The Art of Deception

Controlling the Human Element of Security

William L. Simon, Kevin D. Mitnick

Publisher: Wiley, 2002, 352 pages

ISBN: 0-7645-4280-X

Keywords: Information Security

Last modified: Nov. 15, 2008, 12:16 a.m.

The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security

Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."

Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.

  • Foreword
  • Preface
  • Introduction
  • Part 1 Behind the Scenes
    • Chapter 1 Security's Weakest Link
      • The Human Factor
      • A Classic Case of Deception
        • Code Breaking
        • There's This Swiss Bank Account
        • Achieving Closure
      • The Nature of the Threat
        • A Growing Concern
        • Deceptive Practices
      • Abuse of Trust
        • Our National Character
        • Organizational Innocence
      • Terrorists and Deception
      • About This Book
  • Part 2 The Art of the Attacker
    • Chapter 2 When Innocuous Information Isn't
      • The Hidden Value of Information
      • CreditChex
        • Private Investigator at Work
        • Analyzing the Con
      • The Engineer Trap
        • Analyzing the Con
      • More "Worthless" Info
      • Preventing the Con
    • Chapter 3 The Direct Attack: Just Asking for It
      • An MLAC Quickie
        • Number, Please
        • Analyzing the Con
      • Young Man On the Run
      • On the Doorstep
        • Loop-Around Deception
        • Stevie's Scam
      • Gas Attack
        • Janie Acton's Story
        • Art Sealy's Research Project
        • Analyzing the Con
      • Preventing the Con
    • Chapter 4 Building Trust
      • Trust: The Key to Deception
        • Doyle Lonnegan's Story
        • Analyzing the Con
      • Variation On a Theme: Card Capture
        • Surprise, Dad
        • Analyzing the Con
      • The One-Cent Cell Phone
        • Analyzing the Con
      • Hacking Into the Feds
        • Tapping Into the System
        • Analyzing the Con
      • Preventing the Con
        • Protect Your Customers
        • Trust Wisely
        • What Belongs on Your Intranet?
    • Chapter 5 Let Me Help You
      • The Network Outage
        • The Attacker's Story
        • Analyzing the Con
      • A Little Help for the New Gal
        • Analyzing the Con
      • Not as Safe as You Think
        • Steve Cramer's Story
        • Craig Cogburne's Story
        • Getting Inside
        • Analyzing the Con
      • Preventing the Con
        • Educate, Educate, and Educate …
        • Keeping Sensitive Information Safe
        • Consider the Source
        • Forget Nobody
    • Chapter 6 Can You Help Me?
      • The Out-Of-Towner
        • Keeping Up with the Joneses
        • A Business Trip
        • Analyzing the Con
      • Speakeasy Security
        • I Saw It at the Movies
        • Fooling the Phone Company
      • The Careless Computer Manager
        • Tuning In
        • Danny the Eavesdropper
        • Storming the Fortress
        • An Inside Job
        • Analyzing the Con
      • Preventing the Con
    • Chapter 7 Phony Sites and Dangerous Attachments
      • "Wouldn't You Like a Free (Blank)"
        • It Came in the Email
        • Spotting Malicious Software
      • Message from a Friend
      • Variations on a Theme
        • Merry Christmas
        • Analyzing the Con
      • Variations on the Variation
        • The Missing Link
        • Be Alert
        • Becoming Virus Savvy
    • Chapter 8 Using Sympathy, Guilt, and Intimidation
      • A Visit to the Studio
        • David Harold's Story
        • Analyzing the Con
      • "Do It Now"
        • Doug's Story
        • Linda's Story
        • Analyzing the Con
      • "Mr. Bigg Wants This"
        • Scott's Story
        • Analyzing the Con
      • What the Social Security Administration Knows About You
        • Keith Carter's Story
        • Analyzing the Con
      • One Simple Call
        • Mary H's Phone Call
        • Peter's Story
        • Analyzing the Con
      • The Police Raid
        • Search Warrant, Please
        • Scamming the Police
        • Covering His Tracks
        • Analyzing the Con
      • Turning the Tables
        • Graduating — Without Honors
        • Logging In to Trouble
        • The Helpful Registrar
        • Analyzing the Con
      • Preventing the Con
        • Protecting Data
        • About Passwords
        • A Central Reporting Point
        • Protect Your Network
        • Training Tips
    • Chapter 9 The Reverse Sting
