Deception Lessons from a Pro


By Alex Salkever

It takes a thief to catch a thief. That's the operative assumption behind The Art of Deception (John Wiley & Sons), a compendium of cons compiled by well-known computer break-in artist Kevin D. Mitnick, co-written with William L. Simon. Read closely and you, too, can learn quick, easy, and invariably dirty methods to purloin supposedly confidential information.

Deception 101 includes: how to perpetrate wire fraud by deceiving bank personnel, how to steal someone's credit-card number by conning a video-store employee, how to dupe U.S. government clerks into handing out Social Security numbers, and even how to convince the staff of the local District Attorney's office to fax an arraignment to a copy shop where a crook on the lam can check out the charges against him and assess whether he really wants to go for the Big Sleep.

Sure sounds pretty sleazy -- but also supremely educational. All told, it's a sexy way to hammer home an increasingly relevant point: The weakest link in the information-security chain remains human nature. That's not a new point of view. Any information-security pro will agree that the best security technology can't prevent a skillful con artist from scoring the keys to a company's digital kingdom from unschooled and unsuspecting employees.

PHONE PHREAKS. While much of the information compiled in the book seems intuitive in hindsight, what makes it sing is the clear inside knowledge that Mitnick brings to the table and the fun presentation of a topic that could hardly be duller when reading about it in the corporate manual.

For the uninitiated, a quick bio of the author is in order. Mitnick is one of North America's foremost "social engineers." That's basically a fancy term for a con artist, albeit with a techno twist. (Mitnick himself puts grifters and social engineers in the same class of crooks.) As a teenager in Los Angeles, Mitnick cut his teeth by joining a gang of "phone phreaks" who routinely infiltrated and manipulated the public telephone system, not to mention breaking into phone company buildings. From there, he graduated to sneaking into restricted computer networks at some of the world's largest corporations, including Sun, Motorola, Novell, Nokia, and Qualcomm.

His antics came at a cost. Mitnick was convicted or pleaded guilty five times since the 1980s to crimes resulting from his hacking habits and social engineering forays. The first four convictions came with token jail time or probation, but for the final conviction from a 1995 arrest, Mitnick spent five years in jail and has spent the last three on probation. A judicial order forbids him from using the Internet.

NOT A GEEK BIBLE. Mitnick states in the book that what he did was wrong but claims he was motivated by curiosity and not malice or the lure of making easy money. (He also buries a blast at "unethical journalists and overzealous government prosecutors" in the acknowledgments section, and his publisher deleted a similar broadside that was to be his first chapter right before the initial production run.) Ironically, today Mitnick runs a security consultancy in Los Angeles, Defensive Thinking.

Whatever the case, the book does a stellar job living up to its none-too-presumptuous title. If you want to be a grifter -- or to guard yourself against them -- The Art of Deception deserves a prominent place on the shelf. This is no geek bible, mind you. Mitnick clearly has strong technology skills -- you can't hack into NORAD without them. But by his own admission, Mitnick's real expertise was his ability to trick people over the phone (or occasionally in person) into giving him key tidbits such as passwords or inside information about how corporate networks were configured.

That's what he mostly covers in the book. It's written in entertaining, layman's terms with no computerese and only the lightest treatment of the technical minutiae that lie behind many of the attacks he describes. Mitnick starts by illustrating how con artists and social engineers piece together one or two bits of seemingly useless information and employ them to gain the trust of someone inside an organization.

ILLUSION OF AUTHORITY. He outlines how a social engineer might be able to glean bank lingo for credit-check queries in a first call to a random teller. In a second call, he can use that lingo to convince a different bank employee to give up a key code number used to validate credit checks. Then the social engineer could make a third call to the credit-checking company itself to locate where an unsuspecting person is holding assets.

Such a skill set might not warm a mother's heart, but it would obviously be useful to, say, a private investigator looking for hidden assets or a corporate espionage specialist trying to glean deal information. And this is just the start of a tour through the world of social engineering.

Readers learn how social hackers use the illusion of authority to intimidate low-ranking employees into coughing up vital info or how these con artists create the illusion of a crisis ("Somebody stole my laptop, can you please help me get into the network!") to gain sympathy. In more advanced episodes, Mitnick even explains how a committed social hacker can parlay one piece of secret information that he doesn't need into convincing a mark to give him the tidbit he does need (Look, if I have this code, I obviously have the other one. But I happened to spill coffee on my code sheet today...).

PERFECT DETAILS. Along the way, Mitnick outlines the meticulous planning and information gathering that really complex social engineering forays need to succeed. In many of the dozens of examples, I had to wince because I had been in similar situations and now wonder whether I had been socially hacked. As in any great set of tales, the details make the difference.

When Mitnick walks you through a caper involving the Social Security Administration, he details the codes, databases, and even pronunciation of acronyms as well as a place online where anyone can read a manual outlining the inner workings and protocols of that faceless organization. While he claims most of his illustrations are made up and include fictional names and characters, it's no big leap to conclude that the perfect details probably came from years of practice.

Many readers will want to skip the last portion of the book, a dry set of recommendations on information-security policy for organizations. To me, the rules mostly sounded prudent, although at times Mitnick's prescriptions are Draconian enough (passwords must never be shared, period) to make me wonder whether corporations hewing tightly to his line wouldn't grind to a halt.

The last section aside, the book lives up to its title. And although I'm not sure I would hire Mitnick to protect my corporation and sleep well at night, I certainly would recommend this book to my employees, to my boss, and even to my mother -- or to just about anyone who wants to better protect themselves from the social engineers in this age of diminishing privacy and rising identity theft.

Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.

