The Art of Deception: Controlling the Human Element of Security

The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security
Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."
Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.

352 pages, Paperback

First published January 1, 2001


About the author

Kevin D. Mitnick

17 books, 926 followers
Kevin David Mitnick, the world's most famous (former) computer hacker, had been the subject of countless news and magazine articles, the idol of thousands of would-be hackers, and a one-time "most wanted" criminal of cyberspace, on the run from the bewildered Feds. A security consultant, he had spoken to audiences at conventions around the world, been on dozens of major national TV and radio shows, and even testified in front of Congress. He was the author of The Art of Deception and The Art of Intrusion.


Community Reviews

5 stars: 1,700 (24%)
4 stars: 2,627 (38%)
3 stars: 1,904 (27%)
2 stars: 541 (7%)
1 star: 121 (1%)

Rod Hilton
151 reviews, 3,121 followers
January 9, 2010
The Art of Deception is one of two books by famous hacker Kevin Mitnick, the other being "The Art of Intrusion". Intrusion focuses primarily on physical or technological hacks, while this book focuses almost exclusively on social engineering attacks.

A number of problems prevented this book from being very good. The main problem is simply that Mitnick did not have enough material to fill an entire book. This book would have been better if it were shorter and simply one section in a larger book about security. A great deal of the book feels like padding; the anecdotes about various social engineering attacks seem repetitive and pointless - reading just one is often enough, but Mitnick consistently indulges himself with identical tale after identical tale.

I'm not entirely sure who the audience for this book could really be. It doesn't seem like it's for technical people, because the book goes out of its way to define what things like "http" mean. The book claims to be geared toward nontechnical people or businesspeople, but the fact of the matter is that the subtle differences between a lot of the social engineering attacks will be missed by nontechnical people. To your average joe, 20 or so of the stories in the book will seem identical, testing the patience of the reader.

The book is also frustrating in its design. It's constructed as a book to help managers and businesspeople manage security at their companies. Every story about a social engineering attack is followed by a "Mitnick Message" where Kevin explains how to prevent the attack from happening to you. In reality, however, the real focus is the story itself - the attackers are consistently painted as the hero of the story, with the hapless victims being drawn as naive morons. It's clear that Mitnick admires the attackers in these tales, and the "Mitnick Message" feels like it's been forced into the book to keep up the ruse that the book is intended for anyone other than wannabe hackers. Mitnick's advice is a restated form of "verify the identity of the caller" in nearly every instance.

The book is, to put it simply, a bore. Reading it was a challenge, and I had to fight the frustration to skim or skip sections nonstop. The Art of Intrusion is far more interesting, and I recommend it over this book without reservation. There is value for businesspeople to read this book, but I imagine it will present a significant challenge to their patience.

As an aside, Mitnick offers terrible advice regarding passwords. He argues that passwords should not consist of a constant combined with a predictable variable, such as "kevin01", "kevin02", "kevin03". I agree. He also says that users should not write down their passwords and tape the paper to their monitor or under their keyboards. I agree again. He also, unfortunately, argues that passwords should expire every month. Well, that's terrible advice. Passwords need to be something people can remember, or they have to write them down. If they are going to be memorable, they can't change constantly. If they change constantly and must still be memorable, people have no choice but to add some predictable pattern to a memorable portion of a password. In short, of options A) Don't write passwords down B) Don't use a simple increment in a password C) Change passwords monthly, security administrators can pick any two. To try for all three is delusion.

Bradley
Author, 4 books, 4,412 followers
June 14, 2020
Pubbed almost two decades ago, the technology angle in this book is largely, although not completely, out of date.

Fortunately, that isn't the primary reason I picked up this book. It's right there in the title. We may as well call it Social Engineering. Others might call it a con. But either way, human psychology being what it is, the underlying vulnerability to network or corporate structures never really goes out of style.

PEBCAK. Problem Exists Between Chair and Computer.

