Amazon.co.uk
After Mitnick's first dozen examples anyone responsible for organisational security is going to lose the will to live. It's been said before but people and security are antithetical. Organisations exist to provide a good or service and want helpful friendly employees to promote the good or service. People are social animals who want to be liked. Controlling the human aspects of security means denying someone something. This circle can't be squared.
Considering Mitnick's reputation as a hacker guru the least and last point of attack for hackers using social engineering are computers. Most of the scenarios in The Art of Deception work just as well against computer-free organisations and were probably known to the Pheonicians. Technology simply makes it all easier. Phones are faster than letters after all and large organisations mean dealing with lots of strangers.
Much of Mitnick's security advice sounds practical until you think about implementation, when you realise more effective security means reducing organisational efficiency: an impossible trade in competitive business. And anyway, who wants to work in an organisation where the rule is "Trust no one"? Mitnick shows how easily security is breached by trust, but without trust people can't live and work together. In the real world effective organisations have to acknowledge total security is a chimera--and carry more insurance. --Steve Patient
Amazon.co.uk
After Mitnick's first dozen examples anyone responsible for organizational security is going to lose the will to live. It's been said before, but people and security are antithetical. Organizations exist to provide a good or service and want helpful, friendly employees to promote the good or service. People are social animals who want to be liked. Controlling the human aspects of security means denying someone something. This circle can't be squared.
Considering Mitnick's reputation as a hacker guru, it's ironic that the last point of attack for hackers using social engineering are computers. Most of the scenarios in The Art of Deception work just as well against computer-free organizations and were probably known to the Phoenicians; technology simply makes it all easier. Phones are faster than letters, after all, and having large organizations means dealing with lots of strangers.
Much of Mitnick's security advice sounds practical until you think about implementation, when you realize that more effective security means reducing organizational efficiency--an impossible trade in competitive business. And anyway, who wants to work in an organization where the rule is "Trust no one"? Mitnick shows how easily security is breached by trust, but without trust people can't live and work together. In the real world, effective organizations have to acknowledge that total security is a chimera--and carry more insurance. --Steve Patient, amazon.co.uk
From Library Journal
Copyright 2002 Cahners Business Information, Inc.
Pressestimmen
"...highly entertaining...will appeal to a broad audience..." (Publishing News, 26 July 2002)
"required reading for IT professionals, [and] is highly recommended for public, academic, and corporate libraries." (Library Journal, August 2002)
"This is Mitnick's account, complete with advice for how to protect yourself from similar attacks. I believe his story." (Wired, October 2002)
"does deliver on 'social engineering' exercises." And "[o]ne way or another, you'll find the information useful." (Red Herring, October 2002)
"Mitnick outlines dozens of social engineering scenarios in his book, dissecting the ways attackers can easily exploit what he describes as 'that natural human desire to help others and be a good team player.'" (Wired.com, October 3, 2002)
"Most of the book, coauthored by William Simon ..., is a series of fictional episodes depicting the many breathtakingly clever ways that hackers can dupe trusting souls into breaching corporate and personal security - information as simple as an unlisted phone number or as complicated as plans for a top-secret product under development." (Forbes, October 14, 2002)
"...the book describes how people can get sensitive information without even stepping near a computer through 'social engineering' -- the use of manipulation or persuasion to deceive people by convincing them that you are someone else." (CNN.com's Technology section, October 9, 2002)
"...engaging style...fascinating true stories..." (The CBL Source, October/December 2002)
"...the book describes how people can get information without even stepping near a computer..." (CNN, 16 October 2002)
"...each vignette reads like a mini-cybermystery thriller...I willingly recommend The Art of Deception. It could save you from embarrassment or an even worse fate..." (zdnet.co.uk, 15 October 2002)
"...details the ways that employees can inadvertently leak information that can be exploited by hackers to compromise computer systems...the book is scary in ways that computer security texts usually do not manage to be..." (BBC online, 14 October 2002)
"...more educational than tell-all..." (Forbes, 2 October 2002)
"...would put a shiver into anyone responsible for looking after valuable computer data...the exploits are fictional but realistic...the book is about hacking peoples heads..." (The Independent, 21 October 2002)
