Book Review
Mitnick, Kevin D. and William L. Simon. The Art of Deception: Controlling the Human Element of Security. Indianapolis, IN: Wiley Publishing, 2002.

ISBN: 0471237124

The Art of Deception at Amazon and Barnes and Noble and Half.com

Kevin Mitnick is arguably the most famous (or infamous) computer criminal in the world. This is the first book written by him, although several have been written about his exploits. Since his time in jail, he has switched hats from black to white and is now a security consultant. Not surprisingly, then, this book is designed to help companies uncover holes in their security that are open to exploitation by hackers. The twist is that none of the security holes described by Mitnick have anything to do with hacking telephones or computers. All of the security problems described and evaluated involve social engineering: i.e., hacking people. Whether the target is a major corporation or an individual, the easiest way to get information appears to be simply to ask the right person for it.

The book is arranged logically, with the various chapters dedicated to the underlying tools of social engineering: trust, sympathy, guilt, intimidation, and the other flaws of human psychology that social engineers twist to get what they want. Each chapter follows a similar pattern: it first shows you the con itself, then explains the motive and the preparation for the con from the perspective of the con man, and finally the reasons the con is successful and why people fall for it. The last section of each chapter evaluates the weaknesses exploited and how the con could be prevented in the future.

Most of the cons illustrated by Mitnick are complex enough that the ordinary person probably wouldn't think of them. They involve phone calls to gather data, switching identities on the fly, and lots of quick thinking on the part of the engineer to keep from getting caught. A common tactic is calling one branch of a business simply to gather names and information, then calling a second branch of the same business, now armed with enough data to impersonate one of the names gathered during the first call. Much can be learned by being an assumed "insider," and Mitnick harps on this issue repeatedly throughout the book.

The final chapter is concerned with a very detailed outline of various types of security policies for a corporation, although they are certainly applicable to many types of organizations. It discusses nearly every aspect of security, from identifying appropriate security levels for information to proper password procedures, and gives a step-by-step method for ensuring minimal risk from social engineers.

The book itself is very well laid out, with sidebars and asides that explain any technical language or slang. It is written for someone who is a complete novice in the security field, and it is likely to scare a CEO or upper manager into making major revisions to their security policy. Mitnick makes a very compelling case that most people can be manipulated by a skilled social engineer into almost anything.

That being said, the book has its weaknesses. It is, at its core, nothing more than a series of examples of a lack of authentication. Failure to authenticate is the major flaw in nearly every case shown: failing to check credentials, failing to verify identity, failing to do a million small things that would expose the social engineer as a fake. One or two examples of this would have been sufficient, in my opinion. Five or six of them, even when they vary in overall detail, is unnecessary. The space would have been better spent analyzing the psychology of the con more thoroughly, or perhaps analyzing different types of organizations and how they would deal with security differently. A university, for example, is very different from a privately held corporation, which is very different again from a publicly held corporation in the amount and type of information they harbor. It would have been useful for each of these (and potentially many other) types to have been discussed and analyzed.

One of the more interesting things about this book is, quite honestly, that it was written by Mitnick. He has attained a sort of legendary status online, with a vast number of people involved in 2600's "Free Kevin" campaign while he was incarcerated. The foreword to the book was written by Steve Wozniak (one of the founders of Apple Computer, and the designer of the first Macintosh). Mitnick just days ago (January 21st, 2003) came off parole and is legally allowed to use a computer for the first time in 8 years. To hear his "voice" in the book is a novelty, and is itself a reason to purchase it if you are interested in his story. Even the publishing of the book was done with some controversy. The original chapter 1 of the book is now a heavily edited preface, but somehow the original untouched-by-editors version showed up online months before the book was ever published.

In conclusion, I think that this is a valuable book for the security novice or someone uninitiated in the ways of the social engineer. It is equally interesting for someone who simply wishes to hear Kevin in his own words. It is not by any means a definitive work on the subject of social engineering, and it should be used with this in mind in an academic setting.
