The Art of Deception
The Art of Deception is extremely easy to understand and actually fun to read.
The first part of the book, Behind the Scenes, contains the first chapter, Security's Weakest Link, which describes through many examples how and why the social engineer is able to so easily manipulate people to get what he wants.
Part 2, The Art of the Attacker, contains chapters 2-9, which describe various ways a social engineer can manipulate people over the phone. Each chapter tells of a different method that could be used to gain information. Each chapter also contains at least one example.
Part 3, Intruder Alert, contains chapters 10-14, which tell about different ways a social engineer can get inside a company, whether physically or through an internal contact. Each chapter contains at least one example.
Part 4, Raising the Bar, contains chapters 15 and 16, which explain how a company should create their security policies and training to prevent the social engineer from gaining access to sensitive information. These chapters are definitely more geared toward the executive, security analyst, or other specialist, as they contain specifics on what new policies should be implemented and why.
The last section in the book, Security at a Glance, contains some charts and information which should be read over by a more general audience, such as employees and other people that may be contacted by a social engineer.
And one sidenote: there's a nice little foreword by Woz (Steve Wozniak).
The Summary
Although this book is geared toward the company security expert, this book also has appeal to anyone with an interest in social engineering. I found it to be a quick and fun read. As a social engineer, this book taught me new tactics to try as well as ways that my targets might be prevented from giving me information I seek.
Table of Contents
Foreword
Preface
Introduction
Part 1 Behind the Scenes
* Chapter 1 Security's Weakest Link
Part 2 The Art of the Attacker
* Chapter 2 When Innocuous Information Isn't
* Chapter 3 The Direct Attack: Just Asking for It
* Chapter 4 Building Trust
* Chapter 5 "Let Me Help You"
* Chapter 6 "Can You Help Me?"
* Chapter 7 Phony Sites and Dangerous Attachments
* Chapter 8 Using Sympathy, Guilt and Intimidation
* Chapter 9 The Reverse Sting
Part 3 Intruder Alert
* Chapter 10 Entering the Premises
* Chapter 11 Combining Technology and Social Engineering
* Chapter 12 Attacks on the Entry-Level Employee
* Chapter 13 Clever Cons
* Chapter 14 Industrial Espionage
Part 4 Raising the Bar
* Chapter 15 Information Security Awareness and Training
* Chapter 16 Recommended Corporate Information Security Policies
Security at a Glance
Sources
Acknowledgments
Index
You can purchase The Art of Deception from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Doesn't the US DMCA NOT allow for tools that bypass security? I wonder how soon it will be before someone tries to use the DMCA against someone who used social engineering.
"If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
there are always people that will have contact with them from the inside
Can't you get cryptographic keys that are sealed inside a black box device so that no-one can access them? Couldn't this sort of thing be done for at least some hardware?
Oh dear, I think I've just justified security through obfuscation.
Is generally the users. Excluding those who run open mail relays, most servers/sysadmins have enough brains not to run the file in their email coming with a message:
This iz a very fun game
I hope you anjoy it
I made this just for u
How users manage to continually fall for this idiocy is beyond me, but they do. My family is a prime example of this (they refer to me when something dies, but never listen to my "do not open attachments" rant): thus, they now get Mozilla and I'll probably block emails with .exe/.vbs/etc entirely.
Just based on the chapter titles, I think tricks such as the "Let me help you", etc are probably some of the nastiest. Considering the many people who seem to know shiat about programming and come for help, it wouldn't be hard to slip something cruel into your "sample code."
It's amazing how, after helping somebody directly with something for 30 minutes or so, they're suddenly willing to let me
a) Have root access to their machine ('nix)
b) Control their PC (netmeeting/etc windows)
Luckily I'm a nice person, but not everybody is so helpful as they appear. Social engineering is definitely an increasing trend, which is leading to user paranoia. I still don't think that the statement "One of the weakest links to the most secured computer systems are the humans that operate them."
A good sysadmin will block a lot of things that lead to exploitation (unused ports, etc), and perhaps notice odd happenings/traffic. It's the operators of the less-secure systems (clients) that are at risk most often.
