Title | : | The Art of Deception: Controlling the Human Element of Security |
Author | : | |
Rating | : | |
ISBN-10 | : | 076454280X |
ISBN-13 | : | 9780764542800 |
Language | : | English |
Format Type | : | Paperback |
Number of Pages | : | 352 |
Publication | : | First published January 1, 2001 |
Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."
Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.
The Art of Deception: Controlling the Human Element of Security Reviews
-
The Art of Deception is one of two books by famous hacker Kevin Mitnick, the other being "The Art of Intrusion". Intrusion focuses primarily on physical or technological hacks, while this book focuses almost exclusively on social engineering attacks.
A number of problems prevented this book from being very good. The main problem is simply that Mitnick did not have enough material to fill an entire book. This book would have been better if it were shorter and simply one section in a larger book about security. A great deal of the book feels like padding, the anecdotes about various social engineering attacks seem repetitive and pointless - reading just one is often enough, but Mitnick consistently indulges himself with identical tale after identical tale.
I'm not entirely sure who the audience for this book could really be. It doesn't seem like it's for technical people, because the book goes out of its way to define what things like "http" mean. The book claims to be geared toward nontechnical people or businesspeople, but the fact of the matter is that the subtle differences between a lot of the social engineering attacks will be missed by nontechnical people. To your average Joe, 20 or so of the stories in the book will seem identical, testing the patience of the reader.
The book is also frustrating in its design. It's constructed as a book to help managers and businesspeople manage security at their companies. Every story about a social engineering attack is followed by a "Mitnick Message" where Kevin explains how to prevent the attack from happening to you. In reality, however, the real focus is the story itself - the attackers are consistently painted as the hero of the story, with the hapless victims being drawn as naive morons. It's clear that Mitnick admires the attackers in these tales, and the "Mitnick Message" feels like it's been forced into the book to keep up the ruse that the book is intended for anyone other than wannabe hackers. Mitnick's advice is a restated form of "verify the identity of the caller" in nearly every instance.
The book is, to put it simply, a bore. Reading it was a challenge, and I had to fight the frustration to skim or skip sections nonstop. The Art of Intrusion is far more interesting, and I recommend it over this book without reservation. There is value for businesspeople to read this book, but I imagine it will present a significant challenge to their patience.
As an aside, Mitnick offers terrible advice regarding passwords. He argues that passwords should not consist of a constant combined with a predictable variable, such as "kevin01", "kevin02", "kevin03". I agree. He also says that users should not write down their passwords and tape the paper to their monitor or under their keyboards. I agree again. He also, unfortunately, argues that passwords should expire every month. Well, that's terrible advice. Passwords need to be something people can remember, or they have to write them down. If they are going to be memorable, they can't change constantly. If they change constantly and must still be memorable, people have no choice but to add some predictable pattern to a memorable portion of a password. In short, of options A) Don't write passwords down B) Don't use a simple increment in a password C) Change passwords monthly, security administrators can pick any two. To try for all three is delusion. -
Pubbed almost two decades ago, the technology angle in this book is largely, although not completely, out of date.
Fortunately, that isn't the primary reason I picked up this book. It's right there in the title. We may as well call it Social Engineering. Others might call it a con. But either way, human psychology being what it is, the underlying vulnerability to network or corporate structures never really goes out of style.
PEBCAK. Problem Exists Between Chair and Computer.
This book does a very serviceable job outlining most of the ways that people can be conned out of information. My favorite is just in looking or acting the part that people expect. I've been hearing that advice from the early Robert A. Heinlein days. People trust others who seem just like them. Confident behavior sends up no red flags.
A lot of this is common sense, but you and I know that Social Engineering is still a growth industry.
Every day, every sector, someone, somewhere is conning us.
A lot of this book is still very timely, but I'm also sure that there are a lot of updated techniques out there. -
Kevin Mitnick, probably the most famous (and controversial) computer hacker of the 1990s, has spent several years of his life on the run, as well as a few years in jail. For years after leaving prison he was forbidden to log on to a computer, a prohibition he appealed successfully. He now runs a computer security business, lectures to large corporations, and has co-authored two books on computer network security.
