The Art of Deception by Kevin Mitnick

by Roy Troxel
WebserverTimes.com
Book Review:
The Art of Deception

By Kevin D. Mitnick and William Simon
2002, Wiley Publishers, Inc.
352 pages

During the 1990s, the author of this book, Kevin Mitnick, was reputed to be the world's most dangerous hacker. After serving a five-year prison term, however, he has been doing quite well for himself. He now has his own consulting firm, a radio show, and has published a book. If you go to his web site, you'll notice that he'll be giving presentations in Las Vegas this year.

If you're not already familiar with the exploits of Kevin Mitnick, here is a brief review of the high points of his criminal career:

1981 At age 17, he is convicted of stealing computer manuals from a Pacific Bell switching station.

1982 He breaks into the North American Air Defense Command computer, seizing temporary control of three central telephone company offices in Manhattan. He also gains access to all phone switching centers in California.

1988 He monitors email of MCI and DEC security officials. Digital Equipment accuses him of causing $4 million worth of damage to computer operations and stealing $1 million worth of software. Receives one-year jail sentence at low-security prison in Lompoc, California.

1993 Accused of wiretapping calls from the FBI to the California DMV and using law-enforcement codes gleaned from the wiretaps to illegally gain entry to the drivers license database.

1994 On Christmas Day, Mitnick fatefully breaks into the San Diego Supercomputer Center, patrolled by security expert Tsutomu Shimomura.

1994 Mitnick hacks into The Well, a popular portal site for techies. He deposits some of Shimomura's files there. Shimomura's subsequent pursuit through cyberspace leads to Mitnick's arrest near Raleigh, North Carolina, in 1995.

1997 Sentenced to nearly two years in prison for parole violations and using stolen cellular phone numbers to dial into computer databases. Awaits trial for 25 counts of computer and wire fraud, possessing unlawful access devices, damaging computers and intercepting electronic messages in an unrelated case.

After Mitnick's sentencing, hackers broke into the Yahoo! site, declaring that widespread damage would occur across the Internet if Mitnick was not released.

1999 Mitnick pleads guilty to five felony charges in U.S. Federal court. He had cost high-tech companies at least $291.8 million over a two-year span.

January 21, 2000 Released from prison after serving almost five years. He is told, among other things, that he cannot use the Internet until Jan 20, 2003.

[Source: The Tangled Web by Richard Power]

Enter Shimomura

Sometimes multinational corporations and government bureaucracies don't really matter. Sometimes it just takes one attack on one individual. Attack the wrong guy, and you're in big trouble. Who is "the wrong guy"? He's the one who doesn't care about the money, because he's been insulted and he sees it as a point of honor to bring you down. In this case, the wrong guy for Mitnick to hack was Japanese-born Tsutomu Shimomura. A high school and college dropout (like Mitnick), Shimomura had been pursuing a career in cyber security at various corporations and universities. His keen technical knowledge of Unix and other operating systems had enabled him and his assistants to track many Internet crimes.

Shimomura's pursuit of Mitnick made material for stories in the New York Times, 60 Minutes, Playboy and other high-profile media outlets. This was partially because of the efforts of NYT reporter John Markoff. Mitnick was later to accuse his pursuers of being publicity-hounds, trying "to profit from the Myth of Kevin Mitnick"; i.e., that he was some powerful underworld character, determined to bring down the Internet. On the other hand, since his release, Mitnick has never ceased to profit from that myth himself. Part of his testimony before Congress reads:

"I have gained unauthorized access to computer systems at some of the largest corporations on the planet and have successfully penetrated some of the most resilient computer systems ever developed. I have used both technical and non-technical means to obtain the source code to various operating systems and telecommunications devices to study their vulnerabilities and their inner workings."

Shimomura and Markoff, in their book Takedown, conclude that Mitnick is "a man who has had fifteen years and six arrests to figure out what is right and wrong."

"For me," writes Shimomura, "Kevin Mitnick's real crime is that he violated the original spirit of the hacker ethic. It's not okay to read other people's mail, and to believe that software and other computer technology should be freely shared is not the same as believing that it's okay to steal them."

"The network of computers known as the Internet began as a unique experiment in building a community of people who shared a set of values about technology and the role computers could play in shaping the world. That community was based largely on a shared sense of trust."

The Defense of Mitnick

During his years in jail and afterwards, Mitnick's supporters, like Eric Corley of the "2600" organization, and other "revolutionary" cyber-groups have claimed that because Mitnick did not financially gain from his activities, he should never have been prosecuted. There was even a "Free Kevin" site, complete with buttons, banners and fiery manifestoes. Yet nowhere in his online messages does Mitnick express any altruistic or revolutionary vision of the future. He never robs from the rich and gives to the poor. In fact, he behaves more like an addict needing one more fix.