"...the key strength of The Art of Deception is the stream of anecdotes - with explanations about how and why hacks succeed...provides a solid basis for staff training on security..." (Information Age, October 2002)
"...should be on the list of required reading. Mitnick has done an effective job of showing exactly what the greatest threat of attack is - people and their human nature..." (Unix Review, 18 October 2002)
Mitnick is the most famous computer hacker in the world. Since his first arrest in 1981, at age 17, he has spent nearly half his adult life either in prison or as a fugitive. He has been the subject of three books and his alleged 1982 hack into NORAD inspired the movie WarGames. Since his plea-bargain release in 2000, he says he has reformed and is devoting his talents to helping computer security. It's not clear whether this book is a means toward that end or a, wink-wink, fictionalized account of his exploits, with his name changed to protect his parole terms. Either way, it's a tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone. As entertainment, it's like reading the climaxes of a dozen complex thrillers, one after the other. As a security education, it's a great series of cautionary tales; however, the advice to employees not to give anyone their passwords is bland compared to the depth and energy of Mitnick's description of how he actually hacked into systems. As a manual for a would-be hacker, it's dated and nonspecific -- better stuff is available on the Internet--but it teaches the timeless spirit of the hack. Between the lines, a portrait emerges of the old-fashioned hacker stereotype: a socially challenged, obsessive loser addicted to an intoxication sense of power that comes from stalking and spying. (Oct.)
Forecast: Mitnick's notoriety and his well written, entertaining stories should generate positive word-of-mouth. With the double appeal of a true-crime memoir and a manual for computer security, this book will enjoy good sales. (Publishers Weekly, June 24, 2002)
"...an interesting read..." (www.infosecnews.com, 17 July 2002)
"...highly entertaining...will appeal to a broad audience..." (Publishing News, 26 July 2002)
The world's most famous computer hacker and cybercult hero, once the subject of a massive FBI manhunt for computer fraud, has written a blueprint for system security based on his own experiences. Mitnick, who was released from federal prison in 1998 after serving a 22-month term, explains that unauthorized intrusion into computer networks is not limited to exploiting security holes in hardware and software. He focuses instead on a common hacker technique known as social engineering in which a cybercriminal deceives an individual into providing key information rather than trying to use technology to reveal it. Mitnick illustrates the tactics comprising this "art of deception" through actual case studies, showing that even state-of-the-art security software can't protect businesses from the dangers of human error. With Mitnick's recommended security policies, readers gain the information their organizations need to detect and ward off the threat of social engineering. Required reading for IT professionals, this book is highly recommended for public, academic, and corporate libraries. [This should not be confused with Ridley Pearson's new thriller, The Art of Deception. --Ed]--Joe Accardi, William Rainey Harper Coll. Lib., Palatine, IL (Library Journal, August 2002)
He was the FBI's most-wanted hacker. But in his own eyes, Mitnick was simply a small-time con artist with an incredible memory, a knack for social engineering, and an enemy at The New York Times. That foe, John Markoff, made big bucks selling two books about Mitnick - without ever interviewing him. This is Mitnick's account, complete with advice for how to protect yourself from similar attacks. I believe his story. (WIRED Magazine, October 2002)
"Mitnick outlines dozens of social engineering scenarios in his book, dissecting the ways attackers can easily exploit what he describes as 'that natural human desire to help others and be a good team player.'" (Wired.com, October 3, 2002)
"...Mitnick remains what can best be called a colourful character... The Art of Deception is an entertaining read - and more than a little scary..."
Financial Times vom 16.12.2002
Publishing News, 26 July 2002
Library Journal, August 2002
Kurzbeschreibung
Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."
Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.
Synopsis
Klappentext
Inviting you into the complex mind of the hacker, Mitnick provides realistic scenarios of cons, swindles, and social engineering attacks on businesses-and the consequences. Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. He illustrates just how susceptible even the most locked-down information systems are to a determined con artist impersonating an IRS agent or any other seemingly innocent character. Narrated from the points of view of both the attacker and the victim, The Art of Deception explores why each attack was so successful-and how it could have been averted-in an engaging and highly readable manner reminiscent of a true-crime novel.
