The world's most celebrated hacker delivers the lowdown on today's most serious security weakness: human nature
"Finally someone is on to the real cause of data security breaches: stupid humans. Mitnick reveals clever tricks of the social engineering trade and shows how to fend them off."
Stephen Manes, Forbes
"A tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone. As entertainment, it's like reading the climaxes of a dozen complex thrillers, one after the other."
"Mitnick provides hair-raising examples of social engineering (disgruntled employees stealing top-secret research, smooth-talking con men acquiring data on next-generation explosives for terrorists) and explains how to combat it."
Angela Gunn, Time Out New York
"He was the FBI's most-wanted hacker. But in his own eyes, Mitnick was simply a small-time con artist with an incredible memory [and] a knack for social engineering. This is Mitnick's account, complete with advice for how to protect yourself from similar attacks. I believe his story."
Simson Garfinkel, Wired
Finally someone is on to the real cause of data security breaches--stupid humans. Notorious hacker Kevin Mitnick--released from federal prison in January 2000 and still on probation--reveals clever tricks of the "social engineering" trade and shows how to fend them off in The Art of Deception: Controlling the Human Element of Security (Wiley, $27.50).
Most of the book, coauthored by William Simon (not the one running for governor of California), is a series of fictional episodes depicting the many breathtakingly clever ways that hackers can dupe trusting souls into breaching corporate and personal security--information as simple as an unlisted phone number or as complicated as plans for a top-secret product under development. The rest lays out a fairly draconian plan of action for companies that want to strengthen their defenses. Takeaway: You can put all the technology you want around critical information, but all it takes to break through is one dolt who gives up his password to a "colleague" who claims to be working from the Peoria office.
What's useful about this book is its explanation of risks in seemingly innocuous systems few people think about. The caller ID notification that proves you're talking to a top executive of your firm? Easily forged. The password your assistant logs in with? Easily guessed. The memos you toss into the cheap office shredder? Easily reconstructed. The extension that you call in the IT department? Easily forwarded.
Physical security can be compromised, too. It's not hard to gain access to a building by "piggybacking" your way in the door amid the happy throng returning from lunch. You'd better have confidence in your IT professionals, because they're likely to have access to everything on the corporate system, including your salary and personal information. Mitnick offers some ideas for plugging these holes, like color-coded ID cards with really big photos.
Implementing the book's security action plan in full seems impossible, but it's a good idea to warn employees from the boss down to the receptionist and janitors not to give out even innocuous information to people claiming to be helpful IT folks without confirming their identity--and to use things like encryption technology as fallbacks. Plenty of would-be Mitnicks--and worse--still ply their trade in spaces cyber and psychological.