The Art of Deception (2001) is a book on Machiavellian strategies to penetrate systems through people, a practice that is today’s called “social engineering”.
- Humans are security’s weakest links (security is a process and a people’s problem)
- Successful social engineering attacks often start with small, apparent inconsequential information
- Companies that want to protect their assets must focus on employees training on security and security processes (and, I’d add on learning basics of manipulation)
About the Author: The author, Kevin Mitnick, is a well-known hacker who turned “white hat” to help government, organizations, and users defend against hacker attacks.
Note on The Summary: In this summary of “The Art of Deception”, I will focus mostly on the social side rather than on the processes and training that companies should implement to protect themselves against social engineering.
Culture Makes Us Easy Targets of Social Engineering
The author says that it’s the culture itself that makes us easy targets of social engineers.
We are taught to “trust our neighbors” and have trust and faith on each other.
All people are not kind and honest. Living as if they were, is the best way to get conned.
Personally, I don’t believe that most people believe in the lie of most people being kind and honest.
It’s more a question of numbers: people are not deceived daily and are not the daily targets of fraud attempts. The familiarity of not-being conned is what leads many people to lower their guard.
Good Security is A Balance
Too much security, and the processes bog down the organization.
Too little security, and a breach can bring an organization to its knees.
However, it might be wishful thinking to hope that security will not slow down processes at all or, in some cases, inconvenience someone (ie: regular employees who forgot their badges at home).
Commercial Security Products Are Against Amateur
The commercial security products are mostly to protect against amateurs intruders -also referred to as script kiddies-.
The real threats come from more professional, more experienced attackers who focus on one target at a time and carefully study their systems, processes, and organizational culture.
The amateurs go for quantity, searching for very weak prey mostly for fun.
The professionals focus on one target and look for a financial return.
Good Social Engineers Are Charmers
In most cases, successful social engineers are good with people.
They know how to be charming, they are likable and they know people’s psychology and they leverage it to bond and connect with people.
When necessary, they might as well leverage authority to pressure lower-level employees into compliance.
Social Engineers Techniques
The author says that social engineers use well-known influencing techniques and reference Robert Cialdini’s seminal work Influence.
Here are some more social engineer techniques:
- Cushion the important question between inconsequential ones
- Use personal question (ie.: how long you’ve been with the company) to gauge his reaction (if he answers normally: great sign)
- Use the lingo to sound like an insider
- Ask something too big so they must refuse you and propose you the alternative you wanted all along: it will inspire trust (ie.: “can you go fetch my colleague badge in the next building, it’s in his drawer”)
Note: the word “fetch” is on purpose to make it more unlikely he’ll want to comply
- Take advantage of new people who are clueless and have less courage of pushing back
- Use intimidation with the ruse of authority by mentioning a boss’ boss or the CEO (works especially well with lower level employees)
- Piggyback and most employees won’t challenge you. You can carry a few big boxes and pretend you can’t access your badge or open the door by yourself if you need an excuse
The Art of Deception Stories
These are only some of the stories covered by Kevin Mitnick in “The Art of Deception”:
- A person gets out of a speeding ticket by fooling the police into revealing a time when the arresting officer will be out of town, and then requesting a court date coinciding with that time.
- The social engineer gains access to the company’s system, guarded by a password that changes daily, by waiting for a snowstorm and then calling the network center posing as a snowed-in employee who wants to work from home, tricking the operator into revealing today’s password and access through duplicity.
- A con-artist gains proprietary information about a start-up company by waiting until the CEO is out of town, and then showing up at the company headquarters pretending to be a close friend and business associate of the CEO.
There is a popular saying that a secure computer is one that is turned off. Clever, but false: the pretexter simply talks to someone into going back to the office and turn it back on.
Social engineer rule:
First rule: never visit the premise unless you really have to. They have a hard time identifying you if you’re just a voice on the telephone. And if they cannot identify you, they cannot arrest you.
It’s hard to put handcuffs around a voice.
On hiding the money:
It was a typical case of “where is he hiding the money”, or sometimes it’s “where is she hiding the money”. Sometimes it was a rich who wanted to know where her husband had hidden her money, though a woman with money ever marries a guy without was a riddle Keth wondered every know and then but never found a good answer for.
On a guy stealing an identity to fake a degree:
He had just become Michael Parker, Bachelor of Science in computer science, graduate with honors in 1998.
In this case the B.S. was uniquely appropriate.
On dumpster diving:
It might be a tactic too low down for James Bond.
Movie goers would much rather watch him outfoxing criminals and bedding beauties than standing knee dip in garbage.
But real life spies are less squeamish when something of value can be hidden among banana peels and coffe grounds.
No surprise there.
People just lose all creativity when it comes to choosing passwords.
On poor safety practices:
He logged in to the network with password and user data which were conveniently written down on post-it notes attached to the display.
On keeping a low profile:
A good social engineer never advertises his skills and knowledge.
You always want people to underestimate you, not see you as a threat.
- Don’t give out any personal or identifiable information unless there is a need to know basis and you can identify the requester
- Many Similar Stories
The stories are the real added value of “The Art of Deception”.
After a while, though they start to get similar and they lose some of their appeals.
It would have been better, in my opinion, to cherry-pick the best one and then maybe do a better analysis of them.
- Great Stories
The stories give you a real feel of how social engineering actually work in real life, and what people can do to protect themselves.
The “Art of Deception” is the best book on social engineering I have read so far.
I rate “The Art of Deception” much higher than the more popular “Social Engineering“.