The Art of Deception

Controlling the Human Element of Security

Publisher: Wiley, 2002, 352 pages

ISBN: 0-7645-4280-X

Last modified: Nov. 15, 2008, 12:16 a.m.

Synopsis

The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security

Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, It takes a thief to catch a thief."

Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.

Foreword
Preface
Introduction
Part 1 Behind the Scenes

Chapter 1 Security's Weakest Link

The Human Factor
A Classic Case of Deception

Code Breaking
There's This Swiss Bank Account
Achieving Closure

The Nature of the Threat

A Growing Concern
Deceptive Practices

Abuse of Trust

Our National Character
Organizational Innocence

Terrorists and Deception
About This Book

Part 2 The Art of the Attacker

Chapter 2 When Innocuous Information Isn't

The Hidden Value of Information
CreditChex

Private Investigator at Work
Analyzing the Con

The Engineer Trap

Analyzing the Con

More "Worthless" Info
Preventing the Con

Chapter 3 The Direct Attack: Just Asking for It

An MLAC Quickie

Number, Please
Analyzing the Con

Young Man On the Run
On the Doorstep

Loop-Around Deception
Stevie's Scam

Gas Attack

Janie Acton's Story
Art Sealy'sResearch Project
Analyzing the Con

Preventing the Con

Chapter 4 Building Trust

Trust: The Key to Deception

Doyle Lonnegan's Story
Analyzing the Con

Variation On a Theme: Card Capture

Surprise, Dad
Analyzing the Con

The One-Cent Cell Phone

Analyzing the Con

Hacking Into the Feds

Tapping Into the System
Analyzing the Con

Preventing the Con

Protect Your Customers
Trust Wisely
What Belongs on Your Intranet?

Chapter 5 Let Me Help You

The Network Outage

The Attacker's Story
Analyzing the Con

A Little Help for the New Gal

Analyzing the Con

Not as Safe as You Think

Steve Cramer's Story
Craig Cogburne's Story
Getting Inside
Analyzing the Con

Preventing the Con

Educate, Educate, and Educate …
Keeping Sensitive Information Safe
Consider the Source
Forget Nobody

Chapter 6 Can You Help Me?

The Out-Of-Towner

Keeping Up with the Joneses
A Business Trip
Analyzing the Con

Speakeasy Security

I Saw It at the Movies
Fooling the Phone Company

The Careless Computer Manager

Tuning In
Danny the Eavesdropper
Storming the Fortress
An Inside Job
Analyzing the Con

Preventing the Con

Chapter 7 Phony Sites and Dangerous Attachments

"Wouldn't You Like a Free (Blank)"

It Came in the Email
Spotting Malicious Software

Message from a Friend
Variations on a Theme

Merry Christmas
Analyzing the Con

Variations on the Variation

The Missing Link
Be Alert
Becoming Virus Savvy

Chapter 8 Using Sympathy, Guilt, and Intimidation

A Visit to the Studio

David Harold's Story
Analyzing the Con

"Do It Now"

Doug's Story
Linda's Story
Analyzing the Con

"Mr. Bigg Wants This"

Scott's Story
Analyzing the Con

What the Social Security Administration Knows About You

Keith carter's Story
Analyzing the Con

One Simple Call

Mary H's Phone Call
Peter's Story
Analyzing the Con

The Police Raid

Search Warrant, Please
Scamming the Police
Covering His Tracks
Analyzing the Con

Turning the Tables

Graduating — Without Honors
Logging In to Trouble
The Helpful Registrar
Analyzing the Con

Preventing the Con

Protecting Data
About Passwords
A Central Reporting Point
Protect Your Network
Training Tips

Chapter 9 The Reverse Sting

The Art of Friendly Persuasion

Angela's Caller
Vince Capelli's Tale
Analyzing the Con

Cops as Dupes

Eric's Sting
The Switch
A Call to DMV
Analyzing the Con

Preventing the Con

Part 3 Intruder Alert

Chapter 10 Entering the Premises

The Embarrassed Security Guard

The Security Guard's Story
Joe Harper's Story
Analyzing the Con

Dumpster Diving

Cash for Trash
Analyzing the Con

The Humiliated Boss

Planting the Bomb
Surprising George
Analyzing the Con

The Promotion Seeker

Anthony's Story
Analyzing the Con

Snooping on Kevin

Analyzing the Con

Preventing the Con

Protection After Hours
Treating Trash with Respect
Saying Good-Bye to Employees
Don't Forget Anybody
Secure IT!

