Slashdot Mirror
The Art of Deception
The Art of Deception is extremely easy to understand and actually fun to read.
The first part of the book, Behind the Scenes contains the first chapter, Security's Weakest Link, which describes through many examples how and why the social engineer is able to so easily manipulate people to get what he wants.
Part 2, The Art of the Attacker, contains chapters 2-9, which describe various ways a social engineer can manipulate people over the phone. Each chapter tells of a different method that could be used to gain information. Each chapter also contains at least one example.
Part 3, Intruder Alert, contains chapters 10-14, which tell about different ways a social engineer can get inside a company, whether physically or through an internal contact. Each chapter contains at least one example.
Part 4, Raising the Bar, contains chapters 15 and 16, which explain how a company should create their security policies and training to prevent the social engineer from gaining access to sensitive information. These chapters are definitely more geared toward the executive, security analyst, or other specialist, as they contain specifics on what new policies should be implemented and why.
The last section in the book, Security at a Glance, contains some charts and information which should be read over by a more general audience, such as employees and other people that may be contacted by a social engineer.
And one sidenote: there's a nice little foreword by Woz (Steve Wozniak).
The Summary Although this book is geared toward the company security expert, this book also has appeal to anyone with an interest in social engineering. I found it to be a quick and fun read. As a social engineer, this book taught me new tactics to try as well as ways that my targets might be prevented from giving me information I seek.Table of Contents
Foreword
Preface
Introduction
Part 1 Behind the Scenes
* Chapter 1 Security's Weakest Link
Part 2 The Art of the Attacker
* Chapter 2 When Innocuous Information Isn't
* Chapter 3 The Direct Attack: Just Asking for It
* Chapter 4 Building Trust
* Chapter 5 "Let Me Help You"
* Chapter 6 "Can You Help Me?"
* Chapter 7 Phony Sites and Dangerous Attachments
* Chapter 8 Using Sympathy, Guilt and Intimidation
* Chapter 9 The Reverse Sting
Part 3 Intruder Alert
* Chapter 10 Entering the Premises
* Chapter 11 Combining Technology and Social Engineering
* Chapter 12 Attacks on the Entry-Level Employee
* Chapter 13 Clever Cons
* Chapter 14 Industrial Espionage
Part 4 Raising the Bar
* Chapter 15 Information Security Awareness and Training
* Chapter 16 Recommended Corporate Information Security Policies
Security at a Glance
Sources
Acknowledgments
Index
You can purchase The Art of Deception from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Doesn't the US DCMA NOT allow for tools that bypass security? I wonder how soon it will be before someone tries to use the DCMA against someone who used social engineering.
"If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
there are always people that will have contact with them from the inside
Can't you get cryptographic keys that are sealed inside a black box device so that no-one can access them? Couldn't this sort of thing be done for at least some hardware?
Oh dear, I think I've just justified security through obfuscation.
Dear Amazon.com,
I would like to get a copy of "The Art of Deception", however my grandmother needs surgery and I can't spare any money at the moment. If you'd like to lend me a copy please feel free to email for shipping information.
I, and my grandmother, thank you.
grubby
Trolling is a art,
The Register ran a review, along with the original first chapter of the book (which was cut by the editors).
The first chapter is (or rather, was) a short bio and history of the Mitnik case. Interesting to read Kevin's side in his own words.
The lost chapter
It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
"Chapter 2 When Innocuous Information Isn't"
All the little bits and pieces of info can sure add up to a major security hole if they are collected by the right person...
As a social engineer, this book taught me new tactics to try as well as ways that my targets might be prevented from giving me information I seek.
You misspelled "criminal".
I mean look at an article on TechTV as far back as October 2001 that point out such human blunders as "Default installs of operating systems and applications" or "Accounts with no passwords or weak passwords"
Perhaps this quote from a Oct '02 SANS/FBI article point out the worth of this book where they say:
Which is why I think books such as "The Art of Deception" are as needed as biometric identification systems to secure your computer facilities.
healyourchurchwebsite.com - WWJB?
This isn't a review. It's a Table of Contents! Was the book even read?
Is generally the users. Excluding those who run open mail relays, most servers/sysadmins have enough brains not to run the file in their email coming with a message:
.exe/.vbs/etc entirely.