      • The Art of Friendly Persuasion
        • Angela's Caller
        • Vince Capelli's Tale
        • Analyzing the Con
      • Cops as Dupes
        • Eric's Sting
        • The Switch
        • A Call to DMV
        • Analyzing the Con
      • Preventing the Con
  • Part 3 Intruder Alert
    • Chapter 10 Entering the Premises
      • The Embarrassed Security Guard
        • The Security Guard's Story
        • Joe Harper's Story
        • Analyzing the Con
      • Dumpster Diving
        • Cash for Trash
        • Analyzing the Con
      • The Humiliated Boss
        • Planting the Bomb
        • Surprising George
        • Analyzing the Con
      • The Promotion Seeker
        • Anthony's Story
        • Analyzing the Con
      • Snooping on Kevin
        • Analyzing the Con
      • Preventing the Con
        • Protection After Hours
        • Treating Trash with Respect
        • Saying Good-Bye to Employees
        • Don't Forget Anybody
        • Secure IT!
    • Chapter 11 Combining Technology and Social Engineering
      • Hacking Behind Bars
        • Calling Ma Bell …
        • Finding Gondorff
        • Synchronize Your Watches
        • Analyze the Con
      • The Speedy Download
      • Easy Money
        • Cash on the Line
        • Taking Up the Challenge
      • The Dictionary as an Attack Tool
        • The Password Attack
        • Faster Than You Think
        • Analyzing the Con
      • Preventing the Con
        • Just Say No
        • Cleaning Up
        • Pass It On: Protect Your Passwords
    • Chapter 12 Attacks on the Entry-Level Employee
      • The Helpful Security Guard
        • Elliot's View
        • Bill's Story
        • Analyzing the Con
      • The Emergency Patch
        • A Helpful Call
        • Analyzing the Con
      • The New Girl
        • Kurt Dillon's Story
        • Analyzing the Con
      • Preventing the Con
        • Deceiving the Unwary
        • Beware Spyware
    • Chapter 13 Clever Cons
      • The Misleading Caller ID
        • Linda's Phone Call
        • Jack's Story
        • Analyzing the Con
      • Variation: The President of the United States is Calling
      • The Invisible Employee
        • Shirley Attacks
        • Analyzing the Con
      • The Helpful Secretary
      • Traffic Court
        • The Con
        • Analyzing the Con
      • Samantha's Revenge
        • Payback
        • Analyzing the Con
      • Preventing the Con
    • Chapter 14 Industrial Espionage
      • Variation on a Scheme
        • Class Action
        • Pete's Attack
        • Analyzing the Con
      • The New Business Partner
        • Jessica's Story
        • Sammy Sanford's Story
        • Analyzing the Con
      • Leapfrog
        • Doing Their Homework
        • Setting Up the Victim
        • Analyzing the Con
      • Preventing the Con
        • Safety Off-Site
        • Who Is That?
  • Part 4 Raising the Bar
    • Chapter 15 Information Security Awareness and Training
      • Security Through Technology, Training, and Procedures
      • Understanding How Attackers Take Advantage of Human Nature
        • Authority
        • Liking
        • Reciprocation
        • Consistency
        • Social Validation
        • Scarcity
      • Creating Training and Awareness Programs
        • Goals
        • Establishing the Training and Awareness Program
        • Structure of the Training
        • Training Course Contents
      • Testing
      • Ongoing Awareness
      • What's In It For Me?
    • Chapter 16 Recommended Corporate Information Security Policies
      • What is a Security Policy
        • Steps to Developing a Program
        • How to Use These Policies
      • Data Classification
        • Classification Categories and Definitions
        • Classified Data Terminology
      • Verification and Authorization Procedures
        • Requests from a Trusted Person
        • Requests from an Unverified Person
        • Step One: Verification of Identity
        • Step Two: Verification of Employment Status
        • Step Three: Verification of Need to Know
      • Management Policies
        • Data Classification Policies
          • 1-1 Assign Data Classification
          • 1-2 Publish Classified Handling Procedures
          • 1-3 Label All Items
        • Information Disclosure
          • 2-1 Employee Verification Procedure
          • 2-2 Release of Information to Third Parties
          • 2-3 Distribution of Confidential Information
          • 2-4 Distribution of Private Information