This book does a very serviceable job outlining most of the ways that people can be conned out of information. My favorite is just in looking or acting the part that people expect. I've been hearing that advice from the early Robert A. Heinlein days. People trust others who seem just like them. Confident behavior sends up no red flags.

A lot of this is common sense, but you and I know that Social Engineering is still a growth industry.

Every day, every sector, someone, somewhere is conning us.

A lot of this book is still very timely, but I'm also sure that there are a lot of updated techniques out there.

David
865 reviews, 1,482 followers
March 20, 2008
Kevin Mitnick, probably the most famous (and controversial) computer hacker of the 1990s, has spent several years of his life on the run, as well as a few years in jail. For years after leaving prison he was forbidden to log on to a computer, a prohibition he appealed successfully. He now runs a computer security business, lectures to large corporations, and has co-authored two books on computer network security.

This book focuses on the human element of computer security. Reminding us that even the most sophisticated high-tech security systems can be rendered worthless if the people running them are not sufficiently vigilant, Mitnick goes on to point out the myriad ways in which human carelessness can contribute to security breaches. An experienced con artist who is well-versed in social engineering techniques can often do far more damage by manipulating people to provide information they shouldn't than by relying on technologically sophisticated hacking methods.

The book is interesting for the most part, though it would have benefited from a 25% reduction in length, and there are some annoying stylistic tics. Throughout the first 14 chapters, each of which reviews a particular type of ‘con’ used by hackers/social engineers to breach computer security, the chapter setup follows the same schema:
(i) an anecdote or vignette, involving fictitious characters but based on actual events, which lays out the deception as it unfolds, following it through to the successful breach;
(ii) analysis of the ‘con’, focusing specifically on the mistakes or behaviors (at the individual and at the organizational level) which allowed it to succeed;
(iii) discussion of the changes that would be needed to stop the con from succeeding (e.g. behavior of individual employees, corporate policies and procedures, computer software and hardware).
This is actually a pretty decent way to make the points Mitnick wants to get across – starting out with a concrete example of how things go wrong gets attention and motivates the reader to read on to figure out the solution.

One feature of the book which was meant to be helpful started to drive me crazy by about the third chapter. Interspersed throughout each chapter, the authors insert highlighted textboxes of two types: ‘lingo’ – repeating the definition of a concept already adequately defined in the text, or ‘mitnick messages’ – which manage to be irritating beyond the cutesy name, as they do nothing but encapsulate the obvious in language which condescends to the reader. In general, this is not a book you will read for the delights of its prose style (after successfully gaining access to a cache of hidden documents, one hacker is described as spending his evening gleefully “pouring over” the documents); however, the prose is serviceable, managing to avoid lapses into the dreaded corpspeak, for the most part.

For some readers, the most useful part of the book may be its final two chapters. Here the authors lay out, in considerable detail, outlines for recommended corporate information security policies, and an associated training program on information security awareness. Though I am no expert in these areas, the outlines strike me as being commendably thorough – complete enough that they could be fleshed out without too much difficulty to generate a comprehensive set of policies and procedures.

Despite some redundancy, and occasional infelicities of style, this book seemed to me to be interesting, and likely to be practically useful.

Pramod Nair
233 reviews, 199 followers
May 23, 2015
“I went to prison for my hacking. Now people hire me to do the same things I went to prison for, but in a legal and beneficial way.” – Kevin D. Mitnick, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker.

Reading ‘The Art of Deception’ is like hearing it straight from the horse's mouth. Kevin D. Mitnick, one of the legendary cyber desperados turned computer security consultant, takes the reader into the complex, supremely confident – often misunderstood as arrogance – and curiosity-driven mindset of the hacker world as he describes the human element of computer security. In this book, with the help of very plausible scenarios and stories, he demonstrates the art of exploiting the human mind – otherwise known as ‘Social Engineering’ – to gain access to computer networks.

