Rating: Summary: Chris Seibold MyMac.com Book Review Review: What is a computer network's greatest vulnerability? Turns out the weakest spot of any network (computer or otherwise) is the human element. Solution: kill everyone with access to your computer system. Just kidding. The solution, predictably, is training and awareness. Those are the conclusions of The Art of Deception and I suppose more training and heightened awareness of system security is solid advice but only a few folks are going to read The Art of Deception for the insights into system security. The majority of readers are going to pick up The Art of Deception to read the delicious subterfuges and insights into human credulity (a very few may pick it up to hone their own scamming techniques). If you want to learn a bit about hacking and/or conning people (called social engineering by Kevin Mitnick) or just read stories about the aforementioned topic, Kevin Mitnick is the guy with the best stories. For the uninformed reader, Kevin Mitnick is probably the most notorious hacker in US history. He's served jail time, companies claim he cost them millions of dollars and the government tracked him for years before capturing the super cyber fugitive. Of course some argue that Kevin Mitnick really didn't do too much wrong and even if he did it was more out of curiosity than malice. I haven't researched the topic enough to form a definitive opinion but I have seen and read enough to know that Kevin Mitnick is hacker supreme. Once you read The Art of Deception you won't doubt Kevin Mitnick's abilities and you'll see why he was able to get away with so much for so long. All this adds up to making Kevin Mitnick probably the single most authoritative person to write this kind of book. First off let me say the scams that Kevin Mitnick references actually work; I know because I tried one. I picked a company I knew a little about, called the receptionist and asked for her user name and password. 
She told me her password and user name, no questions asked. I was startled by how easy the process was but I attempted no further hacking (not because I was scared or suddenly moral but because the company makes extremely boring stuff). Calling up and asking someone for a password is the simplest ruse of all and probably the most often used con. The trick, naturally, is to make the person on the other end of the phone think that you're entitled to the information somehow, and that's where the real "social engineering" starts. While the crux of any scam may be the same, the road getting to that point can be very interesting. In The Art of Deception there are some scams so complicated they would make David Mamet salivate and these are the scams that are particularly enthralling to read even though they occasionally stretch the limits of plausibility. Regardless of the believability of the retold ruses they all have a common theme: they are very enjoyable short tales of human fallibility. The cons and seductions are enough to carry The Art of Deception; less entertaining are the solutions to prevent said miracles of flimflam. Of course the prevention of the scheme is always less exciting than the actual scam so it's no surprise when you find yourself skimming the "what Bob could've done" sections. There are a few scams that may be directly useful to the average Joe (which one of these says PAYPAL: paypal or paypa1?) but most of the beguilements' solutions will be of interest to IT directors and tech support folks. In fact I can reveal the solutions to the scams: know whom you're talking to and don't give out your password. That advice, while predictable, doesn't carry as much weight as it does when coupled with the scams and schemes presented in The Art of Deception. If you're one of the folks who think that you could never get suckered, Kevin Mitnick will make you a believer. Who is this book really for? Well, if you're an IT director the book will be very useful. 
If you're a company that deals with very sensitive information you may want to make The Art of Deception required reading for anyone with a password. If you're in Sales and don't mind walking slightly on the seamy side (if you're the type that snatches business cards out of restaurant fishbowls and passes the cards off as "calls") then some of the information gathering techniques may also be of interest. The casual reader will not find the information as useful as the previously mentioned professionals but will find The Art of Deception very diverting. Bottom Line: Anyone who reads The Art of Deception will find it entertaining, and some people will find the book very useful. MacMice Rating: 3 out of 5
Rating: Summary: A ground-breaking book that is certain to be unheeded Review: After all the media hype and disinformation surrounding his past "hacker" exploits, it would have been easy for Kevin Mitnick to just sell out and pen a cheesy "How To Be a Hacker" book, or even a simple autobiography setting an objective balance to sensationalist Mitnick-centered books such as John Markoff's "Cyberpunk" and "Takedown". Thankfully, Mitnick has instead seized a brilliant opportunity to fill a gigantic hole in the vast library of thoroughly redundant "information security" books currently flooding the market. "The Art of Deception" is, by default, the definitive and authoritative reference work on the subject of "social engineering". No author has ever tackled this tremendously important--and consistently ignored--aspect of information security with the same amount of depth, specificity and firsthand knowledge that Mitnick documents in this book. Despite the book jacket's description of Mitnick as a "legendary hacker" and "cyber-desperado", this book is decidedly NOT about "hacking" in the purest form of the word. In fact, it's rather ironic that for most people, the name "Kevin Mitnick" is synonymous with the profile of a stereotypical "master hacker", because he is much less regarded in the underground hacker scene for his technical skills than for his adept social engineering skills. Some would even say that without his social engineering chops, Mitnick would have been nothing more than an average geek with knowledge of common computer intrusion techniques. Even if you accept that opinion as true, it truly underscores the very real threat social engineering poses to ANY organization, and also proves one of the underlying themes of this book, which is that an attacker doesn't need to possess exotic and hyper-advanced "hacking" skills (or in many cases, even a computer!) to get at your company's sensitive data. 