This book focuses on the human element of computer security. Reminding us that even the most sophisticated high-tech security systems can be rendered worthless if the people running them are not sufficiently vigilant, Mitnick goes on to point out the myriad ways in which human carelessness can contribute to security breaches. An experienced con artist who is well-versed in social engineering techniques can often do far more damage by manipulating people to provide information they shouldn't than by relying on technologically sophisticated hacking methods.
The book is interesting for the most part, though it would have benefited from a 25% reduction in length, and there are some annoying stylistic tics. Throughout the first 14 chapters, each of which reviews a particular type of ‘con’ used by hackers/social engineers to breach computer security, the chapter setup follows the same schema:
(i) an anecdote or vignette, involving fictitious characters but based on actual events, which lays out the deception as it unfolds, following it through to the successful breach (ii) analysis of the ‘con’, focusing specifically on the mistakes or behaviors (at the individual and at the organizational level) which allowed it to succeed (iii) discussion of the changes that would be needed to stop the con from succeeding (e.g. behavior of individual employees, corporate policies and procedures, computer software and hardware). This is actually a pretty decent way to make the points Mitnick wants to get across – starting out with a concrete example of how things go wrong gets attention and motivates the reader to read on to figure out the solution.
One feature of the book which was meant to be helpful started to drive me crazy by about the third chapter. Interspersed throughout each chapter, the authors insert highlighted textboxes of two types: ‘lingo’ – repeating the definition of a concept already adequately defined in the text, or ‘mitnick messages’ – which manage to be irritating beyond the cutesy name, as they do nothing but encapsulate the obvious in language which condescends to the reader. In general, this is not a book you will read for the delights of its prose style (after successfully gaining access to a cache of hidden documents, one hacker is described as spending his evening gleefully “pouring over” the documents); however, the prose is serviceable, managing to avoid lapses into the dreaded corpspeak, for the most part.
For some readers, the most useful part of the book may be its final two chapters. Here the authors lay out, in considerable detail, outlines for recommended corporate information security policies, and an associated training program on information security awareness. Though I am no expert in these areas, the outlines strike me as being commendably thorough – complete enough that they could be fleshed out without too much difficulty to generate a comprehensive set of policies and procedures.
Despite some redundancy, and occasional infelicities of style, this book seemed to me to be interesting, and likely to be practically useful. -
“I went to prison for my hacking. Now people hire me to do the same things I went to prison for, but in a legal and beneficial way.” – Kevin D. Mitnick, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker.
Reading ‘The Art of Deception’ is like hearing it straight from the horse's mouth. Kevin D. Mitnick, one of the legendary cyber desperadoes turned computer security consultant, takes the reader into the complex, supremely confident (often misunderstood as arrogance) and curiosity-driven mindset of the hacker world as he describes the human element of computer security. In this book, with the help of very plausible scenarios and stories, he demonstrates the art of exploiting the human mind – otherwise known as ‘Social Engineering’ – to gain access to computer networks.
In the foreword to this book, Steve Wozniak sums up ‘The Art of Deception’ nicely with these words: The Art of Deception shows how vulnerable we all are – government, business, and each of us personally – to the intrusions of the social engineer. In this security-conscious era, we spend huge sums on technology to protect our computer networks and data. This book points out how easy it is to trick insiders and circumvent all this technological protection.
In the first three sections of this book the author explains in great detail how attackers gain entry into fortified assets by simply taking advantage of the trusting and sympathizing nature of the human mind. Mitnick covers almost all possible basic attack scenarios which a real-life attacker uses in conning an unsuspecting computer user to gain entry into a closed network. By attacking the weakest link in the security apparatus, this book shows how a skilled social engineer can take complete control of a system by pulling the strings on an unsuspecting victim like a master puppeteer and making him do things that favor the attacker. After showing each scenario, Mitnick explains the various factors which made each scenario work, and gives valuable inputs and strategies on how organizations can prevent each scenario from happening within their working environment.