In the foreword to this book, Steve Wozniak sums up ‘The Art of Deception’ nicely with these words:

The Art of Deception shows how vulnerable we all are – government, business, and each of us personally – to the intrusions of the social engineer. In this security-conscious era, we spend huge sums on technology to protect our computer networks and data. This book points out how easy it is to trick insiders and circumvent all this technological protection.

In the first three sections of this book the author explains in great detail how attackers gain entry into fortified assets by simply taking advantage of the trusting & sympathizing nature of the human mind. Mitnick covers almost all possible basic attack scenarios which a real-life attacker uses in conning an unsuspecting computer user for gaining entry into a closed network. By attacking the weakest link in the security apparatus, this book shows how a skilled social engineer can take complete control of a system by pulling the strings on an unsuspecting victim like a master puppeteer and making him do things which favor the attacker. After showing each scenario, Mitnick explains the various factors which made each scenario work, and gives valuable inputs and strategies on how organizations can prevent each scenario from happening within their working environment.

For those who have a professional interest in corporate security or information security the section titled ‘Raising the Bar’ will be a valuable resource. In this section Mitnick provides a very detailed outline of ‘practical corporate information security policies’ and training methodologies for staff, which in a combined manner can mitigate the risks of an intrusion.

Some readers may find the style of writing employed in the book not up to the mark, but as a practical book on analyzing and becoming aware of the threat of Social Engineering and as an Information Security Policy reference this book has some valuable content. In the present time you may find more detailed books on Social Engineering, but when this book came out in 2003, it had some sensational content which I still remember reading with great thrill. Some of the technical exploits related to the telephone systems that are mentioned in the book are a bit outdated, but the methods and philosophy of exploits that target the human mind are very relevant even today.

This book is a recommended read for anyone who is interested in computer security and the hacker subculture.

Derek
1,296 reviews, 8 followers
August 10, 2016
I suspect that if you're reading for entertainment, then you probably want Mitnick's The Art of Intrusion or Ghost in the Wires instead. This book is split 2/3 and 1/3 between a series of fictionalized anecdotes--based on or representative of real incidents--and a corporate policy guide. The guide, like all such specifications, is deadly dry and would require several readings and much thought to fully internalize.

The anecdotes are more interesting than entertaining, and all proceed by the same basic pattern: a 'social engineer' (Mitnick's sterile term for what amounts to a con man) manipulates the helpful or easily-influenced into providing information or services which can then be further leveraged to some end. Sections directly relating to computer penetration are substantially less interesting than those that are merely two people on a phone.

Mitnick's focus is organizational, not individual, and presupposes an organized, collective effort towards protection based on establishing correct procedure, education, and most of all the directed effort of those in charge. As such I can't help but think that this book is targeted to executives and not to the peon-types on the front lines, who in the anecdotes are the ones who inadvertently give away the keys to the kingdom.

Atila Iamarino
411 reviews, 4,428 followers
November 10, 2016
A good book about that mischievous kid hacking, that artful hacking, that was practiced a lot back in the day. Good stories about how the best security systems can be circumvented with a few phone calls or a search through the trash. He goes through some notions of programs and cyberattacks (in far less detail than Social Engineering: The Art of Human Hacking), but most of the hacking he describes is done with saliva and cunning.

It's not such a useful book nowadays, especially with the changes in technology (he talks all the time about how to use a fax, for example), but people remain the biggest vulnerability. I enjoyed it more for the stories, really. The ending has a repetitive and much more detailed description of what to do to avoid security problems, which has become especially outdated and is aimed squarely at companies. I wouldn't have read the ending if it hadn't been an audiobook.

