However, with less than three months of parole remaining, he has been allowed access to a word processor and the result is a penetrating insight into the forgotten side of computer security, the world of the social engineers – hackers who exploit human weaknesses to achieve their objectives.
Although the book mentions firewalls, intrusion detection and IT staff in passing, this is not a volume about IT infrastructure. It is concerned not with technical detail but with the human side of the security equation: how hackers use staff to bypass security hardware and software. Mitnick supports each of his observations with case studies and analysis.
The author points out that corporate IT infrastructures are defenceless against the simple-minded employee who tapes this week’s password to a monitor in full view. Chains of command may be compromised and subverted if a friendly receptionist helps a plausible stranger. Firewalls may easily be bypassed if a visitor is left unattended in a meeting room: perimeter defences count for little once an outsider is already on the inside.
Mitnick recounts how as a boy he created his own bus tickets to ride the Los Angeles bus system for free. Observing the hole-punches made in transit tickets and questioning drivers provided him with the information he needed to manufacture his own tickets. Hacking into computer systems was an obvious next step.
The techniques of social engineering can be broken down into several distinct phases, which Mitnick details. During the observation phase, a target organisation is identified and then researched thoroughly. Information may be gleaned from company Web sites, or by eavesdropping on technical staff talking in newsgroups and chat rooms. Even corporate directories may be a useful source of information.
By the questioning phase, the social engineer has already mapped out the target’s structure and identified what is needed to achieve the goal, be it software, personal data or intellectual property. They may then make contact with employees at the target organisation, perhaps under a false identity backed up by bogus email and voice messaging services. The objective is to gather enough information to gain access.
The final phase is to stage the attack, either in person or through technology. In most cases the attack is made at a distance. If the hacker knows the procedure staff follow before releasing information, and can produce whatever that procedure asks for, few further checks are likely: familiarity with the process is taken as proof of legitimacy. The book cites the example of a police information line that would answer anybody who knew the phone number and could quote an officer number.
It is the final 80 pages that security managers will find most useful. The author lists a raft of security practices that managers can pick and mix to suit their needs. A security checklist is also provided.
At 350 pages there is a lot to digest here, and some of Mitnick’s examples cover similar ground, but the analysis of individual cases is thorough. Ultimately, the book’s value is that it may encourage security managers to be more assiduous in teaching staff to verify the identity of the people they deal with; better corporate security would be the result.
Excerpts from The Art of Deception by Kevin Mitnick and William L Simon, published by Wiley Publishing; £19.95; ISBN 0 471 23712 4
‘Once a social engineer knows how things work inside the targeted company, it becomes easy to use that knowledge to develop a rapport with legitimate employees’
‘The more a social engineer can make his contact seem like business as usual, the more he allays suspicion’
‘Corporate security policies should discourage deviation from procedure through a system of rewards and consequences’
‘Teach your employees how to choose passwords that truly protect your assets’