All it takes is a phone call and gullible employees who aren't aware that answering a caller's seemingly innocuous questions can ultimately compromise the security of the entire company. Like the blurb on the book jacket says, "the gravest security risk of all is human nature." The renowned cryptographer Bruce Schneier once wrote, "security is not a product, it's a process". "The Art of Deception" bolsters that notion, and completely shatters the myth that technological measures can ensure information (or even physical) security. If anything, a company's security technology can be artfully used against itself in ways that completely negate its effectiveness. There is a very enlightening section on Caller-ID spoofing which will definitely open the eyes of anyone who thinks that a Caller-ID display is positive proof of a caller's identity and location. Mitnick claims a 100% success rate in getting information out of people using a spoofed internal company Caller-ID name and number. Because of this, he continually reminds the reader of the absolute worthlessness of Caller-ID as a security mechanism. I'm glad he does this, because almost no one outside of the hacking and phreaking scene even realizes that Caller-ID spoofing is possible, and the more this fact can be beaten into the heads of I.T. or security managers, the better. You can have millions of dollars of firewall products, encryption technology, password policies, and intrusion detection systems in place, but if I can simply call up your company's new intern on the phone (using spoofed Caller-ID, of course) pretending to be a company executive, and social engineer him into divulging information or even sending out sensitive files or faxes directly from internal computers, then that "technology" is nothing more than a heap of black boxes with lots of pretty blinking lights. An iron door on a cardboard house. 
There are many people who have automatic biases against Mitnick (due to his past record as a convicted felon) and will cast off this book as nothing more than a how-to manual on conning corporations out of their data. The debate on whether he deserved the treatment he received from the U.S. Federal Government and Justice Department, and whether he is truly a "criminal" or not, is completely ancillary to the value and legitimacy of this book. It is not an I.T. or con man's version of "The Anarchist Cookbook". He devotes 78 pages at the end of the book specifically outlining recommended corporate security policies. The book is always written from the perspective that the social engineer is the "bad guy", and Mitnick makes no concerted attempt to justify social engineering as a legitimate activity. The only problem I see with "The Art of Deception" is, ironically, not the book itself. It is with the very people whom this book seeks to educate regarding the dangers of social engineering. No doubt, most IT managers will come away from this book as if they had a religious epiphany. However, knowing the time and budget constraints placed on employees by many companies, I am extremely skeptical that you can instill the same sense of urgency and vigilance in employees who don't have a direct, firsthand reason to care about information security. If you can social engineer the overnight janitor to turn on a restricted development server, or get an intern to divulge the name and internal phone extension of a project manager, then you're still screwed. It's difficult to see how it's possible to effectively guard against all forms of social engineering without making every single employee in a company act like an annoying paranoid twit in response to even the most truly innocuous situations. Regardless, this book should be required reading for all company executives and managers, in both large and small organizations. 
When it comes right down to it, "The Art of Deception" is fundamentally more a book on psychology than on actual information security techniques, and as such, the principles demonstrated within are equally applicable to any company that has information or resources that need to be protected from outsiders. For example, Mitnick explains a hilarious, and ridiculously simple, social engineering scheme that can get your traffic tickets dismissed. And with no computers required from the social engineer's end. The book is at least funny, if nothing else.