Koen Crolla
771 reviews, 205 followers
February 4, 2015
Almost all of this book consists of infinitesimal variations on the same point, communicated through accounts of apparently real events fictionalised by someone who clearly desperately wanted to write short stories instead of ghost-writing for minor celebrities but couldn't find a publisher for them. That every story reads like a bad (and I mean bad) noir film isn't just annoying; it makes them much less credible.
It's clear that Mitnick thinks very highly of himself and his accomplishments, occasionally remembering to point out that it's really easy to defend against social engineering attacks but mostly painting social engineers as omnipotent Supermen who are just better than the common folk who merely work in offices; he also seems to think he's the first person to write a book about defending against these con men, judging by his two chapters of condescending policy recommendations. Maybe he is, to a lot of the people who'd read this book. It's certainly likely that The Art of Deception has done and will continue to do more good than harm, which is more than can be said for most popular books on any kind of security.
That doesn't make it any less repetitive, though.

John
195 reviews
August 26, 2011
We think of computer hackers as sitting in an isolated room, endlessly probing corporate and private networks from their screen. Actually, almost all deep hacking starts with the manipulation of people to do something that allows the hacker to move to the next level. The Art of Deception tells how Mitnick used "social engineering" skills to get people to unknowingly provide critical assistance, from simply being polite and opening a secure door to setting up restricted user accounts. Having read this book, I am much more suspicious of any request made online, by phone, or in person by a stranger. Should be required reading for anyone in IT, especially those involved in network security.

Fuji
9 reviews
September 6, 2022
America's greatest hacker, not America's greatest storyteller. If one were to treat the book as a piece of code, debugging it to remove the duplication and redundancies would make it a far more pleasant and informative read.
That aside, hacking is a timeless skill which only serves to make me moist. 3/5

Joanna
1,958 reviews, 36 followers
January 12, 2019
A conversation that might take place, or perhaps already has:
The phone in the bookshop rings.
"Hello, this is Jari from the Such-and-Such bookshop."
"Yes, hello, this is Klaus from the branch on the other side of town. Listen, something has gone pretty badly wrong here and the customer is furious. The book he ordered should have been here with us, but it isn't. He's already paid and needs it urgently, right now. You still have one in stock, don't you?"
"We do, yes."
"Great! Could you set it aside for the customer? He'll pick it up shortly. He's already paid, I've checked all that. Just hand it over to him, OK?"
A little later the customer shows up, takes his book and disappears. Later it turns out that there is no employee named Klaus at the branch on the other side of town at all. And of course the book was never paid for either.

That is a relatively harmless example of how social engineers exploit people to get hold of information and/or free products. A single book may not hurt a business much, but the examples Mitnick cites show how, in a similar way, damage running into the millions can occur. One company had two years of work wiped out in a very short time when all the documents for its new product were stolen and sold on to another company. And that simply because someone asked for them.

Also striking is the example of the father's bet with his son. The father is fairly lax with his credit card details. "They're well protected, after all," he thinks. The son sees it differently and says he could get all the relevant information without having to get up from the table. Within 10 minutes. Fine, the bet is on. The son pulls out his phone, applies his skills as a social engineer and obtains not only the credit card number and expiry date, but also his father's date of birth. All just by asking for it.

There are also stories about how information was stolen from high-security prisons or from high offices. In other words, from places where you would expect a high standard of security.

In his book Mitnick shows us the attackers' tricks and dodges and hands the reader a good tool for knowing when to become alert and careful. By and large the author addresses the management level of a larger company, which has the ability to implement changes and rules regarding security. But even as an ordinary employee (which is what I am), you learn a lot about what a well-meant piece of information can set in motion.

The book does have a few years on it by now (the original edition appeared in 2002), but Mitnick's fundamental message hasn't changed. The media may be different, perhaps the sources of the attacks too, but since the craft of the social engineer targets people, these methods are still the same.

I too have unsuspectingly passed on information. That won't happen again. You may think "Why would anyone want to attack a business as small as ours?", but that is exactly the attitude the attackers count on. Nobody assumes that the friendly gentleman on the phone, who is in such a predicament, is not at all who he appears to be. It's not about information like "where do I find the post office?", but about data that you shouldn't blindly entrust to just anyone.

Someone wants to know a password? Caution is called for! Download something? Better first make sure you're really talking to someone from IT!