SmartCard security, ATM cards, and a host of other security solutions (not just along the card theme) already employ the "Something you have, something you know" security scheme in which sensitive things can only be accessed if you have both a device (usually containing some sort of identifier) as well as a password.
Another interesting version of this system involves a keychain or some similar device that contains a computer whose only job is to take some encryption key and scramble it every n time interval. The central server is doing the same thing. The end result is that the user has to know two passwords - his normal password, plus a key that changes every minute or what have you.
One of the anecdotes in this book exploits a SecurID, using a well-meaning 3rd party. Basically a caller poses as an employee when talking to an operator during a snowstorm. He says he needs to get some work done, but he left his SecurID on his desk. The operator doesn't want to go to the desk to get it, so instead he gives his own SecurID number and PIN to the caller. This was probably one of the most clever manipulations in the book.
Fundamentally, any time you have a human involved in a process, you have a potential security hole.
-Alison
Not really, there are plenty of people who are not willing to take bribes.
The easiest way to manipulate people is to pretend to be their friend. We tend to let our friends do things that don't jive with bureaucratic and annoying rules, because they are friends.
Nazi-like policies and a lack of user education from arrogant and obnoxious IT people results in social engineering exploits.
Conformity is the jailer of freedom and enemy of growth. -JFK
You wrote: "However, I'm not so sure his tactics will work as well as they did a few years ago"
That's because we're so much smarter about security now, right?
Well, we are smarter now. We are the people who have been around computers for a few years now (enough to be interested in /. reviews of security books). However, every single day there's a new sucker using a computer for the very first time.
I'm absolutely certain that I could successfully use all of those tricks against the company I currently work for.
But I've cut off his thumb, let me in...
The reader would probably check if there is blood circulating through the thumb. I don't know about the commercial fingerprint readers, but the retinal scanners definitely do that. You could maybe fool them with some kind of specialized pump, but it's not something the average thief could concoct.
-a
"The majority of the successful attacks on operating systems come from only a few software vulnerabilities ..."
That's basically why the Counterpane guys are now leaning towards "distributed security." The idea is not to let any one password (or person) have enough access to anything to cause problems. I read an article somewhere in which Schneier pointed out, among other stuff, that far too many people use the same password everywhere. Thus if you get hacked on amazon.com, the thief will get into your fidelity.com account and your employer's network as well.
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
A HUGE part of my job is preventing social engineering type stuff (or if you want to be specific - evaluating the degree to which a client has successfully implemented good risk management and security management). I interview people all the time, and I assure you that waving $100 is the most sure fire way to not get what you want.
People are more afraid of getting caught, of losing their job or of getting in trouble than I think you realize. That said, it is amazing the things people do, if they think they're supposed to do them.
I'll routinely call people at a client and just start asking questions to total strangers. I've been in server rooms interviewing people and I'll ask questions like, "How does a visitor get access to this room?" When they answer, I'll ALWAYS follow up with, "Why was I not subjected to that procedure?" I'm legitimately supposed to get access to the information I get, and I sign NDAs and get approval for everything I do. Not once have I ever been challenged to provide that information. (For some reason, if you call the manager of a department and tell him that you'll be talking to his employees and why - they assume you're legitimate.)
Show up, talk the talk and look like you belong there and people will tell you anything. Wave around $100 and people call security.
I hope I'm not the only one out there who gets disgusted every time I hear the term "social engineering" used to describe what is essentially taking advantage of individuals who are only guilty of being naive and trusting. I've spent my entire adult life around engineers, and almost without exception, the one thing they all had in common was that they work hard to create something new and useful for the benefit of others. The coining of the term "social engineering" to describe the under-handed techniques used to get people to betray the security of their system is, to me, an affront to engineers everywhere. I have no idea what thought process led Mr. Mitnick to describe what is essentially a con artist as some sort of engineer. In my mind, an engineer is someone you can trust and can rely on to get a job done. The key words being trust and rely upon.
Mr. Mitnick, if you are reading this, I would ask that you please reconsider popularizing the term "social engineering" to describe what you did. I'd much rather the term engineer continue to be synonymous with helpful and useful rather than deceitful and untrustworthy.
(For a better example of what I would consider social engineering, please refer to _Childhood's End_ by Arthur C. Clarke.)