Book Review By John Weigle
If you worked at a bank, and someone called or walked up and asked for your computer password, you'd probably shake your head and walk away - or call security. But what if the caller explained he was from the bank's information services department and said he needed your password to help you check what appeared to be a glitch or a new virus in the computer system or to help you install an upgrade? Would you give him your password? According to Kevin Mitnick, many people would.
It's called social engineering, and for someone who wants to break into your company's system it is a much easier way in than trying to guess the names and passwords of several hundred employees.
Mitnick is a convicted hacker who is now a security consultant and formerly hosted the KFI radio show "The Darkside of the Internet." He admits what he did was illegal, although he insists he caused no damage to any system he hacked.
"I have gained unauthorized access to computer systems at some of the largest corporations on the planet, and have successfully penetrated some of the most resilient computer systems ever developed," he testified before Congress. "I have used both technical and nontechnical means to obtain the source code to various operating systems and telecommunication devices to study their vulnerabilities and their inner workings."
"The Art of Deception" explains many of the techniques that he and others have used - and still use - to break into other people's computers, and many of them require a gift of gab more than great hacking skills. With the right story, he makes clear, it's possible to get all kinds of information about a company and its security - or lack of same.
The key is social engineering, which he defines this way: "Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology."
The book, available in both hardback and paperback, was published in 2002 but is as valid today as it was then because it shows how easily we can all be fooled. Many of us will try to help a person who says he's a fellow employee from another division or plant by letting him into a room with a computer; install a program sent to us by someone claiming to be from the IS department; answer simple questions that don't seem to have anything to do with computer security; give information to someone who identifies himself as a higher-up in the organization; or throw away papers, or even manuals, that contain information no one outside the organization should have.
Mitnick tells stories about himself and about other hackers, and makes up scenarios showing how the black hats might work. The weakest link in security, he emphasizes, is the human factor because people can be stupid, greedy and anxious to please - especially if the people they're trying to please have befriended them, helped them or are their superiors at work. He quotes Albert Einstein as saying, "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
The book ends with recommendations for corporate information security, giving both proposed policies and the reasons for them. One problem with many policies, security or otherwise, is that no one explains the reasons behind them, so the people who are supposed to follow them have no idea why other than "it's the policy."
"The Art of Deception" should be required reading for anyone in charge of any kind of security, and it's valuable reading for anyone interested in how all that supposedly secret information gets into the wrong hands.
"The Art of Deception," Kevin D. Mitnick and William L. Simon, 2002, Wiley Publishing Inc., Indianapolis, Ind.