For those who have a professional interest in corporate security or information security the section titled ‘Raising the Bar’ will be a valuable resource. In this section Mitnick provides a very detailed outline of ‘practical corporate information security policies’ and training methodologies for staff, which in a combined manner can mitigate the risks of an intrusion.
Some readers may find the style of writing employed in the book not up to the mark, but as a practical book on analyzing and becoming aware of the threat of Social Engineering, and as an Information Security Policy reference, this book has some valuable content. In the present time you may find more detailed books on Social Engineering, but when this book came out in 2003, it had some sensational content which I still remember reading with great thrill. Some of the technical exploits related to the telephone systems that are mentioned in the book are a bit outdated, but the methods and philosophy of exploits that target the human mind are very relevant even today.
This book is a recommended read for anyone who is interested in computer security and the hacker subculture. -
A good book about that kid-style hacking, that hacking-as-art, which was widely practiced back in the day. Good stories about how the best security systems can be circumvented with a few phone calls or a dig through the trash. It goes over some notions of programs and cyberattacks (in far less detail than Social Engineering: The Art of Human Hacking), but most of the hacking it describes is done with saliva and cunning.
It's not such a useful book nowadays, especially with the changes in technology (it talks all the time about using fax, for example), but people remain the biggest vulnerability. I enjoyed it mostly for the stories. The ending has a repetitive and much more detailed description of what to do to avoid security problems, which has become especially outdated and is aimed squarely at companies. I wouldn't have read the ending if it hadn't been an audiobook. -
I suspect that if you're reading for entertainment, then you probably want Mitnick's The Art of Intrusion or Ghost in the Wires instead. This book is split 2/3 and 1/3 between a series of fictionalized anecdotes--based on or representative of real incidents--and a corporate policy guide. The guide, like all such specifications, is deadly dry and would require several readings and much thought to fully internalize.
The anecdotes are more interesting than entertaining, and all proceed by the same basic pattern: a 'social engineer' (Mitnick's sterile term for what amounts to a con man) manipulates the helpful or easily-influenced into providing information or services which can then be further leveraged to some end. Sections directly relating to computer penetration are substantially less interesting than those that are merely two people on a phone.
Mitnick's focus is organizational, not individual, and presupposes an organized, collective effort towards protection based on establishing correct procedure, education, and most of all the directed effort of those in charge. As such I can't help but think that this book is targeted to executives and not to the peon-types on the front lines, who in the anecdotes are the ones who inadvertently give away the keys to the kingdom. -
We think of computer hackers as sitting in an isolated room, endlessly probing corporate and private networks from their screen. Actually, almost all deep hacking starts with the manipulation of people to do something that allows the hacker to move to the next level. The Art of Deception tells how Mitnick used "social engineering" skills to get people to unknowingly provide critical assistance, from simply being polite and opening a secure door to setting up restricted user accounts. Having read this book, I am much more suspicious of any request made online, by phone, or in person by a stranger. Should be required reading for anyone in IT, especially those involved in network security.
-
A conversation that could perhaps take place, or perhaps already has:
The phone in the bookshop rings.
"Hello, this is Jari from the Such-and-Such bookshop."
"Yes, hello, this is Klaus from the branch at the other end of town. Listen, something has gone pretty badly wrong here and the customer is furious. The book he ordered should have been here with us, but it isn't. He has already paid and needs it urgently, right now. You still have one in stock, don't you?"
"We do, yes."
"Great! Could you set it aside for the customer? He'll pick it up shortly. He has already paid, I've checked all of that. Just hand it over to him, OK?"
A little later the customer shows up, takes his book and disappears. It later turns out that there is no employee named Klaus at the branch at the other end of town. The book, of course, was never paid for either.
That is a relatively harmless example of how social engineers exploit people to get hold of information and/or free products. A single book may not hurt a business much, but the examples Mitnick cites show how damage running into the millions can arise in a similar way. One company had two years of work wiped out in next to no time when all the documents for its new product were stolen and sold on to another company. And simply because someone asked for them.
