Rating: Summary: Great book that shows what is possible! Review: I waited for the book of the famous hacker Kevin Mitnick for a long time, checking my mailbox every day after my pre-order was completed. The book was almost worth the wait! It's a fun book with lots of entertaining and educational stories on what is possible by means of social engineering attacks. The characters clearly push the limits of this "human technology". One of the articles I have read on the book called it "Kevin Mitnick's Latest Deception" due to his downplaying of technology security controls and emphasizing people skills and weaknesses. However, the human weaknesses do nullify the strengths of technology defenses and humans are much harder to "harden" than UNIX machines. The attack side is stronger in the book than the defense side, naturally following from the author's background. However, there are some great defense resources on policy design, awareness and needed vigilance. However, there is this "minor" issue with defense against social engineering: one of the definitions called it a "hacker's clever manipulation of the natural human tendency to trust". The word "natural" is key; if we are to believe the definition, all defenses against social engineering will be going against _nature_ and, as a result, will be ineffective for most environments. The author also advocates social engineering penetration testing, which appears to be the best way to prepare for such attacks. Security awareness, while needed, will get you so far. The book's stories show examples of hackers defeating firewalls, passwords, token and two-factor authentication systems, multi-layer defense, financial institutions security, armed guards and many other commonly believed to be effective security controls. While some of the stories first seem to defy common sense, upon more detailed investigation they are clearly believable.
Dialogs, stories, situations are described with terrifying reality behind them: "So what is the money transfer code for today? - It's this-and-that..." Social engineers bravely attack and conquer on the pages of this great book! The book will give lots of ideas to those involved in penetration testing. Using the book, it is possible to extract a structure of a successful attack, gather some target selection criteria, learn how to combine social and technical attacks and then use it for the pentesting. The biggest shortcoming of the book is that it has no "attack HOWTO" part. It has zero content on developing, improving and polishing the social engineering skills. While it might seem that natural ability is all it takes, the author _knows_ that there are methods to develop social engineering skills, but chose not to disclose them and I regret his decision to withhold such information. Anton Chuvakin, Ph.D., GCIA is a Senior Security Analyst with a major information security company. In his spare time he maintains his security portal info-secure.org
Rating: Summary: The Art of Deception --- TRUTH! Review: As a Technology Director, security is a huge risk. I purchased this book to find out what it was all about. Social Engineering is an incredible Psychological episode, and the authors have explained it very meticulously that hopefully everyone will get a warning before an attack occurs. If you are in the Information Technology field I highly recommend this book on everyone's bookshelf. If you are not in I.T., I would still recommend reading it, because you may not be ready for a social engineer attack. My congratulations go out to the authors of this book.
Rating: Summary: Scary Stuff Review: When I picked this book up, I thought it was going to be an apologia from Mitnick for his prior life's work: cracking into supposedly secure phone and computer systems and networks. I read the book just before Hallowe'en, and that was appropriate, because the stories Mitnick recounts are really scary. Instead of wasting words explaining his own actions, Mitnick gives scores of fascinating examples of how most "security" proved to be simply non-existent. In the end, all security systems depend on humans, and therein lies the weakest link. The book shows how easy it is to gain people's trust - over the phone - and by getting them to reveal little bits of seemingly harmless information, gaining complete control over any data the con man (or woman) wants to get. The book sets out security policies, and there's also a whole chapter on security training. One of Mitnick's recommendations is for companies to supply each employee with a copy of the book. Normally I'd dismiss this as blatant self-promotion. But believe me, in this case, the more people share the book's stories with each other at the water cooler, the closer the company will come to being a secure environment. Mitnick makes it clear that everyone in the company has to be aware of security issues, and of the many types of attacks he describes so well, and know how to react to any demand for information, even from someone who appears to be an insider. By the time you finish the book, you'll be a believer, and you'll think two or three times before giving out information. And company security officers may want to stop simply sending e-mails about security, and get all employees (including the receptionists!) into classroom training. The only problem I had with this book was Mitnick's use of the term "social engineering" to describe the manipulation of employees and security systems. Social engineering is what the conservatives accuse the liberals on the U.S. Supreme Court of doing. But that's a minor item in an otherwise overwhelming and totally convincing book.
