The Art Of Deception: Controlling The Human Element Of Security (2003) - Plot & Excerpts
Kevin Mitnick, probably the most famous (and controversial) computer hacker of the 1990s, has spent several years of his life on the run, as well as a few years in jail. For years after leaving prison he was forbidden to log on to a computer, a prohibition he appealed successfully. He now runs a computer security business, lectures to large corporations, and has co-authored two books on computer network security. This book focuses on the human element of computer security. Reminding us that even the most sophisticated high-tech security systems can be rendered worthless if the people running them are not sufficiently vigilant, Mitnick goes on to point out the myriad ways in which human carelessness can contribute to security breaches. An experienced con artist who is well-versed in social engineering techniques can often do far more damage by manipulating people to provide information they shouldn't than by relying on technologically sophisticated hacking methods. The book is interesting for the most part, though it would have benefited from a 25% reduction in length, and there are some annoying stylistic tics. Throughout the first 14 chapters, each of which reviews a particular type of ‘con’ used by hackers/social engineers to breach computer security, the chapter setup follows the same schema: (i) an anecdote or vignette, involving fictitious characters but based on actual events, which lays out the deception as it unfolds, following it through to the successful breach; (ii) analysis of the ‘con’, focusing specifically on the mistakes or behaviors (at the individual and at the organizational level) which allowed it to succeed; (iii) discussion of the changes that would be needed to stop the con from succeeding (e.g. behavior of individual employees, corporate policies and procedures, computer software and hardware).
This is actually a pretty decent way to make the points Mitnick wants to get across – starting out with a concrete example of how things go wrong gets attention and motivates the reader to read on to figure out the solution. One feature of the book which was meant to be helpful started to drive me crazy by about the third chapter. Interspersed throughout each chapter, the authors insert highlighted textboxes of two types: ‘lingo’ – repeating the definition of a concept already adequately defined in the text, or ‘mitnick messages’ – which manage to be irritating beyond the cutesy name, as they do nothing but encapsulate the obvious in language which condescends to the reader. In general, this is not a book you will read for the delights of its prose style (after successfully gaining access to a cache of hidden documents, one hacker is described as spending his evening gleefully “pouring over” the documents); however, the prose is serviceable, managing to avoid lapses into the dreaded corpspeak, for the most part. For some readers, the most useful part of the book may be its final two chapters. Here the authors lay out, in considerable detail, outlines for recommended corporate information security policies, and an associated training program on information security awareness. Though I am no expert in these areas, the outlines strike me as being commendably thorough – complete enough that they could be fleshed out without too much difficulty to generate a comprehensive set of policies and procedures. Despite some redundancy, and occasional infelicities of style, this book seemed to me to be interesting, and likely to be practically useful.
Kevin Mitnick (whose teenage exploits were speculated at in the film War Games) describes himself not as a hacker, but a social engineer, one who is able to manipulate people and events through his knowledge of the inner workings of society. In this book, Mitnick describes many scenarios, some true, some hypothetical, including bank robbery, teenage break-ins, identity theft, and corporate espionage. In each scenario, we see how, with a couple of phone calls and a few simple questions, the attacker was able to obtain information that we normally consider private, including social security numbers, bank accounts, source codes, passwords, PIN numbers, and even access to "secure" facilities. His goal is not to encourage this "art" of social engineering, but to prevent it, especially in the corporate world. The focus of the book is corporate security, complete with an entire chapter detailing what steps and policies companies should take to be sure that their employees' information is safe. For the common, stay-at-home domestic engineer ("housewife") like me, the book opened my eyes to the importance of protecting my information. In many of the scenarios, attackers used easily obtainable information to get things that I thought were safe. My home address... my phone number... my birthday... things that I used to post on social networking sites all over the web... I now realize that with just a few more or less "public" pieces of information, an attacker can obtain something much more valuable, such as my bank account number or credit card information. Something I've heard over and over again (including from my own family, and myself early on) is, "But no one wants to attack ME." Or "That only happens to other people." But, sadly, to the other 6 billion people in the world, I am that very vulnerable Somebody Else. And who would want to attack me? They may not be after you specifically.
