The Art of Deception: Controlling the Human Element of Security

The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security. Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief." Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented, in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.


30 reviews for The Art of Deception: Controlling the Human Element of Security

  1. 5 out of 5

    Rod Hilton

    The Art of Deception is one of two books by famous hacker Kevin Mitnick, the other being "The Art of Intrusion". Intrusion focuses primarily on physical or technological hacks, while this book focuses almost exclusively on social engineering attacks. A number of problems prevented this book from being very good. The main problem is simply that Mitnick did not have enough material to fill an entire book. This book would have been better if it were shorter and simply one section in a larger book about security. A great deal of the book feels like padding; the anecdotes about various social engineering attacks seem repetitive and pointless - reading just one is often enough, but Mitnick consistently indulges himself with identical tale after identical tale. I'm not entirely sure who the audience for this book could really be. It doesn't seem like it's for technical people, because the book goes out of its way to define what things like "http" mean. The book claims to be geared toward nontechnical people or businesspeople, but the fact of the matter is that the subtle differences between a lot of the social engineering attacks will be missed by nontechnical people. To your average Joe, 20 or so of the stories in the book will seem identical, testing the patience of the reader. The book is also frustrating in its design. It's constructed as a book to help managers and businesspeople manage security at their companies. 
Every story about a social engineering attack is followed by a "Mitnick Message" where Kevin explains how to prevent the attack from happening to you. In reality, however, the real focus is the story itself - the attackers are consistently painted as the hero of the story, with the hapless victims being drawn as naive morons. It's clear that Mitnick admires the attackers in these tales, and the "Mitnick Message" feels like it's been forced into the book to keep up the ruse that the book is intended for anyone other than wannabe hackers. Mitnick's advice is a restated form of "verify the identity of the caller" in nearly every instance. The book is, to put it simply, a bore. Reading it was a challenge, and I had to fight the frustration to skim or skip sections nonstop. The Art of Intrusion is far more interesting, and I recommend it over this book without reservation. There is value for businesspeople to read this book, but I imagine it will present a significant challenge to their patience. As an aside, Mitnick offers terrible advice regarding passwords. He argues that passwords should not consist of a constant combined with a predictable variable, such as "kevin01", "kevin02", "kevin03". I agree. He also says that users should not write down their passwords and tape the paper to their monitor or under their keyboards. I agree again. He also, unfortunately, argues that passwords should expire every month. Well, that's terrible advice. Passwords need to be something people can remember, or they have to write them down. If they are going to be memorable, they can't change constantly. If they change constantly and must still be memorable, people have no choice but to add some predictable pattern to a memorable portion of a password. In short, of options A) Don't write passwords down B) Don't use a simple increment in a password C) Change passwords monthly, security administrators can pick any two. To try for all three is delusion.

  2. 4 out of 5

    David

    Kevin Mitnick, probably the most famous (and controversial) computer hacker of the 1990s, has spent several years of his life on the run, as well as a few years in jail. For years after leaving prison he was forbidden to log on to a computer, a prohibition he appealed successfully. He now runs a computer security business, lectures to large corporations, and has co-authored two books on computer network security. This book focuses on the human element of computer security. Reminding us that even the most sophisticated high-tech security systems can be rendered worthless if the people running them are not sufficiently vigilant, Mitnick goes on to point out the myriad ways in which human carelessness can contribute to security breaches. An experienced con artist who is well-versed in social engineering techniques can often do far more damage by manipulating people to provide information they shouldn't than by relying on technologically sophisticated hacking methods. The book is interesting for the most part, though it would have benefited from a 25% reduction in length, and there are some annoying stylistic tics. 
Throughout the first 14 chapters, each of which reviews a particular type of ‘con’ used by hackers/social engineers to breach computer security, the chapter setup follows the same schema: (i) an anecdote or vignette, involving fictitious characters but based on actual events, which lays out the deception as it unfolds, following it through to the successful breach (ii) analysis of the ‘con’, focusing specifically on the mistakes or behaviors (at the individual and at the organizational level) which allowed it to succeed (iii) discussion of the changes that would be needed to stop the con from succeeding (e.g. behavior of individual employees, corporate policies and procedures, computer software and hardware). This is actually a pretty decent way to make the points Mitnick wants to get across – starting out with a concrete example of how things go wrong gets attention and motivates the reader to read on to figure out the solution. One feature of the book which was meant to be helpful started to drive me crazy by about the third chapter. Interspersed throughout each chapter, the authors insert highlighted textboxes of two types: ‘lingo’ – repeating the definition of a concept already adequately defined in the text, or ‘mitnick messages’ – which manage to be irritating beyond the cutesy name, as they do nothing but encapsulate the obvious in language which condescends to the reader. In general, this is not a book you will read for the delights of its prose style (after successfully gaining access to a cache of hidden documents, one hacker is described as spending his evening gleefully “pouring over” the documents); however, the prose is serviceable, managing to avoid lapses into the dreaded corpspeak, for the most part. For some readers, the most useful part of the book may be its final two chapters. 
Here the authors lay out, in considerable detail, outlines for recommended corporate information security policies, and an associated training program on information security awareness. Though I am no expert in these areas, the outlines strike me as being commendably thorough – complete enough that they could be fleshed out without too much difficulty to generate a comprehensive set of policies and procedures. Despite some redundancy, and occasional infelicities of style, this book seemed to me to be interesting, and likely to be practically useful.