Rating: Summary: Much-needed complement to books on network security Review: Kevin Mitnick has put together an excellent book that fills a major gap in the computer and network security literature. The examples are realistic (I suspect more than one is a thinly-veiled example from real life) and clear depictions of the principles they illustrate. The book is well-organized, and most importantly, it gives sound advice on how to defeat the social engineer. The suggested information security policies at the end of the book are worth the price of the book all by themselves. This is a must-read for information security professionals and corporate executives. It is nice to see that Kevin Mitnick has returned something of value to the world.
Rating: Summary: Disappointing... Review: Having read several positive reviews and recommendations of the book, I picked up a copy. Only a quarter of the way into the book, a growing sense of dread came over me as I realized that in finishing the book, I would put it down unsatisfied and disappointed. Having just completed the book, I can report that my initial feelings held true. The book provides little insight and repeatedly makes the same points: 1) the quality of one's security is only as good as the weakest link. 2) you must analyze your security, determine the weakest link, and take appropriate measures to correct for the weakness. 3) there are numerous individuals who for innumerable motives wish to compromise your security in order to achieve some gain. 4) if it just doesn't look right (jdlr), it probably isn't. 5) be wary. The book prosaically presents various forms of social engineering attacks to demonstrate how a given attack may achieve its purpose. None of the examples were very artful, enlightening, or innovative. Many center around the art of conning others and bootstrapping bits of information for maximum effect. Very little insight was provided within. The book seems a rehashing of existing warnings and knowledge, but a rehash provided by an infamous author (and, therefore, saleable). This is not a how-to book either for executing an attack or preventing one. There are far better volumes to understand both of these. It will tell you no more than what you already knew or should know from other security resources which can provide much more helpful information much more succinctly. At best, it can depict potential compromises for those who haven't the time to put their imagination to work. This is certainly not a book for information security professionals. I think it would prove a dull read even for those unfamiliar with the topic.
Rating: Summary: Personalities aside, an original, entertaining, scary book Review: There's nothing new about debating a criminal's right to publish his story. Frank Abagnale Jr, hero of the excellent "Catch Me If You Can" movie, wrote two books about his escapades. Concentrate on the message, not the messenger, and you'll learn something from either Mitnick or Abagnale. Mitnick's message is frightening: the easiest way to get what you want may be to ASK for it. "The Art of Deception" (TAOD) is built around dozens of realistic scenarios, showing how con men (and women) deceive victims and defeat security. It's easy to dismiss Mitnick's insights as trite. For example, it makes sense that "valuable information must be protected no matter what form it takes or where it is located. An organization's customer list has the same value whether in hardcopy form or an electronic file." (p. 227) This "Mitnick Message" seems obvious at first glance, but how many companies act on that truism? "TAOD" shares technical, procedural, and psychological insights which aren't normally discussed by security personnel. Mitnick mentions secrets of the telecom system, like reprogramming caller ID on phone switches. He dances across company lines, shuttling information among secretaries, fax machines, voice mail, and other vulnerable parts of business life. His understanding of human nature shows he treats his craft seriously, believing security awareness is the best defense against social engineering. I found his "Security at a Glance" chapter indispensable, especially its 'Warning Signs of an Attack' and 'Responding to a Request for Information' sections. Mitnick's security policy recommendations in chapter 16 appear to be squarely based on military information handling guidelines. I followed all of his ideas, like data classification, need to know, cover sheets, and so on, as a military intelligence officer in a top secret facility. 
The corporate world, particularly the financial sector, is implementing some of these practices already. It's still too easy to defeat the technical defenses of many organizations. Those who do have their networks locked down leave social engineering and insider fraud as the best ways to steal information and money. As more organizations fall victim to "the art of deception," they will turn to the wisdom of books by Mitnick and others. While they won't follow Mitnick's advice to provide "copies of this book to all employees" (p. 257), they will learn how to improve their "human firewalls."