Chapter 11 Combining Technology and Social Engineering

Hacking Behind Bars

Calling Ma Bell …
Finding Gondorff
Synchronize Your Watches
Analyze the Con

The Speedy Download
Easy Money

Cash on the Line
Taking Up the Challenge

The Dictionary as an Attack Tool

The Password Attack
Faster Than You Think
Analyzing the Con

Preventing the Con

Just Say No
Cleaning Up
Pass It On: Protect Your Passwords

Chapter 12 Attacks on the Entry-Level Employee

The Helpful Security Guard

Elliot's View
Bill's Story
Analyzing the Con

The Emergency Patch

A Helpful Call
Analyzing the Con

The New Girl

Kurt Dillon's Story
Analyzing the Con

Preventing the Con

Deceiving the Unwary
Beware Spyware

Chapter 13 Clever Cons

The Misleading Caller ID

Linda's Phone Call
Jack's Story
Analyzing the Con

Variation: The President of the United States is Calling
The Invisible Employee

Shirley Attacks
Analyzing the Con

The Helpful Secretary
Traffic Court

The Con
Analyzing the Con

Samantha's Revenge

Payback
Analyzing the Con

Preventing the Con

Chapter 14 Industrial Espionage

Variation on a Scheme

Class Action
Pete's Attack
Analyzing the Con

The New Business Partner

Jessica's Story
Sammy Sanford's Story
Analyzing the Con

Leapfrog

Doing Their Homework
Setting Up the Victim
Analyzing the Con

Preventing the Con

Safety Off-Site
Who Is That?

Part 4 Raising the Bar

Chapter 15 Information Security Awareness and Training

Security Through Technology, Training, and Procedures
Understanding How Attackers Take Advantage of Human Nature

Authority
Liking
Reciprocation
Consistency
Social Validation
Scarcity

Creating Training and Awareness Programs

Goals
Establishing the Training and Awareness Program
Structure of the Training
Training Course Contents

Testing
Ongoing Awareness
What's In It For Me?

Chapter 16 Recommended Corporate Information Security Policies

What is a Security Policy

Steps to Developing a Program
How to Use These Policies

Data Classification

Classification Categories and Definitions
Classified Data Terminology

Verification and Authorization Procedures

Requests from a Trusted Person
Requests from an Unverified Person
Step One: Verification of Identity
Step Two: Verification of Employment Status
Step Three: Verification of Need to Know

Management Policies

Data Classification Policies

1-1 Assign Data Classification
1-2 Publish Classified Handling Procedures
1-3 Label All Items

Information Disclosure

2-1 Employee Verification Procedure
2-2 Release of Information to Third Parties
2-3 Distribution of Confidential Information
2-4 Distribution of Private Information
2-5 Distribution of Internal Information
2-6 Discussing Sensitive Information Over the Telephone
2-7 Lobby or Reception Personnel Procedures
2-8 Transfer of Software to Third Parties
2-9 Sales and Marketing Qualification of Customer Leads
2-10 Transfer of Files and Data

Phone Administration

3-1 Call Forwarding on Dial-Up or Fax Numbers
3-2 Caller ID
3-3 Courtesy Phones
3-4 Manufacturer Default Passwords Shipped with Phone Systems
3-5 Department Voice Mailboxes
3-6 Verification of Telephone System Vendor
3-7 Configuration of Phone System
3-8 Call Trace Feature
3-9 Automated Phone Systems
3-10 Voice Mailboxes to Become Disabled after Successive Invalid Access Attempts
3-11 Restricted Telephone Extensions

Miscellaneous

4-1 Employee Badge Design
4-2 Access Rights Review When Changing Position or Responsibilities
4-3 Special Identification for Nonemployees
4-4 Disabling Computer Accounts for Contractors
4-5 Incident Reporting Organization
4-6 Incident Reporting Hotline
4-7 Sensitive Areas Must Be Secured
4-8 Network and Phone Cabinets
4-9 Intracompany Mail Bins
4-10 The Company Bulletin Board
4-11 Computer Center Entrance
4-12 Customer Accounts with Service Providers
4-13 Departmental Contact Person
4-14 Customer Passwords
4-15 Vulnerability Testing
4-16 Display of Company Confidential Information
4-17 Security Awareness Training
4-18 Security Training Course for Computer Access
4-19 Employee Badge Must Be Color-Coded

Information Technology Policies

General

5-1 IT Department Employee Contact Information
5-2 Technical Support Requests

Help Desk

6-1 Remote Access Procedures
6-2 Resetting Paswords
6-3 Changing Access Privileges
6-4 New Account Authorization
6-5 Delivery of New Passwords
6-6 Disabling an Account
6-7 Disabling Network Ports or Devices
6-8 Disclosure of Procedures for Wireless Access
6-9 User Trouble Tickets
6-10 Initiating Execute Commands or Running Programs

