The Art of Deception
By Kevin D. Mitnick & William L. Simon
352pp. Indianapolis, IN: Wiley Publishing, Inc. $27.50
In 1933 when Franklin Roosevelt appointed the notorious rum runner and stock swindler Joseph Kennedy to head the new Securities and Exchange Commission, he justified his decision with the quip: "Set a fox to catch a fox."
The same logic could be applied to ex-hackers. Having spent countless years breaking into computer systems for fun and profit, hackers need something to do after they get caught. One natural possibility is to start advising companies on how to prevent such hacking.
Kevin Mitnick, the poster child for hacking, has done just that. Thoroughly chastened and apparently rehabilitated (he even thanks his probation officer in the acknowledgements section), Mitnick has penned an engrossing tale of the hacking netherworld. Even more importantly, he lays bare the inherent weakness of any system where human beings are involved.
The book begins by replacing the pejorative word "hacker" with the delicious euphemism "social engineer." As Mitnick defines it: "Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology." Put more simply, a social engineer is a con artist.
Mitnick later goes on to justify the nomenclature by asserting that social engineers only target businesses while mere con artists or grifters exploit people. While that may be an attempt to assuage his conscience, it does point to an important problem with any computer system - human beings. As "The Art of Deception" reminds us again and again, computer security is only as good as the person on the other end of the phone.
Indeed, it is positively frightening how many so-called computer security people can be tricked into literally giving away information. Using a whole series of conversations and vignettes, Mitnick gives us a step-by-step script for duping otherwise intelligent employees into giving over passwords, codes and just about anything else an enterprising hacker - er, um, social engineer - might want. The software is just fine apparently, but the wetware needs major work.
So what's the solution? Thankfully Mitnick doesn't just expose all these weaknesses and then leave us hanging. Several chapters are devoted to in-house security and employee training. Some of it is common sense, although common sense isn't all that common, but to the best way to sum it up is in the immortal words of the "X-Files": "Trust no one."
Even with all this excellent advice, the unfortunate truth is that no technology is completely safe. Until human beings can be programmed like hard drives, there will always be someone somewhere who will trust that nice person who just happens to call and hand over the company jewels. At the very least, "The Art of Deception" should be assigned as required reading in every IT department so that employees can be put on guard against the next Mitnick-wannabe.
The bottom line is that in a world fraught with identity theft and corporate espionage, it pays to be careful. Even more importantly, Mitnick shows us how many companies really have no one but themselves to blame for security lapses. The social engineer could not exist without the gullible dupe.