give you if you give me access to such and such a network..

    Lets face it. The easiest way to manipulate the human element is wave around some cash. Many people will do anything for the right price, whether it's illegal or not.

    • by Thud457 (234763)
      Wayving cash around usually leads people to think that you are up to someting improper, unethical or illegal.

      A important criterea in social engineering is to get a person's help, hell, even goodwill, without them realizing that you up to any skullduggery. If you're really lucky, they won't even remember aiding you.

    • Not really, there are plenty of people are not willing to take bribes.

      The easiest way to manipulate people is to pretend to be their friend. We tend to let our friends do things that don't jive with bueracratic and annoying rules, because they are friends.

      Nazi-like policies and a lack of user education from arrogant and obnoxious IT people results in social engineering exploits.
    • I am a bit of an optimist, so obviously my view is coloured.

      I think most people want to do whatever they do well. They want to do a good job, be productive and have a positive impact.

      Many times the security at a location (Bouncers, Security guards, Police, Military, or receptionist) won't let you pass with a bribe, they want to do a good job.
      Although I think it is much more rare that they'd deny you access for something reasonable. I have to use the restroom, forgot my coat, is my gf/wife/friend in there, have you seen Mr Smith, he said he'd meet me.

      That is the point, you can get this useful information even if it shouldn't be given out depending on your approach, which is the point that he is trying to convey.
    • Sorry but no (Score:5, Interesting)

      by Inexile2002 (540368) on Tuesday January 14, 2003 @01:34PM (#5081977) Homepage Journal
      A HUGE part of my job is preventing social engineering type stuff (or if you want to be specific - evaluating the degree to which a client has successfully implemented good risk management and security management). I interview people all the time, and I assure you that waving $100 is the most sure fire way to not get what you want.

      People are more afraid of getting caught, of loosing their job or of getting in trouble than I think you realize. That said, it is amazing the things people do, if they think they're supposed to do them.

      I'll routinely call people at a client and just start asking questions to total strangers. I've been in server rooms interviewing people and I'll ask questions like, "How does a visitor get access to this room?" When they answer, I'll ALWAYS follow up with, "Why was I not subjected to that procedure?" I'm legitimately supposed to get access to the information I get, and I sign NDAs and get approval for everything I do. Not once have I ever been challenged to provide that information. (For some reason, if you call the manager of a department and tell him that you'll be talking to his employees and why - they assume you're legitimate.)

      Show up, talk the talk and look like you belong there and people will tell you anything. Wave around $100 and people call security.
      • Show up, talk the talk and look like you belong there and people will tell you anything.

        Another good trick, which I learned from a brother that drives truck in the spring, is to carry a clipboard and walk briskly to get wher're you're going, even if you don't know where to go. Just don't hesitate at turns, act like you know where you're going. Don't even slow down for a security, or anybody looking at you weird. If they say anything, just hold up the clipboard and say, "I gotta get this signed." or anything that seems reasonable. Works quite well when you don't want to wade through person after person trying to get your job done.

        I used to pull something similar when doing a project at a manufacturing plant. You just walk right in, look straight ahead and don't slow down. Helps if you've got a cellphone too -- just pull it out and start talking before you walk in and keep the discussion about business, well the fake discussion. You can have alot of fun with this stuff. :)

  • excerpt available (Score:2, Informative)

    by squibix (602253)
    The Register has an excerpt from the book:
    Mitnick had wished to include a brief biographical sketch debunking the legendary persona created by New York Times tech hack John Markoff and detailing his ordeal at the hands of federal prosecutors. Unfortunately, the publisher rejected what were to be the juiciest parts of Chapter One, but we thought you
    might like to see it [212.100.234.54] anyway.
  • by Cally (10873)
    Chapter 1 was removed from the book by Kevin's publisher. It gives an interesting insight into HIS perspective on how he came to be known as Public Enemy Number 1 on the Internet, the feud with John Markoff, the Takedown film, as well as how he got into social engineering in the first place (getting free rides on the bus...)

    The Register have it here [212.100.234.54].
  • by phr2 (545169) on Tuesday January 14, 2003 @12:50PM (#5081693)
    Here's a review by Rob Slade [victoria.tc.ca] that's quite a bit more detailed than MasterSLATE's review.

    Before seeing Slade's review, I read most of The Art of Deception at the bookstore and decided not to buy it. I agree with most of what Slade says. The book is mostly aimed at PHB types and doesn't say all that much useful to techies. However, as a security implementer, I don't think trying to install paranoia in PHB's is such a bad thing. They are often completely unrealistic about vulnerabilities, so it's good to open their eyes a little.

