Foreword.
Preface.
Introduction.
Part 1: Behind the Scenes.
Chapter 1: Security's Weakest Link.
Part 2: The Art of the Attacker.
Chapter 2: When Innocuous Information Isn't.
Chapter 3: The Direct Attack: Just Asking for It.
Chapter 4: Building Trust.
Chapter 5: "Let Me Help You".
Chapter 6: "Can You Help Me?".
Chapter 7: Phony Sites and Dangerous Attachments.
Chapter 8: Using Sympathy, Guilt, and Intimidation.
Chapter 9: The Reverse Sting.
Part 3: Intruder Alert.
Chapter 10: Entering the Premises.
Chapter 11: Combining Technology and Social Engineering.
Chapter 12: Attacks on the Entry-Level Employee.
Chapter 13: Clever Cons.
Chapter 14: Industrial Espionage.
Part 4: Raising the Bar.
Chapter 15: Information Security Awareness and Training.
Chapter 16: Recommended Corporate Information Security
Policies.
Security at a Glance.
Sources.
Acknowledgements.
Index.
KEVIN MITNICK is a security consultant to corporations worldwide
and a cofounder of Defensive Thinking, a Los Angeles-based
consulting firm (defensivethinking.com). He has testified before
the Senate Committee on Governmental Affairs on the need for
legislation to ensure the security of the government's information
systems. His articles have appeared in major news magazines and
trade journals, and he has appeared on Court TV, Good Morning
America, 60 Minutes, CNN's Burden of Proof and Headline News. He
has also been a keynote speaker at numerous industry events and has
hosted a weekly radio show on KFI AM 640 Los Angeles.
WILLIAM SIMON is a bestselling author of more than a dozen books
and an award-winning film and television writer.
“…authoritative…” (Retail Systems, December 2005) Mitnick is the
most famous computer hacker in the world. Since his first arrest in
1981, at age 17, he has spent nearly half his adult life either in
prison or as a fugitive. He has been the subject of three books and
his alleged 1982 hack into NORAD inspired the movie WarGames. Since
his plea-bargain release in 2000, he says he has reformed and is
devoting his talents to helping computer security. It's not clear
whether this book is a means toward that end or a, wink-wink,
fictionalized account of his exploits, with his name changed to
protect his parole terms. Either way, it's a tour de force, a
series of tales of how some old-fashioned blarney and high-tech
skills can pry any information from anyone. As entertainment, it's
like reading the climaxes of a dozen complex thrillers, one after
the other. As a security education, it's a great series of
cautionary tales; however, the advice to employees not to give
anyone their passwords is bland compared to the depth and energy of
Mitnick's description of how he actually hacked into systems. As a
manual for a would-be hacker, it's dated and nonspecific -- better
stuff is available on the Internet—but it teaches the timeless
spirit of th e hack. Between the lines, a portrait emerges of the
old-fashioned hacker stereotype: a socially challenged, obsessive
loser addicted to an intoxication sense of power that comes from
stalking and spying. (Oct.)
Forecast: Mitnick's notoriety and his well written, entertaining
stories should generate positive word-of-mouth. With the double
appeal of a true-crime memoir and a manual for computer security,
this book will enjoy good sales. (Publishers Weekly, June 24, 2002)
"...an interesting read..." (www.infosecnews.com, 17 July 2002)
"...highly entertaining...will appeal to a broad audience..."
(Publishing News, 26 July 2002) The world's most famous computer
hacker and cybercult hero, once the subject of a massive FBI
manhunt for computer fraud, has written a blueprint for system
security based on his own experiences. Mitnick, who was released
from federal prison in 1998 after serving a 22-month term, explains
that unauthorized intrusion into computer networks is not limited
to exploiting security holes in hardware and software. He focuses
instead on a common hacker technique known as social engineering in
which a cybercriminal deceives an individual into providing key
information rather than trying to use technology to reveal it.
