Computer security is a major concern of large and small companies alike. But most IT managers don’t realize that while computers can be protected with firewalls, antivirus software, and stringent access policies, the one element that is hardest to control is the people who work with them. As former hacker Kevin Mitnick says, “the human factor is truly security’s weakest link.”
The Art of Deception is Mitnick’s treatise on social engineering, or the art of “getting people to do things they wouldn’t ordinarily do for a stranger”. Mitnick, who recently spent a few years in a very small room because of his actions, is certainly a master at this, and the book gives a litany of anecdotes telling how people, with just a few innocent questions, can get access to some of the most “secure” computer systems.
The book is written in a conversational tone - it almost sounds like someone is sitting next to you at a bar, telling you war stories. And stories they are. From the simplest tales of people pretending to be co-workers, and asking for important information, to more complex scams involving a series of carefully-scripted phone calls, or stories on getting past guards with smooth talk, Mitnick shows that, in many cases, hackers don’t need to sweat their nights away in dark rooms lit only by the bluish light of their monitors, fueled by gallons of coffee. It can often be as easy as calling up and just asking for a user name and password.
Many readers may think that this idea is ludicrous, that they'd never give such information out to strangers. Taken in the abstract this is true, but Mitnick shows that nothing is so absolute, and that context is everything. One story, for example, relates how someone called the Social Security office to get financial information on a person. By carefully learning the lingo of these civil servants, the caller can sound so authentic that it would almost be surprising for them not to get what they wanted. Often, the social engineer presents him or herself as a person in a fix, looking for help - their computer is down, their fax machine doesn't work, or they can't get network access. The people they call are taken in by their inherent desire to be helpful, especially to so-called co-workers.
These stories wear a little thin after a while, but the reward comes in the final chapter - about 70 pages long - which gives detailed examples of security policies that can, and should, be applied in companies. Mitnick looks at the fine points, and, if you have read all the stories preceding this chapter, you will see just how these policies can stop many of the cons he presents.
The Art of Deception gives a good overview of one of the most neglected aspects of computer security, with concrete examples and solutions to protect companies from social engineers. If you have never considered this issue, the book may be a wake up call - some of the examples show just how easy it is to get the goods, and just how gullible people can be. Don’t be one of them.
-- Kirk McElhearn
Kirk McElhearn is a freelance writer and translator living in a village in the French Alps. You can find out all about him at his web site, http://www.mcelhearn.com.