  • by jeffy124 (453342) on Tuesday January 14, 2003 @12:50PM (#5081695) Homepage Journal
    ...and it seemed quite boring to me, probably because he was preaching to the choir when it comes to security people, as the book was geared more for CIOs and other management types.

    He had an interesting way of presenting various stories of of how people can penetrate by switching to a first-person view of both the victim and then the attacker. It was a bit annoying how the "attacker" would be portrayed as 1337 sometimes, but it was an interesting approach, especially since some of the stories were possibly Mitnick himself.

    Overall, though, I was underwhelmed.
  • by webword (82711) on Tuesday January 14, 2003 @12:51PM (#5081698) Homepage
    I'm reading this book now. Surprisingly, it isn't so much about technology and security. Instead, it is more about understanding humans. Despite the sterotype that geeks have for being socially incompetent, to be a truly good hacker using social engineering, you have to be good socially. Maybe not great, but pretty good. And, you need to know the right language and the right people to communicate with. Mitnik does a great job with this stuff and I am really enjoying the book. (However, I'm not so sure his tactics will work as well as they did a few years ago.)

    Here are some pretty good resources for learning more about social engineering:

    Social Engineering: What is it, why is so little said about it and what can be done? [sans.org]

    Social Engineering Fundamentals, Part I: Hacker Tactics [securityfocus.com]

    Social Engineering: The Human Side Of Hacking [earthweb.com]
    • Dammit, I was halfway through writing my own review for this book! Anyway, on with my post:

      You wrote: "However, I'm not so sure his tactics will work as well as they did a few years ago"

      That's because we're so much smarter about security now, right?

      Well, we are smarter now. We are the people who have been around computers for a few years now (enough to be intersted in /. reviews of security books). However, every single day there's a new sucker using a computer for the very first time.

      I'm absolutely certain that I could sucessfully use all of those tricks against the company I currently work for.

      • That's because we're so much smarter about security now, right?

        Wow, what a great point. +1 Insightful, totally.

        I'm absolutely certain that I could sucessfully use all of those tricks against the company I currently work for.

        Hehehe. Good point. That's really funny, dude.

        What company? ...

        Oh. Actually, I bet you say in your bio/journal...
    • Surprisingly, it isn't so much about technology

      Surprisingly, this can happen when you spend the evolution of most current technology in a cave somewhere or, say, jail?

  • On Mitnick (Score:4, Insightful)

    by Anonymous Coward on Tuesday January 14, 2003 @12:55PM (#5081724)
    Am I the only participant to this forum who thinks that any admiration on Mitnick is admiration on a crook? As this book clearly seems to illustrate, the basis of his success as a cracker was his ruthlessness and willingness to lie and deceive people, rather than his technical prowess.

    I.e. Mr. Mitnick is a criminal, who may or may not have extraordinary technological savvy; all those years in jail, and post-jail constraints, were surely well-deserved.
    • Re:On Mitnick (Score:2, Insightful)

      by stratjakt (596332)
      And now he's going to try and profit from it.

      But not for long, since he's been prohibited from working with computers, eventually his circa-1995 insights will be as useless as a how-to-vulcanize-your-tires manual.

      I've never seen anything admirable about him. I've read no impressive technical feats, just a confidence man on the phone tricking you into revealing your networks passwords. If he was gathering SSN's or credit card numbers over the phone, would everyone be as impressed?

      His motivations are irrelevant to me as well. If I came home to find my house broken into, I'd be no less pissed because the intruder swore he just did it for 'the thrill' of kicking my door in.

      So, time to be modded down for an unpopular opinion. But Mitnick is no hero IMO, nonetheless.
    • Admiration? (Score:4, Insightful)

      by GuyMannDude (574364) on Tuesday January 14, 2003 @01:49PM (#5082075) Journal

      Am I the only participant to this forum who thinks that any admiration on Mitnick is admiration on a crook?

      Actually, I haven't really seen too many posts here glorifing Mitnick so I don't know where your incredulous attitude is coming from. I agree that he is not someone to be admired. I'm guessing that a large number of slashdotters do too. However, we are interested in what he has to say, regardless of whether he was a decent person or not. He did manage to pull off quite a few feats. There are a lot of people here saying things like "Oh, that's obvious" and "He has no technical skill." So what? He has shown us that technical skill is really not required. As technical/science/engineering types here, we are interested in discovering the truth -- even if the truth is underwhelming when we finally get to it.

