The high tech grifter...
In 1978 Stanley Mark Rifkin earned his way into history and the Guinness Book of Records by stealing over $10 million from the now defunct Security Pacific National Bank in Los Angeles. It was the largest bank heist and wire fraud case in history, but you've probably never heard of Stanley Rifkin. That's because he didn't use a gun, blow up the vault, sneak in through the sewers, or even hack the computer system. Acting alone, he simply used a payphone in the lobby of the bank during normal business hours to con the personnel in the wire transfer room into sending millions of dollars to a temporary account at another bank. Rifkin then transferred the funds to Switzerland, converted the cash into untraceable diamonds, and smuggled them back into the United States. He might have actually gotten away with the heist and remained anonymous forever if he hadn't bragged to his attorney, who tipped off the police. In fact, by the time the police notified the bank, Security Pacific was not even aware that any funds were missing. Stanley Rifkin's place in the Guinness Book of Records stood until 1999, when the "Most Notorious Hacker" replaced him. That hacker was Kevin D. Mitnick, the author of this book.
Citing Rifkin's heist as a real world example, Mitnick's contention is that regardless of the physical security measures you may have in place, the weakest link in your defenses is the human element. Kevin Mitnick became famous for his ability to hack into almost any system, but in almost every instance he achieved his success through fairly non-technical means. He routinely exploited company organizational charts, impersonated employees and supervisors, sifted through trash, and even conned technicians out of their field manuals. He took advantage of people's willingness to help and their fear of being rude to acquire seemingly harmless pieces of information, and assembled them into a construct that would give him unrestricted access to the data he wanted. Yes, he was eventually caught. But while he was at large (and even when he was locked up in prison), Kevin Mitnick was considered by law enforcement agencies to be the most dangerous hacker in the world.
The Author
Mitnick's first foray into social engineering and fraud occurred at the age of 12, when he figured out how to make his own bus transfers and ride the public transportation system for free. In high school, Kevin learned phone phreaking, or how to manipulate the telephone company's systems to make free long-distance phone calls and perform other pranks. He later turned to computer hacking, partially by hanging out at a local Radio Shack and using their PCs and modems to connect to other computer networks. By the time he was 17, Kevin had graduated to larger projects, prompting his first arrest. In 1982 his "alleged" hacking of NORAD inspired the film "Wargames", which in turn inspired thousands of other teenagers to try their hand at phone phreaking and hacking.
Kevin's exploits became more serious in the mid-1980s, and he was arrested and convicted of a number of computer related crimes. He served a few short sentences, but quickly violated his parole and spent the majority of his adult life as a fugitive running from the FBI and other law enforcement agencies. He survived by using his "social engineering" skills to change his identity, get legitimate jobs, and evade detection. His efforts humiliated and enraged law enforcement officials, but his undoing was hacking into Tsutomu Shimomura's computer, stealing his files, and then taunting him on his answering machine. The infuriated Shimomura, a nationally known computer security expert and senior research fellow at the San Diego Supercomputer Center, helped the FBI track down Mitnick using laptop computers and a cell phone direction finder.
When he was finally apprehended in 1995, Kevin Mitnick was charged with 14 counts of wire fraud, 8 counts of unlawful possession of access devices, and one count each of unauthorized access to a federal computer, causing damage to a computer, and unlawful interception of electronic communications. In a frightening display of the court's ability to "make an example" of someone, Mitnick was accused of causing over $80 million in computer fraud (an absurd and certainly inflated number) and imprisoned for 4 1/2 years without a trial while the prosecution "built their case". (He served eight months of that time in solitary confinement.) By the time he actually went to trial (where he pled guilty), the majority of his sentence was commuted to time served. As a condition of his parole, Kevin is prohibited from even touching a computer until 2003.
Publisher's Price: $27.50 each
Street Price: $17.50 (Bookpool.com)
Deconstructing the Art
To a hacker, the art of "social engineering", or manipulating people into divulging information, is a skill that is as important as understanding operating systems or network protocols. While this high tech con-game is well known in the hacker community, it is rarely addressed in corporate security policies or training programs. And when they are successful, social engineering exploits are never reported, because the "mark" is completely unaware that they have been conned. The only real defense against the social engineer is awareness - understanding how the con works, and how to identify potential scams. For the uninitiated, this book is a real eye opener.
