Securius Newsletter

December 23, 2002
Volume 3, Number 4
http://www.securius.com

Book Review — The Art of Deception

By Seth Ross

Author: Kevin D. Mitnick (and William L. Simon)
Publisher: Wiley
Pub. Date: October 4, 2002
Length: 352 pages
To buy on Amazon.com:
http://www.amazon.com/exec/obidos/ASIN/0471237124/pcguardian-20

Computer security has always been about technical countermeasures designed to prevent a threat agent or attacker from subverting computer systems. Elaborate hardware and software systems have been designed and deployed to protect the confidentiality, integrity, and availability of computer systems -- almost all of these systems rely on robust technologies like encryption and firewalls. In many scenarios, direct attacks on computer security systems involve a heavy workload. For example, breaking the 256-bit AES cipher by brute force -- that is, by guessing every possible key until the correct one is discovered -- could take centuries or billions of dollars or both.

In his book, The Art of Deception: Controlling the Human Element of Security, Kevin Mitnick makes the point: why bother attacking technology when the weakest link is not the computer hardware or software but rather the wetware, the human operators who can be tricked into giving up the secrets of the machine? The subject of several books and a Hollywood movie, Mitnick was a famous hacker who eluded the authorities for years before his arrest in 1995. His case and subsequent imprisonment created a cause celebre that sparked a "Free Kevin" movement online (see http://www.freekevin.com). He's on the outside now, selling a book that provides dozens of examples of how computer security can be subverted by con artists through a set of techniques called "social engineering".

In the front matter of The Art of Deception, Mitnick states that social engineering "uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. The social engineer is able to take advantage of people to obtain information with or without the use of technology." Mitnick's stories are designed to allow the reader to "witness" how social engineering works. He alternates between the point of view of the attacker and the point of view of the victim. The narratives contain a predictable assortment of bad actors (private investigators, amoral headhunters, industrial spies, bank thieves), targets (banks, tech firms, phone companies), and con techniques (sympathy, guilt, intimidation). Many of the stories feature trusting and gullible employees who give out seemingly harmless information, which the attacker then uses to gain trust or acquire further access.

None of this information will come as a surprise to information security professionals, who don't need a book to tell them, for example, that there's no easy way to identify incoming callers (even Caller ID can be subverted) and that sensitive information should not be given out over the phone to unknown parties. But this book has the potential to rapidly enlighten many of the front-line gatekeepers -- receptionists, sales reps, customer service personnel -- who are so frequently the target of deception. Mitnick doesn't say so, but an obvious goal of the book is to scare people into a stiffer and more secure social posture. The kinds of cons that Mitnick discusses are used in a variety of contexts, including email spam, telemarketing, and identity theft, so the moral of his stories has broad significance. In case the reader needs a reminder to take it all with a grain of salt, Mitnick baldly recommends that companies buy copies of the book for every employee. As another reviewer has noted: Nice try Kevin!

Mitnick's message is important. His book is very persuasive and fairly well written. But I found this work disappointing. Mitnick has a great book inside of him, but The Art of Social Engineering is not it. Due to the terms of his probation, Mitnick could not write about his own hacking exploits, his life on the run, how he evaded the FBI, or life in prison. He writes around this by claiming that all the stories in the book are fictional -- a stilted technique that dilutes the impact of his message. Like it or not, Mitnick has attained a certain notoriety. After reading about Mitnick in Cyberpunk: Outlaws and Hackers on the Computer Frontier by Katie Hafner and John Markoff, what I really want from Mitnick is a "tell all" book that names names and describes real-world exploits. Perhaps someday, Mitnick will deliver the real goods. In the meantime, there's some hope that The Art of Deception will scare enough people silly that it actually becomes harder for the social engineers to ply their trade. On the other hand, for every sucker that smartens up, another one is born.

See you next issue. 'Til then, keep your guard up!

Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.