- The Windows 2000\XP\.NET Resource Index

Last Updated January 22, 2004

The Art of Deception: Controlling the Human Element of Security

As administrators we often rely on technology alone to keep our data safe. Firewalls, biometrics, intrusion detection software, event logging, and antivirus software help us watch over our networks. Additional monitoring software helps us look for patterns in behavior, elevated access privileges, failed login attempts, and other clues that a hacker is "rattling the doors and windows" looking for a way in. But what about your phone system? How would you know if hackers were manipulating your own employees into divulging their passwords, or e-mailing your company's most sensitive data to your competitors? Sound far-fetched? These were the tactics of the world's most notorious hacker, Kevin Mitnick. Now that he has been released from prison, Mitnick is attempting to redeem himself by sharing the social engineering tactics that enabled him to break into some of the most "secure" computer systems in the world.
The high-tech grifter...
In 1978 Stanley Mark Rifkin earned his way into history and the Guinness Book of Records by stealing over $10 million from the now defunct Security Pacific National Bank in Los Angeles. It was the largest bank heist and wire-fraud case in history at the time, but you have probably never heard of Stanley Rifkin. That is because he didn't use a gun, blow up the vault, sneak in through the sewers, or even hack the computer system. Acting alone, he simply used a payphone in the lobby of the bank during normal business hours to con the personnel in the wire transfer room into sending millions of dollars to a temporary account at another bank. Rifkin then transferred the funds to Switzerland, converted the cash into untraceable diamonds, and smuggled them back into the United States. He might have gotten away with the heist and remained anonymous forever if he hadn't bragged to his attorney, who tipped off the police. In fact, by the time the police notified the bank, Security Pacific was not even aware that any funds were missing. Stanley Rifkin's place in the Guinness Book of Records stood until 1999, when the "Most Notorious Hacker" replaced him. That hacker was Kevin D. Mitnick, the author of this book.

Citing Rifkin's heist as a real-world example, Mitnick contends that regardless of the physical and technical security measures you may have in place, the weakest link in your defenses is the human element. Kevin Mitnick became famous for his ability to hack into almost any system, but in almost every instance he achieved his success through fairly non-technical means. He routinely exploited company organizational charts, impersonated employees and supervisors, sifted through trash, and even conned technicians out of their field manuals. He took advantage of people's willingness to help and their fear of being rude to acquire seemingly harmless pieces of information, then assembled those pieces into a picture that gave him unrestricted access to the data he wanted. Yes, he was eventually caught. But while he was at large (and even when he was locked up in prison), Kevin Mitnick was considered by law enforcement agencies to be the most dangerous hacker in the world.


The Author
Mitnick's first foray into social engineering and fraud occurred at the age of 12, when he figured out how to make his own bus transfers and ride the public transportation system for free. In high school, Kevin learned phone phreaking: manipulating the telephone company's systems to make free long-distance calls and play other pranks. He later turned to computer hacking, partly by hanging out at a local Radio Shack and using their PCs and modems to connect to other computer networks. By the time he was 17, Kevin had graduated to larger targets, prompting his first arrest. In 1982 his "alleged" hacking of NORAD inspired the film "WarGames", which in turn inspired thousands of other teenagers to try their hand at phone phreaking and hacking.

Kevin's exploits became more serious in the mid-1980s, and he was arrested and convicted of a number of computer-related crimes. He served a few short sentences, but quickly violated his parole and spent the majority of his adult life as a fugitive running from the FBI and other law enforcement agencies. He survived by using his "social engineering" skills to change his identity, get legitimate jobs, and evade detection. His efforts humiliated and enraged law enforcement officials, but his undoing was hacking into Tsutomu Shimomura's computer, stealing his files, and then taunting him on his answering machine. The infuriated Shimomura, a nationally known computer security expert and senior research fellow at the San Diego Supercomputer Center, helped the FBI track down Mitnick using laptop computers and cellular direction-finding equipment.

When he was finally apprehended in 1995, Kevin Mitnick was charged with 14 counts of wire fraud, 8 counts of unlawful possession of access devices, and one count each of unauthorized access to a federal computer, causing damage to a computer, and unlawful interception of electronic communications. In a frightening display of the court's ability to "make an example" of someone, Mitnick was accused of causing over $80 million in losses (an absurd and certainly inflated number) and was held for 4 1/2 years without a trial while the prosecution "built their case". (He served eight months of that time in solitary confinement.) By the time the case was finally resolved (he pled guilty), the majority of his sentence was credited as time served. As a condition of his parole, Kevin was prohibited from even touching a computer until 2003.

Publisher's Price: $27.50
Deconstructing the Art
To a hacker, the art of "social engineering", or manipulating people into divulging information, is a skill as important as understanding operating systems or network protocols. While this high-tech con game is well known in the hacker community, it is rarely addressed in corporate security policies or training programs. And when they succeed, social engineering attacks usually go unreported, because the "mark" is completely unaware of having been conned. The only real defense against the social engineer is awareness: understanding how the con works and how to recognize a scam in progress. For the uninitiated, this book is a real eye opener.

"The Art of Deception" is organized into four parts. Part 1 is a single-chapter introduction that relates Rifkin's $10 million bank heist, Mitnick's background, and the basic elements of social engineering. Parts 2 and 3 make up the majority of the book, spanning 13 of its 16 chapters. Here the authors relate "fictional" stories and phone transcripts that show how a hacker can manipulate employees into revealing seemingly innocent pieces of information that are later used (sometimes on an ongoing basis) to extend the con, gain more access, steal information, "borrow" company resources, and otherwise defraud companies or individuals out of just about anything.

The stories are basic examples of social engineering, designed to raise awareness rather than to turn the average reader into a social engineer overnight. Despite the authors' repeated assertions that these accounts are purely fictional, and although some seem almost too simple to be real, those familiar with Kevin's exploits will recognize a variety of tactics that he is likely to have used himself. (Something to keep in mind if you doubt the effectiveness of some of the examples.) The majority of the tactics described focus on impersonating someone who should have legitimate access to the data but, for one reason or another, can't get to it. The hacker then enlists the aid of a helpful but unsuspecting employee to retrieve the information for them. In many cases this is a process that involves a number of employees, each of whom provides a small bit of seemingly unimportant information that becomes a piece in a larger puzzle.

Mitnick demonstrates how social engineers acquire internal phone numbers and passwords, learn the company lingo, gain access to company networks, and defeat (or simply bypass) complex security measures. He analyzes the attacks from both the attacker's and the victim's perspective and offers advice on how to protect your environment from similar attacks. To ensure that non-technical readers aren't lost, the authors use a minimum of technical jargon and clearly define the terms that are crucial to understanding the material. Kevin also includes a number of "Mitnick Messages" throughout these chapters that highlight important points as well as countermeasures for avoiding these attacks.

For the security administrator, Part 4 is the real jewel of the book. In these two chapters, Mitnick provides a number of sample security policies and procedures, including data classification categories, verification and authentication procedures, guidelines for awareness training, methods of identifying social engineering attacks, warning signs, and flowcharts for responding to requests for information or action. Each sample policy is followed by a paragraph of explanation and notes that outline the potential weaknesses in the policy. For example, over-reliance on caller ID can be exploited by an attacker who gains physical access to the phone closet. (Incidentally, this is not as difficult as it sounds.)
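To make the shape of such a verification flow concrete, here is a skeleton of one written in Python as an added example for this review. It is not the book's policy text and not code from this site; the directory entries, the data inventory, the item names, the phone numbers and the four-level classification ladder are all constructed assumptions for the illustration. It encodes the two points the page raises about Part 4: the caller's identity is confirmed by calling back on a number the company already holds, never on a number the caller offers, and the displayed caller ID is recorded for the log but is never treated as proof.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Classification(IntEnum):
    """Constructed data-classification ladder (assumption; the book's own categories may differ)."""
    PUBLIC = 0
    INTERNAL = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Constructed employee directory. It is the ONLY source of callback numbers:
# a number the caller offers, or the number shown by caller ID, proves nothing.
DIRECTORY = {
    "jsmith": {"role": "helpdesk", "phone": "+1-555-0101"},
    "rlee": {"role": "manager", "phone": "+1-555-0102"},
}

# Constructed inventory mapping requestable items to their classification.
DATA_CLASSIFICATION = {
    "office-hours": Classification.PUBLIC,
    "internal-directory": Classification.INTERNAL,
    "dialup-number": Classification.PRIVATE,
    "employee-ssn": Classification.CONFIDENTIAL,
}


@dataclass
class Request:
    claimed_user: str                        # identity the caller asserts
    item: str                                # what the caller is asking for
    caller_id: Optional[str] = None          # displayed caller ID (untrusted, logged only)
    callback_number: Optional[str] = None    # number the caller asks to be reached on (untrusted)
    callback_completed: bool = False         # handler reached the caller on the DIRECTORY number
    manager_approval: Optional[str] = None   # username of the manager who approved the release


@dataclass
class Decision:
    allowed: bool
    reason: str
    actions: List[str] = field(default_factory=list)   # follow-up steps for the handler


def evaluate(req: Request) -> Decision:
    """Walk a request through the verification flow and return the decision."""
    level = DATA_CLASSIFICATION.get(req.item)
    if level is None:
        # Unclassified data is handled as the most sensitive class, not the least.
        return Decision(False, "item not classified: treat as CONFIDENTIAL until classified")

    if level == Classification.PUBLIC:
        return Decision(True, "PUBLIC item: no identity verification required")

    record = DIRECTORY.get(req.claimed_user)
    if record is None:
        return Decision(False, "claimed identity is not in the directory")

    # A caller who steers the handler toward a different callback number is the
    # classic setup; the handler refuses it and calls the listed number instead.
    if req.callback_number and req.callback_number != record["phone"]:
        return Decision(False, "caller-supplied callback number differs from the directory entry; refuse it")

    if not req.callback_completed:
        return Decision(False, "identity unverified: call back on the directory number before releasing",
                        actions=[f"callback:{record['phone']}"])

    if level == Classification.CONFIDENTIAL:
        approver = DIRECTORY.get(req.manager_approval or "")
        if approver is None or approver["role"] != "manager":
            return Decision(False, "CONFIDENTIAL item requires approval from a manager listed in the directory")

    # Every release of non-public data is logged, including the displayed caller ID,
    # so a later review can spot a pattern of small requests adding up to a big one.
    return Decision(True, f"verified by directory callback; releasing {level.name} item",
                    actions=[f"log:{req.claimed_user}:{req.item}:callerid={req.caller_id}"])
```

The ordering of the checks is the point: the request is classified before anyone is trusted, a caller-supplied callback number is rejected before any callback happens, and caller ID appears only in the audit record, which is the safe place for it given the phone-closet caveat above.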

Overall Impressions
To his critics, "The Art of Deception" is just another con game by Mitnick, an extension of his original social engineering exploits in an attempt to legitimize himself and make a profit. To his fans, Kevin has turned over a new leaf and is trying to make amends by raising awareness of the tactics used by hackers and other con artists. To us, this book reads as an act of redemption by Kevin, who claims that all of his hacking exploits were motivated by curiosity and not criminal intent. Certainly Mitnick was bright enough and talented enough to have outright stolen $80 million and left the country unopposed had he wanted to. Now that Kevin has paid his dues to society and put the past behind him, we hope that he will continue to write, lecture and teach to the "white hat" security community, and this book is certainly a good start.

As a preventive measure and awareness tool, "The Art of Deception" is certainly worth its $27.50 cover price. Administrators and non-technical readers will find it engaging, entertaining, easy to read, and informative without being alarmist. Those responsible for information security will find valuable templates for updating their security policies and designing awareness seminars for their employees. Social engineering as a security threat is already underestimated and underreported. Educating your users and raising awareness goes beyond simply trying to foil a curious or even malicious hacker. Corporate espionage, identity theft, bank fraud, and other con games are rampant on a global scale. To the professional con man, the easiest person to swindle is the person who thinks they can't be swindled. If you are smug enough to think you could never be taken in by a social engineer, ignore this book at your peril.

To ensure that our reviews are impartial, does not receive direct commissions on book sales. In addition, we do not accept advertising revenue or other compensation from book publishers.



This site and its contents are Copyright 1999-2003 by Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with The products referenced in this site are provided by parties other than makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.