Book Review: The Art of Deception
By Seth Ross

Author: Kevin D. Mitnick (and William L. Simon)
Publisher: Wiley
Pub. Date: October 4, 2002
Length: 352 pages
To buy on Amazon.com: http://www.amazon.com/exec/obidos/ASIN/0471237124/pcguardian-20

Computer security has always been about technical countermeasures designed to prevent a threat agent or attacker from subverting computer systems. Elaborate hardware and software systems have been designed and deployed to protect the confidentiality, integrity, and availability of computer systems -- almost all of these systems rely on robust technologies like encryption and firewalls. In many scenarios, direct attacks on computer security systems involve a heavy workload. For example, breaking the 256-bit AES cipher by brute force -- that is, by guessing every possible key until the correct one is discovered -- could take centuries or billions of dollars or both.

In his book, The Art of Deception: Controlling the Human Element of Security, Kevin Mitnick makes the point: why bother attacking technology when the weakest link is not the computer hardware or software but rather the wetware, the human operators who can be tricked into giving up the secrets of the machine? The subject of several books and a Hollywood movie, Mitnick was a famous hacker who eluded the authorities for years before his arrest in 1995. His case and subsequent imprisonment created a cause célèbre that sparked a "Free Kevin" movement online (see http://www.freekevin.com). He's on the outside now, selling a book that provides dozens of examples of how computer security can be subverted by con artists through a set of techniques called "social engineering".

In the front matter of The Art of Deception, Mitnick states that social engineering "uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. The social engineer is able to take advantage of people to obtain information with or without the use of technology." Mitnick's stories are designed to allow the reader to "witness" how social engineering works. He alternates between the point of view of the attacker and the point of view of the victim. The narratives contain a predictable assortment of bad actors (private investigators, amoral headhunters, industrial spies, bank thieves), targets (banks, tech firms, phone companies), and con techniques (sympathy, guilt, intimidation). Many of the stories feature trusting and gullible employees who give out seemingly harmless information, which the attacker then uses to gain trust or acquire further access.

None of this information will come as a surprise to information security professionals, who don't need a book to tell them, for example, that there's no easy way to identify incoming callers (even Caller ID can be subverted) and that sensitive information should not be given out over the phone to unknown parties. But this book has the potential to rapidly enlighten many of the front-line gatekeepers -- receptionists, sales reps, customer service personnel -- who are so frequently the targets of deception. Mitnick doesn't say so, but an obvious goal of the book is to scare people into a stiffer and more secure social posture. The kinds of cons that Mitnick discusses are used in a variety of contexts, including email spam, telemarketing, and identity theft, so the moral of his stories has broad significance. In case the reader needs a reminder to take it all with a grain of salt, Mitnick baldly recommends that companies buy copies of the book for every employee. As another reviewer has noted: Nice try, Kevin!

Mitnick's message is important. His book is very persuasive and fairly well written. But I found this work disappointing. Mitnick has a great book inside of him, but The Art of Deception is not it. Due to the terms of his probation, Mitnick could not write about his own hacking exploits, his life on the run, how he evaded the FBI, or life in prison. He writes around this by claiming that all the stories in the book are fictional -- a stilted technique that dilutes the impact of his message. Like it or not, Mitnick has attained a certain notoriety. After reading about Mitnick in Cyberpunk: Outlaws and Hackers on the Computer Frontier by Katie Hafner and John Markoff, what I really want from Mitnick is a "tell all" book that names names and describes real-world exploits. Perhaps someday, Mitnick will deliver the real goods. In the meantime, there's some hope that The Art of Deception will scare enough people silly that it actually becomes harder for the social engineers to ply their trade. On the other hand, for every sucker that smartens up, another one is born.

See you next issue. 'Til then, keep your guard up!