Book Review: The Art of Deception
Reviewed by Emmanuel Goldstein
The Art of Deception by Kevin Mitnick and William Simon, Wiley Publishing
I wanted to avoid writing this review since I knew I'd be biased. But since the book wasn't even finished at the time we were going to press, this was really the only way to get something in by the time it hit the shelves.
Let me start with a quote that pretty much sums up what The Art of Deception is about:
"A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business... That company is still totally vulnerable."
It's a simple premise but one most of us don't really consider - regardless of which side we're coming from. What Mitnick and co-author William Simon accomplish here is to wake people up with painfully explicit examples of just how successful social engineering is accomplished. I've been involved in various aspects of social engineering since I was 3 and there were a bunch of tactics here that I had never thought of that were pretty damn ingenious.
The Art of Deception is sheer information which, like always, can be used for good or for evil. Those in the hacking world will be fascinated by the specifics of the info given - this is not the usual bullshit security book that gives mere hints of what could be done if such and such were to happen. Everything from the names of phone company systems to databases to computer applications to existing websites with helpful tools are given in meticulous detail. Those in the corporate world will cling to this guide like a holy grail because the details, tips, and examples will really save their asses if they choose to take them seriously.
Mitnick continually ups the ante, at one point even going so far as to show how a bank could be robbed just by a series of deceptions on the telephone - again giving enough specific details to ensure a flurry of internal memos at every bank in the country once this book is out. Details on how social engineering can be used to steal employees, get free merchandise in stores, conduct private eye investigations, even con the cops will no doubt provide fodder for many movie and TV plots in the near future. And no matter what security may be implemented to prevent such things from occurring in the future, as long as there are human beings involved somewhere in the equation, it's always going to be possible to find a way through. Always. Even a computer that's turned off isn't safe as Mitnick demonstrates. Nor are those SecurID cards that change their six-digit numbers once a minute.
A psychologist would have a field day with the human reactions demonstrated in this book, something Mitnick has a keen understanding of. For instance, if you ask an employee to "fetch" something for you, odds are s/he will resist since "nobody wants to be told to fetch something." It's how you speak to your dog, after all! But by using that syntax, you can almost ensure that the employee will opt to handle the situation in a different - and less secure - manner.
And one important point about social engineering which so many people don't think about is the importance of cleaning up any suspicious trail. If you manage to achieve your objective, put everything back neatly so that your ruse will never be uncovered. This is a theme that the book keeps coming back to.
Since I really need to find something to criticize, I'll go with this: not enough time is spent on what happens when social engineering fails. I think it would have been interesting to show a scenario where the social engineer was completely busted and then somehow managed to turn around and succeed anyway, perhaps even using the same person! It happens all the time.
It's fascinating to realize that this book was put together by somebody who had been completely isolated from society for five years and who, to this day, isn't even allowed to use the Internet. Despite all of the attempts to keep Mitnick away from the technology he's always been so fascinated with, he managed to learn about it anyway and in The Art of Deception he skillfully demonstrates his keen knowledge and interest in all the latest developments. It's pretty damn ironic to be told which website contains valuable information by someone who isn't even allowed to go there themselves. And it's pretty inspirational too - if Mitnick can manage to put out this wealth of information with all of the constraints that were placed on him, it shows just how strong that hacker spirit really is.
There was one chapter in particular that really stood out for me. This was the one where Mitnick told his side of the story - of the despair and frustration of being demonized in the media and locked away for five years. He told of his anger towards John Markoff, the New York Times reporter who wrote articles about Mitnick that seemed to demonize him and who later went on to write a book which turned into a movie - all while Mitnick languished in jail. I think in a way it was therapeutic for Mitnick to get his anger out at last and certainly about time that the public got to hear his words.
But these are words you won't be hearing. Markoff's lawyers sent the book publishers a threatening letter that was about as long as the chapter itself and Wiley is no longer printing that part of the book. (They claim to have reached this decision independently.) It's sad and ironic that once again Mitnick is being frustrated in getting his version of the facts to the public. Regardless of where you stand on the Mitnick issue, he has certainly earned the right to speak his piece and, yes, even show some anger. And those who want to counter what he says shouldn't be silenced either.
One thing this book teaches us is that determination wins in the end. "There is no technology in the world that can prevent a social engineering attack." Let's hope that same determination eventually gets Mitnick's story told.