This iz a very fun game
I hope you anjoy it
I made this just for u
How users manage to continually fall for this idiocy is beyond me, but they do. My family is a prime example of this (they refer to me when something dies, but never listen to my "do not open attachments" rant): thus, they now get Mozilla and I'll probably block emails with
Just based on the chapter titles, I think tricks such as the "Let me help you", etc are probably some of the nastiest. Considering the many people who seem to know shiat about progamming and come for help, it wouldn't be hard to slip something cruel into your "sample code."
It's amazing how, after helping somebody directly with something for 30 minutes or so, they're suddenly willing to let me
a) Have root access to their machine ('nix)
b) Control their PC (netmeeting/etc windows)
Luckily I'm a nice person, but not everybody is so helpful as they appear. Social engineering is definately an increasing trend, which is leading to user pananoia. I still don't think that the statement "One of the weakest links to the most secured computer systems are the humans that operate them."
A good sysadmin will block a lot of things that lead to exploitation (unused ports, etc), and perhaps notice odd happenings/traffic. It's the operators of the less-secure systems (clients) that are at risk most often.
I read this recently, and although it's a pretty good introduction to the conman profession, I was a little disappointed in the lack of actual examples of clever hacking.
The book is primarily about social engineering. Most of the example crimes in this book could have been perpetrated by folks who had no more than a casual acquaintance with the inner workings of computers. In other words, Mitnick tells you how to exploit the stupidity of human beings in large organization, and not how to exploit weaknesses in operating systems and security software.
Part of this is probably due to court-ordered vagueness; the court obviously didn't want Mitnick spreading dangerous knowledge.
On the other hand, Mitnick is probably correct in his contention that the greatest factor leading to compromised systems is the naivete of the folks who work with them.
May seem like a nitpick, but isn't this "review" more of a "Table of Contents with brief description of chapters"?
Slashdot Book Review Guidelines
It's a knack, social engineering.
I've read the book, and just like some people couldn't sell food to a starving man, only a few people can pull it off.
Get one tiny piece of information from one person, another from another, and after a while, enough of those pieces make you sound like you are an employee. And we all help our fellow downtrodden, overworked employees, don't we.
EG. If you have an intranet at work, I bet you have a nickname for it. And if someone asked you for something from it, and said "I can't get to the XXXX today, not sure why, it seems to be down..." you'd probably go and find the info for them.
Get your own free personal location tracker
Before seeing Slade's review, I read most of The Art of Deception at the bookstore and decided not to buy it. I agree with most of what Slade says. The book is mostly aimed at PHB types and doesn't say all that much useful to techies. However, as a security implementer, I don't think trying to install paranoia in PHB's is such a bad thing. They are often completely unrealistic about vulnerabilities, so it's good to open their eyes a little.
...and it seemed quite boring to me, probably because he was preaching to the choir when it comes to security people, as the book was geared more for CIOs and other management types.
He had an interesting way of presenting various stories of of how people can penetrate by switching to a first-person view of both the victim and then the attacker. It was a bit annoying how the "attacker" would be portrayed as 1337 sometimes, but it was an interesting approach, especially since some of the stories were possibly Mitnick himself.
Overall, though, I was underwhelmed.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
I'm reading this book now. Surprisingly, it isn't so much about technology and security. Instead, it is more about understanding humans. Despite the sterotype that geeks have for being socially incompetent, to be a truly good hacker using social engineering, you have to be good socially. Maybe not great, but pretty good. And, you need to know the right language and the right people to communicate with. Mitnik does a great job with this stuff and I am really enjoying the book. (However, I'm not so sure his tactics will work as well as they did a few years ago.)
Here are some pretty good resources for learning more about social engineering:
Social Engineering: What is it, why is so little said about it and what can be done?
Social Engineering Fundamentals, Part I: Hacker Tactics
Social Engineering: The Human Side Of Hacking
How to Download YouTube Videos
SmartCard security, ATM cards, and a host of other security solutions (not just along the card theme) already employ the "Something you have, something you know" security scheme in which sensitive things can only be accessed if you have both a device (usually containing some sort of identifier) as well as a password.
Another interesting version of this system involves a keychain or some similar device that contains a computer whose only job is to take some encryption key and scramble it every n time interval. The central sever is doing the same thing. The end result is that the user has to know two passwords - his normal password, plus a key that changes every minute or what have you.