Mitnick illustrates the tactics comprising this "art of deception"
through actual case studies, showing that even state-of-the-art
security software can't protect businesses from the dangers of
human error. With Mitnick's recommended security policies, readers
gain the information their organizations need to detect and ward
off the threat of social engineering. Required reading for IT
professionals, this book is highly recommended for public,
academic, and corporate libraries. [This should not be confused
with Ridley Pearson's new thriller, The Art of Deception. —Ed]—Joe
Accardi, William Rainey Harper Coll. Lib., Palatine, IL (Library
Journal, August 2002) He was the FBI's most-wanted hacker. But in
his own eyes, Mitnick was simply a small-time con artist with an
incredible memory, a knack for social engineering, and an enemy at
The New York Times. That foe, John Markoff, made big bucks selling
two books about Mitnick - without ever interviewing him. This is
Mitnick's account, complete with advice for how to protect yourself
from similar attacks. I believe his story. (WIRED Magazine, October
2002) Kevin Mitnick spent five years in jail at the federal
authorities' behest, but The Art of Deception: Controlling the
Human Element of Security (Kevin Mitnick and William Simon),
reveals that he was no lowly grifter. Rather, by impersonating
others in order to talk guileless employees out of access
protocols, Mr. Mitnick was practicing "the performance art called
social engineering."
While every society has had its demimonde-like the Elizabethan
coney catchers who duped visitors to 16th-century London--it's in
the United States that con artists assumedlegendary status. The
definitive book is still The Big Con from 1940 (Anchor Books),
which commemorates a golden age already receding when it was
published: the grifters it describes--like the High Ass Kid and
Slobbering Bob--thrived between 1914 and 1929, when technological
advances and unparalleled prosperity generated a roller-coaster
stock market.
That sounds a lot like the past decade. So how did the culture of
the con do during the Internet era? On Mr. Mitnick's evidence, it
flourished and evolved. The Art of Deception is itself a bit of a
fraud as far as advice on upgrading security. But the book does
deliver on "social engineering" exercises. Some aren't even illegal
and Mr. Mitnick -- weasel that he is -- lovingly records their most
elaborate convolutions. One way or another, you'll find the
information useful. (Red Herring, October 2002) "Mitnick outlines
dozens of social engineering scenarios in his book, dissecting the
ways attackers can easily exploit what he describes as 'that
natural human desire to help others and be a good team player.'"
(Wired.com, October 3, 2002) Finally someone is on to the real
cause of data security breaches--stupid humans. Notorious hacker
Kevin Mitnick--released from federal prison in January 2000 and
still on probation--reveals clever tricks of the "social
engineering" trade and shows how to fend them off in The Art of
Deception: Controlling the Human Element of Security (Wiley,
$27.50).
Most of the book, coauthored by William Simon (not the one running
for governor of California), is a series of fictional episodes
depicting the many breathtakingly clever ways that hackers can dupe
trusting souls into breaching corporate and personal
security--information as simple as an unlisted phone number or as
complicated as plans for a top-secret product under development.
The rest lays out a fairly draconian plan of action for companies
that want to strengthen their defenses. Takeaway: You can put all
the technology you want around critical information, but all it
takes to break through is one dolt who gives up his password to a
"colleague" who claims to be working from the Peoria office.
What's useful about this book is its explanation of risks in
seemingly innocuous systems few people think about. The caller ID
notification that proves you're talking to a top executive of your
firm? Easily forged. The password your assistant logs in with?
Easily guessed. The memos you toss into the cheap office shredder?
Easily reconstructed. The extension that you call in the IT
department? Easily forwarded.
Physical security can be compromised, too. It's not hard to gain
access to a building by "piggybacking" your way in the door amid
the happy throng returning from lunch. You'd better have confidence
in your IT professionals, because they're likely to have access to
everything on the corporate system, including your salary and
personal information. Mitnick offers some ideas for plugging these
holes, like color-coded ID cards with really big photos.
Implementing the book's security action plan in full seems
impossible, but it's a good idea to warn employees from the boss
down to the receptionist and janitors not to give out even
innocuous information to people claiming to be helpful IT folks
without confirming their identity--and to use things like
encryption technology as fallbacks. Plenty of would-be
Mitnicks--and worse--still ply their trade in spaces cyber and
psychological. --S.M. (Forbes Magazine - October 14, 2002) "...the
book describes how people can get sensitive information without
even stepping near a computer through 'social engineering' -- the
use of manipulation or persuasion to deceive people by convincing
them that you are someone else." (CNN.com's Technology section,
October 9, 2002) "...engaging style...fascinating true stories..."
