The Art of Deception
The Art of Deception is extremely easy to understand and actually fun to read.
The first part of the book, Behind the Scenes contains the first chapter, Security's Weakest Link, which describes through many examples how and why the social engineer is able to so easily manipulate people to get what he wants.
Part 2, The Art of the Attacker, contains chapters 2-9, which describe various ways a social engineer can manipulate people over the phone. Each chapter tells of a different method that could be used to gain information. Each chapter also contains at least one example.
Part 3, Intruder Alert, contains chapters 10-14, which tell about different ways a social engineer can get inside a company, whether physically or through an internal contact. Each chapter contains at least one example.
Part 4, Raising the Bar, contains chapters 15 and 16, which explain how a company should create their security policies and training to prevent the social engineer from gaining access to sensitive information. These chapters are definitely more geared toward the executive, security analyst, or other specialist, as they contain specifics on what new policies should be implemented and why.
The last section in the book, Security at a Glance, contains some charts and information which should be read over by a more general audience, such as employees and other people that may be contacted by a social engineer.
And one sidenote: there's a nice little foreword by Woz (Steve Wozniak).
The Summary
Although this book is geared toward the company security expert, it also has appeal to anyone with an interest in social engineering. I found it to be a quick and fun read. As a social engineer, this book taught me new tactics to try as well as ways that my targets might be prevented from giving me the information I seek.
Table of Contents
Foreword
Preface
Introduction
Part 1 Behind the Scenes
* Chapter 1 Security's Weakest Link
Part 2 The Art of the Attacker
* Chapter 2 When Innocuous Information Isn't
* Chapter 3 The Direct Attack: Just Asking for It
* Chapter 4 Building Trust
* Chapter 5 "Let Me Help You"
* Chapter 6 "Can You Help Me?"
* Chapter 7 Phony Sites and Dangerous Attachments
* Chapter 8 Using Sympathy, Guilt and Intimidation
* Chapter 9 The Reverse Sting
Part 3 Intruder Alert
* Chapter 10 Entering the Premises
* Chapter 11 Combining Technology and Social Engineering
* Chapter 12 Attacks on the Entry-Level Employee
* Chapter 13 Clever Cons
* Chapter 14 Industrial Espionage
Part 4 Raising the Bar
* Chapter 15 Information Security Awareness and Training
* Chapter 16 Recommended Corporate Information Security Policies
Security at a Glance
Sources
Acknowledgments
Index
You can purchase The Art of Deception from bn.com.
I mean, look at an article on TechTV as far back as October 2001 that points out such human blunders as "Default installs of operating systems and applications" or "Accounts with no passwords or weak passwords".
Perhaps this quote from an Oct '02 SANS/FBI article points out the worth of this book, where they say:
Which is why I think books such as "The Art of Deception" are as needed as biometric identification systems to secure your computer facilities.
healyourchurchwebsite.com - WWJB?
This isn't a review. It's a Table of Contents! Was the book even read?
....can scale any fortress wall.
Philip of Macedon said that (I seem to remember) 2300 years ago. To put it short, more codes have been cracked and more defenses of any kind have been breached by exploiting simple human weakness than any clever hacking/engineering ever has and ever will. It usually is the easiest way. Take the Enigma code: it was cracked, partly, because of the simplistic and repetitive choices of code key words made by the Wehrmacht communications personnel. It never ceases to amaze me how deeply this fact disappoints the tech freaks of this world. If I had to guess, all the nerds at CIA-Langley with all their cool equipment will not contribute even half as much to catching Osama Bin Laden or determining his fate as simple traitors within Al Qaeda will do.
Only to idiots, are orders laws.
-- Henning von Tresckow
1) Ideally build security around "what you have/what you know" to the greatest extent possible.
;) If the employee gives out their login info, you send them an email letting them know that they should NEVER give out login information to ANYONE for ANY REASON, and tell them to change their password. Explain that passwords are not accessible to anyone, and that login information is available to anyone who would be investigating security problems. If it happens again, send an email to their manager as well ;-)
2) Train, train, train!
3) Just like you do a network security audit from time to time, do mock attacks! Call up an employee and use something like the following script (modified each time):
"Hi, my name is Joe Angstrom. I work over in IT."
"We are investigating a potential security problem on our network and need to ask you a few questions. Have you noticed anything strange about your computer recently?"
"Thank you, this has been very helpful. There is one more thing. So that we can be sure of this, could you verify your username and password?"
Just make sure that it is approved before you do it.
The point is: human factors can be mitigated by training, but no one puts that effort into it.
LedgerSMB: Open source Accounting/ERP
Perhaps he's trying to turn his life around and teach people lessons that can help thwart people like he used to be. He's out of prison and has served his time; give him a chance to turn around and give him the benefit of the doubt. He knows what he knows, and the information he can provide can help security.
Of course, don't answer any of his questions about your network, either.
There are plenty of ex-criminals that went on to give plenty of good to society or to hold positions of power. Have you seen 'Catch Me If You Can'? Based on a true story/book, it's about the guy who went on to work for the check fraud division of the FBI. Is that another ex-criminal who should be working at some grocery store bagging groceries instead of lending his talents later to banks to help prevent fraud?
That attitude (once a con, always a con) is part of the problem of recidivism; if convicts could make a decent living like most people, they wouldn't have to go back to crime.
I thought the "Free Kevin" stuff was kind of silly once he was charged with a crime. I don't know much about this particular case, anyway, so.
Dan