Most importantly, Mitnick redeems his former life of crime by providing specific guidelines for developing protocols, training programs, and manuals to ensure that a company's sophisticated technical security investment will not be for naught. He shares his advice for preventing security vulnerability in the hope that people will be mindfully on guard for an attack from the gravest risk of all-human nature.
Buchrückseite
"...a tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone. As entertainment, it's like reading the climaxes of a dozen complex thrillers, one after the other" --Publishers Weekly
Kevin Mitnick's exploits as a cyber-desperado and fugitive from one of the most exhaustive FBI manhunts in history have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison in 2000, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most famous hacker gives new meaning to the old adage, "It takes a thief to catch a thief."
Inviting you into the complex mind of the hacker, Mitnick provides realistic scenarios of cons, swindles, and social engineering attacks on businesses-and the consequences. Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. He illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent or any other seemingly innocent character. Narrated from the points of view of both the attacker and the victim, The Art of Deception explores why each attack was so successful and how it could have been averted in an engaging and highly readable manner reminiscent of a true-crime novel.
Most importantly, Mitnick redeems his former life of crime by providing specific guidelines for developing protocols, training programs, and manuals to ensure that a company's sophisticated technical security investment will not be for naught. He shares his advice for preventing security vulnerability in the hope that people will be mindfully on guard for an attack from the gravest risk of all-human nature.
Über den Autor
WILLIAM SIMON is a bestselling author of more than a dozen books and an award-winning film and television writer.
Auszug aus The Art of Deception von Mitnick. Copyright © 2002. Abdruck erfolgt mit freundlicher Genehmigung der Rechteinhaber. Alle Rechte vorbehalten.
What do most people think is the real threat from social engineers? What should you do to be on your guard?
In reality penetrating a company's security often starts with the bad guy obtaining some piece of information or some document that seems so innocent, so everyday and unimportant, that most people in the organization wouldn't see any reason why the item should be protected and restricted.
Yet, much of this seemingly innocuous information is prized by a social engineering attacker because it can play a vital role in his effort to dress himself in a cloak of believability.
The Art of Deception shows how social engineers do what they do by letting you witness the attacks for yourself--sometimes presenting the action from the viewpoint of the people being victimized, allowing you to put yourself in their shoes and gauge how one might have responded.
Here's one of the many scenarios we present.
Peter Abels gets a phone call.
Hi, the voice at the other end of the line says. This is Tom at Parkhurst Travel. Your tickets to San Francisco are ready. Do you want us to deliver them, or do you want to pick them up?
San Francisco? Peter says. I'm not going to San Francisco.
Is this Peter Abels?
Yes, but I don't have any trips coming up.
Well, the caller says with a friendly laugh, you sure you don't want to go to San Francisco?
If you think you can talk my boss into it . . . Peter says, playing along with the friendly conversation.
Sounds like a mix-up, the caller says. On our system, we book travel arrangements under the employee number. Maybe somebody used the wrong number. What's your employee number?
Peter obligingly recites his number. And why not? It goes on just about every personnel form he fills out, lots of people in the company have access to it--human resources, payroll, and, obviously, the outside travel agency. No one treats an employee number like some sort of secret. What difference could it make?
The answer isn't hard to figure out. Two or three pieces of information might be all it takes to mount an effective impersonation--the social engineer cloaking himself in someone else's identity. Get hold of an employee's name, his phone number, his employee number--and maybe, for good measure, his manager's name and phone number--and a halfway-competent social engineer is equipped with most of what he's likely to need to sound authentic to the next target he calls.
If someone who said he was from another department in your company had called yesterday, given a plausible reason, and asked for your employee number, would you have had any reluctance in giving it to him?
And by the way, what is your social security number?
MITNICK MESSAGE
The moral of the story is, don't give out any personal or internal company information or identifiers to anyone, unless his or her voice is recognizable and the requestor has a need to know.