"The Art of Deception" is organized into 4 parts. Part 1 is a single chapter introduction that relates Rifkin's $10 million bank heist, Mitnick's background, and the basic elements of social engineering. Parts 2 and 3 make up the majority of the book, spanning 13 of its 16 chapters. Here, the authors relate "fictional" stories and phone transcripts that show how a hacker can manipulate employees into revealing seemingly innocent pieces of information that are later used (sometimes on an ongoing basis) to extend the con, gain more access, steal information, "borrow" company resources, and otherwise defraud companies or individuals out of just about anything.
The stories are very basic examples of social engineering that are designed to raise awareness, not to turn the average reader into a social engineer overnight. Despite the authors' repeated assertions that these accounts are purely fictional, and although some seem almost too simple to be real, those familiar with Kevin's exploits may recognize a variety of tactics that he is likely to have used himself. (Something to keep in mind if you doubt the effectiveness of some of the examples used.) The majority of the tactics described focus on impersonating someone who should have legitimate access to the data, but for one reason or another can't get to it. The hacker then enlists the aid of a helpful but unsuspecting employee to retrieve the information for them. In many cases, this is a process that involves a number of employees, all of whom provide small bits of seemingly unimportant information that become pieces in a larger puzzle.
Mitnick demonstrates how social engineers acquire internal phone numbers and passwords, learn the company lingo, gain access to company networks, and defeat (or bypass) complex security measures. He analyzes the attacks from both the attacker's and the victim's perspectives and offers advice on how to protect your environment from similar attacks. To ensure that non-technical readers aren't lost, the authors use a minimum of technical jargon and clearly define terms that are crucial to understanding the material. Kevin also includes a number of "Mitnick Messages" throughout these chapters that highlight important points as well as countermeasures to use to avoid these attacks.
For the security administrator, Part 4 is the real jewel of the book. In these 2 chapters, Mitnick provides a number of sample security policies and procedures, including data classification categories, verification and authentication procedures, guidelines for awareness training, methods of identifying social engineering attacks, warning signs, and flowcharts for responding to requests for information or action. Each security policy is followed by a paragraph of explanations and notes that outline the potential vulnerabilities in the policy. For example, an over-reliance on the caller ID function can be exploited by a hacker who can gain physical access to the phone closet. (Incidentally, this is not as difficult as it sounds.)
Overall Impressions
To his critics, "The Art of Deception" is just another con game by Mitnick - an extension of his original social engineering exploits in an attempt to legitimize himself and make a profit. To his fans, Kevin has turned over a new leaf and is trying to make amends by raising awareness of the tactics used by hackers and other con artists. To us, this book clearly seems like an act of redemption for Kevin, who claims that all of his hacking exploits were motivated by curiosity and not criminal intent. Certainly Mitnick was bright enough and talented enough to outright steal $80 million and leave the country unopposed if he had desired. Now that Kevin has paid his dues to society and put the past behind him, we hope that he will continue to write, lecture, and teach the "white hat" security community, and this book is certainly a good start.
As a preventive measure and awareness tool, "The Art of Deception" is certainly worth its $27.50 cover price. Administrators and non-technical readers will find it engaging, entertaining, easy to read, and informative without being alarmist. For those responsible for information security, the book will provide some valuable templates for updating your security policies and designing informational seminars for your employees. Social engineering as a security threat is already underestimated and underreported. Educating your users and raising awareness goes beyond simply trying to foil a curious or even malicious hacker. Corporate espionage, identity theft, bank fraud, and other con games are rampant on a global scale. To the professional con man, the easiest person to swindle is the person who thinks they can't be swindled. To the smug who think they could never be compromised by a social engineer: ignore this book at your peril.
Disclaimer: To ensure that our reviews are impartial, LabMice.net does not receive direct commissions on book sales. In addition, we do not accept advertising revenue or other compensation from book publishers.