| December 23, 2002 |
Volume 3, Number
4
|
http://www.securius.com
|
Book Review — The Art of Deception
Author: Kevin D. Mitnick (and William L. Simon) In his book, The
Art of Deception: Controlling the Human Element of Security,
Kevin Mitnick makes the point: why bother attacking technology when
the weakest link is not the computer hardware or software but rather
the wetware, the human operators who can be tricked into giving
up the secrets of the machine? The subject of several books and
a Hollywood movie, Mitnick was a famous hacker who eluded the authorities
for years before his arrest in 1995. His case and subsequent imprisonment
created a cause celebre that sparked a "Free Kevin" movement
online (see http://www.freekevin.com).
He's on the In the front matter of The Art of Deception, Mitnick states that social engineering "uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. The social engineer is able to take advantage of people to obtain information with or without the use of technology." Mitnick's stories are designed to allow the reader to "witness" how social engineering works. He alternates between the point of view of the attacker and the point of view of the victim. The narratives contain a predictable assortment of bad actors (private investigators, amoral headhunters, industrial spies, bank thieves), targets (banks, tech firms, phone companies), and con techniques (sympathy, guilt, intimidation). Many of the stories feature trusting and gullible employees who give out seemingly harmless information, which the attacker then uses to gain trust or acquire further access. None of this information will come as a surprise to information security professionals, who don't need a book to tell them, for example, that there's no easy way to identify incoming callers (even Caller ID can be subverted) and that sensitive information should not be given out over the phone to unknown parties. But this book has the potential to rapidly enlighten many of the front-line gatekeepers -- receptionists, sales reps, customer service personnel -- that are so frequently the target of deception. Mitnick doesn't say so, but an obvious goal of the book is to scare people into a stiffer and more secure social posture. The kinds of cons that Mitnick discusses are used in a variety of contexts, including email spam, telemarketing, and identity theft, so the moral of his stories has broad significance. In case the reader needs a reminder to take it all with a grain of salt, Mitnick baldly recommends that companies need to buy copies of the book for every employee. As another reviewer has noted: Nice try Kevin! Mitnick's message is important. His book is very persuasive and fairly well written. But I found this work disappointing. Mitnick has a great book inside of him, but The Art of Social Engineering is not it. Due to the terms of his probation, Mitnick could not write about his own hacking exploits, his life on the run, how he evaded the FBI, or life in prison. He writes around this by claiming that all the stories in the book are fictional -- a stilted technique that dilutes the impact of his message. Like it or not, Mitnick has attained a certain notoriety. After reading about Mitnick in Cyberpunk: Outlaws and Hackers on the Computer Frontier by Katie Hafner and John Markoff, what I really want from Mitnick is a "tell all" book that names names and describes real-world exploits. Perhaps someday, Mitnick will deliver the real goods. In the meantime, there's some hope that The Art of Deception will scare enough people silly that it actually becomes harder for the social engineers to ply their trade. On the other hand, for every sucker that smartens up, another one is born. See you next issue. 'Til then, keep your guard up! |
By
Seth Ross