Slashdot Mirror


The Art of Deception

MasterSLATE writes "One of the weakest links in the most secure computer systems is the humans who operate them. No matter how well secured a computer, network or information may be, there are always people who will have contact with them from the inside. This is what the social engineer exploits in order to gain access. In The Art of Deception, Kevin Mitnick writes about the human element and how it can be manipulated and exploited to gain access to computer systems or 'secure' information." Read on for the rest of MasterSLATE's review.

Title: The Art of Deception
Author: Kevin Mitnick (& William L. Simon)
Pages: 346
Publisher: Wiley Publishing, Inc.
Rating: 9
Reviewer: MasterSLATE
ISBN: 0471237124
Summary: Geared toward the company security guy, but a good read for anyone interested in security, especially social engineering

What's to Like?

The Art of Deception is extremely easy to understand and actually fun to read.

The first part of the book, Behind the Scenes, contains the first chapter, Security's Weakest Link, which describes through many examples how and why the social engineer is able to manipulate people so easily to get what he wants.

Part 2, The Art of the Attacker, contains chapters 2-9, which describe various ways a social engineer can manipulate people over the phone. Each chapter tells of a different method that could be used to gain information. Each chapter also contains at least one example.

Part 3, Intruder Alert, contains chapters 10-14, which tell about different ways a social engineer can get inside a company, whether physically or through an internal contact. Each chapter contains at least one example.

Part 4, Raising the Bar, contains chapters 15 and 16, which explain how a company should create its security policies and training to prevent the social engineer from gaining access to sensitive information. These chapters are definitely more geared toward the executive, security analyst, or other specialist, as they contain specifics on what new policies should be implemented and why.

The last section in the book, Security at a Glance, contains some charts and information which should be read over by a more general audience, such as employees and other people that may be contacted by a social engineer.

And one sidenote: there's a nice little foreword by Woz (Steve Wozniak).

The Summary

Although this book is geared toward the company security expert, it also has appeal to anyone with an interest in social engineering. I found it to be a quick and fun read. As a social engineer, this book taught me new tactics to try as well as ways that my targets might be prevented from giving me the information I seek.

Table of Contents

Foreword
Preface
Introduction

Part 1 Behind the Scenes
* Chapter 1 Security's Weakest Link
Part 2 The Art of the Attacker
* Chapter 2 When Innocuous Information Isn't
* Chapter 3 The Direct Attack: Just Asking for It
* Chapter 4 Building Trust
* Chapter 5 "Let Me Help You"
* Chapter 6 "Can You Help Me?"
* Chapter 7 Phony Sites and Dangerous Attachments
* Chapter 8 Using Sympathy, Guilt and Intimidation
* Chapter 9 The Reverse Sting
Part 3 Intruder Alert
* Chapter 10 Entering the Premises
* Chapter 11 Combining Technology and Social Engineering
* Chapter 12 Attacks on the Entry-Level Employee
* Chapter 13 Clever Cons
* Chapter 14 Industrial Espionage
Part 4 Raising the Bar
* Chapter 15 Information Security Awareness and Training
* Chapter 16 Recommended Corporate Information Security Policies

Security at a Glance
Sources
Acknowledgments
Index

You can purchase The Art of Deception from bn.com.

15 of 236 comments

  1. The lost first chapter to the book.... by Ami Ganguli (Score: 5, Informative)

    The Register ran a review, along with the original first chapter of the book (which was cut by the editors).

    The first chapter is (or rather, was) a short bio and history of the Mitnick case. Interesting to read Kevin's side in his own words.

    The lost chapter

    --
    It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
  2. Table of Contents? by mmThe1 (Score: 4, Informative)

    May seem like a nitpick, but isn't this "review" more of a "Table of Contents with brief description of chapters"?

    Slashdot Book Review Guidelines

  3. excerpt available by squibix (Score: 2, Informative)
    The Register has an excerpt from the book:
    Mitnick had wished to include a brief biographical sketch debunking the legendary persona created by New York Times tech hack John Markoff and detailing his ordeal at the hands of federal prosecutors. Unfortunately, the publisher rejected what were to be the juiciest parts of Chapter One, but we thought you might like to see it anyway.
  4. A more informative review by phr2 (Score: 5, Informative)
    Here's a review by Rob Slade that's quite a bit more detailed than MasterSLATE's review.

    Before seeing Slade's review, I read most of The Art of Deception at the bookstore and decided not to buy it. I agree with most of what Slade says. The book is mostly aimed at PHB types and doesn't say all that much useful to techies. However, as a security implementer, I don't think trying to install paranoia in PHB's is such a bad thing. They are often completely unrealistic about vulnerabilities, so it's good to open their eyes a little.

  5. Excellent Book and Some Resources by webword (Score: 5, Informative)

    I'm reading this book now. Surprisingly, it isn't so much about technology and security. Instead, it is more about understanding humans. Despite the stereotype that geeks have for being socially incompetent, to be a truly good hacker using social engineering, you have to be good socially. Maybe not great, but pretty good. And, you need to know the right language and the right people to communicate with. Mitnick does a great job with this stuff and I am really enjoying the book. (However, I'm not so sure his tactics will work as well as they did a few years ago.)

    Here are some pretty good resources for learning more about social engineering:

    Social Engineering: What is it, why is so little said about it and what can be done?

    Social Engineering Fundamentals, Part I: Hacker Tactics

    Social Engineering: The Human Side Of Hacking

  6. Re:Protecting people via DMCA by PhilHibbs (Score: 3, Informative)

    "a technological measure that effectively controls access to a work protected under this title" is the exact wording.