The example of the father's bet with his son is also striking. The father is fairly lax with his credit card details. "They're well protected, after all," he thinks. The son sees it differently and says he could get all the relevant information without having to get up from the table. Within 10 minutes. Done, the bet is on. The son pulls out his phone, applies his skills as a social engineer and obtains not only the credit card number and expiry date but also his father's date of birth. All by simply asking for it.
There are also stories about how information was taken from high-security prisons or from high offices. That is, from places where you would expect a high standard of security.
In his book Mitnick shows us the attackers' tricks and techniques and gives the reader a good tool for knowing when to become alert and cautious. By and large the author addresses the management of a larger company, which has the ability to implement changes and rules regarding security. But even as an ordinary employee (as I am) you learn a lot about the harm a well-meant piece of information can do.
The book is admittedly a few years old (the original edition appeared in 2002), but nothing has changed about Mitnick's fundamental message. The media may be different, perhaps the sources of the attacks too, but since the social engineer's craft targets people, these methods are still the same.
I too have passed on information unsuspectingly. That will not happen again. One might think, "Why would anyone want to attack a business as small as ours?", but that is exactly the attitude the attackers count on. Nobody assumes that the friendly gentleman on the phone, who is in such a predicament, is not at all who he appears to be. This is not about information like "where do I find the post office?", but about data you should not blindly entrust to just anyone.
Someone wants to know a password? Caution is advised! Download something? Better first make sure you're really talking to someone from IT!
After reading this book I will be more careful, for our customers' sake too. After all, I don't want their data to fall into the hands of some criminal! Besides, I urgently need to change my passwords... -
The book reveals a spectrum of tricks so-called "social engineers" use to obtain information they are not supposed to have access to. Although technical means play a significant role, the most emphasis is placed on the human element. The deceit schemes are split into multiple steps in which people are tricked into submitting seemingly insignificant information. But when put together those insignificant elements result in a loss of valuable information.
I must admit that some trickery schemes seemed fascinating to me. The ingenuity and the aspiration to find ways around seemingly fail-safe system deserves admiration. On the other hand, most "social engineers" are imitators, the real geniuses among them are rare.
I put the term "social engineer" in quotation marks because I don't think it is a right term for naming deceitful practices described in this book.
The real meaning of the term "social engineering" I would demonstrate by one Sufi story from Idries Shah's book "A Veiled Gazelle".
In this story a traveling Sufi master once encountered peasants who argued over who should farm a certain piece of land. The master approached the peasants and in some way known only to him (!) persuaded those people to hand the land over to him. He settled there and after several years, when the peasants had learned to work the land by sharing it, the master gave the land back. This is social engineering.
What happened here was that the master manipulated people to establish practices that were beneficial to the community. After achieving his goal he returned the property he obtained by trickery.
An example of social engineering in a context of this book could be an effort to grow awareness of deceitful practices.
So, how do we name those so called "social engineers"? Tricksters, swindlers, grifters or just thieves.
Does the book teach how to become a "social engineer"? Well, for people with a certain mindset and loose moral restraints - maybe.
But the real value of this book is bringing into awareness the existence of deceitful practices, explaining how to recognize them and giving an outline of procedures that help protect your information. -
Technically outdated; the same thing is repeated ad nauseam.
-
Almost all of this book consists of infinitesimal variations on the same point, communicated through accounts of apparently real events fictionalised by someone who clearly desperately wanted to write short stories instead of ghost-writing for minor celebrities but couldn't find a publisher for them. That every story reads like a bad (and I mean bad) noir film isn't just annoying; it makes them much less credible.
It's clear that Mitnick thinks very highly of himself and his accomplishments, occasionally remembering to point out that it's really easy to defend against social engineering attacks but mostly painting social engineers as omnipotent Supermen who are just better than the common folk who merely work in offices; he also seems to think he's the first person to write a book about defending against these con men, judging by his two chapters of condescending policy recommendations. Maybe he is, to a lot of the people who'd read this book. It's certainly likely that The Art of Deception has done and will continue to do more good than harm, which is more than can be said for most popular books on any kind of security.
That doesn't make it any less repetitive, though. -
This book is really creepy.
