I know it’s not Halloween, but if you want to read a scary book, try The Art of Deception by Kevin Mitnick. I challenge you to not recognize yourself in the role of the mark in at least some of his little vignettes. And when you inevitably do, I challenge you to feel comfortable about the security of your network and corporate secrets.
As far as I know, I have never met Mitnick, and I have never been one of his fans. In his heyday in the early ’90s, he created quite a stir with his hacking exploits and helped give hacking the bad name it has these days. His activities, some of them at least, got him an offer he could not refuse from U.S. federal authorities: to spend some time in government housing. Since he got out of federal prison in January 2000 he has spent his time as a security consultant, a radio show host, and staying off the Internet (apparently Internet absence is a condition of his parole).
He now has written a how-to book for people who want to break into your secure environment by attacking the weakest link in any security system: the people. As far as I can tell, his aim is to scare the bejesus out of anyone remotely concerned with security – computer security, network security, personal security, etc. – then, when you are paying attention, give you some helpful hints on how not to be a victim.
The basic theme of the book is that the best technical security in the world (and few of us have the wherewithal or clout to have the best technical security in the world) can be rendered irrelevant by a little “social engineering.” If that happens with the best technical systems, just think of what someone practicing what Mitnick teaches would do to your security systems.
Social engineers of the type described in Mitnick’s book basically play on the fact that most people want to be helpful, or at least they want to be helpful to someone they see as being a colleague of some kind. A few innocuous phone calls to gather some background information, and they are ready to be your best buddy and con you out of your shorts, and you will never even feel the breeze.
The advice on how to minimize your risks that makes up the last 80 pages of the book is a mixture of what should be obvious and the “Oh gee, I should have thought of that.” That part alone is well worth the price of admission (which is easy to say for me because I got a free review copy). But even after reading all the advice, I do not think I would want to be standing between Mitnick and something he wanted.
Disclaimer: Harvard has at least four schools (you can guess which schools) where an ability to con is not a disadvantage, but the above book report is mine alone.
Bradner is a consultant with Harvard University’s University Information Systems. He can be reached at email@example.com.