After reading this book I will be more careful, for our customers' sake too. I don't want their data to fall into the hands of some criminal! Besides, I urgently need to change my passwords...

Henrikas Kuryla
31 reviews, 4 followers
January 31, 2021
The book reveals a spectrum of tricks so-called "social engineers" use to obtain information they are not supposed to have access to. Although technical means play a significant role, the most emphasis is placed on the human element. The deceit schemes are split into multiple steps in which people are tricked into submitting seemingly insignificant information. But when put together, those insignificant elements result in a loss of valuable information.

I must admit that some trickery schemes seemed fascinating to me. The ingenuity and the aspiration to find ways around seemingly fail-safe systems deserve admiration. On the other hand, most "social engineers" are imitators; the real geniuses among them are rare.

I put the term "social engineer" in quotation marks because I don't think it is the right term for naming the deceitful practices described in this book.
The real meaning of the term "social engineering" I would demonstrate by one Sufi story from Idries Shah's book "A Veiled Gazelle".
In this story a traveling Sufi master once encountered peasants who argued over who should farm a certain piece of land. The master approached the peasants and in some way known only to him (!) persuaded those people to submit the land to him. He settled there and, after several years, when the peasants had learned to work the land by sharing it, the master gave the land back. This is social engineering.
What happened here was that the master manipulated people to establish practices that were beneficial to the community. After achieving his goal he returned the property he had obtained by trickery.
An example of social engineering in the context of this book could be an effort to grow awareness of deceitful practices.
So, how do we name those so-called "social engineers"? Tricksters, swindlers, grifters or just thieves.

Does the book teach how to become a "social engineer"? Well, for people with a certain mindset and loose moral restraints - maybe.
But the real value of this book is bringing into awareness the existence of deceitful practices, explaining how to recognize them and giving an outline of procedures that help protect your information.

Vakaris the Nosferatu
880 reviews, 18 followers
February 28, 2024
all reviews in one place: night mode reading; we read in night mode

About the Book: How often do you change your password? Is it one word? Do you have it written down? What’s your password policy at work? Is everyone adhering to it? Did you open that email from a sender you didn’t know? It looked legit enough, and had no attachments, what’s the harm, right? So, how secure do you feel? How secure are you, really? How secure is anything once it’s online? Well, reading this, it seems security is an uphill battle we’re all, for some reason, skimping on. The author provides great tales on social engineering and deception, and backs it up with various solid advice on how to protect yourself from it all, whether you’re just someone using the internet, or a company with an internal network. After all, who’s better to advise on safety against social engineering than the one who popularized the term?

My Opinion: If you ever thought “oh, who’d hack me, I’m no one and have nothing” – you must read this book. If you rarely, if ever, change your password – you must read this book. If it’s something idiotically common, a joke, or very specific to you – read this book. If you use real data to answer your security questions (aka real mother’s maiden name, real best friend, real pet) – read this book. Read this book in general, to know what’s out there, what to expect. Wish I had it about two decades ago; it would’ve saved me some headache trying to explain to older family members that an advertisement banner screaming “you have a virus!” doesn’t mean you have a virus, though it means you’ll pretty much guaranteed get one if you click on it. Amusing, if scary, very well paced, and well written too.

A 5 out of 5, great end to the Villainous February.

Ty-Orion
380 reviews, 122 followers
October 9, 2021
Technically outdated; the same thing is repeated ad nauseam.

Azam Ch.
102 reviews, 4 followers
June 18, 2023
You should only read this book if you have been in a coma since 2005 and only woke up recently.
Almost all of the things it talks about are basic human common sense, and if someone lacks that, I don't think this book will do anything to help such a person avoid being a victim of social engineering.
Utter trash and a waste of time, and a grind that I just wanted to be over with.
It was good for like the first 20% of the book; beyond that it was the author putting in his daydreams about social engineering attacks with the same formula just in a different building. It was horrible and mind-numbing to read.

