The Art of Deception: Controlling the Human Element of Security

Book Description

The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security

Kevin Mitnick's exploits as a cyber-desperado and fugitive prompted one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."

Focusing on the human factors involved in information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains, in an engaging and highly readable style reminiscent of a true-crime novel, why each attack was so successful and how it could have been prevented. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering attacks through security protocols, training programs, and manuals that address the human element of security.

Table of Contents

  1. Copyright
  2. Social Engineering
  3. foreword
  4. preface
    1. STARTING OUT
      1. From Phone Phreak to Hacker
      2. Becoming a Social Engineer
    2. FINAL THOUGHTS
  5. introduction
  6. 1. behind the scenes
    1. 1. Security's Weakest Link
      1. 1.1. THE HUMAN FACTOR
      2. 1.2. A CLASSIC CASE OF DECEPTION
      3. 1.3. THE NATURE OF THE THREAT
      4. 1.4. ABUSE OF TRUST
      5. 1.5. TERRORISTS AND DECEPTION
      6. 1.6. ABOUT THIS BOOK
  7. 2. the art of the attacker
    1. 2. When Innocuous Information Isn't
      1. 2.1. THE HIDDEN VALUE OF INFORMATION
      2. 2.2. CREDITCHEX
      3. 2.3. THE ENGINEER TRAP
      4. 2.4. MORE "WORTHLESS" INFO
      5. 2.5. PREVENTING THE CON
    2. 3. The Direct Attack: Just Asking for It
      1. 3.1. AN MLAC QUICKIE
      2. 3.2. YOUNG MAN ON THE RUN
      3. 3.3. ON THE DOORSTEP
      4. 3.4. GAS ATTACK
      5. 3.5. PREVENTING THE CON
    3. 4. Building Trust
      1. 4.1. TRUST: THE KEY TO DECEPTION
      2. 4.2. VARIATION ON A THEME: CARD CAPTURE
      3. 4.3. THE ONE-CENT CELL PHONE
      4. 4.4. HACKING INTO THE FEDS
      5. 4.5. PREVENTING THE CON
    4. 5. "Let Me Help You"
      1. 5.1. THE NETWORK OUTAGE
      2. 5.2. A LITTLE HELP FOR THE NEW GAL
      3. 5.3. NOT AS SAFE AS YOU THINK
      4. 5.4. PREVENTING THE CON
    5. 6. "Can You Help Me?"
      1. 6.1. THE OUT-OF-TOWNER
      2. 6.2. SPEAKEASY SECURITY
      3. 6.3. THE CARELESS COMPUTER MANAGER
      4. 6.4. PREVENTING THE CON
    6. 7. Phony Sites and Dangerous Attachments
      1. 7.1. "WOULDN'T YOU LIKE A FREE (BLANK)?"
      2. 7.2. MESSAGE FROM A FRIEND
      3. 7.3. VARIATIONS ON A THEME
      4. 7.4. VARIATIONS ON THE VARIATION
    7. 8. Using Sympathy, Guilt, and Intimidation
      1. 8.1. A VISIT TO THE STUDIO
      2. 8.2. "DO IT NOW"
      3. 8.3. "MR. BIGG WANTS THIS"
      4. 8.4. WHAT THE SOCIAL SECURITY ADMINISTRATION KNOWS ABOUT YOU
      5. 8.5. ONE SIMPLE CALL
      6. 8.6. THE POLICE RAID
      7. 8.7. TURNING THE TABLES
      8. 8.8. PREVENTING THE CON
    8. 9. The Reverse Sting
      1. 9.1. THE ART OF FRIENDLY PERSUASION
      2. 9.2. COPS AS DUPES
      3. 9.3. PREVENTING THE CON
  8. 3. intruder alert
    1. 10. Entering the Premises
      1. 10.1. THE EMBARRASSED SECURITY GUARD
      2. 10.2. DUMPSTER DIVING
      3. 10.3. THE HUMILIATED BOSS
      4. 10.4. THE PROMOTION SEEKER
      5. 10.5. SNOOPING ON KEVIN
      6. 10.6. PREVENTING THE CON
    2. 11. Combining Technology and Social Engineering
      1. 11.1. HACKING BEHIND BARS
      2. 11.2. THE SPEEDY DOWNLOAD
      3. 11.3. EASY MONEY
      4. 11.4. THE DICTIONARY AS AN ATTACK TOOL
      5. 11.5. PREVENTING THE CON
    3. 12. Attacks on the Entry-Level Employee
      1. 12.1. THE HELPFUL SECURITY GUARD
      2. 12.2. THE EMERGENCY PATCH
      3. 12.3. THE NEW GIRL
      4. 12.4. PREVENTING THE CON
    4. 13. Clever Cons
      1. 13.1. THE MISLEADING CALLER ID
      2. 13.2. VARIATION: THE PRESIDENT OF THE UNITED STATES IS CALLING
      3. 13.3. THE INVISIBLE EMPLOYEE
      4. 13.4. THE HELPFUL SECRETARY
      5. 13.5. TRAFFIC COURT
      6. 13.6. SAMANTHA'S REVENGE
      7. 13.7. PREVENTING THE CON
    5. 14. Industrial Espionage
      1. 14.1. VARIATION ON A SCHEME
      2. 14.2. THE NEW BUSINESS PARTNER
      3. 14.3. LEAPFROG
      4. 14.4. PREVENTING THE CON
  9. 4. raising the bar
    1. 15. Information Security Awareness and Training
      1. 15.1. SECURITY THROUGH TECHNOLOGY, TRAINING, AND PROCEDURES
      2. 15.2. UNDERSTANDING HOW ATTACKERS TAKE ADVANTAGE OF HUMAN NATURE
      3. 15.3. CREATING TRAINING AND AWARENESS PROGRAMS
      4. 15.4. TESTING
      5. 15.5. ONGOING AWARENESS
      6. 15.6. WHAT'S IN IT FOR ME?
    2. 16. Recommended Corporate Information Security Policies
      1. 16.1. WHAT IS A SECURITY POLICY?
      2. 16.2. DATA CLASSIFICATION
      3. 16.3. VERIFICATION AND AUTHORIZATION PROCEDURES
      4. 16.4. MANAGEMENT POLICIES
      5. 16.5. INFORMATION TECHNOLOGY POLICIES
      6. 16.6. POLICIES FOR ALL EMPLOYEES
      7. 16.7. POLICIES FOR TELECOMMUTERS
      8. 16.8. POLICIES FOR HUMAN RESOURCES
      9. 16.9. POLICIES FOR PHYSICAL SECURITY
      10. 16.10. POLICIES FOR RECEPTIONISTS
      11. 16.11. POLICIES FOR THE INCIDENT REPORTING GROUP
  10. Security at a Glance
    1. IDENTIFYING A SECURITY ATTACK
    2. VERIFICATION AND DATA CLASSIFICATION
  11. sources
    1. CHAPTER 1
    2. CHAPTER 2
    3. CHAPTER 16
    4. CHAPTER 17
  12. Acknowledgments
    1. FROM KEVIN MITNICK
    2. FROM BILL SIMON