  3. 5 out of 5

    Pramod Nair

    “I went to prison for my hacking. Now people hire me to do the same things I went to prison for, but in a legal and beneficial way.” – Kevin D. Mitnick, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker. Reading ‘The Art of Deception’ is like hearing it straight from the horse's mouth. Kevin D. Mitnick, one of the legendary cyber desperados turned computer security consultant, takes the reader into the complex, supremely confident – often misunderstood as arrogance – and curiosity-driven mindset of the hacker world as he describes the human element of computer security. In this book, with the help of very plausible scenarios and stories, he demonstrates the art of exploiting the human mind – otherwise known as ‘Social Engineering’ – to gain access to computer networks. In the foreword to this book, Steve Wozniak sums up ‘The Art of Deception’ nicely with these words: The Art of Deception shows how vulnerable we all are – government, business, and each of us personally – to the intrusions of the social engineer. In this security-conscious era, we spend huge sums on technology to protect our computer networks and data. This book points out how easy it is to trick insiders and circumvent all this technological protection. In the first three sections of this book the author explains in great detail how attackers gain entry into fortified assets by simply taking advantage of the trusting and sympathizing nature of the human mind. 
Mitnick covers almost all possible basic attack scenarios which a real-life attacker uses in conning an unsuspecting computer user to gain entry into a closed network. By attacking the weakest link in the security apparatus, this book shows how a skilled social engineer can take complete control of a system by pulling the strings on an unsuspecting victim like a master puppeteer and making him do things which favor the attacker. After showing each scenario, Mitnick explains the various factors which made each scenario work, and gives valuable inputs and strategies on how organizations can prevent each scenario from happening within their working environment. For those who have a professional interest in corporate security or information security, the section titled ‘Raising the Bar’ will be a valuable resource. In this section Mitnick provides a very detailed outline of ‘practical corporate information security policies’ and training methodologies for staff, which in a combined manner can mitigate the risks of an intrusion. Some readers may find the style of writing employed in the book not up to the mark, but as a practical book on analyzing and becoming aware of the threat of Social Engineering, and as an Information Security Policy reference, this book has some valuable content. In the present time you may find more detailed books on Social Engineering, but when this book came out in 2003, it had some sensational content which I still remember reading with great thrill. Some of the technical exploits related to the telephone systems that are mentioned in the book are a bit outdated, but the methods and philosophy of exploits that target the human mind are very relevant even today. This book is a recommended read for anyone who is interested in computer security and the hacker subculture.