Computer Administration

7-1 Changing Global Access Rights
7-2 Remote Access Requests
7-3 Resetting Privileged Account Passwords
7-4 Outside Support Personnel Remote Access
7-5 Strong Authentication for Remote Access to Corporate Systems
7-6 Operating System Configuration
7-7 Mandatory Expiration
7-8 Generic Email Addresses
7-9 Contact Information for Domain Registrations
7-10 Installation of Security and Operating System Updates
7-11 Contact Information on Web Sites
7-12 Creation of Privileged Accounts
7-13 Guest Accounts
7-14 Encryption of Off-Site Backup Data
7-15 Visitor Access to Network Connections
7-16 Dial-In Modems
7-17 Antivirus Software
7-18 Incoming Email Attachments (High Security Requirements)
7-19 Authentication of Software
7-20 Default Passwords
7-21 Invalid Access Attempts Lockout (Low to Medium Security)
7-22 Invalid Access Attempts Account Disabled (High Security)
7-23 Periodic Change of Privileged Account Passwords
7-24 Periodic Change of User Passwords
7-25 New Account Password Set Up
7-26 Boot-Up Passwords
7-27 Password Requirements for Privileged Accounts
7-28 Wireless Access Points
7-29 Updating Antivirus Pattern Files

Computer Operations

8-1 Entering Commands and or Running Programs
8-2 Workers with Privileged Accounts
8-3 Internal Systems Information
8-4 Disclosure of Passwords
8-5 Electronic Media
8-6 Backup Media

Policies for All Employees

General

9-1 Reporting Suspicious Calls
9-2 Documenting Suspicious Calls
9-3 Disclosure of Dial-Up Numbers
9-4 Corporate ID Badges
9-5 Challenging ID Badge Violations
9-6 Piggybacking (Passing Through Secure Entrances)
9-7 Shredding Sensitive Documents
9-8 Personal Identifiers
9-9 Organization Charts
9-10 Private Information About Employees

Computer Use

10-1 Entering Commands Into a Computer
10-2 Internal Naming Conventions
10-3 Requests to Run Programs
10-4 Downloading or Installing Software
10-5 Plain Text Passwords and Email
10-6 Security-Related Software
10-7 Installation of Modems
10-8 Modems and Auto-Answer Settings
10-9 Cracking Tools
10-10 Posting Company Information on Line
10-11 Floppy Disks and Other Electronic Media
10-12 Discard Removable Media
10-13 Password-Protected Screen Savers
10-14 Disclosure or Sharing of Passwords Statement

Email Use

11-1 Email Attachments
11-2 Automatic Forwarding to External Addresses
11-3 Forwarding Emails
11-4 Verifying Email

Phone Use

12-1 Participating in Telephone Surveys
12-2 Disclosure of Internal Telephone Numbers
12-3 Passwords in Voice Mail Messages

Fax Use

13-1 Relaying Faxes
13-2 Verification of Faxed Authorizations
13-3 Sending Sensitive Information by Fax
13-4 Faxing Passwords Prohibited

Voice Mail Use

14-1 Voice Mail Passwords
14-2 Passwords on Multiple Systems
14-3 Setting Voice Mail Passwords
14-4 Mail Message Marked as "Old"
14-5 External Voice Mail Greetings
14-6 Voice Mail Password Patterns
14-7 Confidential or Private Information

Passwords

15-1 Telephone Security
15-2 Revealing Computer Passwords
15-3 Internet Passwords
15-4 Passwords on Multiple Systems
15-5 Reusing Passwords
15-6 Password Patterns
15-7 Choosing Passwords
15-8 Writing Passwords Down
15-9 Plaintext Passwords in Computer Files

Policies for Telecommuters

16-1 Thin Clients
16-2 Security Software for Telecommuter Computer Systems

Policies for Human Resources

17-1 Departing Employees
17-2 IT Department Notification
17-3 Confidential Information Used in Hiring Process
17-4 Employee Personal Information
17-5 Background Checks

Policies for Physical Security

18-1 Identification for Nonemployees
18-2 Visitor Identification
18-3 Escorting Visitors
18-4 Temporary Badges
18-5 Emergency Evacuation
18-6 Visitors in Mail Room
18-7 Vehicle License Plate Numbers
18-8 Trash Dumpsters

Policies for Receptionists

19-1 Internal Directory
19-2 Telephone Numbers for Specific Departments/Groups
19-3 Relaying Information
19-4 Items Left for Pickup

Policies for the Incident Reporting Group

20-1 Incident Reporting Group
20-2 Attacks in Progress

Security at a Glance

Identifying a Security Attack

The Social Engineering Cycle
Common Social Engineering Methods
Warning Signs of an Attack
Common Targets of Attacks
Factors That Make Companies More Vulnerable to Attacks

Verification and Data Classification

Verification of Identity Procedure
Verification of Employment Status Procedure
Procedure to Determine Need to Know
Criteria for Verifying Non-Employees
Data Classification

Reviews