They may just need access to an account at your bank, and you are the lucky number of the day. They may just want to see some files at your company, files in a completely different department, but they're going to use your bad password to get in. Or maybe they need some quick cash, saw you type your pin # into the machine at the BiLo and then picked up the receipt you dropped in the parking lot. However it happens, it's a lot more common than it was before. Grandma and Grandpa may lament the Good Ole Days when this kind of thing Never Happened (and thus be reluctant to protect their information), but I know better than to trust my generation. After reading this book, hopefully you will too.
The Art of Deception is one of two books by famous hacker Kevin Mitnick, the other being "The Art of Intrusion". Intrusion focuses primarily on physical or technological hacks, while this book focuses almost exclusively on social engineering attacks. A number of problems prevented this book from being very good. The main problem is simply that Mitnick did not have enough material to fill an entire book. This book would have been better if it were shorter and simply one section in a larger book about security. A great deal of the book feels like padding; the anecdotes about various social engineering attacks seem repetitive and pointless - reading just one is often enough, but Mitnick consistently indulges himself with identical tale after identical tale. I'm not entirely sure who the audience for this book could really be. It doesn't seem like it's for technical people, because the book goes out of its way to define what things like "http" mean. The book claims to be geared toward nontechnical people or businesspeople, but the fact of the matter is that the subtle differences between a lot of the social engineering attacks will be missed by nontechnical people. To your average Joe, 20 or so of the stories in the book will seem identical, testing the patience of the reader. The book is also frustrating in its design. It's constructed as a book to help managers and businesspeople manage security at their companies. Every story about a social engineering attack is followed by a "Mitnick Message" where Kevin explains how to prevent the attack from happening to you. In reality, however, the real focus is the story itself - the attackers are consistently painted as the hero of the story, with the hapless victims being drawn as naive morons. It's clear that Mitnick admires the attackers in these tales, and the "Mitnick Message" feels like it's been forced into the book to keep up the ruse that the book is intended for anyone other than wannabe hackers.
Mitnick's advice is a restated form of "verify the identity of the caller" in nearly every instance. The book is, to put it simply, a bore. Reading it was a challenge, and I had to fight the frustration to skim or skip sections nonstop. The Art of Intrusion is far more interesting, and I recommend it over this book without reservation. There is value for businesspeople to read this book, but I imagine it will present a significant challenge to their patience. As an aside, Mitnick offers terrible advice regarding passwords. He argues that passwords should not consist of a constant combined with a predictable variable, such as "kevin01", "kevin02", "kevin03". I agree. He also says that users should not write down their passwords and tape the paper to their monitor or under their keyboards. I agree again. He also, unfortunately, argues that passwords should expire every month. Well, that's terrible advice. Passwords need to be something people can remember, or they have to write them down. If they are going to be memorable, they can't change constantly. If they change constantly and must still be memorable, people have no choice but to add some predictable pattern to a memorable portion of a password. In short, of options A) Don't write passwords down, B) Don't use a simple increment in a password, C) Change passwords monthly, security administrators can pick any two. To try for all three is delusion.
—Rod Hilton
A very interesting look into the ease with which one can bypass the most elaborate security system simply by asking. The book proves that it is too easy for a person to obtain almost anything, if they have the right information and ask the right person. I am a system security major, and work at a helpdesk of a very large financial corporation. The number of employees that call me and readily hand me their passwords without question is disturbing. I am a good person, and have no need for these passwords, but I cringe every time someone tells me their computer login. Were I a person of malicious intent, I could abuse this information in so many ways. This book, written by a former hacker turned security consultant, is a very good read for those who find themselves too gullible, those who want to know what to watch out for, and mostly for those who ask "why" whenever anybody asks anything of them.
—Cooperglocker
Comes off a little bit cocky at times, but that may be my take on it. Cocky or not, there is a lot of information between these pages that the public should be aware of for their own security. He is a genius who in high school managed to tap into the school's system to change a grade he didn't like... long story short, he wound up behind bars until the government hired him. (Guess we don't need to go there.) At any rate, he reveals some tactics people have used for identity theft, as well as receiving information from people put in precarious positions because of their inability to trust their instincts, and instead listen to the "nice guy" on the other end of the phone needing help. Anyone ever using a computer and putting his or her personal information onto the screen NEEDS to read this!
—Michelle