          • 2-5 Distribution of Internal Information
          • 2-6 Discussing Sensitive Information Over the Telephone
          • 2-7 Lobby or Reception Personnel Procedures
          • 2-8 Transfer of Software to Third Parties
          • 2-9 Sales and Marketing Qualification of Customer Leads
          • 2-10 Transfer of Files and Data
        • Phone Administration
          • 3-1 Call Forwarding on Dial-Up or Fax Numbers
          • 3-2 Caller ID
          • 3-3 Courtesy Phones
          • 3-4 Manufacturer Default Passwords Shipped with Phone Systems
          • 3-5 Department Voice Mailboxes
          • 3-6 Verification of Telephone System Vendor
          • 3-7 Configuration of Phone System
          • 3-8 Call Trace Feature
          • 3-9 Automated Phone Systems
          • 3-10 Voice Mailboxes to Become Disabled after Successive Invalid Access Attempts
          • 3-11 Restricted Telephone Extensions
        • Miscellaneous
          • 4-1 Employee Badge Design
          • 4-2 Access Rights Review When Changing Position or Responsibilities
          • 4-3 Special Identification for Nonemployees
          • 4-4 Disabling Computer Accounts for Contractors
          • 4-5 Incident Reporting Organization
          • 4-6 Incident Reporting Hotline
          • 4-7 Sensitive Areas Must Be Secured
          • 4-8 Network and Phone Cabinets
          • 4-9 Intracompany Mail Bins
          • 4-10 The Company Bulletin Board
          • 4-11 Computer Center Entrance
          • 4-12 Customer Accounts with Service Providers
          • 4-13 Departmental Contact Person
          • 4-14 Customer Passwords
          • 4-15 Vulnerability Testing
          • 4-16 Display of Company Confidential Information
          • 4-17 Security Awareness Training
          • 4-18 Security Training Course for Computer Access
          • 4-19 Employee Badge Must Be Color-Coded
      • Information Technology Policies
        • General
          • 5-1 IT Department Employee Contact Information
          • 5-2 Technical Support Requests
        • Help Desk
          • 6-1 Remote Access Procedures
          • 6-2 Resetting Passwords
          • 6-3 Changing Access Privileges
          • 6-4 New Account Authorization
          • 6-5 Delivery of New Passwords
          • 6-6 Disabling an Account
          • 6-7 Disabling Network Ports or Devices
          • 6-8 Disclosure of Procedures for Wireless Access
          • 6-9 User Trouble Tickets
          • 6-10 Initiating Execute Commands or Running Programs
        • Computer Administration
          • 7-1 Changing Global Access Rights
          • 7-2 Remote Access Requests
          • 7-3 Resetting Privileged Account Passwords
          • 7-4 Outside Support Personnel Remote Access
          • 7-5 Strong Authentication for Remote Access to Corporate Systems
          • 7-6 Operating System Configuration
          • 7-7 Mandatory Expiration
          • 7-8 Generic Email Addresses
          • 7-9 Contact Information for Domain Registrations
          • 7-10 Installation of Security and Operating System Updates
          • 7-11 Contact Information on Web Sites
          • 7-12 Creation of Privileged Accounts
          • 7-13 Guest Accounts
          • 7-14 Encryption of Off-Site Backup Data
          • 7-15 Visitor Access to Network Connections
          • 7-16 Dial-In Modems
          • 7-17 Antivirus Software
          • 7-18 Incoming Email Attachments (High Security Requirements)
          • 7-19 Authentication of Software
          • 7-20 Default Passwords
          • 7-21 Invalid Access Attempts Lockout (Low to Medium Security)
          • 7-22 Invalid Access Attempts Account Disabled (High Security)
          • 7-23 Periodic Change of Privileged Account Passwords
          • 7-24 Periodic Change of User Passwords
          • 7-25 New Account Password Set Up
          • 7-26 Boot-Up Passwords
          • 7-27 Password Requirements for Privileged Accounts
          • 7-28 Wireless Access Points
          • 7-29 Updating Antivirus Pattern Files
        • Computer Operations
          • 8-1 Entering Commands and/or Running Programs
          • 8-2 Workers with Privileged Accounts
          • 8-3 Internal Systems Information
          • 8-4 Disclosure of Passwords
          • 8-5 Electronic Media
          • 8-6 Backup Media
      • Policies for All Employees
        • General
          • 9-1 Reporting Suspicious Calls
          • 9-2 Documenting Suspicious Calls
          • 9-3 Disclosure of Dial-Up Numbers