  4. 5 out of 5

    Derek

    I suspect that if you're reading for entertainment, then you probably want Mitnick's The Art of Intrusion or Ghost in the Wires instead. This book is split 2/3 and 1/3 between a series of fictionalized anecdotes--based on or representative of real incidents--and a corporate policy guide. The guide, like all such specifications, is deadly dry and would require several readings and much thought to fully internalize. The anecdotes are more interesting than entertaining, and all proceed by the same basic pattern: a 'social engineer' (Mitnick's sterile term for what amounts to a con man) manipulates the helpful or easily-influenced into providing information or services which can then be further leveraged to some end. Sections directly relating to computer penetration are substantially less interesting than those that are merely two people on a phone. Mitnick's focus is organizational, not individual, and presupposes an organized, collective effort towards protection based on establishing correct procedure, education, and most of all the directed effort of those in charge. As such I can't help but think that this book is targeted to executives and not to the peon-types on the front lines, who in the anecdotes are the ones who inadvertently give away the keys to the kingdom.

  5. 4 out of 5

    John

    We think of computer hackers as sitting in an isolated room, endlessly probing corporate and private networks from their screen. Actually, almost all deep hacking starts with the manipulation of people to do something that allows the hacker to move to the next level. The Art of Deception tells how Mitnick used "social engineering" skills to get people to unknowingly provide critical assistance, from simply being polite and opening a secure door to setting up restricted user accounts. Having read this book, I am much more suspicious of any request made online, by phone, or in person by a stranger. Should be required reading for anyone in IT, especially those involved in network security.

  6. 5 out of 5

    James

    So ... Interesting read. Social engineering has been going on a long time and has impacted many corporations, governments, etc. I felt this book did a great job documenting examples of what has taken place as well as provided insights for what you and your organization can do to help prevent, the best that you can, social engineering attacks. This book definitely irritated me as I had not thought about the detailed level of attacks folks have gone through. Thinking back, there have probably been some times where I had been the person on the receiving end. Wish I had read this about a decade ago as it has some good common sense knowledge to learn from.

  7. 4 out of 5

    Gwanderson

    Humans are like bad Microsoft coding.

  8. 4 out of 5

    Khalid

    In The Art of Deception, [Kevin Mitnick] discusses the thing he's best at: Social Engineering. Social engineering is the term used in computer security to describe the manipulation of humans in order to break through a security barrier, and is sometimes referred to as hacking the mind. In the first chapter of his book, usually referred to as The Lost Chapter (as it wasn't published with the final version of the book), Kevin Mitnick tries to convince his readers that he is innocent – or at least that he isn't a "criminal". I believe he made good points in this chapter, and wish it had been published. The book isn't about Mitnick, though; it's about social engineering. If he was ever on the dark side, he is no longer there. He now works as a security consultant, and this book is designed to help improve security awareness, and help us all avoid being deceived by social engineers. The bulk of this book consists of different stories of social engineers getting their job done, followed by advice on how to avoid such kinds of attacks. Just like any security book, this book can also help the bad guys improve their skills, because it offers many ideas on how you can trick people; however, if the good guys read the book, they would laugh at the bad guys' attempts and say "Ha, I know that one!" No, really! The idea of the book is very interesting, and some of its stories are really smart; however, I must admit that it gets a bit repetitive towards the end. 
The authors are trying to separate different stories into different chapters, but the differences between the ideas in these stories are sometimes so small. The ideas represented in this book are applicable to more than just computer-related systems (Hey, you don't have to use them to steal money, but they're good to know anyway!); however, due to the fact that information is closely associated with computing nowadays, you'll usually find a lot of technical details in the book. But anyway, as long as you use a computer, you'll most likely be fine reading it! The authors have just completed a new book, The Art of Intrusion. It looks like it is going to be more technical, and more geared toward hacking than social engineering. I probably will give it a try sometime.

  9. 5 out of 5

    Koen Crolla

    Almost all of this book consists of infinitesimal variations on the same point, communicated through accounts of apparently real events fictionalised by someone who clearly desperately wanted to write short stories instead of ghost-writing for minor celebrities but couldn't find a publisher for them. That every story reads like a bad (and I mean bad) noir film isn't just annoying; it makes them much less credible. It's clear that Mitnick thinks very highly of himself and his accomplishments, occasionally remembering to point out that it's really easy to defend against social engineering attacks but mostly painting social engineers as omnipotent Supermen who are just better than the common folk who merely work in offices; he also seems to think he's the first person to write a book about defending against these con men, judging by his two chapters of condescending policy recommendations. Maybe he is, to a lot of the people who'd read this book. It's certainly likely that The Art of Deception has done and will continue to do more good than harm, which is more than can be said for most popular books on any kind of security. That doesn't make it any less repetitive, though.