Rating: Summary: Better Than I Expected Review: I expected a light read of the same genre as Cyberpunk... the other side to this interesting story. Instead, what I found was valuable information worth keeping. It is as well written as it is informative, and is worthy of consideration for permanent shelf-space.
Rating: Summary: An insider's view of an important security issue Review: I will not get into the irrelevant debate (pro or con) about Kevin Mitnick's personality. What matters is this: Social engineering, the art of talking yourself into places you don't belong, is one of the largest, and most poorly understood, security exposures that most organizations face. This book provides excellent insight into how the process works, what elements the social engineer relies on for success, and what you can do to make the social engineer's job more difficult. In order to fight this threat, you have to understand it. The book's approach is to present a long series of "fictional" (sometimes very thinly disguised) episodes, with some commentary and analysis. This structure, essentially a string of stories, can make the book seem rambling and unstructured at times. Some of the stories may seem unsophisticated, glaringly obvious, common sense. Two things to keep in mind: (1) the reader has the advantage of knowing that a scam is being perpetrated, and (2) obvious or not, this stuff does work! Could it work on your organization? How sure are you? Management wants to believe that security is a product, sold in a shrink-wrapped box, that you can install and then "be secure". The security industry wants to sell you those products. The real truth is that security is hard work, it's never done, and it has much more to do with people than with the latest whiz-bang technology. Not a popular truth, but still true. If you're not familiar with the ins and outs of social engineering, this book will help you figure out what it's all about. If you are already familiar with the concept, you'll still find value here -- something you'd never thought of before, or at least some new stories to help you convince management that this stuff matters. The story that sticks in my mind is the one involving a site using hardware "smart card" access tokens. Very good security, right? 
Well, the intruder gets in anyway.... I rate this book 4.5 stars, rounding up to 5.
Rating: Summary: An Expert That Knows Review: If you are used to going to books by experts available to the public (e.g., Bruce Schneier on cryptography), then this is the new classic book from an expert on "social engineering". There are questions around the author's circumstances and deeds, how his rights were trodden upon, etc. Disregard that and learn from a master. When hearing testimony from some criminals, serial killers for example, it is much harder to separate psychological problems from physiological problems from societal problems and so on. With crackers (bad hackers), it is a little easier. When one of them lays out all this material in an informational, organized manner, we need to take note. This book is such a case. Many crackers will brag about their technical prowess and escapades. Very few will brag about their social equilance. By far, the latter is more dangerous, as any (good) computer security expert knows. The book starts out with many good examples of vulnerabilities in an easy-to-read manner. I learned several new areas where I need to tighten my OWN security. Kaching! Where it really starts getting good is in the applications. Sections 2 and 3 are good, but especially good are chapters 11 ("Combining Technology and Social Engineering"), 15 ("Information Security Awareness and Training") and 16 ("Recommended Corporate Information Security Policies"). Chapter 16 is well worth the price of the book, all by itself. If you are serious about REAL computer security that is effective, you must read this book.
Rating: Summary: Make sure you don't get hacked Review: Don't support this con-man any more than you have to. Go to the library and read it there, or find a nice coffee/book shop and read it in-store. If you have to own it, buy the book used. These strategies will help you reap the "benefit" of this book just as much as anyone else and the author and publisher only get paid once. Share the love! In short, I don't believe in legitimizing Mitnick's criminal past by turning his exploits, stories and strategies into "advice" for those of us that should already know better. However if you're interested in the subject then you might as well read the book.
Rating: Summary: New title, another way for Mitnick to talk about himself Review: I had kind of assumed this book would end up being another way for Kevin to write a story about his criminal history. I bought it on the off chance it would have some information on Social Engineering. It was really the only book on Amazon.com I could find that was supposed to be geared toward the subject. As a Security Analyst, I often have to do social engineering for our clients, and was hoping to pick up a few things from this. I did pick up a few things, but most everything covered in the book is common sense, and it's really just another story by Kevin to try and gain money, and tell his story another time. I give it 3 stars, because the book is actually written well. There are quite a few things defined in the book that I didn't know, common definitions and things of that nature. It is a quick read, and for the price, it can't hurt to read. Just don't expect to be blown away by this book.