Like Taleb says, a book that tells all it can based on the heading of the section is not worth reading. The same applies to this crap of a book; I could have guessed what the next coming pages would be by reading the chapter titles, all the same repetitive common sense repeated in extreme detail as if talking to a 7-year-old.

An utter waste of time. Times like this are when I wish I could overcome my sunk-cost fallacy issues and throw crap like this away without finishing it.

An utter waste of time.

Jeff Yoak
818 reviews, 46 followers
October 31, 2021
This book is really creepy.

It serves as a how-to, and to a lesser extent a how-to-prevent, book on social engineering attacks. Most professionals in the industry understand that attacks are rarely purely technology-based. Much more often companies are compromised through a combination of human and computer vulnerabilities.

This book focuses on the human component of such attacks and is written from the perspective of someone who was extremely effective at executing such attacks. Though I was already somewhat aware of these dangers and aware of many of the techniques, this book was an eye-opener.

For those working in IT or technical departments, this book is certainly a should-read. It is also written in such a way as to be full of interesting stories for the non-technically minded.

Russell
115 reviews, 12 followers
April 9, 2013
I found the most valuable sections in this book to be the policy recommendations and information security practices described in the last chapters (despite their age). The anecdotal and fictionalized scenarios were effective up to a point, but there are so many of them that they wore me down and I just started scanning them when I was about 3/4 of the way through. Mitnick's "messages" provided helpful suggestions and contextual gotchas interspersed with the social engineering/con situations, but the real meat was at the end of the book. I'll probably buy this book simply because of the security policy information and the easy-to-understand business cases that are easily comprehensible due to their storylike nature.

James
296 reviews, 4 followers
October 26, 2016
So ... Interesting read. Social engineering has been going on a long time and has impacted many corporations, governments, etc. I felt this book did a great job documenting examples of what has taken place as well as provided insights for what you and your organization can do to help prevent, the best that you can, social engineering attacks.

This book definitely irritated me as I had not thought about the detailed level of attacks folks have gone through. Thinking back, there have probably been some times where I had been the person on the receiving end. Wish I had read this about a decade ago as it has some good common sense knowledge to learn from.

The Moon
373 reviews, 2 followers
February 22, 2022
For a person who's the best hacker in the US and a book on social engineering, there's an obvious lack of knowledge of marketing. It's mainly for business leaders, business leaders that don't know what a Trojan or http is. At the same time you're not able to tell the difference between a dozen similar stories with the same message if you don't know what a Trojan is, and if you do have technological know-how the book is way too basic. And then you have a summary at the end. Could've been done better.

Jeff
114 reviews
August 13, 2014
Zzzzzzzzzz, Oh sorry..... This was a tough read. Very dry and if you've ever worked in a corporate environment, or IT at all, most of this is simply common sense.
Some of the 'examples' used are repeated in Kevin's other book, Ghost in the Wires, which I read before this one. GitW is a good read, this one, not so much.....

Kökten Birant
14 reviews
August 15, 2017
Fun and, most importantly, real... Definitely not technical or demandingly complex. It explains things at the level of "anyone can be a hacker, as long as they have a bit of brains"... The narration of the incidents in particular is very well done...

Me, My Shelf, & I
922 reviews, 103 followers
April 28, 2024
DNF @ 43% (not because it's bad, but because it's outdated and I already got everything of value from it)

This book was published in 2003 and definitely shows its age. It explains basic hacking terms that most people understand, places a lot of emphasis on passwords (which most people now understand; the main issue is now laziness as opposed to a knowledge deficit), has to tell you what PayPal and Google are, mentions floppy disks and people using their phones to make actual phone calls...

Basically it's a dinosaur, lol.