Am I the only participant to this forum who thinks that any admiration on Mitnick is admiration on a crook? As this book clearly seems to illustrate, the basis of his success as a cracker was his ruthlessness and willingness to lie and deceive people, rather than his technical prowess.
I.e. Mr. Mitnick is a criminal, who may or may not have extraordinary technological savvy; all those years in jail, and post-jail constraints, were surely well-deserved.
I also read The Art of Deception
I do not really know how to describe this book with its strange mixture of fact and fiction. 2/3 of the book are stories of social engineering in all forms and shapes. That gets a bit long and tedious long before you have finished the 245 pages of it.
The rest of the book consists of recommendations for raising the bar. A long list of things to do if you want to tighten security at your company.
So does social engineering really work? Yes, my guess is that most people will not know what hit them even if you ask them afterwards.
At the very least you should be convinced by Mitnick talking Steve Wozniak into writing the foreword (Kevin Mitnick is one of the finest people I know) and Wiley Publishing, Inc. into publishing what I consider a weak book on security. There are of course a few good points but they are too few and too far apart.
The leading Danish financial newspaper, Børsen, wrote that it should be required reading for people with an IT security responsibility. I can only say that if you have an IT security responsibility and still need to read this book you are most likely in deep trouble.
You should only bother reading The Art of Deception if you know next to nothing about the human aspect of security and then only if you really think you are safe.
The Art of Deception is extremely easy to understand and actually fun to read.
More like:
Chapter 7: Porn Sites and Dangerous Screen Savers
HallmarkOrnaments.Com
One of the anecdotes in this book exploits a SecurID, using a well-meaning 3rd party. Basically a caller poses as an employee when talking to an operator during a snowstorm. He says he needs to get some work done, but he left his SecurID on his desk. The operator doesn't want to go to the desk to get it, so instead he gives his own SecurID number and PIN to the caller. This was probably one of the most clever manipulations in the book.
Fundamentally, any time you have a human involved in a process, you have a potential security hole.
-Alison
Not really, there are plenty of people are not willing to take bribes.
The easiest way to manipulate people is to pretend to be their friend. We tend to let our friends do things that don't jive with bueracratic and annoying rules, because they are friends.
Nazi-like policies and a lack of user education from arrogant and obnoxious IT people results in social engineering exploits.
Conformity is the jailer of freedom and enemy of growth. -JFK
....can scale any fortress wall.
Philip of Macedon said that (I seem to remember) 2300 year ago. To put it short more codes have been cracked and more defenses of any kind have been breached by exploiting simple human weakness than any clever hacking/engineering ever has and ever will. It usually is the easyest way. Take the Enigma code, it was cracked, partly, because of the simplistic and repetitive choices of code key words made by the Wehrmacht communications personnel. It never ceases to amaze me how deeply this fact disappoints the tech freaks of this world. If I had to guess all the nerds at CIA-Langley with all their cool equipment will not contribute even half as much to catching Osam Bin Landen or determining his fate as simple traitors within Al Quaeda will do.
Only to idiots, are orders laws.
-- Henning von Tresckow
First, what's in this book? The bulk of the book is given over to scenarios of different types of social engineering attacks. This includes things like acting helpless, offering help and guilting your victim into "owing you something", and pushing certain psychological buttons designed to make the victim feel whatever emotions you want. There's also some stuff about how to create a good security policy for your organization, but you can skip that. There are much better references for this sort of thing.
What did I like? The scenarios sure are entertaining! The book covers a wide variety of different situations and goals, from tricking someone into telling you their password to gaining physical access to "secure" facilities. The authors tell the story of each attack both from the victim's point of view and from the attackers, then provide an analysis of why it worked and how it could have been prevented. Very valuable!
What did I dislike? There's a substantial amount of repetition in the scenarios, but some may view that as useful reinforcment, so it's not necessarily a bad thing. As I said, I think the security policy section isn't very good, and it could easily have been left out.
My overall impression is good, and I highly recommend this to anyone responsible for physical or information security in their organization.
Check out my eclectic infosec blog at InfoSecPotpou
But I've cut off his thumb, let me in...
The reader would probably check if there is blood circulating through the thumb. I don't know about the commmercial fingerprint readers, but the retinal scanners definitely do that. You could maybe fool them with some kind of specialized pump, but it's not something the average thief could concoct.
