
The Art of Deception

timothy posted more than 11 years ago | from the ignore-the-man-behind-that-curtain dept.

Security 241

MasterSLATE writes "One of the weakest links to the most secured computer systems are the humans that operate them. No matter how well secured a computer, network or information may be, there are always people that will have contact with them from the inside. This is what the social engineer exploits in order to gain access. In The Art of Deception, Kevin Mitnick writes about the human element and how it can be manipulated and exploited to gain access to computer systems or 'secure' information." Read on for the rest of Masterslate's review.

What's to Like?

The Art of Deception is extremely easy to understand and actually fun to read.

The first part of the book, Behind the Scenes, contains the first chapter, Security's Weakest Link, which describes, through many examples, how and why the social engineer is able to manipulate people so easily to get what he wants.

Part 2, The Art of the Attacker, contains chapters 2-9, which describe various ways a social engineer can manipulate people over the phone. Each chapter tells of a different method that could be used to gain information. Each chapter also contains at least one example.

Part 3, Intruder Alert, contains chapters 10-14, which tell about different ways a social engineer can get inside a company, whether physically or through an internal contact. Each chapter contains at least one example.

Part 4, Raising the Bar, contains chapters 15 and 16, which explain how a company should create its security policies and training to prevent the social engineer from gaining access to sensitive information. These chapters are definitely more geared toward the executive, security analyst, or other specialist, as they contain specifics on what new policies should be implemented and why.

The last section in the book, Security at a Glance, contains some charts and information which should be read over by a more general audience, such as employees and other people that may be contacted by a social engineer.

And one sidenote: there's a nice little foreword by Woz (Steve Wozniak).

The Summary

Although this book is geared toward the company security expert, this book also has appeal to anyone with an interest in social engineering. I found it to be a quick and fun read. As a social engineer, this book taught me new tactics to try as well as ways that my targets might be prevented from giving me information I seek.

Table of Contents

Foreword
Preface
Introduction

Part 1 Behind the Scenes
* Chapter 1 Security's Weakest Link
Part 2 The Art of the Attacker
* Chapter 2 When Innocuous Information Isn't
* Chapter 3 The Direct Attack: Just Asking for It
* Chapter 4 Building Trust
* Chapter 5 "Let Me Help You"
* Chapter 6 "Can You Help Me?"
* Chapter 7 Phony Sites and Dangerous Attachments
* Chapter 8 Using Sympathy, Guilt and Intimidation
* Chapter 9 The Reverse Sting
Part 3 Intruder Alert
* Chapter 10 Entering the Premises
* Chapter 11 Combining Technology and Social Engineering
* Chapter 12 Attacks on the Entry-Level Employee
* Chapter 13 Clever Cons
* Chapter 14 Industrial Espionage
Part 4 Raising the Bar
* Chapter 15 Information Security Awareness and Training
* Chapter 16 Recommended Corporate Information Security Policies

Security at a Glance
Sources
Acknowledgments
Index


You can purchase The Art of Deception from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


241 comments


first Xbox ! (-1)

Adolf Hitroll (562418) | more than 11 years ago | (#5081577)

Please help! (-1, Troll)

PedoPeteTownshend (641098) | more than 11 years ago | (#5081842)

The pigs have found some naughty pictures on my computer and I don't know what to do. How can I keep them hidden?

Protecting people via DCMA (5, Interesting)

eaddict (148006) | more than 11 years ago | (#5081596)

Doesn't the US DCMA NOT allow for tools that bypass security? I wonder how soon it will be before someone tries to use the DCMA against someone who used social engineering.

Re:Protecting people via DCMA (3, Informative)

PhilHibbs (4537) | more than 11 years ago | (#5081707)

"a technological measure that effectively controls access to a work protected under this title" is the exact wording.

Re:Protecting people via DCMA (0)

Anonymous Coward | more than 11 years ago | (#5081722)

Geez, even by the usual "Isn't this a DMCA violation?" standards, this is pretty weak...

Re:Protecting people via DCMA (3, Interesting)

Anonymous Coward | more than 11 years ago | (#5081727)

I don't see why the DMCA (Digital Millennium Copyright Act, not Digital Copyright Millennium Act) enters into social engineering. There is no "tool" to accuse the person of possessing, so how would you build your case on that argument? That law only applies to cases where you're trying to subvert copyright (or possess tools that are used for such a purpose).

This is simple infiltration. There are laws that make unauthorized access to computer systems illegal (e.g. parts of the Homeland Security Act) regardless of how you do it or what tools you use.

I don't mean to burst your bubble or anything, and on the contrary I hope this makes you want to learn more about the (especially new ones) laws affecting our interaction with others and with technology.

Re:Protecting people via DCMA (3, Interesting)

WPIDalamar (122110) | more than 11 years ago | (#5081832)

I'd say no, right up until a court determines a "technique" is the same as a "tool".

Re:Protecting people via DCMA (3, Funny)

Tackhead (54550) | more than 11 years ago | (#5081870)

From the article:
> Part 2 The Art of the Attacker
> * Chapter 2 When Innocuous Information Isn't
> * Chapter 3 The Direct Attack: Just Asking for It
> * Chapter 4 Building Trust
> * Chapter 5 "Let Me Help You"
> * Chapter 6 "Can You Help Me?"
> * Chapter 7 Phony Sites and Dangerous Attachments
> * Chapter 8 Using Sympathy, Guilt and Intimidation
> * Chapter 9 The Reverse Sting

From the poster:
> Doesn't the US DCMA NOT allow for tools that bypass security? I wonder how soon it will be before someone tries to use the DCMA against someone who used social engineering.

Don't worry, rumors to the effect that we're going to pass laws to extend DMCA to new areas happen all the time, they're pretty innocuous. Why don't you support us? We're just trying to make good laws, just like you're trying to make good code. If you're confused, that's OK, we've seen that before, let us help you with that.

We're working with Senator Hollings (D-Dis), and we're considering new and novel approaches to promote consumer use of broadband. Can you help us help him to promote the use of consumer broadband?

He's taken an awful lot of hard knocks lately over the SSSCA, er, CBDTPA, and some people in the halls of power (and some who have really big guns!) think it's partially Slashdot's fault and are kinda cheezed about it. But neither bill had a chance to be passed, and Senator Hollings (D-Dis) knew it when he put them forward. Surely an honest geek can make up for misunderstanding the Senator's intention, can't he?

Did you know that Senator Hollings (D-Dis) is starting up a brand-new 2600 chapter in Washington, DC? Why not come to our first meeting and say hello!

In Soviet Russia...... (-1, Troll)

rainman31415 (576575) | more than 11 years ago | (#5081597)

secure information exploits YOU!


rainman

Re:In Soviet Russia...... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5081684)

In the REAL Soviet Russia, annoying people who repeat annoying and long-since-funny jokes get taken outside and shot.

Re:In Soviet Russia...... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5081866)

man how many times have you been to soviet russia

the answer is
zero

because first of all the soviet russia jokes would make any commie laugh heartily out loud, that is what they do in communist territories, they lhol, no lol, it is also pronouncable in real dialect

man i've been all over the world, but never to soviet east germany, they wouldn't let me in, but let me tell you something, cubans enjoy russian sandwiches, and russians enjoy cuban comforts.

this is all relative to, of course, japan

Re:In Soviet Russia...... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5081951)

you guys

we all know that Malaysia is watching us.

Is this always true? (4, Interesting)

chrisseaton (573490) | more than 11 years ago | (#5081600)

there are always people that will have contact with them from the inside

Can't you get cryptographic keys that are sealed inside a black box device so that no-one can access them? Couldn't this sort of thing be done for at least some hardware?

Oh dear, I think I've just justified security through obfuscation.

Re:Is this always true? (0)

Anonymous Coward | more than 11 years ago | (#5081687)

It's called a KEY, Eisenstein. You can find them at the hardware store.

Unfortunately, there's nothing restricting its use to authorized persons, and they are routinely stolen.

Re:Is this always true? (2)

chrisseaton (573490) | more than 11 years ago | (#5081752)

If I put my server in a room, lock it and then give you a key, you could get to my server and fuck it up. If I give you one of these key boxes, the idea is you still couldn't get the raw key out.

Re:Is this always true? (5, Funny)

God! Awful 2 (631283) | more than 11 years ago | (#5081989)


It's called a KEY, Eisenstein. You can find them at the hardware store.

LOL... if sarcastically calling someone Einstein implies that they are stupid, does sarcastically calling someone Eisenstein imply that they are spouting propaganda?

-a

Re:Is this always true? (3, Insightful)

The Evil Couch (621105) | more than 11 years ago | (#5081703)

you can only pile on so many security procedures before Joe Whiteout in the cubicle gets a glazed expression on his face. the problem with security procedures is you've got to make them easy enough that your everyday user can use them without getting on your phone every 10 minutes asking if you can reset their account because they screwed up and got locked out of the system.

you can have extensive logging and security measures going on behind the scenes, but once it gets to the user level, you've got to make it as simple as possible for them to log in and get access to what they need to know/work with. and all it takes is someone leaving their username and password on a sticky note on their monitor or answering a phone with someone official sounding on the other end, for that account to be compromised.

I shouldn't have to mention it, but any user account that gets compromised can potentially get the whole network compromised. the human element is always the weakest link in the security chain; whether it's a sysadmin that just doesn't set everything up right and leaves default account names and passwords or the user that just gives his password out over the phone. the machines just do what they were programmed to do. nothing more, nothing less.

Re:Already done, only better (5, Interesting)

Bastian (66383) | more than 11 years ago | (#5081710)

SmartCard security, ATM cards, and a host of other security solutions (not just along the card theme) already employ the "Something you have, something you know" security scheme in which sensitive things can only be accessed if you have both a device (usually containing some sort of identifier) as well as a password.

Another interesting version of this system involves a keychain or some similar device that contains a computer whose only job is to take some encryption key and scramble it every n time interval. The central server is doing the same thing. The end result is that the user has to know two passwords - his normal password, plus a key that changes every minute or what have you.

Not Sufficient (5, Interesting)

nosilA (8112) | more than 11 years ago | (#5081770)

One of the anecdotes in this book exploits a SecurID, using a well-meaning 3rd party. Basically a caller poses as an employee when talking to an operator during a snowstorm. He says he needs to get some work done, but he left his SecurID on his desk. The operator doesn't want to go to the desk to get it, so instead he gives his own SecurID number and PIN to the caller. This was probably one of the most clever manipulations in the book.

Fundamentally, any time you have a human involved in a process, you have a potential security hole.

-Alison

Re:Not Sufficient (1)

divisionbyzero (300681) | more than 11 years ago | (#5081976)

Ommm... that combination would only be valid for a single session or sixty seconds... which may or may not be enough time. Knowledge of the pin does nothing... Now, if you swiped a SecurID and you knew a PIN (any pin), and you could convince the SysAdmin to resync the SecurID you swiped with the PIN you discovered you would have unfettered access. This would probably only work in a company large enough where it is unlikely that the SysAdmin would personally know everyone. Of course, any SysAdmin worth his salt would check to make sure that the serial number on the SecurID token matched the one assigned to the person whose PIN you are using, but not all SysAdmins are worth their salt...
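The keychain token described two comments up (a device and the server both deriving a fresh code from a shared key every minute) and the point just made (that a code plus PIN read out over the phone is only good for one window) can both be seen in a small verifier. The code below is an added example, not anything from the book or from these commenters; the secret, the 60-second step, and the user names are constructed for the demonstration. It goes slightly beyond the comment by using the standard HMAC-based construction (RFC 4226 / RFC 6238) rather than an unspecified "scramble", and it shows the server-side pieces a practitioner cares about: a small clock-skew window, a constant-time comparison, and a record of consumed codes so a code that was read out once cannot be presented again.

```python
import hashlib
import hmac
import struct

# Constructed shared secret provisioned into both the keychain token and the
# server at enrollment. An assumption for this example, not a real key.
TOKEN_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 60   # the "changes every minute" interval from the comment
DIGITS = 6


def token_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the time-step counter, dynamically truncated to a short
    decimal code (the HOTP/TOTP construction of RFC 4226 / RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def current_code(secret: bytes, now: float) -> str:
    """What the keychain device displays at wall-clock time `now`."""
    return token_code(secret, int(now // STEP_SECONDS))


class TokenVerifier:
    """Server side. Recomputes the code for the current step and one step either
    side (clock skew), checks the PIN ('something you know') alongside the code
    ('something you have'), and records consumed (user, step) pairs so a code
    that was read out over the phone cannot be used twice inside its window."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.used = set()

    def verify(self, user: str, pin: str, expected_pin: str, code: str, now: float) -> bool:
        # Constant-time comparisons so neither the PIN nor the code leaks via timing.
        if not hmac.compare_digest(pin, expected_pin):
            return False
        base = int(now // STEP_SECONDS)
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = base + delta
            if hmac.compare_digest(token_code(self.secret, step), code):
                if (user, step) in self.used:
                    return False          # same code presented again: replay
                self.used.add((user, step))
                return True
        return False


if __name__ == "__main__":
    import time
    now = time.time()
    code = current_code(TOKEN_SECRET, now)
    server = TokenVerifier(TOKEN_SECRET)
    print("token shows:", code)
    print("first use accepted:", server.verify("bob", "1234", "1234", code, now))
    print("second use accepted:", server.verify("bob", "1234", "1234", code, now + 5))
```

Note what the example does not fix: in the anecdote the operator hands over his own current code and PIN, and that single login still succeeds. Expiry and single-use limit the damage to one session in one window; only training and procedure stop the handover itself.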

Re:Already done, only better (2)

Dman33 (110217) | more than 11 years ago | (#5081791)

The one I like is RFID on the employee's nametag and a biometric reader (thumbprint in this case) on the terminal.
User walks up, computer detects that Bob Jones is standing there, Bob Jones presses thumb, computer says that this is in fact Bob Jones. Unlock.

The problem is always the human element.... and money too.

Heh heh (0)

Anonymous Coward | more than 11 years ago | (#5081886)

But I've cut off his thumb, let me in...

Re:Heh heh (3, Interesting)

God! Awful 2 (631283) | more than 11 years ago | (#5081920)


But I've cut off his thumb, let me in...

The reader would probably check if there is blood circulating through the thumb. I don't know about the commercial fingerprint readers, but the retinal scanners definitely do that. You could maybe fool them with some kind of specialized pump, but it's not something the average thief could concoct.

-a

Re:Already done, only better (2, Insightful)

God! Awful 2 (631283) | more than 11 years ago | (#5081894)


The one I like is RFID on the employee's nametag and a biometric reader (thumbprint in this case) on the terminal. User walks up, computer detects that Bob Jones is standing there, Bob Jones presses thumb, computer says that this is in fact Bob Jones. Unlock.

That's a pretty good system, although it has a few fundamental flaws that make it unsuitable for ultra-paranoid environments. The problem is that Bob's fingerprint is a static key. If I want to fool the system, all I have to do is to capture Bob's fingerprint. Then I walk up to the computer, unplug the fingerprint reader and substitute my own device which simply reports that I am Bob.

You could improve the fingerprint reader system a bit by encrypting the wire protocol between the hardware and the device driver, but it's still technically feasible to break open the device and splice in the pre-computed signal. Still, admittedly the fingerprint reader is not open to a social engineering attack.

-a
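The flaw described above, a reader whose "this is Bob" verdict is a static message that any substitute device on the cable can repeat, is a property of the wire protocol rather than of the fingerprint. The code below is an added example, not from the book or from this commenter, contrasting the weak design with the usual fix: the host issues a fresh nonce for every unlock attempt, and the reader must return its verdict bound to that nonce under a per-device key. The reader key, the message layout, and the user name are constructed for the demonstration. Encrypting the link, as the commenter suggests, hides the verdict; binding it to a challenge is what makes a captured verdict useless.

```python
import hashlib
import hmac
import os
from typing import Optional, Set

# Constructed per-reader key, provisioned into the reader and the host at
# enrollment. An assumption for this example, not a real secret.
READER_KEY = b"constructed-reader-key-for-demo-only"


# --- Weak design: the reader reports a static verdict -----------------------
def reader_static_report(matched_user: str) -> bytes:
    """A reader that just says 'this is Bob'. Nothing ties the message to this
    attempt, so a substitute device on the cable can repeat it forever."""
    return b"MATCH:" + matched_user.encode()


def host_accepts_static(report: bytes) -> Optional[str]:
    return report[6:].decode() if report.startswith(b"MATCH:") else None


# --- Stronger design: host-issued nonce, verdict MACed under the reader key ---
def reader_signed_report(key: bytes, challenge: bytes, matched_user: str) -> bytes:
    """Reader side. Layout: challenge (16 bytes) | tag (32 bytes) | user name."""
    user = matched_user.encode()
    tag = hmac.new(key, challenge + user, hashlib.sha256).digest()
    return challenge + tag + user


class Host:
    """Host side. Hands out a fresh nonce per unlock attempt, accepts a verdict
    only if it is MACed under the reader's key over that exact nonce, and
    consumes the nonce so the same transcript cannot be played back."""

    def __init__(self, reader_key: bytes):
        self.reader_key = reader_key
        self.outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, report: bytes) -> Optional[str]:
        if len(report) < 48:
            return None
        challenge, tag, user = report[:16], report[16:48], report[48:]
        if challenge not in self.outstanding:
            return None                      # unknown or already-consumed nonce
        self.outstanding.discard(challenge)  # one attempt per nonce, pass or fail
        expected = hmac.new(self.reader_key, challenge + user, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                      # device does not hold the reader key
        return user.decode()


if __name__ == "__main__":
    captured = reader_static_report("bob")
    print("static verdict accepted twice:",
          host_accepts_static(captured), host_accepts_static(captured))
    host = Host(READER_KEY)
    transcript = reader_signed_report(READER_KEY, host.challenge(), "bob")
    print("signed verdict, first use:", host.accept(transcript))
    print("signed verdict, replayed:", host.accept(transcript))
```

The remaining exposure is the reader key itself: a device that is opened and has its key extracted can still mint valid reports, which is why such keys belong in tamper-resistant hardware rather than in host-accessible firmware.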

Re:Is this always true? (1)

God! Awful 2 (631283) | more than 11 years ago | (#5081808)


Can't you get cryptographic keys that are sealed inside a black box device so that no-one can access them? Couldn't this sort of thing be done for at least some hardware?

This may not be what you meant, but I would venture a bet that there are some ultra-sensitive keys out there that *no one* has access to. For example, consider the private key for a very important root CA server. I would take that sucker, make everything triply redundant, and seal the whole mess in a thick layer of concrete. Now no one could possibly steal the private key without stealing the box.

-a

Re:Is this always true? (2)

Phroggy (441) | more than 11 years ago | (#5081862)

Now no one could possibly steal the private key without stealing the box.

Do not discount the possibility of someone stealing the box [slashdot.org] .

Letter.. (5, Funny)

grub (11606) | more than 11 years ago | (#5081608)


Dear Amazon.com,

I would like to get a copy of "The Art of Deception", however my grandmother needs surgery and I can't spare any money at the moment. If you'd like to lend me a copy please feel free to email for shipping information.

I, and my grandmother, thank you.

grubby

Re:Letter.. (5, Funny)

Scratch-O-Matic (245992) | more than 11 years ago | (#5081789)

Dear Mr. Grub...

Hi, it's Scratch at Amazon. The suits here would never think of sending you something for free, but your story touched my heart, and I'd like to help. If you could send me the username and password of your Amazon account, I'd be happy to slip the order in for you, without charging your credit card.

Re:Letter.. (0)

Anonymous Coward | more than 11 years ago | (#5081829)

The start of the movie "Slackers" has a simple social engineer where one of the guys gets a winery to send "a fuckin shitload" of boxed wine to them.

Slackers was a good movie, I was just disappointed that it was in fact, not about Slackware.

Re:Letter.. (1)

Cidtek (632990) | more than 11 years ago | (#5081879)

Dear Grubby, Your story touched our heart and a copy will be delivered immediately. Please forward the shipping information immediately. To ensure it does not suffer from the elements while you are visiting your grandmother in the hospital, please leave your front door unlocked and the postman will just slip it inside the door.

The lost first chapter to the book.... (5, Informative)

Ami Ganguli (921) | more than 11 years ago | (#5081609)

The Register ran a review, along with the original first chapter of the book (which was cut by the editors).

The first chapter is (or rather, was) a short bio and history of the Mitnick case. Interesting to read Kevin's side in his own words.

The lost chapter [212.100.234.54]

Re:The lost first chapter to the book.... (1)

ivaldes3 (175216) | more than 11 years ago | (#5081909)

Whew, the 'poor little innocent victim of others nefarious plots' wore thin after about the fifth victimization. It seems clear why it was cut. -- IV

Innocuous (4, Insightful)

jfreis (614880) | more than 11 years ago | (#5081610)

"Chapter 2 When Innocuous Information Isn't"

All the little bits and pieces of info can sure add up to a major security hole if they are collected by the right person...

small typo in the review (4, Funny)

Anonymous Coward | more than 11 years ago | (#5081614)

As a social engineer, this book taught me new tactics to try as well as ways that my targets might be prevented from giving me information I seek.

You misspelled "criminal".

Re:small typo in the review (1)

SUB7IME (604466) | more than 11 years ago | (#5081812)

Methinks this was supposed to be funny :-)

Reminds me of "40 Years a Gambler..." (1, Offtopic)

sphealey (2855) | more than 11 years ago | (#5081616)

Reminds me of _40 Years a Gambler on the Mississippi_ by Devol. Did such a person exist? There is evidence that he did. Was he a great gambler and con artist? Contemporary records indicate he was. Did he actually do any of the things that he described in his book? Given (a) and (b), probably.

Now the key question: how much can you believe of what you read in the book? Well, about as much as you should believe coming from a man who obtained millions of dollars (1860 millions!) by lying, cheating, and swindling.

sPh

Re:Reminds me of "40 Years a Gambler..." (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5081795)

"obtained millions of dollars (1860 millions!) by lying, cheating, and swindling"

The only thing Kevin Mitnick stole that cost anyone any money was phone calls.

John Markoff, New York Times, and the prosecutors are the ones that did the lying.

Follow the money and it leads to John Markoff.

Good swindle John. I would hate to have your karma.

I check that Anonymously box for this post.

1.86 Billion Dollars? Whooo ha ha ha haaaa! (1)

Anonymous Coward | more than 11 years ago | (#5081884)

Where do you get that figure of 1.86 Billion dollars from?

When I met Kevin Mitnick, he was just scraping by and is hoping his book sells well so he can get out of debt and pay off restitution. He's also hoping that Defensive Thinking takes off.

I think he sees himself as someone who is being given a second chance, and I think he wants to prove himself to the larger society as someone who is an asset, not a threat or liability.

By the way, Kevin is a nice guy in person, for what that's worth. Probably nicer than I am. He's also a good public speaker and has a few funny stories in him, if you can get him to open up.

I think he deserves to be given a chance to clear the air on some of the more outlandish charges that were leveled against him in the media (and didn't stick in court).

I understand that he'll be able to get on the Internet next week... maybe you can write him and ask him how things went down from his point of view. But he's probably more interested in his future than in his past.

--No Account Coward

Human factors ... again ... (5, Insightful)

beanerspace (443710) | more than 11 years ago | (#5081632)

Wasn't it just yesterday we read an article here on /. that pointed out human factors being the weak link in the chain? In the case of yesterday's news, human factors in programming and today's, human factors in physical security.

I mean, look at an article on TechTV [techtv.com] as far back as October 2001 that points out such human blunders as "Default installs of operating systems and applications" or "Accounts with no passwords or weak passwords" ... human mistakes which make it as easy as pie for someone who socially engineers their way into the back office to penetrate your secure systems.

Perhaps this quote from an Oct '02 SANS/FBI article [sans.org] points out the worth of this book, where they say:
The majority of the successful attacks on operating systems come from only a few software vulnerabilities ...
Which is why I think books such as "The Art of Deception" are as needed as biometric identification systems to secure your computer facilities.

So... The solution is... (5, Insightful)

einhverfr (238914) | more than 11 years ago | (#5081945)

1) Ideally build security around "what you have/what you know" to the greatest extent possible.

2) Train, train, train!

3) Just like you do a network security audit from time to time, do mock attacks! Call up an employee and use something like the following script (modified each time)

"Hi, my name is Joe Angstrom. I work over in IT."

"We are investigating a potential security problem on our network and need to ask you a few questions. Have you noticed anything strange about your computer recently?"

"Thank you, this has been very helpful. There is one more thing. So that we can be sure of this, could you verify your username and password?"

Just make sure that it is approved of before you do it ;) If the employee gives out their login info, you send them an email letting them know that they should NEVER give out login information to ANYONE for ANY REASON, and tell them to change their password. Explain that passwords are not accessible to anyone, and that login information is available to anyone who would be investigating security problems. If it happens again, send an email to their manager as well ;-)

The point is-- human factors can be mitigated by training, but no one puts that effort into things.

Re:Human factors ... again ... (2, Interesting)

cellocgw (617879) | more than 11 years ago | (#5081961)

"The majority of the successful attacks on operating systems come from only a few software vulnerabilities ..."
That's basically why the Counterpane guys are now leaning towards "distributed security." The idea is not to let any one password (or person) have enough access to anything to cause problems. I read an article somewhere in which Schneier pointed out, among other stuff, that far too many people use the same password everywhere. Thus if you get hacked on amazon.com, the thief will get into your fidelity.com account and your employer's network as well.

Where's the review? (5, Insightful)

awch (134042) | more than 11 years ago | (#5081636)

This isn't a review. It's a Table of Contents! Was the book even read?

Re:Where's the review? (0)

Anonymous Coward | more than 11 years ago | (#5081715)

agreed. this looks like a book report from a second grader.

Right here (3, Funny)

Bastian (66383) | more than 11 years ago | (#5081741)

The Art of Deception is extremely easy to understand and actually fun to read.

Re:Where's the review? (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5081892)


Fuck no. Slashdot will push anything off as news these days. /. sucks. Sucks ass. Sucks the shit right outta my asshole. Warm fecal sludge sliding down it's throat, resting as a heavy blob filling up it's stomach. Slashdot's digestive bile mixes with my solid waste products deep within it's organs. That's what I think.

Security's Weakest Link (5, Interesting)

phorm (591458) | more than 11 years ago | (#5081640)

Is generally the users. Excluding those who run open mail relays, most servers/sysadmins have enough brains not to run the file in their email coming with a message:
This iz a very fun game
I hope you anjoy it
I made this just for u


How users manage to continually fall for this idiocy is beyond me, but they do. My family is a prime example of this (they refer to me when something dies, but never listen to my "do not open attachments" rant): thus, they now get Mozilla and I'll probably block emails with .exe/.vbs/etc entirely.

Just based on the chapter titles, I think tricks such as the "Let me help you", etc are probably some of the nastiest. Considering the many people who seem to know shiat about programming and come for help, it wouldn't be hard to slip something cruel into your "sample code."
It's amazing how, after helping somebody directly with something for 30 minutes or so, they're suddenly willing to let me
a) Have root access to their machine ('nix)
b) Control their PC (netmeeting/etc windows)

Luckily I'm a nice person, but not everybody is so helpful as they appear. Social engineering is definitely an increasing trend, which is leading to user paranoia. I still don't think that the statement "One of the weakest links to the most secured computer systems are the humans that operate them."
A good sysadmin will block a lot of things that lead to exploitation (unused ports, etc), and perhaps notice odd happenings/traffic. It's the operators of the less-secure systems (clients) that are at risk most often.
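The attachment policy mentioned above (refuse .exe/.vbs and the like outright rather than hope the recipient declines to run "a very fun game") is easy to get slightly wrong, because the dangerous extension is often hidden behind a second one or behind a run of spaces. The code below is an added example, not anything from the book or from this commenter; the blocked-extension list extends the comment's .exe/.vbs with other Windows-executable types, and the sample message is constructed for the demonstration. It uses only the standard library `email` package.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions refused outright. The comment names .exe and .vbs; the others are
# further Windows-executable types added for this example.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".pif", ".bat", ".cmd", ".com", ".js"}


def risky_attachment_reasons(filename: str) -> List[str]:
    """Return the reasons a filename should be blocked (empty list means allowed).
    Judges only the final extension, so 'game.txt.exe' is still an .exe, and
    notes two common disguises: a double extension and whitespace padding such
    as 'game.txt      .exe' that pushes the real extension out of view."""
    reasons: List[str] = []
    name = filename.lower()
    stem, dot, raw_ext = name.rpartition(".")
    ext = "." + raw_ext.strip() if dot else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
        if stem != stem.rstrip() or raw_ext != raw_ext.strip():
            reasons.append("extension padded with whitespace to hide it")
        inner = stem.strip().rpartition(".")[2]
        if "." in stem.strip():
            reasons.append(f"double extension, looks like a .{inner} file")
    return reasons


def scan_message(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Parse a raw RFC 822 message and return (filename, reasons) for every
    attachment the policy would refuse."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        reasons = risky_attachment_reasons(fname)
        if reasons:
            flagged.append((fname, reasons))
    return flagged


def build_sample_mail() -> bytes:
    """Constructed sample in the spirit of the 'very fun game' mail quoted in the
    comment: one disguised executable and one harmless text attachment."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Fun game"
    m.set_content("This iz a very fun game\nI hope you anjoy it\nI made this just for u\n")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="game.txt.exe")
    m.add_attachment("Nothing to see here.\n", filename="readme.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for fname, reasons in scan_message(build_sample_mail()):
        print(f"BLOCK {fname}: {'; '.join(reasons)}")
```

Extension matching is the coarse first gate the comment describes; a mail gateway would also look at the declared content type and the first bytes of the payload, since a renamed executable still starts with its own header.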

Somewhat disappointing (4, Insightful)

knobmaker (523595) | more than 11 years ago | (#5081642)

I read this recently, and although it's a pretty good introduction to the conman profession, I was a little disappointed in the lack of actual examples of clever hacking.

The book is primarily about social engineering. Most of the example crimes in this book could have been perpetrated by folks who had no more than a casual acquaintance with the inner workings of computers. In other words, Mitnick tells you how to exploit the stupidity of human beings in large organization, and not how to exploit weaknesses in operating systems and security software.

Part of this is probably due to court-ordered vagueness; the court obviously didn't want Mitnick spreading dangerous knowledge.

On the other hand, Mitnick is probably correct in his contention that the greatest factor leading to compromised systems is the naivete of the folks who work with them.

Re:Somewhat disappointing (0)

Anonymous Coward | more than 11 years ago | (#5081744)

Well you just bought the wrong book... It was not intended to be a book on computer security... Btw by writing this book he did indeed spread dangerous knowledge... Operating System Vulnerability change everyday... but everyday ppl keep staying stupid...

A donkey laden with gold...... (5, Insightful)

Savage-Rabbit (308260) | more than 11 years ago | (#5081813)

....can scale any fortress wall.

Philip of Macedon said that (I seem to remember) 2300 years ago. To put it short, more codes have been cracked and more defenses of any kind have been breached by exploiting simple human weakness than any clever hacking/engineering ever has and ever will. It usually is the easiest way. Take the Enigma code, it was cracked, partly, because of the simplistic and repetitive choices of code key words made by the Wehrmacht communications personnel. It never ceases to amaze me how deeply this fact disappoints the tech freaks of this world. If I had to guess, all the nerds at CIA-Langley with all their cool equipment will not contribute even half as much to catching Osama Bin Laden or determining his fate as simple traitors within Al Qaeda will do.

Re:Somewhat disappointing (1)

DaveQat (186457) | more than 11 years ago | (#5081987)

I could see your complaint if the book was being advertised as a how-to for hackers/crackers. However, even the title, as well as other information about the book [amazon.com] all paint it as a book about human frailties.

Table of Contents? (4, Informative)

mmThe1 (213136) | more than 11 years ago | (#5081652)

May seem like a nitpick [reference.com] , but isn't this "review" more of a "Table of Contents with brief description of chapters"?

Slashdot Book Review Guidelines [slashdot.org]

Re:Table of Contents? (0)

Anonymous Coward | more than 11 years ago | (#5081880)

A nitpick on a review of a book by Mitnick!

sorry...

Re:Table of Contents? (0)

Anonymous Coward | more than 11 years ago | (#5081974)

sorry...

You should be.

It's a knack. (4, Insightful)

caluml (551744) | more than 11 years ago | (#5081656)

It's a knack, social engineering.
I've read the book, and just like some people couldn't sell food to a starving man, only a few people can pull it off.

Get one tiny piece of information from one person, another from another, and after a while, enough of those pieces make you sound like you are an employee. And we all help our fellow downtrodden, overworked employees, don't we.

E.g. if you have an intranet at work, I bet you have a nickname for it. And if someone asked you for something from it, and said "I can't get to the XXXX today, not sure why, it seems to be down..." you'd probably go and find the info for them.

Re:It's a knack. (0)

Anonymous Coward | more than 11 years ago | (#5081992)

My cousin could sell ice to an Eskimo.

Security Books (0, Redundant)

jcannava (641086) | more than 11 years ago | (#5081674)

wow now even hackers get their own books when they get famous. Seems to me that this will be just another security book saying the exact same thing as the other 200000 of them already in circulation.

Human element being manipulated (1)

Alcohol Fueled (603402) | more than 11 years ago | (#5081676)

"In The Art of Deception, Kevin Mitnick writes about the human element and how it can be manipulated and exploited..."

Hey Bob, I have $100 to give you if you give me access to such and such a network..

Let's face it. The easiest way to manipulate the human element is to wave around some cash. Many people will do anything for the right price, whether it's illegal or not.

oversimplistic dork! (2, Insightful)

Thud457 (234763) | more than 11 years ago | (#5081748)

Waving cash around usually leads people to think that you are up to something improper, unethical or illegal.

An important criterion in social engineering is to get a person's help, hell, even goodwill, without them realizing that you're up to any skullduggery. If you're really lucky, they won't even remember aiding you.

Re:oversimplistic dork! (1)

Alcohol Fueled (603402) | more than 11 years ago | (#5081806)

"Waving cash around usually leads people to think that you are up to something improper, unethical or illegal."

I agree. A lot of the time, people will think you're up to something improper or illegal. But my point was, money is one of the easiest ways to manipulate/influence another person. Go up to ten people, and offer them $100 to put a brick through a window, and see how many people will do it.

Re:Human element being manipulated (3, Interesting)

duffbeer703 (177751) | more than 11 years ago | (#5081785)

Not really, there are plenty of people who are not willing to take bribes.

The easiest way to manipulate people is to pretend to be their friend. We tend to let our friends do things that don't jibe with bureaucratic and annoying rules, because they are friends.

Nazi-like policies and a lack of user education from arrogant and obnoxious IT people results in social engineering exploits.

Re:Human element being manipulated (0)

Anonymous Coward | more than 11 years ago | (#5081897)

I disagree. There are two sets of people who can be influenced to give you access to guarded information: (a) the naive people, and (b) the immoral people. To me, at least, it seems readily apparent that set (a) is a whole lot larger than set (b).

Furthermore, you have to be just as careful to approach the immoral person as you do the naive one. Very few people are going to just overtly take money to do something immoral if you ask them straight out. In either case, you have to cozy up to the person and sweet talk them into helping you, and it's a lot easier to convince somebody to help you out because you're a nice guy stuck at the mercy of some infantile bureaucracy than when you're paying them off to get information for you that they obviously shouldn't.

A silver tongue will often get you a lot farther than a silver dollar.

-d

Most people want to do a good job (2)

nuggz (69912) | more than 11 years ago | (#5081944)

I am a bit of an optimist, so obviously my view is coloured.

I think most people want to do whatever they do well. They want to do a good job, be productive and have a positive impact.

Many times the security at a location (Bouncers, Security guards, Police, Military, or receptionist) won't let you pass with a bribe, they want to do a good job.
Although I think it is much more rare that they'd deny you access for something reasonable. I have to use the restroom, forgot my coat, is my gf/wife/friend in there, have you seen Mr Smith, he said he'd meet me.

That is the point, you can get this useful information even if it shouldn't be given out depending on your approach, which is the point that he is trying to convey.

Sorry but no (5, Interesting)

Inexile2002 (540368) | more than 11 years ago | (#5081977)

A HUGE part of my job is preventing social engineering type stuff (or if you want to be specific - evaluating the degree to which a client has successfully implemented good risk management and security management). I interview people all the time, and I assure you that waving $100 is the most surefire way to not get what you want.

People are more afraid of getting caught, of losing their job or of getting in trouble than I think you realize. That said, it is amazing the things people do, if they think they're supposed to do them.

I'll routinely call people at a client and just start asking questions to total strangers. I've been in server rooms interviewing people and I'll ask questions like, "How does a visitor get access to this room?" When they answer, I'll ALWAYS follow up with, "Why was I not subjected to that procedure?" I'm legitimately supposed to get access to the information I get, and I sign NDAs and get approval for everything I do. Not once have I ever been challenged to provide that information. (For some reason, if you call the manager of a department and tell him that you'll be talking to his employees and why - they assume you're legitimate.)

Show up, talk the talk and look like you belong there and people will tell you anything. Wave around $100 and people call security.

excerpt available (2, Informative)

squibix (602253) | more than 11 years ago | (#5081677)

The Register has an excerpt from the book:
Mitnick had wished to include a brief biographical sketch debunking the legendary persona created by New York Times tech hack John Markoff and detailing his ordeal at the hands of federal prosecutors. Unfortunately, the publisher rejected what were to be the juiciest parts of Chapter One, but we thought you
might like to see it [212.100.234.54] anyway.

The suppressed chapter... (1, Redundant)

Cally (10873) | more than 11 years ago | (#5081691)

Chapter 1 was removed from the book by Kevin's publisher. It gives an interesting insight into HIS perspective on how he came to be known as Public Enemy Number 1 on the Internet, the feud with John Markoff, the Takedown film, as well as how he got into social engineering in the first place (getting free rides on the bus...)

The Register have it here [212.100.234.54] .

A more informative review (5, Informative)

phr2 (545169) | more than 11 years ago | (#5081693)

Here's a review by Rob Slade [victoria.tc.ca] that's quite a bit more detailed than MasterSLATE's review.

Before seeing Slade's review, I read most of The Art of Deception at the bookstore and decided not to buy it. I agree with most of what Slade says. The book is mostly aimed at PHB types and doesn't say all that much useful to techies. However, as a security implementer, I don't think trying to instill paranoia in PHBs is such a bad thing. They are often completely unrealistic about vulnerabilities, so it's good to open their eyes a little.

Actually, a series of reviews (2, Informative)

mcleland (620018) | more than 11 years ago | (#5081822)

A series of reviews of this book (including the one in the parent) is also found on the Risks Digest with a more positive opinion of the book by Don Norman:

Don Norman's praise [ncl.ac.uk] ,
Rob Slade's review (same issue) [ncl.ac.uk] , and
Don Norman's response to Slade's review [ncl.ac.uk]

i've read it... (3)

jeffy124 (453342) | more than 11 years ago | (#5081695)

...and it seemed quite boring to me, probably because he was preaching to the choir when it comes to security people, as the book was geared more for CIOs and other management types.

He had an interesting way of presenting various stories of how people can penetrate by switching to a first-person view of both the victim and then the attacker. It was a bit annoying how the "attacker" would be portrayed as 1337 sometimes, but it was an interesting approach, especially since some of the stories were possibly Mitnick himself.

Overall, though, I was underwhelmed.

Excellent Book and Some Resources (5, Informative)

webword (82711) | more than 11 years ago | (#5081698)

I'm reading this book now. Surprisingly, it isn't so much about technology and security. Instead, it is more about understanding humans. Despite the stereotype that geeks have for being socially incompetent, to be a truly good hacker using social engineering, you have to be good socially. Maybe not great, but pretty good. And, you need to know the right language and the right people to communicate with. Mitnick does a great job with this stuff and I am really enjoying the book. (However, I'm not so sure his tactics will work as well as they did a few years ago.)

Here are some pretty good resources for learning more about social engineering:

Social Engineering: What is it, why is so little said about it and what can be done? [sans.org]

Social Engineering Fundamentals, Part I: Hacker Tactics [securityfocus.com]

Social Engineering: The Human Side Of Hacking [earthweb.com]

Re:Excellent Book and Some Resources (3, Interesting)

peterpi (585134) | more than 11 years ago | (#5081793)

Dammit, I was halfway through writing my own review for this book! Anyway, on with my post:

You wrote: "However, I'm not so sure his tactics will work as well as they did a few years ago"

That's because we're so much smarter about security now, right?

Well, we are smarter now. We are the people who have been around computers for a few years now (enough to be interested in /. reviews of security books). However, every single day there's a new sucker using a computer for the very first time.

I'm absolutely certain that I could successfully use all of those tricks against the company I currently work for.

Re:Excellent Book and Some Resources (2)

Elwood P Dowd (16933) | more than 11 years ago | (#5081932)

That's because we're so much smarter about security now, right?

Wow, what a great point. +1 Insightful, totally.

I'm absolutely certain that I could successfully use all of those tricks against the company I currently work for.

Hehehe. Good point. That's really funny, dude.

What company? ...

Oh. Actually, I bet you say in your bio/journal...

Damn Mitnick! (0)

Anonymous Coward | more than 11 years ago | (#5081699)

I didn't want to buy his book, but he somehow deceived me into buying it.

Now I'll have to read it to figure out how he pulled it off.

mitnick (0, Offtopic)

sketchkid (555690) | more than 11 years ago | (#5081711)

hey, kevin! man, i just wanted to let you know that your performance in "Hackers 2: Operation Takedown" was outstanding! Do you consider acting side by side with Master P in that movie the high point of your career? Also, could you sign my copy of "Scream"? I thought you were great in that too.

What do you mean that was skeet ulrich and not you???

Re:mitnick (1)

stopbit (444789) | more than 11 years ago | (#5081931)

hmmmmmmm....could someone please print out the above post and have Kevin read and then write a response then post that response? ;)

On Mitnick (4, Insightful)

Anonymous Coward | more than 11 years ago | (#5081724)

Am I the only participant in this forum who thinks that any admiration of Mitnick is admiration of a crook? As this book clearly seems to illustrate, the basis of his success as a cracker was his ruthlessness and willingness to lie and deceive people, rather than his technical prowess.

I.e. Mr. Mitnick is a criminal, who may or may not have extraordinary technological savvy; all those years in jail, and post-jail constraints, were surely well-deserved.

Re:On Mitnick (2, Insightful)

stratjakt (596332) | more than 11 years ago | (#5081801)

And now he's going to try and profit from it.

But not for long, since he's been prohibited from working with computers, eventually his circa-1995 insights will be as useless as a how-to-vulcanize-your-tires manual.

I've never seen anything admirable about him. I've read of no impressive technical feats, just a confidence man on the phone tricking you into revealing your network's passwords. If he was gathering SSNs or credit card numbers over the phone, would everyone be as impressed?

His motivations are irrelevant to me as well. If I came home to find my house broken into, I'd be no less pissed because the intruder swore he just did it for 'the thrill' of kicking my door in.

So, time to be modded down for an unpopular opinion. But Mitnick is no hero IMO, nonetheless.

A weak book on security (3, Informative)

prankster (162363) | more than 11 years ago | (#5081726)

I also read The Art of Deception

I do not really know how to describe this book with its strange mixture of fact and fiction. 2/3 of the book are stories of social engineering in all forms and shapes. That gets a bit long and tedious long before you have finished the 245 pages of it.

The rest of the book consists of recommendations for raising the bar. A long list of things to do if you want to tighten security at your company.

So does social engineering really work? Yes, my guess is that most people will not know what hit them even if you ask them afterwards.

At the very least you should be convinced by Mitnick talking Steve Wozniak into writing the foreword (Kevin Mitnick is one of the finest people I know) and Wiley Publishing, Inc. into publishing what I consider a weak book on security. There are of course a few good points but they are too few and too far apart.

The leading Danish financial newspaper, Børsen, wrote that it should be required reading for people with an IT security responsibility. I can only say that if you have an IT security responsibility and still need to read this book you are most likely in deep trouble.

You should only bother reading The Art of Deception if you know next to nothing about the human aspect of security and then only if you really think you are safe.

Re:A weak book on security (1)

dipipanone (570849) | more than 11 years ago | (#5081830)

So does social engineering really work?

It's a moot question really. I suppose it's like anything else. Sometimes it does, and sometimes it doesn't.

If I wanted to read about it though, I'd want to read the insights of a social engineer who was successful -- not one who couldn't keep his stupid arse out of jail.

The Register has a foreword that his publishers supposedly 'censored' where Kevin whines on about how he didn't really do anything wrong, and how it was all Markoff and the FBI and others who railroaded him. Surely the term for that isn't censoring. That's *editing*.

If the foreword is to be believed though, it's that Markoff who wants to write the book on social engineering. Making a legitimate fortune by railroading an innocent man and getting away with it -- that's my idea of a *real* social engineer -- not some whining ex-jailbird.

What is this? A review? (0)

Anonymous Coward | more than 11 years ago | (#5081746)

This "article" is an example of why Slashdot gets less and less interesting. Its articles are often duplicates of stories already posted, screeds by JonKatz (a writer who fills a much needed void) or content free nonsense like this one.

This is not a review at all. It's just some guy commenting briefly on a book that's been out for ages. Slashdot is way behind the times and the review is worthless.

Why, editors, did you choose to publish this on the site?

John.

Re:What is this? A review? (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5081980)

SHUT UP you should be given a negative billion for something, this sucks, you suck, you disagree with the norm, thus you are wrong, or something, cult mentality mob tactics rule.

excellent book (1)

oogoody (302342) | more than 11 years ago | (#5081751)

I loved this book. It showed in detail the application of social engineering in ways you might not have thought possible. It didn't show a lot of heroic hacking, which was part of the point. There were some good bits on how to install trojan horses though.

My thought (2, Insightful)

rczyzewski (585306) | more than 11 years ago | (#5081753)

I have always thought the easiest people to exploit (not that I do) are minimum wage or poorly paid employees at crappy jobs. You can sweet talk a lazy teenager and usually get what you want, but I think sweet talking an adult gets you more in the long run. Who do you think you could get better results from, a lazy clerk or a lazy manager? I'd take manager any day.

Fine for what it is (1, Troll)

Jack Wagner (444727) | more than 11 years ago | (#5081755)

I was given an advance copy of this book as I had done some work for Motorola and Sun Microsystems after Mitnick had broken into them and I thought it kind of glossed over some important info.

For instance he leaves out the famous ack flood attack which was used to break into Motorola by utilizing a well known hole in the TCP/IPv4 protocol simply because he doesn't want people to know about it and upgrade to IPv6. Of course if they did then he wouldn't be able to get consulting jobs by showing the exploit and them having these Fortune 500 companies pay him big bucks to fix them. Here's a freebie to all you from Wagner Consulting LLC., UPGRADE YOUR NETWORK LAYER TO IPv6!!!

Fred Brooks in "The Mythical Man Month" states that for every exploit you find in your code there are 3 that go unfound, so this means that there are still lots of holes in IPv4, yet the ack flood is the easiest one to exploit.

Warmest regards,
--Jack

Re:Fine for what it is (2)

nosilA (8112) | more than 11 years ago | (#5081800)

He wasn't allowed to talk about his own exploits, as part of his probation. So all of the stories are either fiction or someone else's story. Not to mention that he didn't cover any actual security holes except in passing. The point was to cover the human element, nothing else.

-Alison

Watch out for the Swedish translation. (1)

TripleA (232889) | more than 11 years ago | (#5081761)

I got the Swedish translation of this book as a Christmas gift from my father. Although I find the book somewhat interesting, the translation could be better.

RE-WRITING CHAPTER 7 (3, Funny)

mustangdavis (583344) | more than 11 years ago | (#5081762)

Chapter 7: Phony Sites and Dangerous Attachments

More like:

Chapter 7: Porn Sites and Dangerous Screen Savers

moron the WANd being quirkIEr than the eyecon (0)

Anonymous Coward | more than 11 years ago | (#5081768)

it's all nonsense, no DOWt.

we've had sites up for years. although there's been minor vandalism (boyz with billy boXes, no DOWt), all in all, webhosting has been a real pleasure.

the real foolz, are folks who (are MiSled to) bulleave that they can store sensitive inf. (covers a universe of stuff), on public webservers. not yet, you can't.

tell 'em robbIE. you MuSt be leaving a windough open somewhere (over the rainbow) for all those whoreabull corepirate slackhard jump-you ADs, to keep popping up, taking over yOUR hole cite?

Who sez? (1)

teeker (623861) | more than 11 years ago | (#5081773)

Who says geeks don't have good people skills?

Does social engineering work? (0)

Anonymous Coward | more than 11 years ago | (#5081775)

Just ask the idiots who opened the files that someone sent them to ask for advice!!!!! :P

Or the people who listen to me when I tell them they have to reboot hourly to 'swab their ram'.

I swear, people should need to get a license before they can operate a computer.

Kevin Mitnick in Joy of Tech comic (1)

Snaggy (140728) | more than 11 years ago | (#5081781)

On a semi-related note, Mitnick makes a cameo [joyoftech.com] in our latest Joy of Tech [joyoftech.com] comic.

It's about live coverage of his first Internet surf in 5 years...

enJoy :)

I read it... (5, Informative)

Hanashi (93356) | more than 11 years ago | (#5081816)

This article wasn't much of a review, so I thought I'd chime in. I read this book recently, and here are some of my thoughts.

First, what's in this book? The bulk of the book is given over to scenarios of different types of social engineering attacks. This includes things like acting helpless, offering help and guilting your victim into "owing you something", and pushing certain psychological buttons designed to make the victim feel whatever emotions you want. There's also some stuff about how to create a good security policy for your organization, but you can skip that. There are much better references for this sort of thing.

What did I like? The scenarios sure are entertaining! The book covers a wide variety of different situations and goals, from tricking someone into telling you their password to gaining physical access to "secure" facilities. The authors tell the story of each attack both from the victim's point of view and from the attacker's, then provide an analysis of why it worked and how it could have been prevented. Very valuable!

What did I dislike? There's a substantial amount of repetition in the scenarios, but some may view that as useful reinforcement, so it's not necessarily a bad thing. As I said, I think the security policy section isn't very good, and it could easily have been left out.

My overall impression is good, and I highly recommend this to anyone responsible for physical or information security in their organization.

man this is jake (0)

Anonymous Coward | more than 11 years ago | (#5081846)

it's really not a bad book, and if I could slashdot a book, I would first slashdot all of my C++ books, then this guy's stupid book. but not before slashdotting all of your houses, and that stupid physics of star trek book.

and stephen king, that arrogant ass

Sad news ... Stephen King dead at 55 (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5081858)

I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.

this is a semi-truth (0)

Anonymous Coward | more than 11 years ago | (#5081937)

while there is a semi-truth to this report, what actually happened was that he had a heart attack

after i cut his fingers off that piece of crap

Karma whore alert (2, Informative)

jsse (254124) | more than 11 years ago | (#5081906)

I wondered if the author actually committed the social crime like Frank W. Abagnale? [amazon.com] :) who wrote the book The Art of the Steal [amazon.com] and Catch Me If You Can [amazon.com] - yes, the movie [leonardodicaprio.com]

(save your mod point elsewhere thanks. :)

the REAL story behind Kevin Mitnick (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5081911)

Forget social engineering. KM will sadly be remembered as a non-nigger who committed a bunch of crimes and went to jail for it. He's a disgrace to our race, and he should have gotten the chair.

If Kevin's so good, why did he get caught? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5081922)

Did anyone bother to ask that? He's not a hero, folks. Don't idolize him.

social engineering (2, Funny)

BigBir3d (454486) | more than 11 years ago | (#5081972)

"My name is Bond, James Bond."

He always could get what he wanted from people.