It serves as a how-to, and to a lesser extent a how-to-prevent, book on social engineering attacks. Most professionals in the industry understand that attacks are rarely purely technology-based. Much more often companies are compromised through a combination of human and computer vulnerabilities.
This book focuses on the human component of such attacks and is written from the perspective of someone who was extremely effective at executing such attacks. Though I was already somewhat aware of these dangers and aware of many of the techniques, this book was an eye-opener.
For those working in IT or technical departments, this book is certainly a should-read. It is also written in such a way as to be full of interesting stories for the non-technically minded. -
So ... Interesting read. Social engineering has been going on a long time and has impacted many corporations, governments, etc. I felt this book did a great job documenting examples of what has taken place as well as provided insights for what you and your organization can do to help prevent, the best that you can, social engineering attacks.
This book definitely irritated me as I had not thought about the detailed level of attacks folks have gone through. Thinking back, there have probably been some times where I had been the person on the receiving end. Wish I had read this about a decade ago as it has some good common sense knowledge to learn from. -
Entertaining and, most importantly, real... Definitely not technical or challengingly complex. It explains things at the level of "anyone can be a hacker, as long as they use their head a bit"... The accounts of the incidents in particular are very well done...
-
For a person who's the best hacker in the US and a book on social engineering, there's an obvious lack of knowledge of marketing. It's mainly for business leaders, business leaders who don't know what a Trojan or HTTP is. At the same time, you're not able to tell the difference between a dozen similar stories with the same message if you don't know what a Trojan is, and if you do have technological know-how the book is way too basic. And then you have a summary at the end. Could've been done better.
-
The Art of Deception is a great book because it points to the single issue with security - humans. The human element is a massive problem because, unlike AI, humans rely on hunches and the benefit of the doubt as part of their judgement. Eye-opening.
-
I came across this book (it's on the mule, of course) and devoured it in two days. There is a second part, The Art of Intrusion, which apparently is even better.
Kevin Mitnick became quite famous, to his misfortune, when he was sentenced to several years in prison for various crimes against the electronic security of several American companies and government agencies (nothing serious according to him, the computing holocaust according to the prosecutor). Wikipedia (Kevin Mitnick) tells his story in broad strokes. The thing is, he is convinced he was made a scapegoat, by both the journalists and the judicial system. This book is not a biography, but a survey of the methods of what has come to be called "social engineering", or the art of coaxing important information out of the people who have it without alarming them. The book consists of a bunch of (supposedly true) cases in which a person outside any company or organization ends up obtaining a great deal of information. Kevin Mitnick [KM] talks about private detectives, high-school students with lots of free time and even a new figure, on the edge of legality, called "information brokers", all of them specialists in finding information that supposedly should not be disclosed to the public.
The cases are really entertaining to read. Many times you think "no, that couldn't happen to me", but that is exactly what KM says everyone thinks. And yet it happens constantly, according to him. In each case he relates, he ends by instructing on how certain information-disclosure policies within the company, properly established, could prevent the vast majority, if not all, of the information leaks due to social engineering attacks.
The last chapter is somewhat duller and is devoted entirely to summarizing, in a structured way, all the steps any organization, whether private or governmental, should take to establish clear and unassailable policies that minimize the flow of important information to the outside.
The book is very entertaining and reads quickly. It leaves you (me, at least) wanting to keep reading about the subject, so I quickly "located" the next book by the same author, which I'm already devouring. My rating: Very interesting.
-
In The Art of Deception, [Kevin Mitnick] discusses the thing he's best at: Social Engineering. Social engineering is the term used in computer security to describe the manipulation of humans in order to break through a security barrier, and is sometimes referred to as hacking the mind.
In the first chapter of his book, usually referred to as The Lost Chapter (as it wasn't published with the final version of the book), Kevin Mitnick tries to convince his readers that he is innocent – or at least that he isn't a "criminal". I believe he made good points in this chapter, and wish it had been published.
The book isn't about Mitnick, though; it's about social engineering. If he was ever on the dark side, he is no longer there. He now works as a security consultant, and this book is designed to help improve security awareness, and help us all avoid being deceived by social engineers.
