BKARTDCP.RVW   20021028

"The Art of Deception", Kevin D. Mitnick/William L. Simon, 2002,
0-471-23712-4, U$27.50/C$39.95/UK#19.95
%A   Kevin D. Mitnick
%A   William L. Simon
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2002
%G   0-471-23712-4
%I   John Wiley & Sons, Inc.
%O   U$27.50/C$39.95/UK#19.95 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0471237124/robsladesinterne
%P   352 p.
%T   "The Art of Deception: Controlling the Human Element of Security"

Those in the security field know that Kevin Mitnick does not deserve the reputation he has gained as some kind of technical genius. His gift was skill as a social engineer. Stripped of the five dollar words, this means that he was a plain, old con man, cheat, or fraud. In other words, this is a book about how to fool people. Theoretically, the determined reader should be able to use the book to keep from being conned.

In the preface, Mitnick would have us believe that, although he admits to being a fraud and deceiver, he was never a grifter. He never harmed anybody, never obtained a material benefit, and was just curious to see if he could ride the buses for free (at the expense of the transit system) or make calls for free (at the expense of an MCI customer). (The willing moral blindness of these assertions is possibly the most instructive part of the book: it is truly representative of large portions of the blackhat community.) He would have us believe that he is a "changed person": one of the most sought-after computer security experts world-wide, and the world's most famous hacker. Oh, and just in case the authorities are inclined to think that this book runs counter to the injunction that he not profit from the stories of his criminal exploits, the tales are all completely fictional. Trust him.

Part one is entitled "Behind the Scenes." Chapter one states that people are security's weakest link. This is a truism well known in the field, but the first account is really about insider fraud, while the remainder are generic fear-mongering.

Part two describes the art of the attacker. (At great length.) Chapter two depicts escalation or enumeration through social engineering, and points out that sometimes innocuous information isn't. There is a section on "preventing the con" at the end of each chapter: in this case we are told not to give out information, but not provided with any advice about authenticating callers. Similarly, chapter three says that sometimes attackers just ask for access or information and says to verify callers, but doesn't say how. Chapter four tells you to distrust everyone--which would probably be more damaging to society than social engineering. (Interestingly, yesterday a report came out about studies of "freeloading" in the animal kingdom, which notes that communities with too many non-contributing members tend not to survive. By extension, only societies with an overwhelming majority of trustworthy members exist for any length of time.) The prevention bit tells companies not to have people give credit card information over the phone, but stresses teaching employees about cons rather than policies.

At about this point the text, which is very repetitious, throws in some minor technical details. This is enough to remind the professional that the book is designed for the naive user, with extremely lightweight analysis, and implications that would not be useful. There is more repetitive redundancy in chapter six, on the way to some useful information about fraudulent email and really lousy data about viruses and malware, in chapter seven. Chapters eight and nine are simply more of the same stories, which start to get very tedious.

Part three is apparently supposed to help us detect intruders. Chapter ten has a little useful advice about having termination procedures. The major points in chapter eleven seem to be about all the people who have been mean to our poor Kevin. Then it is back to the, by now extremely tiresome, con jobs for another three chapters.

We are intended to believe that part four will help us protect ourselves and our companies against social engineering. Chapter fifteen is an attempt to convince us that the book should be purchased for all employees. (Nice try, Kev.) There is an arbitrary, and oddly both generic and overly detailed, suggested security policy, in chapter sixteen.

So. Security professionals already know about social engineering. It is unlikely in the extreme that even the most head down, don't-talk-to-the-users, socially maladept firewall administrator will learn very much from this book. But, of course, this is not a trade paperback. This is a hardback aimed at the mass market: the non-professionals. Will they learn anything from it? Well, it might be useful for teaching new tricks to those who like to con people (although fraudsters will likely be disappointed at the number of times it is assumed that they know how to reprogram DMS-100 switches: don't try this at home). The prevention sections, as noted, are big on "don't" and short on "how not to."

Well, but the book can still be a fascinating read, can't it? Sure. If you're the type of person who finds humour in watching someone fall on his or her face. Over and over and over and over and over and over and over and over and over and over again ...

copyright Robert M. Slade, 2002