  10. 5 out of 5

    Son Tung

    Kevin D. Mitnick - a former hacker turned security expert - gives an excellent view on security threats posed by the human factor in the modern world. The common notion that computer geeks are often fat, unpopular, with heavy glasses and nerdy faces is not applicable in the "Social Engineer" category. A social engineer is someone with talent and understanding for both social behavior and technical command. He/she can infiltrate a company system by manipulating human psychology (unshakeable confidence, empathy, guilt, reciprocity) and, of course, the lingo and insight needed in a great impostor. The funny part is, sometimes the job can be done by curious individuals or dumpster scavengers. Imagine the work done by industrial spies to create heavy-impact espionage! You will find dialogs which are so amazingly similar to those in heist movies. Yep, it is real and complex. It was an enjoyable read for me; some parts are repetitive, and I felt like the voice of an old, experienced man kept echoing: It's all about humans, not about fancy technology or machines.

  11. 4 out of 5

    G.M. Lupo

    Kevin Mitnick is probably best known for being a phone phreak and fugitive computer hacker in the late 80s and early 90s, who was the focus of a considerable manhunt. Following his capture and time in prison, he's become an Internet security consultant and turned his talents to helping people avoid the sort of hacks he became famous for perpetrating. This book is a chronicle of numerous social engineering attacks, some hypothetical, some based on real-world examples (which may or may not have been carried out by Mitnick himself), and recommendations for how to guard against such attacks. I actually recognize a number of the policies he recommends as being part of the security awareness training my company conducts every year for employees, so apparently, someone listened. I must admit I found the anecdotes more interesting than the policy recommendations, though someone tasked with guarding his or her company's assets would no doubt find these of immense value. Definitely worth a read.

  12. 5 out of 5

    Russell

    I found the most valuable sections in this book to be the policy recommendations and information security practices described in the last chapters (despite their age). The anecdotal and fictionalized scenarios were effective up to a point, but there are so many of them that it wore me down and I just started scanning them when I was about 3/4 of the way through. Mitnick's "messages" provided helpful suggestions and contextual gotchas interspersed with the social engineering/con situations, but the real meat was at the end of the book. I'll probably buy this book simply because of the security policy information and the easy-to-understand business cases that are easily comprehensible due to their storylike nature.

  13. 5 out of 5

    Ayaan

    Table of Contents
    Part 1 Behind the Scenes
    Chapter 1 Security's Weakest Link
    Part 2 The Art of the Attacker
    Chapter 2 When Innocuous Information Isn't
    Chapter 3 The Direct Attack: Just Asking for It
    Chapter 4 Building Trust
    Chapter 5 "Let Me Help You"
    Chapter 6 "Can You Help Me?"
    Chapter 7 Phony Sites and Dangerous Attachments
    Chapter 8 Using Sympathy, Guilt and Intimidation
    Chapter 9 The Reverse Sting
    Part 3 Intruder Alert
    Chapter 10 Entering the Premises
    Chapter 11 Combining Technology and Social Engineering
    Chapter 12 Attacks on the Entry-Level Employee
    Chapter 13 Clever Cons
    Chapter 14 Industrial Espionage

  14. 5 out of 5

    Jeff

    Zzzzzzzzzz, Oh sorry..... This was a tough read. Very dry and if you've ever worked in a corporate environment, or IT at all, most of this is simply common sense. Some of the 'examples' used are repeated in Kevin's other book, Ghost in the Wires, which I read before this one. GitW is a good read, this one, not so much.....

  15. 4 out of 5

    Stefan

    While the book demonstrates the basic concept of social engineering quite well, it would never have got so much attention if Mitnick's name weren't on the cover. It's okay, but it's not extraordinary.

