The Art of Deception: Controlling the Human Element of Security
a book by Kevin Mitnick
(our site's book review)
Kevin Mitnick served several years in prison for computer crimes
The Amazon book description on this book says: The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security. Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception: Controlling the Human Element of Security, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."
A thief catches another thief—the hooded one is trying to swipe the stolen loot the white-suited guy has behind the door
Mitnick was convicted on these charges: 14 counts of wire fraud, 8 counts of possession of unauthorized access devices, interception of wire or electronic communications, unauthorized access to a federal computer, and causing damage to a computer. But now he teaches cyber security principles and is behaving himself. He also wrote The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers and The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data.
Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented. He writes in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security. Note: Social engineering also means a discipline in social science that refers to efforts to influence particular attitudes and social behaviors on a large scale.
An example of a phishing email, disguised as an official email from a (fictional) bank. The sender is attempting to trick the recipient into revealing confidential information by 'confirming' it at the phisher's website. Note the misspelling of the words received and discrepancy as recieved and discrepency. Also note that although the URL of the bank's webpage appears to be legitimate, the hyperlink would actually be pointed at the phisher's webpage.
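The two cues called out in that caption, a link whose visible text is one address while its href points elsewhere, and telltale misspellings, can be checked mechanically before anyone clicks. This is an added example, not code from the book or from this site; the e-mail body, the domain names and the misspelling list are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: reads like a bank notice, the link text shows the
# "bank's" domain but the href goes to a different host (placeholder names).
SAMPLE_EMAIL = """
<p>We have recieved a report of a discrepency in your account.</p>
<p>Please confirm your details at
<a href="http://account-verify.example.net/login">https://www.examplebank.example/</a></p>
"""

# Constructed watch-list; the caption's two misspellings are the seed.
SUSPICIOUS_WORDS = ("recieved", "discrepency")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercase hostname of a URL (scheme added if missing), or ''."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def mismatched_links(html):
    """(visible_text, href) pairs where the visible text is itself a URL
    whose host differs from the href's host: the caption's hidden redirect."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        if "." in text and " " not in text:   # visible text looks like a URL
            if _host(text) and _host(text) != _host(href):
                found.append((text, href))
    return found


def misspellings(html, words=SUSPICIOUS_WORDS):
    """Watch-list words present in the message, case-insensitive."""
    lowered = html.lower()
    return [w for w in words if w in lowered]


def phishing_indicators(html):
    """Both checks in one report; empty lists mean no indicator fired."""
    return {"mismatched_links": mismatched_links(html),
            "misspellings": misspellings(html)}
```

A real mail filter would also resolve the href host against the sender's domain and a reputation feed; this block only shows the two cues the caption names.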
Considering Mitnick's reputation as a hacker guru, it's ironic that the last point of attack for hackers using social engineering is the computer. You con the person and you've circumvented the technology. Why do it the hard way when you can do it the easy way?
It's like the guy who comes to your house wanting to use your phone because there's been a terrible car crash. You want to help, but if your brain is working you'll wonder why he didn't just call 911 with the cellphone whose bulge you've spotted through the peephole even though the phone is not visible. (Hopefully you are wise enough to have a security peephole in the door.) The trouble is, once you've opened the door to the guy, it is way too late.
Hopefully you are wise enough to have a security peephole in the door—if not, get one
Mitnick drills in the concept that the bad guys who con like to exploit what he describes as that natural human desire to help others and be a good team player. Here is an example: the old there's-been-an-accident ploy. Home intrusions for robbery or rape often start with a lame excuse like an accident. In a real accident, someone involved, or a witness, will have a phone and call 911. So the proper response to the knock on the door is to tell him THROUGH THE DOOR (without unlocking or opening it) that you're dialing 911 and would he please give you the address of the accident. He'll either walk away or try to kick in the door. So let's hope you have an alarm keypad at the doorway and you hit the audible alarm immediately, and if that doesn't get rid of him, head for your safe room or "safest" room and get the gun most people store there. Lock yourself in that room and if he kicks that door in as well, be ready to open fire as it may save your life. He isn't there to talk politics. You've heard the horror stories. Tip: let it be horror for him, not for you!
Mitnick says that if you con the person, you've circumvented the technology. The would-be attacker has often conned the person and circumvented the technology called a locked door with a dead bolt. He often succeeds with social engineering and he cons the person into opening the door. Who knows what he does to the victims? The point is to never be one.
UPS or FedEx or USPS delivery
Package delivery people rarely need signatures, but if they do, make darn sure you are expecting such a package and you see a UPS or FedEx or USPS uniform through the peephole. Unexpected packages are a red flag and ones that need signatures are a frantically waving red flag. Keep looking through the peephole as you ask him to read the shipping label—both the To and the From. If it sounds okay, have him step back 10 paces, leaving the package and signature clipboard by the doorframe. Quickly open up and sign it, put down the clipboard, and then relock the door, being ready to slam and lock the door at the slightest hint of movement from the guy. If it doesn't sound okay, tell him through the door to take it away and return it to the sender. See UPS and FedEx warning: Beware of deliveries you didn't order, by Theo Thimou.
Tell your child to avoid the "could you help me find my cat Foofoo" scam by simply refusing to talk to strangers and opting to run away when they try to victimize your kid. There are lots of scams used by predators online to groom unsuspecting children into being victimized. Make sure your kids know about this stuff as well as never giving anyone any personal information online. Be with them as they sign up for an app or game to ensure the information asked for doesn't cross a line or invade privacy. Warn them about making friends on social media that start acting too inquisitive or seductive or creepy. Even though the online person says he's a certain sex and age, he may just as easily be a middle-aged creep hoping to get the kid to trust him and later to meet him. You want your kid to be alert but not paranoid, careful but not fearful.
Here is the REAL Nigerian Princess, and 'she' is laughing at you!
It's not enough to avoid falling for the infamous Nigerian Princess scam. You must also avoid the "there's been an accident" scam or "there's a package you need to sign for" scam.
Note: The Nigerian Princess scam: an email says that someone is in prison unjustly/kidnapped/exiled. They’re rich, but they can’t get to their money right now. If you help them out, they’ll reward you once they’re free. Of course, what actually happens is they run off with the money and you’re left feeling like a sucker. Or, someone who claims to be a government official or member of a royal family, requests assistance in transferring millions of dollars of excess money out of Nigeria and promises to pay the person for his or her help. The message is always of an “urgent, private” nature.
People like to feel that they've gotten smiled upon by God, who is answering their prayers
Common sense says that if someone, or something, or some offer, or some "gift" seems too good to be true, it probably is. People are social animals who want to be liked. So they fall for cons of various types that attempt to exploit their age, naivete, inexperience or willingness to share personal information, or willingness to click on a link in an email. People also like to feel that they've just gotten really lucky, gotten a lot of something for nothing, received the windfall they believe is due them, and gotten smiled upon by God, who is answering their prayers.
Google doesn't operate from dialog boxes like this, and Chrome doesn't use this method to encourage updates, since they know that scammers would exploit such dialogs by making fakes
People also get fooled with software update scams, where you land on a site that tells you your computer is compromised so you need to get a free scan or PC fixer or new anti-malware software. Or you need to update your media player, etc. The problem is the dialog box is a booby trap, so whether you click the Yes or the No or the X in the upper right corner, malware is downloaded into your computer or ransomware gets installed. So when you see such a dialog, do not fall for it. Press Ctrl Alt Delete to get to the Windows Task Manager and go to the Applications tab and press the End Task button until the web page is dumped. Social engineering uses the logic that if you see something suspicious you'll want to click No or press the exit X. Or you might even fall for their come-on and click Yes. Regardless of your decision, you'll be screwed. The idea is to make you believe there are only three possible responses. Wrong. There are four. And the Windows Task Manager is the ONLY correct one (unless your idea of a good time is shelling out $300 to a ransomware criminal who probably won't decrypt your files even if you pay the dough).
When some bothersome sales outfit you know (con artists use known company names and products in their emails) keeps plaguing you with email sales pieces, you want them to quit. So you click the unsubscribe link. Welcome to malware city where you'll meet Ransom Ron, a wealthy criminal. Why is he wealthy? Because people like you keep clicking the unsubscribe link so he can serve you a hearty meal of file encryption! The antacid tablet you'll need after such a nasty meal will set you back about $300! But it won't even work, so you'd better have everything backed up on a usually-off external drive (if it is usually on, it will get the Ransomware as well, since it is easy for a hacker to encrypt external drives as well). Lesson to learn: don't click links in emails. It may appear to be from Sears, Microsoft, or your bank, but such companies don't operate from email link clicking, so just don't do it. Attachments? Don't open them. If they're photos from friends that you thoroughly trust, open them, but otherwise don't, since this is an easy way to distribute malware. Lesson to learn: don't open attachments in emails.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information.
A confidence trick (synonyms include confidence game, confidence scheme, ripoff, scam and stratagem) is an attempt to defraud a person or group after first gaining their confidence, used in the classical sense of trust. Confidence tricks exploit characteristics of the human psyche, such as credulity, naïveté, compassion, vanity, irresponsibility, and greed. Mitnick's book stresses the human element as the weakness that gets exploited by social engineering tactics employing getting the victim's trust and then exploiting that trust. In his book, you meet Mitnick as an old-fashioned hacker stereotype: a socially challenged, obsessive loser addicted to an intoxicating sense of power that comes from stalking and spying.
"Much of Mitnick's security advice sounds practical until you think about implementation, when you realize that more effective security means reducing organizational efficiency—an impossible trade in competitive business. . . . Mitnick shows how easily security is breached by trust, but without trust people can't live and work together."—Steve Patient
"Mitnick is the most famous computer hacker in the world. Since his first arrest in 1981, at age 17, he has spent nearly half his adult life either in prison or as a fugitive. He has been the subject of three books and his alleged 1982 hack into NORAD inspired the movie War Games. Since his plea-bargain release in 2000, he says he has reformed and is devoting his talents to helping computer security. It's not clear whether this book is a means toward that end or a, wink-wink, fictionalized account of his exploits, with his name changed to protect his parole terms. Either way, it's a tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone."—Publishers Weekly
FBI arrests Mitnick in 1995
"...focuses on teaching companies how to defeat someone like him…full of specific examples of the ways apparently innocent bits of information can be stitched together to mount a comprehensive attack on an organization's most prized information..."—New Scientist
Cyber security takes work, knowledge, persistence, and computer savvy
The Art of Deception: Controlling the Human Element of Security focuses not on the computer hacking aspects of security, but on the weakest link when it comes to security—the human element. Most of the book consists of stories of social engineering in which you get someone to do what you want without their realizing it, which entails a loss for them and a gain for you. Mitnick is an expert at exploiting social engineering techniques. He furnishes a set of practical security precautions, many of which are common sense. The stories he chooses to share are interesting because of their daring and setup and because of their simplicity. This book illustrates various techniques for bypassing established corporate physical and information security policies for nefarious purposes. Give the book to a corporate manager and create for him or her a wake-up call about security.
Mitnick's take on privacy: "RT: . . . And talking about Edward Snowden, is he a hero or a traitor from your point of view?
Kevin Mitnick: I think he’s a whistleblower, I don’t look at him as a traitor. I’m actually glad that he revealed what the National Security Agency did, at least against Americans, by violating our constitutional rights to privacy." (Source: Use VPN! Former 'Most Wanted Hacker' Mitnick talks Snowden, NSA, and privacy, RT editor)
Whistleblower Edward Snowden is a hero, in our view, for exposing the NSA screwing over Americans by violating our constitutional rights to privacy
See also: The Shadow Factory: The NSA from 9/11 to the Eavesdropping on America, by James Bamford, who said "I don’t mind if you spy on terrorists. But we live in a democracy. There’s got to be a buffer here between the people who are targeting the terrorists and the American public."
Even the most sophisticated high-tech security systems can be rendered irrelevant if the people managing them are not sufficiently knowledgeable and vigilant. Mitnick focuses on the myriad ways in which human carelessness or ignorance can contribute to security breaches. An experienced con artist who is experienced in social engineering techniques can often do far worse damage by manipulating people to provide information they shouldn't be sharing than by relying on technologically sophisticated hacking methods. The con knows how to talk to elicit trust and then he exploits that trust to get key information that will let him do nasty things to the company or get money out of people. Mitnick is the prototypical silver-tongued devil.
Mitnick jumps from one type of con to the next, showing how and why it worked, then he provides an interesting discussion of the changes that would be needed to stop the con from succeeding. Examples of things to alter are behavior of individual employees, company policies and procedures, and computer software and hardware. Mitnick recommends various corporate information security policies, and an associated training program about information security awareness.
We were surprised so much of the book related to exploiting phone systems (he probably got the idea from Apple co-founders Steve Wozniak and Steve Jobs, who were doing that in the 1970s). Every con example boils down to this: people are gullible and dumb, and if you display any sort of confidence, you're more likely to be believed. Mitnick oozed confidence, but was weak in the morals and judgment department. But now he's either reformed or so sly and stealthy no one can catch him conning anyone. However, his security company is raking in the dough, so why color outside the lines? The only question that remains about his book is: Is he bragging? Our take: yes.
"One of my favorite stories is when Kevin [Mitnick] tells a bank officer he can hack his bank. The guy disagrees—and Kevin proceeds to put virus infected software on a few thumb drives and then tosses them around the parking area and the place where people smoke their cancer sticks. Soon people find the thumb drives and take them in the bank and plug them into their work computer…boom—access." (Source: The Art of Deception: Controlling the Human Element of Security , Tom Altman)
A massive cyber security incident at Equifax, one of the largest credit reporting agencies in the United States, exposed private information belonging to 143 million people. That is nearly half of the U.S. population. The best action to take is a credit freeze at all 3 credit monitoring agencies: Experian, Equifax and TransUnion. If they try to charge you at Equifax, complain, telling them that is unfair since it was their irresponsibility that caused the breach. Insist on a free freeze.
How did the breach happen? Much is still unknown. But it came down to a flaw in a tool designed to build web applications, the company said in a press release this week. And Equifax admitted it was aware of the security flaw a full two months before the company says hackers first gained access to its data. Some of the information hackers had access to includes names, Social Security numbers, birth dates, addresses and some driver's license numbers. The defective tool is called Apache Struts, and it's used by many large businesses and government organizations. Equifax used it to support its online dispute portal—where Equifax (EFX) customers go to log issues with their credit reports. The flaw allowed hackers to take control of a website. (Source: How the Equifax data breach happened: What we know now, Jackie Wattles and Selena Larson)
Computer bugs—hacker heaven but programmer hell
There are similar holes/bugs/errors in other apps, operating systems, tools, browsers, etc. Hackers use these holes for exploits until the hole/bug/error is discovered and fixed, then move on to exploit a different vulnerability. Programmers end up being reactive and hackers proactive, and all of us law-abiding citizens wish it could be the other way around.
Trump said he'd Make America Great Again, but most of us knew he really meant Make American Oligarchs Even Richer Again
Mitnick brings into focus "the best techniques for influencing your way to success in this post-truth, deception-ridden world". For example, Trump pretended to be a politician when he was merely a reality show king playing at being a political candidate—but the deception worked and now he's doing on-the-job training in the White House, which has most of the world nervous. If Trump messes up as president, did he really "influence his way to success" or did he really fake it to make it to get more power but now he's clueless how to use the power? With one exception: He is trying to change the tax code so he will pay a lot less taxes. Saving millions of dollars can be considered a success, but that's surely the most self-centered, self-serving, and narcissistic view of the U.S. presidency ever!
"Required reading for IT professionals, this book is highly recommended for public, academic, and corporate libraries."—Library Journal
"Mitnick outlines dozens of social engineering scenarios in his book, dissecting the ways attackers can easily exploit what he describes as 'that natural human desire to help others and be a good team player.'"—Wired