Mitnick's return: The hacker is back

COMMENTARY--Kevin Mitnick, one of the world's best-known hackers, is back--with a book and a business. Now he's advising corporations on how to secure their networks.

On February 15, 1995, the FBI arrested Kevin Mitnick after a two-week cyber manhunt. He has been described by the U.S. Department of Justice as the most wanted computer criminal in United States history. Mitnick eventually pleaded guilty to an assortment of offenses--including wire fraud, computer fraud and illegally intercepting a wire communication--and served almost five years as a guest of the federal prison system.

Now the country's most well-known and mythologised hacker is giving advice to corporations on how to secure their networks from cyber intruders. While Mitnick denies involvement in many of the cybercrimes attributed to him, or that he intended to use his hacking skills like Dr. Evil, he is eminently qualified for the job.

This fact is well documented in the book he co-authored with writer William Simon that was published this week. In The Art of Deception (John Wiley & Sons, Inc. 2002), Mitnick delivers a detailed look into the subterranean world of hacking. But in this case the hacking is less about technical wizardry. Mitnick's particular gift is in taking advantage of human gullibility through what he calls "social engineering." "Cracking the human firewall is often easy, requires no investment beyond the cost of a phone call, and involves minimal risk," Mitnick writes.

Throughout the book, I got the sense that Mitnick takes pride in his previous hacker exploits, in the same way that Houdini liked to impress audiences with his seemingly impossible underwater escapes. Much of the 340-page book is spent recounting successful cons or intrusions by hackers who manipulate (social engineer) unsuspecting victims into forking over vital pieces of information, such as usernames, passwords and access points.

Each vignette reads like a mini-cybermystery thriller. That literary convention could be the work of Mitnick's co-writer Simon, but the primary author's passion in retelling these stories--of which he likely has a great deal of first-hand knowledge--is palpable. It's no wonder that Mitnick's favorite movie is The Sting.

Along with the vignettes that focus on particular social engineering techniques, such as targeting entry-level employees and playing on people's sympathy, Mitnick provides a detailed analysis of each "con" and offers suggestions on how to prevent being victimised.

Mitnick believes that gullibility or a trusting nature is part of the American fabric of life. "We're not trained to be suspicious of each other," Mitnick writes. "We are taught to 'love thy neighbor' and have trust and faith in each other. We know that all people are not kind and honest, but too often we live as if they were. This lovely innocence has been the fabric of the lives of Americans and it's painful to give up." Given the events over the last few years that have eroded trust, I would characterise the issue as one of ignorance rather than an excess of trustworthiness or lovely innocence in our national character.

The final chapters of the book provide a detailed outline of corporate security policies and a program for security awareness and training, including a recommendation to buy a copy of the book for all employees. The information provided in this section--especially related to developing systematic approaches to reducing the risk of social engineering--is quite useful. The corporate security policies outlined in the book are not unique. Other venues, such as CERT's security practices guide, offer more in-depth guidelines.

If Mitnick's goal was to raise awareness about deceptive practices used to compromise computer systems, he has definitely succeeded. The by-product of his literary endeavor is that the various cons described in the book also serve as a classic textbook for budding hackers. That combination should make The Art of Deception a very popular book.

Mitnick says that "a good social engineer plans his attack like a chess game, anticipating the questions his target might ask so he can be ready with the proper answers."

I suppose I have been a willing pawn in his effort to promote his book. Nonetheless, I willingly recommend The Art of Deception. It could save you from embarrassment or an even worse fate.