      I.e. Mr. Mitnick is a criminal, who may or may not have extraordinary technological savvy; all those years in jail, and post-jail constraints, were surely well-deserved.

      True enough. But there is something to be learned from his book (I'm guessing here -- I haven't read it). That's why the review is here on slashdot. That, in an of itself, doesn't imply that we're all Mitnick fanboys around here.

      GMD

    • Re:On Mitnick (Score:5, Insightful)

      by DrMaurer (64120) <danlowlite@NoSPaM.gmail.com> on Tuesday January 14, 2003 @02:00PM (#5082159) Homepage
      Perhaps he's trying to turn his life around and teach people lessons that can help thwart people like he used to be. He's out of prison, served his time, give him a chance to turn around and give him the benefit of doubt. He knows what he knows, and the information he can provide can help security.

      Of course, don't answer any of his questions about your network, either.

      There are plenty of ex-criminals that went on to give plenty of good to society or to hold positions of power. Have you seen 'catch me if you can'? Based on a true story/book, the guy who went on to work for the check fraud division of the FBI. Is that another ex-criminal who should be working at some grocery store bagging groceries instead of lending their talents later to banks to help prevent fraud?

      That attitude (once a con, always a con) is part of the problem of recivitism (sp); if convicts could make a decent living like most people, they wouldn't have to go back to crime.

      I thought the "Free Kevin" stuff was kind of silly once he was charged with a crime. I don't know much about this particular case, anyway, so.
    • Re:On Mitnick (Score:2, Informative)

      by syle (638903)
      He was held without a bail hearing for four and a half years. That is WRONG no matter what his crime was.

      Did he deserve his time in prison? I think so. Did he deserve to have the U.S. government trample his basic rights and freedoms? No.

      Read the sample chapter that someone posted a link to earlier. Remember 'Free Kevin'? Did you think it was just because everyone thought breaking the law was Good Thing?

  • by prankster (162363) on Tuesday January 14, 2003 @12:55PM (#5081726) Homepage
    I also read The Art of Deception

    I do not really know how to describe this book with its strange mixture of fact and fiction. 2/3 of the book are stories of social engineering in all forms and shapes. That gets a bit long and tedious long before you have finished the 245 pages of it.

    The rest of the book consists of recommendations for raising the bar. A long list of things to do if you want to tighten security at your company.

    So does social engineering really work? Yes, my guess is that most people will not know what hit them even if you ask them afterwards.

    At the very least you should be convinced by Mitnick talking Steve Wozniak into writing the foreword (Kevin Mitnick is one of the finest people I know) and Wiley Publishing, Inc. into publishing what I consider a weak book on security. There are of course a few good points but they are too few and too far apart.

    The leading Danish financial newspaper, Børsen, wrote that it should be required reading for people with an IT security responsibility. I can only say that if you have an IT security responsibility and still need to read this book you are most likely in deep trouble.

    You should only bother reading The Art of Deception if you know next to nothing about the human aspect of security and then only if you really think you are safe.
    • by ZxCv (6138)
      ....and Wiley Publishing, Inc. into publishing what I consider a weak book on security.

      Publishers, like any business, are just out to make a buck. Screw the actual quality of the book, if it will bring in the cash, then they'll publish it. And with such a high profile name as Kevin Mitnick, they're almost assured of a profit. Enough people are going to buy it, so it doesn't even matter how weak it is, as long as it's barely enough to get by.
  • My thought (Score:2, Insightful)

    by rczyzewski (585306)
    I have always thought the easiest people to exploit (not that I do) are minimum wage or poorly paid employees at crappy jobs. You can sweet talk a lazy teenager and usually get what you want, but I think sweet talking an adult gets you more in the long run. Who do you think you could get better results from, a lazy clerk or a lazy manager? I'd take manager any day.
  • by mustangdavis (583344) on Tuesday January 14, 2003 @01:01PM (#5081762) Homepage Journal
    Chapter 7 Phony Sites and Dangerous Attachments



    More like:

    Chapter 7: Porn Sites and Dangerous Screen Savers

  • I read it... (Score:5, Informative)

    by Hanashi (93356) on Tuesday January 14, 2003 @01:10PM (#5081816) Homepage
    This article wasn't much of a review, so I thought I'd chime in. I read this book recently, and here are some of my thoughts.