  16. 5 out of 5

    James

    This one had been sitting on my shelf for a loooong time. As a nerdy kid growing up I was fascinated by computers and the then-emerging Internet. Dial-up to AOL and local BBSes had me feeling pretty fly. I remember stumbling onto the "Anarchist Cookbook", and finding a few issues of the hacker magazine 2600 at a Barnes and Noble. The checkout lady gave me a concerned frown and told me to be careful. Haha, joke was on her! I had no idea what I was reading. Except for the parts about Kevin Mitnick, the world's greatest hacker. There was apparently some big "Free Kevin!" movement for this guy who hacked and stole information from big companies and was thrown into a dark jail cell with no communication with the rest of the world because they were afraid of what he was capable of. Except he never hurt anyone or truly damaged or broke anything, he just got caught having fun digitally trespassing. The day came when he was finally released from prison, and I remember gleefully watching him on ZNet TV on an episode of The Screen Savers being allowed to access the Internet for the first time. This was the ultimate "We did it Reddit!" about 10 years before Reddit even existed. When I recently had to take an online training class at work about social engineers trying to trick you into giving up valuable proprietary information, there were cute little video segments featuring my old friend Kevin. Holy crap! That guy! My old hero! I changed my AIM status to support you!
Oh wait, I bought your first book when it came out and I never read it! Let's do this! I regret that I did not read it then. While a lot of the information it provides is still quite valuable and true, it's almost commonplace in any workplace setting these days. That's not to say social engineers have given up and hung up their hats, it's likely more prevalent than ever, but this is the Social Engineering 101 book for people taking the on-ramp to the Information Superhighway for the very first time in the early 2000s. It features advice in there like don't keep your passwords written down next to locked computers (there are a few X-Files episodes where Mulder and Scully can be thankful the monsters they were investigating didn't read this book), make those passwords a little more secure by being longer than 8 characters, don't let someone convince you to attach a dial-up modem to your computer or network, and don't set your modem to auto-answer lest a bored Matthew Broderick find it. The main point behind this book is still very true today: It doesn't matter how sophisticated your technologically amazing security systems are, gullible super-friendly happy-to-help human beings are always your weakest link. I'm convinced that if the Chinese have any engineering blueprints of our latest warfighters, they probably got it from having a young-looking spy with a goofy grin pretend to need help writing a book report. But it's less embarrassing to blame faceless hackers. The best parts of the book were the little story vignettes that demonstrated how a person can make a few seemingly innocent phone calls asking for tidbits of information that lead to the mother lode. The first call could be a person pretending to be a customer needing some advice. The next phone call could be to the receptionist with that little bit of gained knowledge to sound like an employee at another location.
That receptionist will provide information that a manager could use, and suddenly Gary in accounting needs to send over the latest financial projections STAT. Fax would work best, e-mail has been acting weird. I especially enjoyed the story about how young Kevin and a friend of his in high school went to a tech convention and managed to thwart a super-secure system in development. Not through hacking so much as waiting for the employees to all leave the system unattended during lunch, sweet-talking a promoter, using sleight of hand and lock-picking a cabinet, and switching around some network cables. Kind of silly to build the vault door out of titanium if the surrounding walls are made from cardboard. The last chunk of the book is just lists and simple paragraphs of kind of boring now-cliché advice that those working in security should know by heart. It becomes an undergrad textbook, basically. I say all of this but find myself wanting to read the other books Kevin's since published as I'm sure he's got a wealth of ideas and knowledge about what social engineers might be up to today. And it's when you don't think you can be fooled that you are most likely to be.

