BetaONE will rise again!


#1
2nd Nov 02, 11:08 PM
FreeUS
In his mid-1990s flight from the law, über-hacker Kevin D. Mitnick was accused of donning new names, disguises and addresses, all the while continuing a "hacking spree" to steal from top-flight computer, Internet and telephone systems.

The first cyber thief to get his mug on a federal Most Wanted poster, Mitnick was his own worst enemy.

After his 2000 release from prison, he now works only the legal side of the street as a security consultant and has authored a book of anecdotal escapades that will surprise and alarm many computer-reliant companies, as well as provide a certain amount of intrigue for individuals with an interest in computers.

The way into many systems is not so much through high-tech wizardry from the outside as it is conning the insiders to open the door, argues The Art of Deception, Controlling the Human Element of Security, co-authored by writer William L. Simon.

Mitnick provides many examples of individuals who verbally worm their way into an organization, its systems, its secrets and its computers.

The predators often start with simple steps, perhaps first calling as a customer, vendor or consultant, gaining simple information like a worker's name, supervisor and vacation days, then adopting that identity and moving up the food chain to an insider with keys to the kingdom.

After assuming the appropriate identity and knowledge, the scammer tricks that insider into either revealing secret information like passwords or performing actions such as downloading disguised spyware that opens up a permanent "back door" into a network for him. He or she may pose as a boss, a new employee who needs computer help or a contracted computer tech out to aid the company.

The Art of Deception's steady flow of anecdotes reveals numerous variations on these schemes. They usually work by phone and may take two steps or 10. Players include private investigators, corporate spies and malicious hackers.

The term for these activities, Mitnick says, is "social engineering." He defines this as "getting people to do things they wouldn't ordinarily do for a stranger."

How does Mitnick, now in his late 30s, know about social engineering? He practiced it since high school, he says, largely rationalizing his legendary break-ins as pranks or the result of intellectual curiosity. He blames his troubles since teenhood on others, including overzealous prosecutors and unethical media. The sources of the anecdotes generally come from him "and others," he says, with fictionalized details.

The Art of Deception's accounts generally ring true enough to believe, and the lesson is clear: Security starts with low-tech safeguards and the lowest workers. The author offers somewhat unoriginal templates for protective company policies and practices. Use his book as a teaching tool, Mitnick says.

The layman may also find the tales interesting, if eventually repetitive over the course of 346 pages. Moreover, the lack of any consequences to anyone in the book is troubling; it could serve as easily as a handbook for cons as it does a cautionary tale for their potential targets.

The reader must keep in mind that this labor comes from a man who has been arrested several times since his teens, ignited a massive manhunt and even served court-ordered time in rehab for computer "addiction." There are several books about Mitnick if you want a better-rounded picture.

The Art of Deception, $27.50, is available this week in hardback from Wiley.