The bulk of this book consists of different stories of social engineers getting their job done, followed by advice on how to avoid such kinds of attacks. Just like any security book, this book can also help the bad guys improve their skills, because it offers many ideas on how you can trick people; however, if the good guys read the book, they would laugh at the bad guys' attempts and say "Ha, I know that one!" No, really!
The idea of the book is very interesting, and some of its stories are really smart; however, I must admit that it gets a bit repetitive towards the end. The authors are trying to separate different stories into different chapters, but the differences between the ideas in these stories are sometimes so small.
The ideas represented in this book are applicable to more than just computer-related systems (Hey, you don't have to use them to steal money, but they're good to know anyway!); however, due to the fact that information is closely associated with computing nowadays, you'll usually find a lot of technical details in the book. But anyway, as long as you use a computer, you'll most likely be fine reading it!
The authors have just completed a new book, The Art of Intrusion. It looks like it is going to be more technical, and more geared toward hacking than social engineering. I probably will give it a try sometime. -
America's greatest hacker, not America's greatest storyteller. If one were to treat the book as a piece of code, debugging it to remove the duplication and redundancies would make it a far more pleasant and informative read.
That aside, hacking is a timeless skill which only serves to make me moist. 3/5 -
Kevin D. Mitnick - a former hacker turned security expert - gives an excellent view of the security threats posed by the human factor in the modern world.
The common notion that computer geeks are often fat and unpopular, with heavy glasses and nerdy faces, does not apply to the "Social Engineer" category. A social engineer is someone with talent and understanding for both social behavior and technical command. He/she can infiltrate a company's system by manipulating human psychology (unshakeable confidence, empathy, guilt, reciprocity) and, of course, the lingo and insight needed in a great impostor. The funny part is, sometimes the job can be done by curious individuals or dumpster scavengers. Imagine the work done by industrial spies to create heavy-impact espionage!
You will find dialogs which are so amazingly similar to those in heist movies. Yep, it is real and complex.
It was an enjoyable read for me; some parts are repetitive, and I felt like the voice of an old, experienced man kept echoing: It's all about humans, not about fancy technology or machines. -
Kevin Mitnick is probably best known for being a phone phreak and fugitive computer hacker in the late '80s and early '90s, who was the focus of a considerable manhunt. Following his capture and time in prison, he's become an Internet security consultant and turned his talents to helping people avoid the sort of hacks he became famous for perpetrating. This book is a chronicle of numerous social engineering attacks, some hypothetical, some based on real-world examples (which may or may not have been carried out by Mitnick himself), and recommendations for how to guard against such attacks. I actually recognize a number of the policies he recommends as being part of the security awareness training my company conducts every year for employees, so apparently, someone listened. I must admit I found the anecdotes more interesting than the policy recommendations, though someone tasked with guarding his or her company's assets would no doubt find these of immense value. Definitely worth a read.
-
I found the most valuable sections in this book to be the policy recommendations and information security practices described in the last chapters (despite their age). The anecdotal and fictionalized scenarios were effective up to a point, but there are so many of them that they wore me down and I just started scanning them when I was about 3/4 of the way through. Mitnick's "messages" provided helpful suggestions and contextual gotchas interspersed with the social engineering/con situations, but the real meat was at the end of the book. I'll probably buy this book simply because of the security policy information and the easy-to-understand business cases, which are easily comprehensible due to their story-like nature.
-
Zzzzzzzzzz, Oh sorry..... This was a tough read. Very dry and if you've ever worked in a corporate environment, or IT at all, most of this is simply common sense.
Some of the 'examples' used are repeated in Kevin's other book, Ghost in the Wires, which I read before this one. GitW is a good read, this one, not so much..... -
While the book demonstrates the basic concept of social engineering quite well, it would never have got so much attention if Mitnick's name weren't on the cover. It's okay, but it's not extraordinary.
-
Very interesting book! I learnt a lot about social engineering and technology, although I didn't have any prior knowledge of it.