    First, what's in this book? The bulk of the book is given over to scenarios of different types of social engineering attacks. This includes things like acting helpless, offering help and guilting your victim into "owing you something", and pushing certain psychological buttons designed to make the victim feel whatever emotions you want. There's also some stuff about how to create a good security policy for your organization, but you can skip that. There are much better references for this sort of thing.

    What did I like? The scenarios sure are entertaining! The book covers a wide variety of different situations and goals, from tricking someone into telling you their password to gaining physical access to "secure" facilities. The authors tell the story of each attack both from the victim's point of view and from the attackers, then provide an analysis of why it worked and how it could have been prevented. Very valuable!

    What did I dislike? There's a substantial amount of repetition in the scenarios, but some may view that as useful reinforcment, so it's not necessarily a bad thing. As I said, I think the security policy section isn't very good, and it could easily have been left out.

    My overall impression is good, and I highly recommend this to anyone responsible for physical or information security in their organization.

    • A few more comments.. The scenarios are great. Call me cynical, but I find it hard to believe some of them would work, or at least not always. But they make for good reading.
      The stuff at the end about security policies for companies is extremely dry in comparison.

      I found the tone of the book a bit annoying at times. "A social engineer is amazing! You might not think that they could get this info, but they CAN! Even from you. Read on, and you won't get done anymore.." I guess it was Mitnick or Simon trying to make the book more readable, but IMHO they should've saved that kind of stuff for the back cover :-)

      Interesting to note that while a couple of the sites mentioned in the book no longer work, the Social Security info one is still up.
  • Karma whore alert (Score:2, Informative)

    by jsse (254124)
    I wondered if the author actually committed the social crime like Frank W. Abagnale? [amazon.com] :) who wrote the book The Art of the Steal [amazon.com] and Catch Me If You Can [amazon.com] - yes, the movie [leonardodicaprio.com]

    (save your mod point elsewhere thanks. :)
    • Yes, I've always seen a parallel between Mitnick and Abagnale. My grandfather helped bring in Abagnale, and when I talked to him a few years ago about Mitnick, he said he felt some deja vu coming on. This is how it will always be, I think that's the point of social engineering -- there will always be a way around the system.
  • "My name is Bond, James Bond."

    He always could get what he wanted from people.
  • by zerOnIne (128186) on Tuesday January 14, 2003 @01:37PM (#5081993) Homepage
    What I'm really wondering about this book is, does it come with that Free Kevin I've seen advertised for so many years on all these websites? I mean, I think it's about time I got my Kevin, but only if it's really free. I can't afford to have to pay for a Kevin myself.
  • by skydude_20 (307538) on Tuesday January 14, 2003 @01:43PM (#5082033) Journal
    "The first part of the book... contains the first chapter"
  • by Badgerman (19207) on Tuesday January 14, 2003 @02:03PM (#5082185)
    To prevent cracking security in human beings. At least until God releases a patch.
  • he proved to me how skilled he is at social engineering when he used it to get me to buy it. At my bookstore he gave away a small chapter sample of the book, but it was enough that after reading it I had to purchase the rest of the book...

    He's a sneaky guy, this Kevin.
  • by Danta (2241)
    There were recently 2 reviews of this book on the Risks [ncl.ac.uk] mailing list: a positive one [ncl.ac.uk], a not so poitive one [ncl.ac.uk], and a reply [ncl.ac.uk] to the not-so-positive one.
  • When you hear about some poor security guy that hands out his name/password to a fake employee, or a end-user that wilfully installs back-door software onto their machine you generally think 'I hope they can find a new job.' The biggest surprise to me is that very often people who violate these basic security principles are NOT held accountable for what they do.

    During my time at one of the nations larger companies I witnessed several different instances of employees serving as giant security holes. It was a big problem for the company. Instead of training and then actually holding employees accountable for their actions, more often than not the employees simply went on after the incident so they could do it again later.

    Companies need to invest time and money in training employees (EVERY employee with access to sensitive systems) and then developing systems by which employees can be held accountable for any security holes they create.
  • "There was one chapter in particular that reallystood out for me. This was the one where Mitnick told HIS side of the story - of the despair and frustration of being demonized in the media and locked away for five years. He told of his anger towards John Markoff, the New York Times reporter who wrote articles about Mitnick that seemed to demonize him and who later went on to write a book which turned into a movie - all while Mitnick languished in jail. I think in a way it was therapeutic for Mitnick to get his anger out at last and certainly about time that the public got to hear his words.

