===============================================================
T H E   S E C U R I U S   N E W S L E T T E R
===============================================================
December 23, 2002 | Vol. 3, #04 | http://www.securius.com/

CONTENTS:
* Book Review -- The Art of Deception

===============================================================
A service of PC Guardian | San Rafael, California
Computer security products | http://www.pcguardian.com/
"Protecting Computers & Data Worldwide -- Since 1984"
===============================================================

--------------------------------------------------------
THE ART OF DECEPTION
--------------------------------------------------------

Author: Kevin D. Mitnick (and William L. Simon)
Publisher: Wiley
Pub. Date: October 4, 2002
Length: 352 pages
To buy on Amazon.com:
http://www.amazon.com/exec/obidos/ASIN/0471237124/pcguardian-20

Computer security has always been about technical countermeasures designed to prevent a threat agent or attacker from subverting computer systems. Elaborate hardware and software systems have been designed and deployed to protect the confidentiality, integrity, and availability of computer systems -- almost all of these systems rely on robust technologies like encryption and firewalls.

In many scenarios, direct attacks on computer security systems involve a heavy workload. For example, breaking the 256-bit AES cipher by brute force -- that is, by guessing every possible key until the correct one is discovered -- could take centuries or billions of dollars or both.

In his book, _The Art of Deception: Controlling the Human Element of Security_, Kevin Mitnick makes the point: why bother attacking technology when the weakest link is not the computer hardware or software but rather the wetware, the human operators who can be tricked into giving up the secrets of the machine?
The subject of several books and a Hollywood movie, Mitnick was a famous hacker who eluded the authorities for years before his arrest in 1995. His case and subsequent imprisonment created a cause célèbre that sparked a "Free Kevin" movement online (see http://www.freekevin.com). He's on the outside now, selling a book that provides dozens of examples of how computer security can be subverted by con artists through a set of techniques called "social engineering".

In the front matter of _The Art of Deception_, Mitnick states that social engineering "uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. The social engineer is able to take advantage of people to obtain information with or without the use of technology."

Mitnick's stories are designed to allow the reader to "witness" how social engineering works. He alternates between the point of view of the attacker and the point of view of the victim. The narratives contain a predictable assortment of bad actors (private investigators, amoral headhunters, industrial spies, bank thieves), targets (banks, tech firms, phone companies), and con techniques (sympathy, guilt, intimidation). Many of the stories feature trusting and gullible employees who give out seemingly harmless information, which the attacker then uses to gain trust or acquire further access.

None of this information will come as a surprise to information security professionals, who don't need a book to tell them, for example, that there's no easy way to identify incoming callers (even Caller ID can be subverted) and that sensitive information should not be given out over the phone to unknown parties. But this book has the potential to rapidly enlighten many of the front-line gatekeepers -- receptionists, sales reps, customer service personnel -- who are so frequently the target of deception.
Mitnick doesn't say so, but an obvious goal of the book is to scare people into a stiffer and more secure social posture. The kinds of cons that Mitnick discusses are used in a variety of contexts, including email spam, telemarketing, and identity theft, so the moral of his stories has broad significance. In case the reader needs a reminder to take it all with a grain of salt, Mitnick baldly recommends that companies buy copies of the book for every employee. As another reviewer has noted: Nice try, Kevin!

Mitnick's message is important. His book is very persuasive and fairly well written. But I found this work disappointing. Mitnick has a great book inside of him, but _The Art of Social Engineering_ is not it. Due to the terms of his probation, Mitnick could not write about his own hacking exploits, his life on the run, how he evaded the FBI, or life in prison. He writes around this by claiming that all the stories in the book are fictional -- a stilted technique that dilutes the impact of his message.

Like it or not, Mitnick has attained a certain notoriety. After reading about Mitnick in _Cyberpunk: Outlaws and Hackers on the Computer Frontier_ by Katie Hafner and John Markoff, what I really want from Mitnick is a "tell all" book that names names and describes real-world exploits. Perhaps someday, Mitnick will deliver the real goods.

In the meantime, there's some hope that _The Art of Deception_ will scare enough people silly that it actually becomes harder for the social engineers to ply their trade. On the other hand, for every sucker that smartens up, another one is born.

See you next issue. 'Til then, keep your guard up!

===============================================================
ABOUT THIS NEWSLETTER

The Securius Newsletter is published periodically by PC Guardian.
For information about our simple and effective crypto software and anti-theft devices, please visit us at http://www.pcguardian.com/

You can find our archive of back issues at http://www.securius.com/

SUBSCRIBING/UNSUBSCRIBING

To unsubscribe from this newsletter, send an email to leave-securius-nl@lists.securius.com
To subscribe to this newsletter, send an email to join-securius-nl@lists.securius.com

FEEDBACK OR QUESTIONS

Write the author, Seth T. Ross
sross@pcguardian.com
PC Guardian
1133 East Francisco Blvd.
San Rafael, CA 94901 US

ABOUT THE AUTHOR

Seth is the Chief Strategy Officer at PC Guardian and author of the book, _UNIX System Security Tools_ (McGraw-Hill 1999):
http://www.amazon.com/exec/obidos/ASIN/0079137881/pcguardian-20

SPECIAL THANKS TO

Emily Navarre, editor extraordinaire

FORWARD THIS MAIL RIGHT NOW

Please take a moment and forward this newsletter to a colleague or friend.

===============================================================
Redistribution of this newsletter is permitted, as long as the entire message body and this notice are included.
Copyright 2002 PC Guardian. All rights reserved.