-
I started to read this book last night and became sleepless because of something similar that I encountered in the morning. A mail came to my inbox saying that someone in Ukraine had used my email address to sign in to a so-called Gaijin.Net. They suspected it could be a hack, so they sent me a mail to verify, with "Someone signed in to your account using the device through the Windows app" as the title:
"This email was sent to you for security reasons. We were not able to determine whether the previous login to the system was performed using this device or application. Maybe you did it using a new computer, phone or browser. If you did not perform such actions, then there is a high possibility that your account has been hacked. Please read this article.
The message is generated automatically and does not require a response.
Unsubscribe from these notifications"
I actually went to check it out; according to their instructions, if I didn't create an account I should block it. But when I clicked block, it asked me to verify with my real email address, and I even needed to key in my password. I stopped there and didn't go on.
Why should I hand over the password of my email address to some hackers just like that? But it really happens to everyone: under panic, we actually just react without thinking.
In the era of technology, we can easily become the victims of hackers. I am so fed up with credit card hacking because I have seen many people sharing this experience, and it ruins your good mood, especially while you travel.
With some psychological techniques, doing favors and human networking, they reach their target easily. We all need to be careful!
Foreword
Humans are born with an inner drive to explore their surroundings. As young people, Kevin Mitnick and I had boundless curiosity about the world and a desire to prove our abilities. We worked hard to learn new things, solve problems and win games, but at the same time the world told us a rule of conduct: do not indulge too freely your strong desire for the freedom to explore. Yet for the boldest scientists and entrepreneurs, and for people like Kevin Mitnick, following this inner desire brings great excitement and lets them accomplish what others consider impossible.
Kevin Mitnick is one of the most remarkable people I know. If you ask him, he will frankly tell you what he once did: social engineering, including deceiving people. But Kevin is no longer a social engineer, and even when he was, his motive was never to get rich or to harm others. That is not to say there are no dangerous vandals in this society who use social engineering to cause real harm to others; in fact, Kevin wrote this book precisely to warn everyone to be on guard against these criminals.
The Art of Deception will show how fragile and vulnerable governments, businesses and every one of us are in the face of intrusions by social engineers. In this age that values information security, we invest vast sums in technology to protect our computer networks and data, and this book points out how easy it is to win the trust of insiders and bypass all the technical protections. Whether you are in government or in business, this book is a clear, unambiguous signpost that will help you understand the social engineer's methods and foil their schemes.
Told in the form of fictional stories that are not only entertaining but also enlightening, Kevin and co-author Bill Simon will reveal to you the little-known underground world of social engineering. After each story, they also provide a practical technical guide to help you guard against the threats and leaks they describe in the book.
Technical security measures leave large holes, and people like Kevin can help us plug them. Reading this book, you will find that all of us ultimately need the guidance of a "Mitnick" (translator's note: meaning people like Kevin Mitnick).
Steve Wozniak
Authors: KEVIN D. MITNICK & William L. Simon -
Interesting at first, but very repetitive. Mitnick, who claims his career as a hacker was based solely on manipulating people to gain information and access, shares stories of others who did the same. These mostly include private investigators, with at least one pair of curious teenagers and a few bits of corporate espionage. The modus operandi in all the cases is very similar: the actor engages in background research to learn a few names and some of the lingo of the business, then makes phone calls to different people and departments within the company. Information is solicited under false pretenses from various people, then combined to gain further access or the answers. Mitnick refers to this as social engineering, and it's obvious from his collection that a high degree of charisma is required to gain the trust or goodwill of subjects; Mitnick also points out how the actors manipulate the people they're interacting with, pushing buttons for sympathy and fear. There are very few cases included here of people working in person; the simplest case involved a man studying a business to find out when the office staff left and when the janitors arrived. He then approached the place in a suit with a briefcase and pretended to be an office worker who needed to run in and get a few things from his office -- allowing him free run of the place. Mitnick ends each section, and the book in total, with advice on how to secure and compartmentalize information so employees don't accidentally give away the farm. This includes strict policies and training to control the flow of information, emphasizing the need to verify the identity and need of people requesting information.