BUT it does have some fun anecdotes about social engineering and the information is still interesting and useful. It doesn't translate brilliantly to audiobook as they spell out full URLs or phone numbers (which in itself seems a security oversight?? or useless if they're all 555-- I wasn't paying attention because I automatically tune those out). After a certain point the stories become a little repetitive, so I think it's safe to say there's nothing else I can really get from this book at this point in time. I'll definitely be picking up more recent writings on the subject, though!
Lance
7 reviews1 follower
September 9, 2021
The Art of Deception is a great book because it points to the single issue with security: humans. The human element is a massive problem because, unlike AI, humans rely on hunches and the benefit of the doubt as part of their judgement. Eye opening.
9 reviews
May 7, 2023
"The Art of Deception" by Kevin D. Mitnick is a thought-provoking book that sheds light on the human vulnerabilities in the world of cybersecurity. The book emphasizes the importance of understanding the human element of security, as it is often the weakest link in any system. Mitnick provides numerous examples of how hackers use tactics such as trust-building, curiosity, and fear to manipulate people into divulging sensitive information.

The writing style is clear and easy to follow, and Mitnick's personal anecdotes add a human touch to the subject matter. The book is structured in a way that makes it accessible to both technical and non-technical readers.

Overall, "The Art of Deception" is a valuable starting point for anyone interested in cybersecurity or anyone concerned about the security of their personal information. Mitnick's insights into the world of social engineering provide a fascinating and informative perspective on the human side of security.
Remo
2,370 reviews152 followers
March 4, 2012
I came across this book (it's on eMule, of course) and devoured it in two days. There is a sequel, The Art of Intrusion, which seems to be even better.

Kevin Mitnick became quite famous, to his misfortune, when he was sentenced to several years in prison for various crimes against the electronic security of several American companies and government agencies (nothing serious according to him, the computing holocaust according to the prosecutor). Wikipedia (Kevin Mitnick, Kevin Mitnick) tells his story in broad strokes. The thing is, he is convinced that he was made a scapegoat, by the journalists as much as by the judicial system.

This book is not a biography but a review of the methods of what has come to be called "social engineering", or the art of wheedling important information out of the people who have it without alarming them. The book consists of a pile of (supposedly true) cases in which a person with no connection to a company or organization ends up obtaining a great deal of information. Kevin Mitnick [KM] talks about private detectives, high-school students with a lot of free time, and even a new figure, on the edge of legality, called "information brokers", all of them specialists in finding information that supposedly should not be disclosed to the public.

The cases are really entertaining to read. Many times you think "no, that couldn't happen to me", but that is exactly what KM says everybody thinks. And yet it happens constantly, according to him. At the end of each case he recounts, he explains how certain policies on information disclosure within the company, properly put in place, could prevent the vast majority, if not all, of the information leaks due to social engineering attacks.

The last chapter is somewhat blander and is devoted entirely to summarizing, in a structured way, all the steps that any organization, whether private or governmental, should take to establish clear and unassailable policies that minimize the flow of important information to the outside.

The book is very entertaining and a quick read. It leaves you (at least it left me) wanting to keep reading about the subject, so I quickly "located" the next book by the same author, which I'm already devouring. My rating: Very interesting.

Khalid
155 reviews67 followers
June 22, 2007
In The Art of Deception, [Kevin Mitnick] discusses the thing he's best at: Social Engineering. Social engineering is the term used in computer security to describe the manipulation of humans in order to break through a security barrier, and is sometimes referred to as hacking the mind.

In the first chapter of his book, usually referred to as The Lost Chapter (as it wasn't published with the final version of the book), Kevin Mitnick tries to convince his readers that he is innocent, or at least that he isn't a "criminal". I believe he made good points in this chapter, and wish it had been published.

The book isn't about Mitnick, though; it's about social engineering. If he was ever on the dark side, he is no longer there. He now works as a security consultant, and this book is designed to help improve security awareness, and help us all avoid being deceived by social engineers.

The bulk of this book consists of different stories of social engineers getting their job done, followed by advice on how to avoid such kinds of attacks. Just like any security book, this book can also help the bad guys improve their skills, because it offers many ideas on how you can trick people; however, if the good guys read the book, they would laugh at the bad guys' attempts and say "Ha, I know that one!" No, really!