-a
1) Ideally build security around "what you have/what you know" to the greatest extent possible.
;) If the employee gives out their login info, you send them an email letting them know that they should NEVER give out login information to ANYONE for ANY REASON, and tell them to change their password. Explain that passwords are not accessible to anyone, and that login information is available to anyone who would be investigating security problems. If it happens again, send an email to their manager as well ;-)
2) Train, train, train!
3) Just like you do a network security audit from time to time, do mock attacks! Call up an employee and use something like the following script (modified each time)
"Hi, my name is Joe Angstrom. I work over in IT."
"We are investigating a potential security problem on our network and need to ask you a few questions. Have you noticed anything strange about your computer recently?"
"Thank you, this has been very helpful. There is one more thing. So that we can be sure of this, could you verify your username and password?"
Just make sure that it is approved of before you do it
The point is-- human factors can be mitigated by training, but no one puts that effort into things.
LedgerSMB: Open source Accounting/ERP
A HUGE part of my job is preventing social engineering type stuff (or if you want to be specific - evaluating the degree to which a client has successfully implemented good risk management and security management). I interview people all the time, and I assure you that waving $100 is the most sure fire way to not get what you want.
People are more afraid of getting caught, of loosing their job or of getting in trouble than I think you realize. That said, it is amazing the things people do, if they think they're supposed to do them.
I'll routinely call people at a client and just start asking questions to total strangers. I've been in server rooms interviewing people and I'll ask questions like, "How does a visitor get access to this room?" When they answer, I'll ALWAYS follow up with, "Why was I not subjected to that procedure?" I'm legitimately supposed to get access to the information I get, and I sign NDAs and get approval for everything I do. Not once have I ever been challenged to provide that information. (For some reason, if you call the manager of a department and tell him that you'll be talking to his employees and why - they assume you're legitimate.)
Show up, talk the talk and look like you belong there and people will tell you anything. Wave around $100 and people call security.
Affiliate tags aside, according to OCLC's WorldCat about 450 libraries have this book available for lending free of charge. If you library doesn't, you can still usually order it through an interlibrary loan service.
Am I the only participant to this forum who thinks that any admiration on Mitnick is admiration on a crook?
Actually, I haven't really seen too many posts here glorifing Mitnick so I don't know where your incredulous attitude is coming from. I agree that he is not someone to be admired. I'm guessing that a large number of slashdotters do too. However, we are interested in what he has to say, regardless of whether he was a decent person or not. He did manage to pull off quite a few feats. There are a lot of people here saying things like "Oh, that's obvious" and "He has no technical skill." So what? He has shown us that technical skill is really not required. As technical/science/engineering types here, we are interested in discovering the truth -- even if the truth is underwhelming when we finally get to it.
I.e. Mr. Mitnick is a criminal, who may or may not have extraordinary technological savvy; all those years in jail, and post-jail constraints, were surely well-deserved.
True enough. But there is something to be learned from his book (I'm guessing here -- I haven't read it). That's why the review is here on slashdot. That, in an of itself, doesn't imply that we're all Mitnick fanboys around here.
GMD
watch this
You could always just take Bob's thumb. You could also find out some piece of information about Bob that could be used to make Bob want to let you in. You could drug Bob. You or someone working for you could seduce Bob. You could offer Bob a large amount of money/pr0n/whateverelseBobwants. You could convince Bob that you are good and that the person running the system you want access to is evil and that Bob should let you in.
Do not fool yourself *anytime* there is a human involved you can use social engineering to get in.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
To prevent cracking security in human beings. At least until God releases a patch.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
He'll be able to read it online in a week. From this article, Mitnick has been banned from using the Internet as a condition of his supervised release. He's free to go online again on January 21, 2003, after close to eight years offline. The first site he'll visit is his girlfriend's blog.
I just read this book too. It really does make you think about how easy it would be for someone to manipulate you or your coworkers. The book is full of suggestions, especially the last few chapters. The chapter about training and warning employees prompts to add security awareness training both for new hires and continued, and retool policy and procedures in a way that employees will follow them. Sadly, a friend of mine showed up at work Monday to find out that 10 laptops, including hers, had been stolen. Security had no record of unauthorized access which makes it seem like it had to have been some kind of social engineering.