(The CBL Source, October/December 2002) "…the book describes how
people can get information without even stepping near a computer…"
(CNN, 16 October 2002) "…each vignette reads like a
mini-cybermystery thriller…I willingly recommend The Art of
Deception. It could save you from embarrassment or an even worse
fate…" (zdnet.co.uk, 15 October 2002) "…details the ways that
employees can inadvertently leak information that can be exploited
by hackers to compromise computer systems…the book is scary in ways
that computer security texts usually do not manage to be…" (BBC
online, 14 October 2002) "…more educational than tell-all…"
(Forbes, 2 October 2002) "…would put a shiver into anyone
responsible for looking after valuable computer data…the exploits
are fictional but realistic…the book is about hacking peoples
heads…" (The Independent, 21 October 2002) "…the key strength of
The Art of Deception is the stream of anecdotes - with explanations
about how and why hacks succeed…provides a solid basis for staff
training on security…" (Information Age, October 2002) "…should be
on the list of required reading. Mitnick has done an effective job
of showing exactly what the greatest threat of attack is - people
and their human nature…" (Unix Review, 18 October 2002
"…disturbingly convincing…" (Fraud Watch, Vol.10, No.5, 2002 "…the
worlds most authoritative handbook…an unputdownable succession of
case studies…chilling…trust me, Kevin Mitnick is right…" (Business
a.m, 29 October 2002) "…a damn good read…I would expect to see it
as required reading on courses that cover business security…Should
you read this book? On several levels the answer has to be yes. If
you run your own business, work in one, or just want a good read,
this is worth it…" (Acorn User, 29 October 2002) "...the analysis
of individual cases is carried out thoroughly...ultimately, the
value of the book is that it may encourage security managers to be
more assiduous in teaching their staff to check the identities of
the people they deal with, and better corporate security will be
the result..." (ITWeek, 1 November 2002) "...a penetrating insight
into the forgotten side of computer security..." (IT Week, 4
November 2002) "...a highly entertaining read...Mitnick has a
laid-back style which makes the book easy to read and of great
interest, even to those of us who have no interest in computers..."
(Business Age, September 2002) "...one of the hacker gurus of our
time...makes it abundantly clear that everyone can be fooled and
cheated by the professionals...." (The Times Higher Education
Supplement, 15 November 2002) "...focuses on teaching companies how
to defeat someone like him…full of specific examples of the ways
apparently innocent bits of information can be stitched together to
mount a comprehensive attack on an organisation's most prized
information..." (New Scientist, 23 November 2002) "...all simple
things, little titbits of seemingly innocuous information, which
when gathered together give the hacker the power to cripple the
biggest corporation or the smallest home business..." (New Media
Age, 14 November 2002) "…highly acclaimed…a fascinating account…"
(Information Security Management, November 2002) "...His new book,
The Art of Deception, presents itself as a manual to help companies
defeat hackers..." Also listed in recommended reading list (The
Guardian, 13 December 2002) “…gets it’s point across and contains
some valuable pointers…”(MacFormat, January 2003) “…supremely
educational…a sexy way to hammer home a relevant point…what makes
it sing is the clear information that Mitnick brings to the
table…”(Business Week, 8 January 2003) “…Indispensable…”(Focus,
February 2003) "...incredibly intriguing...a superb book which
would be beneficial for anyone to read..." (Telecomworldwire, 4
February 2003) "...a good overview of one of the most neglected
aspects of computer security..." (Technology and Society, 7
February 2003) "...fascinating to read...should strike fear into
the hearts of commercial computer security departments..."
(Business Week, 3 September 2003) "...a penetrating insight into
the forgotten side of computer security..." (Accountancy Age, 19
February 2003) Top 10 Popular Science Books (New Scientist, 21
February f2003) "...should be assigned as required reading in every
IT department...excellent advice..." (Electronic Commerce Guide, 12
February 2003) “…an interesting and educational read for anyone
with a role to play in corporate security…”(Computer Business
Review, 6 March 2003) “…if you were not having security nightmares
before, read this book and you certainly will…” (IT Showcase News,
6 March 2003) “….easy to understand and actually fun to
read…”(Slashdot, 6 March 2003) “…a good read, well written…”
(Managing Information, March 2003) “…structured like a mini
detective story series…the unfolding attacks are compulsive
reading…” (Aberdeen Evening Express, 7 June 21003) “…a real
eye-opener…well written and produced…an easy and valuable read…”
(Accounting Web, 19 June 2003) “…a superb book which would be
beneficial for anyone to read…” (M2 Best Books, 4 February 2003)
“…the insights for earlier chapters are fascinationg, and that
alone makes it worth blagging a copy for review…”(Mute,
Summer/Autumn 2003) “…a good read, well-written…this accessibility
makes it doubly important…” (Managing Information – 5 star rating,
October 2003)
Ask a Question About this Product More... |