The idea of the book is very interesting, and some of its stories are really smart; however, I must admit that it gets a bit repetitive towards the end. The authors are trying to separate different stories into different chapters, but the differences between the ideas in these stories are sometimes so small.

The ideas represented in this book are applicable to more than just computer-related systems (Hey, you don't have to use them to steal money, but they're good to know anyway!); however, due to the fact that information is closely associated with computing nowadays, you'll usually find a lot of technical details in the book. But anyway, as long as you use a computer, you'll most likely be fine reading it!

The authors have just completed a new book, The Art of Intrusion. It looks like it is going to be more technical, and more geared toward hacking than social engineering. I probably will give it a try sometime.
Luca Dell'Oca
155 reviews2 followers
November 19, 2021
A book that was born badly 20 years ago and has aged even worse. Mitnick obviously exploited his status as a very famous hacker to write this book, which, however, turns into the (boring) combination of two parts.
The first is a long self-celebration of social engineers. They are brilliant, they always get the information they are looking for, and they are unstoppable. I (as a former security consultant) am only half convinced, because either the examples given are excessively rosy in order to get the concepts across, or these people have always managed to find genuine (pardon the term) idiots, since they obey and consent to the most shameless and blatant requests. Moreover, while the first examples do serve to get the concept across, Kevin goes on and on with far too many examples.
The second part is perhaps the most interesting technically, since it lays out various security "policies" that companies and individuals can adopt. But in a book they clash badly; they are unreadable (I honestly just skimmed through them quickly) and useless if you picked up this book just for a pleasant read. It would have been better to publish them online and give the web address in the book; even in 2002 that was possible.
Son Tung
171 reviews1 follower
January 23, 2016
Kevin D. Mitnick, a former hacker turned security expert, gives an excellent view on the security threats posed by the human factor in the modern world.

The common stereotype that computer geeks are often fat and unpopular, with heavy glasses and nerdy faces, does not apply in the "Social Engineer" category. A social engineer is someone with talent and understanding for both social behavior and technical command. He/she can infiltrate a company's system by manipulating human psychology (unshakeable confidence, empathy, guilt, reciprocity) and, of course, the lingo and insight needed by a great impostor. The funny part is, sometimes the job can be done by curious individuals or dumpster scavengers. Imagine the work done by industrial spies to create heavy-impact espionage!

You will find dialogs which are so amazingly similar to those in heist movies. Yep, it is real and complex.

It was an enjoyable read for me; some parts are repetitive, and I felt like the voice of an old, experienced man kept echoing: It's all about humans, not about fancy technology or machines.
G.M. Lupo
Author 10 books22 followers
March 28, 2015
Kevin Mitnick is probably best known for being a phone phreak and fugitive computer hacker in the late '80s and early '90s, who was the focus of a considerable manhunt. Following his capture and time in prison, he's become an Internet security consultant and turned his talents to helping people avoid the sort of hacks he became famous for perpetrating. This book is a chronicle of numerous social engineering attacks, some hypothetical, some based on real-world examples (which may or may not have been carried out by Mitnick himself), and recommendations for how to guard against such attacks. I actually recognize a number of the policies he recommends as being part of the security awareness training my company conducts every year for employees, so apparently, someone listened. I must admit I found the anecdotes more interesting than the policy recommendations, though someone tasked with guarding his or her company's assets would no doubt find these of immense value. Definitely worth a read.
Javier
49 reviews
February 21, 2022
Okay. First of all. This book is dated. Seriously dated. It's from before social networking was a thing, so the final part about securing your enterprise? No longer relevant.
Now, the meaty part (the first 4/5 of the book) is a great primer on social engineering and how your stuff might be stolen by seemingly innocent questions. Even if some of the examples are also dated (dial-in connections? Fax?), as Mitnick says, it's not about the technology, it's about the human element, so most of them still apply even in 2022.
If you have an interest in security, this is a fun-to-read and light must-read book.