  17. 5 out of 5

    YHC

    I started to read this book last night and turned sleepless due to some similarity that I encountered in the morning. An email came to my inbox saying someone in Ukraine was using my email address to sign in to a so-called Gaijin.Net. They suspected it could be hacking, so they sent me an email to verify. "Someone signed in to your account using the device through the Windows app" as the title. "This email was sent to you for security reasons. We were not able to determine whether the previous login to the system was performed using this device or application. Maybe you did it using a new computer, phone or browser. If you did not perform such actions, then there is a high possibility that your account has been hacked. Please read this article. The message is generated automatically and does not require a response. Unsubscribe from these notifications." I actually went to check it out; according to their instructions, if I didn't create an account I should block it. But when I clicked block, it asked me to verify with my real email address, and I even needed to key in my password. I stopped there, didn't go on. Why should I hand over the password of my email address to some hackers just like that? But it really happens to everyone: under panic we would actually just react without thinking. In the era of technology, we easily become the victims of hackers.
I am so fed up with credit card hacking because I saw many people sharing this experience and found it ruins your good mood, especially while you travel. With some techniques of psychology, doing favors, human networking, they get their target easily. We all need to be careful!
Preface
Humans are born with an inner drive to explore their surroundings. As young people, Kevin Mitnick and I had a boundless curiosity about the world and a desire to prove our abilities. We worked hard to learn new things, solve difficult problems and win competitions, but at the same time the world taught us a rule of conduct: do not indulge too freely your strong desire for the freedom to explore. Yet for the boldest scientists and entrepreneurs, and for people like Kevin Mitnick, following this inner desire brings tremendous excitement and lets them accomplish things others believe impossible.
Kevin Mitnick is one of the finest people I know. If you ask him, he will candidly tell you what he once did, social engineering, including deceiving people. But Kevin is no longer a social engineer, and even when he was, his motive was never to get rich or to harm others. That is not to say there are no dangerous vandals in society who use social engineering to cause real harm to others; in fact, Kevin wrote this book precisely to warn everyone to be on guard against these criminals.
The Art of Deception will show how fragile and vulnerable governments, businesses and each of us are in the face of a social engineer's intrusion. In this age that values information security, we invest large sums in technology to protect our computer networks and data, yet this book will point out how easy it is to win the trust of insiders and bypass all of the technical protections. Whether you are in government or in business, this book is like a clear, unmistakable signpost that will help you understand the social engineer's methods and defeat their schemes.
Told in the form of fictional stories that are not only entertaining but also enlightening, Kevin and co-author Bill Simon will unveil before you the little-known underground world of social engineering. After each story they also provide a practical technical guide to help you guard against the threats and leaks described in the book.
Technical security protections leave large gaps, and people like Kevin can help us close them. Read this book and you will find that all of us will eventually need guidance from a "Mitnick" (translator's note: meaning someone like Kevin Mitnick).
Steve Wozniak
Authors: KEVIN D. MITNICK & William L. Simon

  18. 5 out of 5

    Stephen

    Interesting at first, but very repetitive. Mitnick, who claims his career as a hacker was based solely on manipulating people to gain information and access, shares stories of others who did the same. These mostly include private investigators, with at least one pair of curious teenagers and a few bits of corporate espionage. The modus operandi in all the cases is very similar: the actor engages in background research to learn a few names and some of the lingo of the business, then makes phone calls to different people and departments within the company. Information is solicited under false pretenses from various people, then combined to gain further access or the answers. Mitnick refers to this as social engineering, and it's obvious from his collection that a high degree of charisma is required to gain the trust or goodwill of subjects; Mitnick also points out how the actors manipulate the people they're interacting with, pushing buttons for sympathy and fear. There are very few cases included here of people working in person; the simplest case involved a man studying a business to find out when the office staff left, and when the janitors arrived. He then approached the place in a suit and briefcase, and pretended to be an office worker who needed to run in and get a few things from his office -- allowing him free run of the place.
Mitnick ends each section, and the book in total, with advice on how to secure and compartmentalize information so employees don't accidentally give the farm away. This includes strict policies and training to control the flow of information, emphasizing the need to verify the identity and need of people requesting information.

  19. 5 out of 5

    Ilya Nepomnyashchiy

    (Note: it's my understanding that there's some [well-deserved] controversy around Mitnick in the Infosec community, but my hope is to stay out of that and merely review the book) Kevin Mitnick's book on social engineering, The Art of Deception, is a mix of lightly fictionalized anecdotes about successful social engineering schemes and a set of recommendations for any organization's security policy for thwarting them. Given Mitnick's background as a hacker, there is necessarily a slight technological bent, but many of the cons hardly require any technology more complicated than a phone call. The sections on possible social engineering techniques are very illuminating and pretty entertaining. They're a good illustration of how unsuspecting victims can easily be duped into giving up information and how that information can snowball into stealing something truly valuable or damaging. Many of the technological sections of the book read a little bit outdated. Employees can and should have their own 2-factor tokens, making a companywide shared secret somewhat obsolete. The common consensus is that passwords should not be required to change every 30 days. I'm not aware of any company that uses anonymous FTP servers to share data. Nevertheless, one can easily look past these sorts of things (the book is nearly old enough to vote at this point), since the technology isn't the main point. Overall, the book is a compelling and educational read.
I'm not about to start recommending it to anyone and it's not the most thrilling of reads, but you'll probably be better off for having read it.