          • 9-4 Corporate ID Badges
          • 9-5 Challenging ID Badge Violations
          • 9-6 Piggybacking (Passing Through Secure Entrances)
          • 9-7 Shredding Sensitive Documents
          • 9-8 Personal Identifiers
          • 9-9 Organization Charts
          • 9-10 Private Information About Employees
        • Computer Use
          • 10-1 Entering Commands Into a Computer
          • 10-2 Internal Naming Conventions
          • 10-3 Requests to Run Programs
          • 10-4 Downloading or Installing Software
          • 10-5 Plain Text Passwords and Email
          • 10-6 Security-Related Software
          • 10-7 Installation of Modems
          • 10-8 Modems and Auto-Answer Settings
          • 10-9 Cracking Tools
          • 10-10 Posting Company Information on Line
          • 10-11 Floppy Disks and Other Electronic Media
          • 10-12 Discard Removable Media
          • 10-13 Password-Protected Screen Savers
          • 10-14 Disclosure or Sharing of Passwords Statement
        • Email Use
          • 11-1 Email Attachments
          • 11-2 Automatic Forwarding to External Addresses
          • 11-3 Forwarding Emails
          • 11-4 Verifying Email
        • Phone Use
          • 12-1 Participating in Telephone Surveys
          • 12-2 Disclosure of Internal Telephone Numbers
          • 12-3 Passwords in Voice Mail Messages
        • Fax Use
          • 13-1 Relaying Faxes
          • 13-2 Verification of Faxed Authorizations
          • 13-3 Sending Sensitive Information by Fax
          • 13-4 Faxing Passwords Prohibited
        • Voice Mail Use
          • 14-1 Voice Mail Passwords
          • 14-2 Passwords on Multiple Systems
          • 14-3 Setting Voice Mail Passwords
          • 14-4 Mail Message Marked as "Old"
          • 14-5 External Voice Mail Greetings
          • 14-6 Voice Mail Password Patterns
          • 14-7 Confidential or Private Information
        • Passwords
          • 15-1 Telephone Security
          • 15-2 Revealing Computer Passwords
          • 15-3 Internet Passwords
          • 15-4 Passwords on Multiple Systems
          • 15-5 Reusing Passwords
          • 15-6 Password Patterns
          • 15-7 Choosing Passwords
          • 15-8 Writing Passwords Down
          • 15-9 Plaintext Passwords in Computer Files
      • Policies for Telecommuters
        • 16-1 Thin Clients
        • 16-2 Security Software for Telecommuter Computer Systems
      • Policies for Human Resources
        • 17-1 Departing Employees
        • 17-2 IT Department Notification
        • 17-3 Confidential Information Used in Hiring Process
        • 17-4 Employee Personal Information
        • 17-5 Background Checks
      • Policies for Physical Security
        • 18-1 Identification for Nonemployees
        • 18-2 Visitor Identification
        • 18-3 Escorting Visitors
        • 18-4 Temporary Badges
        • 18-5 Emergency Evacuation
        • 18-6 Visitors in Mail Room
        • 18-7 Vehicle License Plate Numbers
        • 18-8 Trash Dumpsters
      • Policies for Receptionists
        • 19-1 Internal Directory
        • 19-2 Telephone Numbers for Specific Departments/Groups
        • 19-3 Relaying Information
        • 19-4 Items Left for Pickup
      • Policies for the Incident Reporting Group
        • 20-1 Incident Reporting Group
        • 20-2 Attacks in Progress
  • Security at a Glance
    • Identifying a Security Attack
      • The Social Engineering Cycle
      • Common Social Engineering Methods
      • Warning Signs of an Attack
      • Common Targets of Attacks
      • Factors That Make Companies More Vulnerable to Attacks
    • Verification and Data Classification
      • Verification of Identity Procedure
      • Verification of Employment Status Procedure
      • Procedure to Determine Need to Know
      • Criteria for Verifying Non-Employees
      • Data Classification

Reviews

The Art of Deception

Reviewed by Roland Buresund

OK ***** (5 out of 10)

Last modified: May 21, 2007, 3:25 a.m.

OK, after refusing to buy this book for nearly two years, I relented and bought it. Why? I did not intend to make Mitnick a rich person, nor did I believe he had something worthwhile to say.

To be truthful, the book could have been worse. The writing is OK and the message is worth telling. Unfortunately, it could have been told in 50 pages instead of 300+ pages, so you become bored very easily while reading this book.

You should probably have read it, but it is in no way a classic.