Rating: Summary: Excellent Book To Understand A Real Threat To Anyone! Review: This is one of the finest books I ever read not just on this subject but also just as a book. The Authors outline what has happened and what can happen if you do not at least become aware of your vulnerability to Computer Crime. Kevin Mitnick and Bill Simon provide a detailed method how humans use computers to cause all kinds of trouble for fun and intentional hate. I came away actually admiring Kevin Mitnick for the way he has approached many trials in his life since being a former hacker himself. He is refreshing in his honesty, clearly contrite in his admissions of what he feels he did do wrong and has paid the price in my opinion to be welcome into society as an asset today. He is a prime example of an American turning adversity into opportunity and becoming a far better person in the end. He is now going to use his talent to help many people help defend themselves in this brave new world of technology. He is still an advocate of liberal individualism knowing it is the sacred heart of a free society. I highly recommend this book written in easy to read style and complete integrity but making you realize anyone is susceptible to computer crimes in the future. It is time to arm yourself with knowledge and assistance as Kevin Mitnick provides in this book.
Rating: Summary: A Must Read Review: When I started reading this book, I thought - Wow! these writers are telling everybody how they can steal a company's most secret information just by telling a few lies. But there's more to it. If you want to tell a bank how to protect itself against bank robbers, you have to tell them what tricks bank robbers use and how they think. That's what Kevin Mitnick is doing in this book. He's actually teaching every company how to protect itself. And when you really think about "social engineering," you can even imagine how it can easily entrap individuals as well.
Rating: Summary: Mitnick book makes you think... Review: "Every other book on corporate security I've ever read has important information but is about as much fun as a visit to your tax guy. Kevin Mitnick and his writing partner have written a book that reads like a bunch of stories by Robert Ludlum or Michael Connelly. They have done a wonderful job."
Rating: Summary: If you use a telephone at work, you must read this book. Review: You'll be amazed how easy it is to get information and get people to tell you about things they shouldn't be talking about. Mitnick and Simon have given the world fair warning. Everyone should read this book, and learn how not to be bamboozled by social engineers. Not only is the information really valuable -- it's a very good, fast paced read with as much suspense as you'd get from most mystery books. I was surprised at how much I enjoyed it and how much I learned. If anyone in government or business doesn't read this book they are making a big mistake.
Rating: Summary: The Weakest Link Review: To many in the tech industry, Kevin Mitnick was elevated to "hero" status following his capture in 1995. More than other hackers that were prosecuted, Mitnick attained this status, because he was able to penetrate networks of some of the world's largest corporations, but never profited from his exploits. His book, The Art of Deception, is a thrilling read for both the technology sector and the average person on the street. Mitnick shows that even with the most sophisticated hardware and software in place, networks are still vulnerable and can be easily compromised by attacking the weakest link---humans. In today's world, most of our personal data lives on a computer or computers somewhere. Identity theft is quickly becoming the crime of the decade, and a criminal doesn't need that much information to become someone else. Corporate and government espionage are also at an all-time high. One of the easiest lessons we have been taught as humans, is that if you act like you belong, others will usually accept that you do. Mitnick shows that by using this information, you can find out almost anything you need to know to attain entry into a computer network. I think that this book is a "must read" for all individuals working in the IT/security sector, and its examples and techniques should be implemented into security awareness training programs everywhere. Forewarned is forearmed.
Rating: Summary: These Days More Than Ever Review: These days - more than ever - it's vital to realize how easily we can all get taken in by social engineers of every variety. This book read like a thriller (congratulations Simon) with information from Mitnick that will shock you. Homeland security should be hiring Mitnick and passing these books around the country. Companies will see how important it is for them but I see it as a way to fight terrorism. A book like this that has it all doesn't come along very often. A must read!
Rating: Summary: Cuts to the chase, and exposes the weakest link... Review: This book cuts to the chase, and exposes what was, currently is, and will continue to be the weakest link in computer security... the human element. Historically, people seem to take the path of least resistance. Give them a reason to believe you are who you say you are, and they will accept it. Give them a reason to think you're helping them (even with a problem they never knew they had until you pointed it out to them), and they will put at your disposal all their tools and information. We won't be able to make much inroads into security (of any kind) until we begin to change the essence of human nature... and that, my friend, is unlikely to change. Kevin Mitnick tells it like it is -- from the voice of experience. As obvious as some of the pretexts are, they worked for him... and will likely continue to work for the next generation's social engineer. Remember, the difference between truth and fiction is but a state of mind. Persuasion is still the key element... one that Mitnick has mastered. Read, learn, and avoid the simple mistakes of others. Thanks for the book, Kevin.