  20. 4 out of 5

    Sobczak Julien

    True stories demonstrating why we stay indisputably security's weakest link. It is so common to hear that we, humans, are the biggest threat in security. But before reading this book, I was seriously underestimating how difficult, if not impossible, it is to mitigate social engineering attacks. This book helped me consider how we are "designed" to be an excellent target for attackers. We are eager to trust and cooperate. As Kevin Mitnick says: "People are not stupid, they are ignorant." This book will raise your awareness about the most serious threats, so that you will be less likely to be exploited in this way. You will learn definitions of social engineering terminology, and words of wisdom to help strengthen your security strategy, whether you are an individual or a corporation. Most security books focus on the hardware or software to secure your systems. The Art of Deception is different. This may seem obvious to some, but security is an illusion and even the best training and technologies are not enough. I really became aware of this with this book. I recommend that you add it to your reading list. It's a captivating book consisting for the most part of eye-opening and educational stories. Like Kevin Mitnick's other books, it is co-authored by William L. Simon, a professional writer who turns the greatest teachings present in the heads of brilliant human beings into enjoyable books.
The book was written fifteen years ago (it's the first book by Kevin Mitnick), and if technologies have changed, social engineering principles haven't.

  21. 5 out of 5

    TL Kett

    This book is an oldie but a goodie. Keeping in mind that it was published in 2002, some of the specific advice is a little outdated, but most of the underlying concepts are still applicable simply because human nature doesn't change that quickly. The anecdotes can get repetitive, but they're all trying to drive the same points home about the true value of information and not giving it away just because someone on the other end of the phone or email is asking for it. For those who already know and live this, the book may seem dull after a few scenarios, but each one demonstrates different ways of getting information. The sections at the end about designing a training program and the template for organisational policy tie everything together neatly and offer a few final nuggets of information about attackers and their methods. I personally liked the explanations for different security practices and policies, and feel like it taught me more about why one of my old workplaces was set up the way it was than my induction training ever did. If you're interested in cyber security or becoming a professional in this space, this book is a good starting point on the human element of information security.

  22. 4 out of 5

    John

    This had been on my to-read shelf for quite some time, so I was happy to finally give it a read. Unfortunately this book has aged considerably. There are dozens of case studies throughout which discuss social engineering situations that have occurred and why they were successful, and for a non-technical person, they may be interesting or at least informative as to what's possible - although these aren't the types of people who would be reading this book. So I am a bit confused as to the target audience. Almost every security compromise that he goes through has been mitigated for years by any company with even a half-assed sec policy. Many of them are, simply, no longer possible. The most valuable part of the book is likely the last few chapters, which focus on baselines for solid and proper infosec policies for any business. These have not aged and still make sense. This section of the book is very thorough and a good reference for IT and sec managers.

  23. 5 out of 5

    Mihai

    I've finished it thinking, as any other Joe would do, that this book is nothing more than a long list of examples of how one can be fooled if he is not smart enough, followed by some other basic examples of how the same victim (be that a person or a corporation/firm) can be protected against the damage done by a possible attacker. But it also took me a couple of minutes to figure out that, in this we-all-want-to-fit-in world, a chink in our personal intelligence armour is not so hard to spot and exploit; not only that, but another perpetrator called the Internet also compounds our smugness and the feeling of know-it-all. And that is dangerous. Mitnick taught us that we should not think that technology is a limitless power, impossible to break, that automation will fix any gap. Tech works for us and with us, and we, like it, are prone to banal errors. A must read even today, especially by those who think that it cannot happen to them.

