
The Art of Deception

MasterSLATE writes "One of the weakest links in even the most secure computer systems is the humans who operate them. No matter how well secured a computer, network or information may be, there are always people who will have contact with them from the inside. This is what the social engineer exploits in order to gain access. In The Art of Deception, Kevin Mitnick writes about the human element and how it can be manipulated and exploited to gain access to computer systems or 'secure' information." Read on for the rest of MasterSLATE's review.

Title: The Art of Deception
Author: Kevin Mitnick (& William L. Simon)
Pages: 346
Publisher: Wiley Publishing, Inc.
Rating: 9
Reviewer: MasterSLATE
ISBN: 0471237124
Summary: Geared toward the company security guy, but a good read for anyone interested in security, especially social engineering

What's to Like?

The Art of Deception is extremely easy to understand and actually fun to read.

The first part of the book, Behind the Scenes, contains the first chapter, Security's Weakest Link, which describes through many examples how and why the social engineer is able to manipulate people so easily to get what he wants.

Part 2, The Art of the Attacker, contains chapters 2-9, which describe various ways a social engineer can manipulate people over the phone. Each chapter tells of a different method that could be used to gain information. Each chapter also contains at least one example.

Part 3, Intruder Alert, contains chapters 10-14, which tell about different ways a social engineer can get inside a company, whether physically or through an internal contact. Each chapter contains at least one example.

Part 4, Raising the Bar, contains chapters 15 and 16, which explain how a company should create its security policies and training to prevent the social engineer from gaining access to sensitive information. These chapters are definitely more geared toward the executive, security analyst, or other specialist, as they contain specifics on what new policies should be implemented and why.

The last section in the book, Security at a Glance, contains some charts and information which should be read over by a more general audience, such as employees and other people that may be contacted by a social engineer.

And one sidenote: there's a nice little foreword by Woz (Steve Wozniak).

The Summary

Although this book is geared toward the company security expert, it also has appeal to anyone with an interest in social engineering. I found it to be a quick and fun read. As a social engineer, I found that this book taught me new tactics to try as well as ways that my targets might be prevented from giving me the information I seek.

Table of Contents

Foreword
Preface
Introduction

Part 1 Behind the Scenes
* Chapter 1 Security's Weakest Link
Part 2 The Art of the Attacker
* Chapter 2 When Innocuous Information Isn't
* Chapter 3 The Direct Attack: Just Asking for It
* Chapter 4 Building Trust
* Chapter 5 "Let Me Help You"
* Chapter 6 "Can You Help Me?"
* Chapter 7 Phony Sites and Dangerous Attachments
* Chapter 8 Using Sympathy, Guilt and Intimidation
* Chapter 9 The Reverse Sting
Part 3 Intruder Alert
* Chapter 10 Entering the Premises
* Chapter 11 Combining Technology and Social Engineering
* Chapter 12 Attacks on the Entry-Level Employee
* Chapter 13 Clever Cons
* Chapter 14 Industrial Espionage
Part 4 Raising the Bar
* Chapter 15 Information Security Awareness and Training
* Chapter 16 Recommended Corporate Information Security Policies

Security at a Glance
Sources
Acknowledgments
Index


  • Innocuous (Score:4, Insightful)

    by jfreis ( 614880 ) on Tuesday January 14, 2003 @12:39PM (#5081610)
    "Chapter 2 When Innocuous Information Isn't"

    All the little bits and pieces of info can sure add up to a major security hole if they are collected by the right person...
  • by beanerspace ( 443710 ) on Tuesday January 14, 2003 @12:41PM (#5081632) Homepage
    Wasn't it just yesterday we read an article here on /. that pointed out human factors being the weak link in the chain? In the case of yesterday's news, human factors in programming and today's, human factors in physical security.

    I mean look at an article on TechTV [techtv.com] as far back as October 2001 that points out such human blunders as "Default installs of operating systems and applications" or "Accounts with no passwords or weak passwords" ... human mistakes which make it as easy as pie for someone who socially engineers their way into the back office to penetrate your secure systems.

    Perhaps this quote from an Oct '02 SANS/FBI article [sans.org] points out the worth of this book, where they say:
    The majority of the successful attacks on operating systems come from only a few software vulnerabilities ...
    Which is why I think books such as "The Art of Deception" are as needed as biometric identification systems to secure your computer facilities.

  • by awch ( 134042 ) on Tuesday January 14, 2003 @12:42PM (#5081636)
    This isn't a review. It's a Table of Contents! Was the book even read?
  • by knobmaker ( 523595 ) on Tuesday January 14, 2003 @12:43PM (#5081642) Homepage Journal
    I read this recently, and although it's a pretty good introduction to the conman profession, I was a little disappointed in the lack of actual examples of clever hacking.

    The book is primarily about social engineering. Most of the example crimes in this book could have been perpetrated by folks who had no more than a casual acquaintance with the inner workings of computers. In other words, Mitnick tells you how to exploit the stupidity of human beings in large organizations, and not how to exploit weaknesses in operating systems and security software.

    Part of this is probably due to court-ordered vagueness; the court obviously didn't want Mitnick spreading dangerous knowledge.

    On the other hand, Mitnick is probably correct in his contention that the greatest factor leading to compromised systems is the naivete of the folks who work with them.
  • It's a knack. (Score:4, Insightful)

    by caluml ( 551744 ) <slashdot@NosPAM.spamgoeshere.calum.org> on Tuesday January 14, 2003 @12:45PM (#5081656) Homepage
    It's a knack, social engineering.
    I've read the book, and just like some people couldn't sell food to a starving man, only a few people can pull it off.

    Get one tiny piece of information from one person, another from another, and after a while, enough of those pieces make you sound like you are an employee. And we all help our fellow downtrodden, overworked employees, don't we.

    EG. If you have an intranet at work, I bet you have a nickname for it. And if someone asked you for something from it, and said "I can't get to the XXXX today, not sure why, it seems to be down..." you'd probably go and find the info for them.
  • by The Evil Couch ( 621105 ) on Tuesday January 14, 2003 @12:51PM (#5081703) Homepage
    you can only pile on so many security procedures before Joe Whiteout in the cubicle gets a glazed expression on his face. the problem with security procedures is you've got to make them easy enough that your everyday user can use them without getting on your phone every 10 minutes asking if you can reset their account because they screwed up and got locked out of the system.

    you can have extensive logging and security measures going on behind the scenes, but once it gets to the user level, you've got to make it as simple as possible for them to log in and get access to what they need to know/work with. and all it takes is someone leaving their username and password on a sticky note on their monitor or answering a phone with someone official sounding on the other end, for that account to be compromised.

    I shouldn't have to mention it, but any user account that gets compromised can potentially get the whole network compromised. the human element is always the weakest link in the security chain; whether it's a sysadmin that just doesn't set everything up right and leaves default account names and passwords or the user that just gives his password out over the phone. the machines just do what they were programmed to do. nothing more, nothing less.
  • On Mitnick (Score:4, Insightful)

    by Anonymous Coward on Tuesday January 14, 2003 @12:55PM (#5081724)
    Am I the only participant to this forum who thinks that any admiration on Mitnick is admiration on a crook? As this book clearly seems to illustrate, the basis of his success as a cracker was his ruthlessness and willingness to lie and deceive people, rather than his technical prowess.

    I.e. Mr. Mitnick is a criminal, who may or may not have extraordinary technological savvy; all those years in jail, and post-jail constraints, were surely well-deserved.
  • by Thud457 ( 234763 ) on Tuesday January 14, 2003 @12:58PM (#5081748) Homepage Journal
    Waving cash around usually leads people to think that you are up to something improper, unethical or illegal.

    An important criterion in social engineering is to get a person's help, hell, even goodwill, without them realizing that you are up to any skullduggery. If you're really lucky, they won't even remember aiding you.

  • My thought (Score:2, Insightful)

    by rczyzewski ( 585306 ) on Tuesday January 14, 2003 @12:59PM (#5081753)
    I have always thought the easiest people to exploit (not that I do) are minimum wage or poorly paid employees at crappy jobs. You can sweet talk a lazy teenager and usually get what you want, but I think sweet talking an adult gets you more in the long run. Who do you think you could get better results from, a lazy clerk or a lazy manager? I'd take manager any day.
  • by Anonymous Coward on Tuesday January 14, 2003 @01:06PM (#5081795)
    "obtained millions of dollars (1860 millions!) by lying, cheating, and swindling"

    The only thing Kevin Mitnick stole that cost anyone any money was phone calls.

    John Markoff, New York Times, and the prosecutors are the ones that did the lying.

    Follow the money and it leads to John Markoff.

    Good swindle John. I would hate to have your karma.

    I check that Anonymously box for this post.
  • Re:On Mitnick (Score:2, Insightful)

    by stratjakt ( 596332 ) on Tuesday January 14, 2003 @01:07PM (#5081801) Journal
    And now he's going to try and profit from it.

    But not for long, since he's been prohibited from working with computers, eventually his circa-1995 insights will be as useless as a how-to-vulcanize-your-tires manual.

    I've never seen anything admirable about him. I've read no impressive technical feats, just a confidence man on the phone tricking you into revealing your network's passwords. If he was gathering SSNs or credit card numbers over the phone, would everyone be as impressed?

    His motivations are irrelevant to me as well. If I came home to find my house broken into, I'd be no less pissed because the intruder swore he just did it for 'the thrill' of kicking my door in.

    So, time to be modded down for an unpopular opinion. But Mitnick is no hero IMO, nonetheless.
  • by Savage-Rabbit ( 308260 ) on Tuesday January 14, 2003 @01:09PM (#5081813)
    ....can scale any fortress wall.

    Philip of Macedon said that (I seem to remember) 2300 years ago. In short, more codes have been cracked and more defenses of any kind have been breached by exploiting simple human weakness than any clever hacking/engineering ever has and ever will. It usually is the easiest way. Take the Enigma code: it was cracked, partly, because of the simplistic and repetitive choices of code key words made by the Wehrmacht communications personnel. It never ceases to amaze me how deeply this fact disappoints the tech freaks of this world. If I had to guess, all the nerds at CIA-Langley with all their cool equipment will not contribute even half as much to catching Osama Bin Laden or determining his fate as simple traitors within Al Qaeda will do.
  • by God! Awful 2 ( 631283 ) on Tuesday January 14, 2003 @01:23PM (#5081894) Journal

    The one I like is RFID on the employee's nametag and a biometric reader (thumbprint in this case) on the terminal. User walks up, computer detects that Bob Jones is standing there, Bob Jones presses thumb, computer says that this is in fact Bob Jones. Unlock.

    That's a pretty good system, although it has a few fundamental flaws that make it unsuitable for ultra-paranoid environments. The problem is that Bob's fingerprint is a static key. If I want to fool the system, all I have to do is to capture Bob's fingerprint. Then I walk up to the computer, unplug the fingerprint reader and substitute my own device which simply reports that I am Bob.

    You could improve the fingerprint reader system a bit by encrypting the wire protocol between the hardware and the device driver, but it's still technically feasible to break open the device and splice in the pre-computed signal. Still, admittedly the fingerprint reader is not open to a social engineering attack.

    -a
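The "static key" problem the comment above describes, worked through as an added example (not code from the page, the book, or any real reader product): a host that accepts whatever the reader reports is fooled by a replayed template, whereas binding each unlock to a fresh host nonce with a key held only by the genuine reader rejects both a replayed response and a substituted device. The user name, the enrolled template, and the reader key are all constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the page): the enrolled template for
# "Bob Jones" and the per-reader key a host would provision into the reader.
ENROLLED = {"bob.jones": hashlib.sha256(b"constructed template: Bob Jones").digest()}
READER_KEY = secrets.token_bytes(32)


def static_host_verify(user: str, template: bytes) -> bool:
    """Host side of the static design: trust whatever the reader reports."""
    return hmac.compare_digest(ENROLLED.get(user, b""), template)


def spoofed_reader(captured_user: str, captured_template: bytes):
    """A substituted device that simply replays a previously captured report."""
    return captured_user, captured_template


def challenge_host_issue() -> bytes:
    """Host issues a fresh nonce for every unlock attempt."""
    return secrets.token_bytes(16)


def reader_respond(reader_key: bytes, nonce: bytes, user: str, template: bytes) -> bytes:
    """Genuine reader: bind the match to this nonce with a key only it holds."""
    return hmac.new(reader_key, nonce + user.encode() + template, hashlib.sha256).digest()


def challenge_host_verify(nonce: bytes, user: str, response: bytes) -> bool:
    """Host recomputes the expected response from the enrolled template."""
    if user not in ENROLLED:
        return False
    expected = reader_respond(READER_KEY, nonce, user, ENROLLED[user])
    return hmac.compare_digest(expected, response)


def static_design_accepts_replay() -> bool:
    # The template was captured once; a spoofed device now reports it verbatim.
    user, tpl = spoofed_reader("bob.jones", ENROLLED["bob.jones"])
    return static_host_verify(user, tpl)


def challenge_design_rejects_replay() -> bool:
    # A valid response captured in an earlier session ...
    old_nonce = challenge_host_issue()
    captured = reader_respond(READER_KEY, old_nonce, "bob.jones", ENROLLED["bob.jones"])
    # ... is useless against the host's next challenge.
    return not challenge_host_verify(challenge_host_issue(), "bob.jones", captured)


def challenge_design_rejects_unkeyed_device() -> bool:
    # A spoofed device knows Bob's template but not the genuine reader's key.
    nonce = challenge_host_issue()
    forged = reader_respond(secrets.token_bytes(32), nonce, "bob.jones", ENROLLED["bob.jones"])
    return not challenge_host_verify(nonce, "bob.jones", forged)


def challenge_design_accepts_live_match() -> bool:
    nonce = challenge_host_issue()
    live = reader_respond(READER_KEY, nonce, "bob.jones", ENROLLED["bob.jones"])
    return challenge_host_verify(nonce, "bob.jones", live)
```

The protection rests entirely on the reader key staying inside the device; if it can be read out by opening the case, the situation collapses back to the comment's splice-in scenario, so the key belongs in tamper-resistant storage.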

  • by Anonymous Coward on Tuesday January 14, 2003 @01:27PM (#5081922)
    Did anyone bother to ask that? He's not a hero, folks. Don't idolize him.
  • by einhverfr ( 238914 ) <chris@travers.gmail@com> on Tuesday January 14, 2003 @01:30PM (#5081945) Homepage Journal
    1) Ideally build security around "what you have/what you know" to the greatest extent possible.

    2) Train, train, train!

    3) Just like you do a network security audit from time to time, do mock attacks! Call up an employee and use something like the following script (modified each time)

    "Hi, my name is Joe Angstrom. I work over in IT."

    "We are investigating a potential security problem on our network and need to ask you a few questions. Have you noticed anything strange about your computer recently?"

    "Thank you, this has been very helpful. There is one more thing. So that we can be sure of this, could you verify your username and password?"

    Just make sure that it is approved of before you do it ;) If the employee gives out their login info, you send them an email letting them know that they should NEVER give out login information to ANYONE for ANY REASON, and tell them to change their password. Explain that passwords are not accessible to anyone, and that login information is available to anyone who would be investigating security problems. If it happens again, send an email to their manager as well ;-)

    The point is-- human factors can be mitigated by training, but no one puts that effort into things.
  • by ZxCv ( 6138 ) on Tuesday January 14, 2003 @01:38PM (#5081997) Homepage
    ....and Wiley Publishing, Inc. into publishing what I consider a weak book on security.

    Publishers, like any business, are just out to make a buck. Screw the actual quality of the book, if it will bring in the cash, then they'll publish it. And with such a high profile name as Kevin Mitnick, they're almost assured of a profit. Enough people are going to buy it, so it doesn't even matter how weak it is, as long as it's barely enough to get by.
  • Admiration? (Score:4, Insightful)

    by GuyMannDude ( 574364 ) on Tuesday January 14, 2003 @01:49PM (#5082075) Journal

    Am I the only participant to this forum who thinks that any admiration on Mitnick is admiration on a crook?

    Actually, I haven't really seen too many posts here glorifying Mitnick so I don't know where your incredulous attitude is coming from. I agree that he is not someone to be admired. I'm guessing that a large number of slashdotters do too. However, we are interested in what he has to say, regardless of whether he was a decent person or not. He did manage to pull off quite a few feats. There are a lot of people here saying things like "Oh, that's obvious" and "He has no technical skill." So what? He has shown us that technical skill is really not required. As technical/science/engineering types here, we are interested in discovering the truth -- even if the truth is underwhelming when we finally get to it.

    I.e. Mr. Mitnick is a criminal, who may or may not have extraordinary technological savvy; all those years in jail, and post-jail constraints, were surely well-deserved.

    True enough. But there is something to be learned from his book (I'm guessing here -- I haven't read it). That's why the review is here on slashdot. That, in and of itself, doesn't imply that we're all Mitnick fanboys around here.

    GMD

  • by SquadBoy ( 167263 ) on Tuesday January 14, 2003 @01:56PM (#5082124) Homepage Journal
    You could always just take Bob's thumb. You could also find out some piece of information about Bob that could be used to make Bob want to let you in. You could drug Bob. You or someone working for you could seduce Bob. You could offer Bob a large amount of money/pr0n/whateverelseBobwants. You could convince Bob that you are good and that the person running the system you want access to is evil and that Bob should let you in.

    Do not fool yourself *anytime* there is a human involved you can use social engineering to get in.
  • Re:On Mitnick (Score:5, Insightful)

    by DrMaurer ( 64120 ) <danlowlite@@@gmail...com> on Tuesday January 14, 2003 @02:00PM (#5082159) Homepage
    Perhaps he's trying to turn his life around and teach people lessons that can help thwart people like he used to be. He's out of prison, served his time, give him a chance to turn around and give him the benefit of doubt. He knows what he knows, and the information he can provide can help security.

    Of course, don't answer any of his questions about your network, either.

    There are plenty of ex-criminals that went on to give plenty of good to society or to hold positions of power. Have you seen 'catch me if you can'? Based on a true story/book, the guy who went on to work for the check fraud division of the FBI. Is that another ex-criminal who should be working at some grocery store bagging groceries instead of lending their talents later to banks to help prevent fraud?

    That attitude (once a con, always a con) is part of the problem of recidivism; if convicts could make a decent living like most people, they wouldn't have to go back to crime.

    I thought the "Free Kevin" stuff was kind of silly once he was charged with a crime. I don't know much about this particular case, anyway, so.
  • Re:mitnick (Score:3, Insightful)

    by br0ck ( 237309 ) on Tuesday January 14, 2003 @02:42PM (#5082302)
    He'll be able to read it online in a week. From this article [wired.com], Mitnick has been banned from using the Internet as a condition of his supervised release. He's free to go online again on January 21, 2003, after close to eight years offline. The first site he'll visit is his girlfriend's blog.

    I just read this book too. It really does make you think about how easy it would be for someone to manipulate you or your coworkers. The book is full of suggestions, especially the last few chapters. The chapter about training and warning employees prompts one to add security awareness training both for new hires and on a continuing basis, and to retool policy and procedures in a way that employees will follow them. Sadly, a friend of mine showed up at work Monday to find out that 10 laptops, including hers, had been stolen. Security had no record of unauthorized access, which makes it seem like it had to have been some kind of social engineering.
  • Re:On Mitnick (Score:4, Insightful)

    by kubrick ( 27291 ) on Tuesday January 14, 2003 @07:50PM (#5084350)
    The whole point about democratic freedoms and human rights is that they should apply to scum like Mitnick as well as to you and me. Compelling someone to give up those rights doesn't give me a lot of confidence that they are being respected in the more general case.

    Besides, all that time spent before his plea counted toward his sentence. He just got it over with early.

    Shouldn't a suspect be considered innocent until proven guilty in a court of law?