One of Mitnick's defenders, Jonathan Littman, in his book The Fugitive Game, claims that after serving eight months in solitary for his first offense, Mitnick could no longer obtain a job because the government would call his employers and tell them of his past activities (the Pac Bell rip-off, etc.). He was forced, therefore, into a life of crime. Most of Littman's book consists of online messages sent to him by Mitnick during his years as a fugitive.

(But, hey Jonathan, if you're reading this, I'm not trying to single you out. It's just that your arguments are so typical of Mitnick's defenders.)

Littman takes great pleasure in depicting the FBI and other law enforcement agents as arrogant and bumbling. (To be fair, Shimomura also berates them as an ineffective bureaucracy.) Well, maybe the FBI should have been pursuing child pornographers and terrorists instead of a cyber-addict like Mitnick, but who is to say that they weren't doing that also?

Surprisingly, Littman raises no legal points, and, in fact, unwittingly denigrates the man whom he is supposedly defending. For example, the first chapter and a half of the book is spent describing Mitnick's early working environment, the sleazy Los Angeles street scene. (This is a great way of winning sympathy for him?) One of Kevin's early associates, for example, is a pimp who...Well, you get the idea.

Littman even suggests the possibility, with no proof offered, that Shimomura was working for the National Security Agency as an undercover agent. On the other hand, how do we know that Mitnick wasn't working for the KGB?

Many of Mitnick's later comments, however, contradicted his supporters' statements about him.

By 2002, Mitnick had been released from prison and entered the computer security business.

And then, wouldn't ya know it? His web site got hacked! Twice!

The Art of Deception

In his introduction to this book, Apple co-founder Steven Wozniak declares that "Kevin Mitnick is one of the finest people I know...As young men, both Kevin Mitnick and I were intensely curious about the world and eager to prove ourselves..."

(But, Kevin, suppose your clients decide to outsource your work to India and China?)

But seriously...The Art of Deception is one valuable and exhaustive work on Internet security, one of the best I've read in a long time.

The author spends a good deal of time describing the mindset and techniques of the social engineer. If you've ever worked in sales of any kind or taken sales courses, you'll recognize a number of these techniques: cold-calling, informational interviewing, closing on objections, etc. (Mitnick is under court orders until 2010 not to report the details of his own exploits.)

Here are some gems of advice to the budding social engineer:

-Posing as a fellow employee is important, because "it's all about being a team player and helping each other get the job done."

-Knowledge of a company's lingo and its corporate structure is always helpful.

-You should bury serious, informational questions between innocuous questions. That way if the police question your victims, they will only remember the last thing you asked them.

-Work on the human feelings of sympathy, guilt and intimidation, something like: "I'm Mark Sellers, in the registrar's office. Say, you feel like taking pity on the new guy?...Great...Listen, I need to know..."

-The more a social engineer can make his contact seem like business as usual, the more he allays suspicion.

-Headhunter firms use social engineering to learn about company personnel and structures. They can use seemingly unrelated pieces of information which, when combined, present an overall picture of a company or organization. Therefore, employees should be instructed as to what information to give callers and what information not to give.

Among the more elaborate schemes discussed are how a social engineer can cause a problem for you, then fix it, and then play on your gratitude in order to extract information. I know about this one. I once worked with a technician who would alter the config.sys files on the employees' PCs so they couldn't boot up. When he later "fixed" the problem, the users were always grateful. This way, the tech avoided working on time-consuming trouble tickets.

Building Trust and "Preventing the Con":

Some authorities recommend that 40 per cent of a company's overall security budget be spent on awareness training for employees. This book explains in detail how to set up such training programs. Mitnick recommends that no employee be provided computer access until he or she has attended a basic security awareness session. He even provides flow charts showing the steps in social engineering procedures. (He also shows how to stop the procedure at each step.)

Here are some quick tips from The Man himself:

-Users should keep logs of all requests for information.

-Maintain a list of people trained in trusted procedures.

-Make a complete inventory of your holdings, to determine which assets are most valuable and which, therefore, should be the most secure. Also determine what methods an attacker might use to compromise those particular assets.

-Designate specific persons to be permitted to give out secret information.

-Don't keep credit card information on file.

-If a stranger does you a favor, then asks you a favor, don't reciprocate without thinking carefully about what he's asking for.

-Never cooperate with a stranger who asks you to look up information, enter unfamiliar commands into a computer, make changes to software settings or...open an email attachment or download unchecked software.

-Don't use cheap paper shredders that tear the paper into long strips that can be reassembled by patient dumpster-divers. Also, buy a lock for your dumpster.

-If your company has implemented proxy servers as intermediaries to protect the enterprise from electronic security threats, have those servers been checked recently to be sure they're configured properly?

The book concludes with Mitnick profusely thanking the dozens of people who have helped him turn his life around.

Well, good luck, Kevin, and tell the Woz that we all said "Hi!"


About The Author:

Roy Troxel was in the IT business for 15 years and is now an investor who writes about information technology. He has a BA from Cornell University and is a Certified Internet Webmaster (CIW).

Copyright © 2010 HostTutors. All rights reserved.