  24. 4 out of 5

    Aron

    As the title suggests, the focus of this book is social engineering-based security threats. While I think it's generally accepted that this is the least controllable and therefore weakest element of security, if you're wondering how this ballooned into 350 pages...well, I am, too. The summary of pretty much every story in every chapter is "be sure to conclusively verify the identity of anyone you're giving information to." While I picked this up completely voluntarily, reading it was a chore. It wasn't until the final chapter that I gave up and started skimming. That chapter is 70 pages of recommendations for corporate security policies. Good luck. If I hadn't read Ghost in the Wires (a memoir and a much better book, by the way), at least the overabundant and repetitive examples would have been fresh, but as it turns out, most of them are taken directly from his experiences.

  25. 4 out of 5

    James Taylor

    Infamous social engineer Kevin Mitnick takes you through numerous stories of social engineers gaining access to important information using many techniques of deception. The most insecure part of a computer system is the people using it, and these stories describe how that aspect can be exploited. At the end of the book, there's a summary of problems and solutions which he recommends companies apply. I felt the stories got a bit repetitive as many were similar, and I think half of them could have been cut to make the book more concise; it did begin to drag by the halfway point. A few stories sounded a bit vague/unbelievable too (I think there was one example where the engineer physically got into an office, and coincidentally, the computer he wanted access to had no password. If it did have a password, then the entire plan would have failed.).

  26. 4 out of 5

    Elwin Kline

    After reading Ghost in the Wires by Kevin, I immediately purchased all of his follow-up books: Art of Deception, Art of Intrusion, and Art of Invisibility, and went through all of them relatively quickly. Of the three, this one was my least favorite. This book feels like an entry-level introduction to information security that you would mass produce and provide to all of your employees within your organization. At the time of reading this book, I had well over a decade of relative experience and six professional IT certifications. So from that perspective, this book was on the boring side because it didn't teach me anything new. I would only recommend this book to people who are interested in information security and only have minimal knowledge, and certainly not to anyone who has any IT certifications.

  27. 5 out of 5

    Aldwin Susantio

    A social engineer is a person who tries to get secret information by influencing another person's behavior. Social engineer is a common 'profession' in fraud and organizational espionage. Usually, a social engineer would convince a person to give a little information that is harmless by itself, but is an important key to gaining access to more essential information. A social engineer could also trick his victim by impersonating a fellow employee or manager, so the victim voluntarily gives confidential information to him. Kevin Mitnick gives us abundant scenarios where a social engineer performs his 'magic' to make another person his puppet. At the end, the book provides you a few suggestions to prevent employees from being conned.

  28. 4 out of 5

    Jenny Thompson

    The core content is interesting, but the structure is almost designed to bore. I think it's all the time the authors spend pretending that this book is not a "how-to" for would-be social engineers. The stories about various attacks are informative, but then each is followed by pages of rather infantilizing explanations of how the con worked/could have been prevented. Then the last two chapters basically just repeat that information all over again - at length. Of course, the parts about preventing social engineers were important, but they were also incredibly repetitive. If the authors had cut down the redundant content, I think this book would have been about a hundred pages shorter.

  29. 5 out of 5

    Roger Boyle

    H bought this as fuel for her course. I picked it up N times and read a few pages at random. I think I've got the picture. Mitnick is of course a celebrity of a kind. This book is a stream of anecdotes about deception which presumably he has, in some way, exercised. There's a definite satisfaction in learning how some of this is done, especially when a psycho-magician is also a tech-wizard, so if you like that sort of thing ... He has a ghost writer alongside so I deduce English prose is not his strong suit. He also gives succinct advice on how not to fall for these spoofs, but we might summarise it as "Don't be a dickhead". Eventually I had had enough of it, though.

  30. 5 out of 5

    Jami

    I enjoyed Kevin's Ghost in the Wires, so I picked this one up; I was not disappointed. The book was interesting, and I definitely picked up some ideas. While I don't plan on becoming totally invisible (I guess I wouldn't be writing this review if I was!) and taking all of the steps he recommends, I will implement some of the recommendations. While I always enjoy Ray Porter as a narrator, the content of this book probably would lend itself better to print format if you want to use all of the tools in the book. Some of them have steps or instructions that are probably better followed in print. For my purposes, audio was fine.