  7. A weak book on security by prankster (Score: 3, Informative)

    I also read The Art of Deception

    I do not really know how to describe this book with its strange mixture of fact and fiction. Two-thirds of the book is stories of social engineering in all forms and shapes. That gets a bit long and tedious long before you have finished the 245 pages of it.

    The rest of the book consists of recommendations for raising the bar. A long list of things to do if you want to tighten security at your company.

    So does social engineering really work? Yes, my guess is that most people will not know what hit them even if you ask them afterwards.

    At the very least you should be convinced by Mitnick talking Steve Wozniak into writing the foreword (Kevin Mitnick is one of the finest people I know) and Wiley Publishing, Inc. into publishing what I consider a weak book on security. There are of course a few good points but they are too few and too far apart.

    The leading Danish financial newspaper, Børsen, wrote that it should be required reading for people with an IT security responsibility. I can only say that if you have an IT security responsibility and still need to read this book you are most likely in deep trouble.

    You should only bother reading The Art of Deception if you know next to nothing about the human aspect of security and then only if you really think you are safe.

  8. I read it... by Hanashi (Score: 5, Informative)
    This article wasn't much of a review, so I thought I'd chime in. I read this book recently, and here are some of my thoughts.

    First, what's in this book? The bulk of the book is given over to scenarios of different types of social engineering attacks. This includes things like acting helpless, offering help and guilting your victim into "owing you something", and pushing certain psychological buttons designed to make the victim feel whatever emotions you want. There's also some stuff about how to create a good security policy for your organization, but you can skip that. There are much better references for this sort of thing.

    What did I like? The scenarios sure are entertaining! The book covers a wide variety of different situations and goals, from tricking someone into telling you their password to gaining physical access to "secure" facilities. The authors tell the story of each attack both from the victim's point of view and from the attackers, then provide an analysis of why it worked and how it could have been prevented. Very valuable!

    What did I dislike? There's a substantial amount of repetition in the scenarios, but some may view that as useful reinforcement, so it's not necessarily a bad thing. As I said, I think the security policy section isn't very good, and it could easily have been left out.

    My overall impression is good, and I highly recommend this to anyone responsible for physical or information security in their organization.

    --
    Check out my eclectic infosec blog at InfoSecPotpou
  9. Actually, a series of reviews by mcleland (Score: 2, Informative)
    A series of reviews of this book (including the one in the parent) is also found on the Risks Digest with a more positive opinion of the book by Don Norman:

    Don Norman's praise,
    Rob Slade's review (same issue), and
    Don Norman's response to Slade's review

  10. Karma whore alert by jsse (Score: 2, Informative)

    I wondered if the author actually committed social crimes like Frank W. Abagnale :) who wrote the books The Art of the Steal and Catch Me If You Can - yes, the movie.

    (save your mod point elsewhere thanks. :)

  11. Ahem by tiltowait (Score: 3, Informative)

    Affiliate tags aside, according to OCLC's WorldCat about 450 libraries have this book available for lending free of charge. If your library doesn't, you can still usually order it through an interlibrary loan service.

  12. Re:On Mitnick by syle (Score: 2, Informative)
    He was held without a bail hearing for four and a half years. That is WRONG no matter what his crime was.

    Did he deserve his time in prison? I think so. Did he deserve to have the U.S. government trample his basic rights and freedoms? No.

    Read the sample chapter that someone posted a link to earlier. Remember 'Free Kevin'? Did you think it was just because everyone thought breaking the law was a Good Thing?

    --

    /syle

  13. More reviews of same book by Danta (Score: 2, Informative)

    There were recently 2 reviews of this book on the Risks mailing list: a positive one, a not-so-positive one, and a reply to the not-so-positive one.

  14. Did anybody see the 2600 review in 19:3? by josh crawley (Score: 2, Informative)

    "There was one chapter in particular that really stood out for me. This was the one where Mitnick told HIS side of the story - of the despair and frustration of being demonized in the media and locked away for five years. He told of his anger towards John Markoff, the New York Times reporter who wrote articles about Mitnick that seemed to demonize him and who later went on to write a book which turned into a movie - all while Mitnick languished in jail. I think in a way it was therapeutic for Mitnick to get his anger out at last and certainly about time that the public got to hear his words.

    But these are words you WON'T be hearing. Markoff's lawyers sent the book publishers a threatening letter that was about as long as the chapter itself and Wiley is no longer printing that part of the book. (They claim to have reached this decision independently.)"

    ---- Review by Emmanuel Goldstein

  15. Re:On Mitnick by Anonymous Coward (Score: 1, Informative)

    I'm not going to argue with you about whether or not Mitnick was a criminal, but I would like to raise a point about your conjecture that "all those years in jail, and post-jail constraints, were surely well-deserved."

    As I understand it, Mitnick was held without bail and without charges for quite some time, in violation of his civil rights. Extraordinary and perhaps fraudulent claims for damages suffered from theft of source code (the same source that the victim made available through legitimate means) were made against him. Mitnick, a nonviolent and generally irrelevant criminal from the standpoint of doing a quantifiable amount of damage to people, suffered the kind of treatment that is normally reserved for today's "terrorists" under Ashcroft's new constitution-free justice system. Were our best interests really served here?

    When we throw the likes of two-bit Mitnicks into jail for years and let the Ken Lays of Enron and the Cheneys of Halliburton walk scot-free with a wink and a nudge, it's pretty hard to keep denying the serious problems that our society and our government have with their priorities.