
REVIEW: "The Art of Deception", Kevin D. Mitnick/William L. Simon

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Dec 12, 2002
BKARTDCP.RVW 20021028

"The Art of Deception", Kevin D. Mitnick/William L. Simon, 2002,
0-471-23712-4, U$27.50/C$39.95/UK#19.95
%A Kevin D. Mitnick
%A William L. Simon
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2002
%G 0-471-23712-4
%I John Wiley & Sons, Inc.
%O U$27.50/C$39.95/UK#19.95 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0471237124/robsladesinterne
%P 352 p.
%T "The Art of Deception: Controlling the Human Element of Security"

Those in the security field know that Kevin Mitnick does not deserve the reputation he has gained as some kind of technical genius. His gift was skill as a social engineer. Stripped of the five dollar words, this means that he was a plain, old con man, cheat, or fraud. In other words, this is a book about how to fool people. Theoretically, the determined reader should be able to use the book to keep from being conned.

In the preface, Mitnick would have us believe that, although he admits to being a fraud and deceiver, he was never a grifter. He never harmed anybody, never obtained a material benefit, and was just curious to see if he could ride the buses for free (at the expense of the transit system) or make calls for free (at the expense of an MCI customer). (The willing moral blindness of these assertions is possibly the most instructive part of the book: it is truly representative of large portions of the blackhat community.) He would have us believe that he is a "changed person": one of the most sought-after computer security experts world-wide, and the world's most famous hacker. Oh, and just in case the authorities are inclined to think that this book runs counter to the injunction that he not profit from the stories of his criminal exploits, the tales are all completely fictional. Trust him.

Part one is entitled "Behind the Scenes." Chapter one states that people are security's weakest link. This is a truism well known in the field, but the first account is really about insider fraud, while the remainder are generic fear-mongering.

Part two describes the art of the attacker. (At great length.) Chapter two depicts escalation or enumeration through social engineering, and points out that sometimes innocuous information isn't. There is a section on "preventing the con" at the end of each chapter: in this case we are told not to give out information, but not provided with any advice about authenticating callers. Similarly, chapter three says that sometimes attackers just ask for access or information and says to verify callers, but doesn't say how. Chapter four tells you to distrust everyone--which would probably be more damaging to society than social engineering. (Interestingly, yesterday a report came out about studies of "freeloading" in the animal kingdom, which notes that communities with too many non-contributing members tend not to survive. By extension, only societies with an overwhelming majority of trustworthy members exist for any length of time.) The prevention bit tells companies not to have people give credit card information over the phone, but stresses teaching employees about cons rather than policies. At about this point the text, which is very repetitious, throws in some minor technical details. This is enough to remind the professional that the book is designed for the naive user, with extremely lightweight analysis, and implications that would not be useful. There is more repetitive redundancy in chapter six, on the way to some useful information about fraudulent email and really lousy data about viruses and malware, in chapter seven. Chapters eight and nine are simply more of the same stories, which start to get very tedious.

Part three is apparently supposed to help us detect intruders. Chapter ten has a little useful advice about having termination procedures. The major points in chapter eleven seem to be about all the people who have been mean to our poor Kevin. Then it is back to the, by now extremely tiresome, con jobs for another three chapters.

We are intended to believe that part four will help us protect ourselves and our companies against social engineering. Chapter fifteen is an attempt to convince us that the book should be purchased for all employees. (Nice try, Kev.) There is an arbitrary, and oddly both generic and overly detailed, suggested security policy, in chapter sixteen.

So. Security professionals already know about social engineering. It is unlikely in the extreme that even the most head down, don't-talk-to-the-users, socially maladept firewall administrator will learn very much from this book. But, of course, this is not a trade paperback. This is a hardback aimed at the mass market: the non-professionals. Will they learn anything from it? Well, it might be useful for teaching new tricks to those who like to con people (although fraudsters will likely be disappointed at the number of times it is assumed that they know how to reprogram DMS-100 switches: don't try this at home). The prevention sections, as noted, are big on "don't" and short on "how not to."

Well, but the book can still be a fascinating read, can't it? Sure. If you're the type of person who finds humour in watching someone fall on his or her face. Over and over and over and over and over and over and over and over and over and over again ...

copyright Robert M. Slade, 2002 BKARTDCP.RVW 20021028

rslade@... rslade@... slade@... p1@...
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
December 16, 2002 - December 20, 2002 San Francisco, CA
February 10, 2003 - February 14, 2003 St. Louis, MO
March 31, 2003 - April 4, 2003 Indianapolis, IN