Saturday, December 22, 2007

Book Info : The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick

Date: Fri, Dec 21, 2007 at 11:53 AM

When I started my career 5-6 years back, computer security always fascinated me. I don't know why and how but I was always loved reading about computer security - Encryption, System Security, Network Security, Firewalls, Hacking, Cracking and anything else that comes to the mind.
During my stay at ESS(My previous company, a great place to work), one day I was browsing about programming best practices and from one link to another it
took me to a special web page that mentioned a guy called Kevin Mitnick and a small para regarding his work. I said : huh.. interesting...these guy
breaks in to information systems without using any software/technique. And I decided to read his master piece : The Art of Deception. I borrowed the
book from one of a friend and really it took some months before I could start reading it. But yes, when I started, I could not believe how easy it is to
play with Human mind and get things done which will be too difficult to do if we are using standard software attack techniques(Session Hijacking, IP
Spoofing to name a few). I completed the book in few sittings and I must say I am so impressed with it. It is not only the element of surprise that
is being maintained in all the real life scenarios but also the style, sophistication, confidence and smartness of the attacker(Hacker).
There are more than 20 scenarios i.e. 20+ different real life attacks which caused a lot of damage(In most of the cases) to the victims. If you are really interested in
keeping yourself secure I must say this is the one you can start with. This book explains how to keep you, your job/your business and people around
you safe from a different kind of attack : Social Engineering.
Here is what other reputed sources have to say about the book :
The Art of Deception is about gaining someone's trust by lying to them and then abusing that trust for fun and profit. Hackers use the euphemism "social engineering" and hacker-guru Kevin Mitnick examines many example scenarios.

After Mitnick's first dozen examples anyone responsible for organizational security is going to lose the will to live. It's been said before, but people and security are antithetical. Organizations exist to provide a good or service and want helpful, friendly employees to promote the good or service. People are social animals who want to be liked. Controlling the human aspects of security means denying someone something. This circle can't be squared.

Considering Mitnick's reputation as a hacker guru, it's ironic that the last point of attack for hackers using social engineering are computers. Most of the scenarios in The Art of Deception work just as well against computer-free organizations and were probably known to the Phoenicians; technology simply makes it all easier. Phones are faster than letters, after all, and having large organizations means dealing with lots of strangers.

Much of Mitnick's security advice sounds practical until you think about implementation, when you realize that more effective security means reducing organizational efficiency--an impossible trade in competitive business. And anyway, who wants to work in an organization where the rule is "Trust no one"? Mitnick shows how easily security is breached by trust, but without trust people can't live and work together. In the real world, effective organizations have to acknowledge that total security is a chimera--and carry more insurance. --Steve Patient, amazon.co.uk

From Publishers Weekly
Mitnick is the most famous computer hacker in the world. Since his first arrest in 1981, at age 17, he has spent nearly half his adult life either in prison or as a fugitive. He has been the subject of three books and his alleged 1982 hack into NORAD inspired the movie War Games. Since his plea-bargain release in 2000, he says he has reformed and is devoting his talents to helping computer security. It's not clear whether this book is a means toward that end or a, wink-wink, fictionalized account of his exploits, with his name changed to protect his parole terms. Either way, it's a tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone. As entertainment, it's like reading the climaxes of a dozen complex thrillers, one after the other. As a security education, it's a great series of cautionary tales; however, the advice to employees not to give anyone their passwords is bland compared to the depth and energy of Mitnick's descriptions of how he actually hacked into systems. As a manual for a would-be hacker, it's dated and nonspecific better stuff is available on the Internet but it teaches the timeless spirit of the hack. Between the lines, a portrait emerges of the old-fashioned hacker stereotype: a socially challenged, obsessive loser addicted to an intoxicating sense of power that comes only from stalking and spying.