    But these are words you WONT be hearing. Markoff's lawyers send the book publishers a threatening letter that was about as long as the chapter itself and Wiley is no longer printing that part of the book.(They claim to have reached this decision independantly)."

    ----Review done by Emmanuel Goldstein
  • MasterSLATE is the Slashdot pseudonym of William Shatner [slashdot.org].

    Sorry that my post got so long.
  • The Washington Post had an online chat [washingtonpost.com] with Mitnick a month or two back.

    (Bitterness continues long after submission! ;-) )

    Interesting read, but I really enjoyed this part:

    "Per the terms of his parole agreement, Mitnick is barred from using nearly all computers except a court-approved laptop. He is also prohibited from sending e-mail or surfing the Internet. As such, Mitnick dictated his responses to a washingtonpost.com staffer who transcribed."

    That said, I wonder, was this the last book every written without a computer? ;-). Or maybe he could use his court-approved laptop. ;-)
  • They stuck it to him now he's sticking it to them with a book on how to be a digital grifter.

    Revenge is sweet.

  • I've got to respond to several things I've read here...First of all I would have thought the editors would hold out for a real review of the book by the famous/infamous Kevin Mitnick!

    With that said, many people are saying they are 'surprised' by the fact that this book doesn't emphasize technical aspects of hacking. Have you heard nothing of this book?! It says right on the cover that this is a book about social engineering, and much of Kevin's fame was due not to his technical prowess, but the combination of tech and 'social engineering'.

    With that said, I believe Kevin is a very intelligent person. I have heard him speak, and he is very well spoken, and organized. It is no wonder he was so successful at manipulating people in order to gain information he sought. I have to say that, although it takes an intelligent person to do this, I can't help thinking that 'social engineer' is only one way to interpret a malicious liar. Especially since he admittedly did most of his hacking 'for fun!'. When James Bond does it, its admirable, as it usually saves the world. In Kevin's case, he did it for the thrill of it (a hallmark of true hackers) and to see if he could get away with it. Something pathalogical about that...(although I don't doubt his self-proclaimed reform from 'the life' and new interest in helping people avoid being exploited by people like himself...)

    Some people are also saying here that they believe he is a criminal, and deserved to be in jail. Kevin himself doesn't deny that he broke the law, but the reason the hacker community rallied around his cause is that he was denied a bail hearing for years, denied many of his legal rights, and generally kept in legal limbo (and thus in jail) for many years. This, despite the fact that his actual crimes were pretty insignificant (although obviously punishable). This is pre 9/11, and he was basically intentionally 'lost in the system' and denied his rights because people in power feared him, and what they assumed he was capable of.

    Read the first chapter of the book, linked somewhere above, and also check out "Freedom Downtime", the documentary done by 2600.
  • I'm currently in the middle of this book, so consider this as a half review.

    First note: Kevin Mitnick didn't WRITE it, he contributed.. "co-authored".

    Second note: It's a text-book format. And they did a very poor job with it too. The "Mitnick-Messages" and "Lingos" and the rest are frequently positioned in the middle of sentences, which I find illogical and poorly organized. They are also frequently redundant.

    Third Note: This book is for people and companies wanting to protect against social engineers. If you're looking to become a social engineer, you'll find little useful information in this book.

    The Introduction, Preface, and First Chapter are all the same; pick one and skip the other two. I swear if they said "humans are the weakest factor" one more time I was going to throw the book out the window. These sections were very poorly written and painful to read, but don't worry, it gets better.

    The middle chapters are filled with fictional stories meant to illustrate methods and scenarios used by social engineers. Personally I find them to be rather vague on details. Of course, you couldn't expect a book to illustrate every conceivable scenario. The authors then try to analyze the situation, and offer suggestions on how to circumvent the attackers.

    If your business deals with sensitive or private information, this book will probably make you lie awake at night in a cold sweat, afraid to turn on your computer. You'll trust noone. You will force your employees to destroy their phones and communicate via telegraph and Western Union telegrams. Your business will inevitably be overcome with social engineers exploiting your every weakness and pilfering your every assest.

    I wouldn't recommend this book (so far) for anyone except security professionals, or perhaps business owners who have been burned in the past. Script kiddies, wanna be hax0rs, and other CriMiNalz will get nothing out of this book. You can't learn confidence and assertiveness from a book.

A method of solution is perfect if we can forsee from the start, and even prove, that following that method we shall attain our aim. -- Leibnitz

Working...