Social Engineers: The Art of Deception: Controlling the Human Element of Security
Categories: featured Posts, security, Social Engineers & Social Engineering
The Art of Deception: Controlling the Human Element of Security
A look into former hacker Kevin Mitnick’s book The Art of Deception, and how social engineers obtain personal information and hack for their personal gain.
As the title conveys, this book is about deceit. It focuses on deceiving people to obtain information for personal gain. Furthermore, this book is not about hacking as such; instead it focuses on social engineering. The author, Kevin D. Mitnick, describes a social engineer as “Somebody who uses deception, influence, and persuasion against businesses, usually targeting their information” (preface xii).
Primarily, the book is about how social engineers gain information from people. Mitnick demonstrates how social engineers get their information by using fictional, although very plausible, stories. At the end of each story he analyses the con, explaining how the people involved (the victims) were deceived, and gives examples of how the con could have been prevented, usually by simple measures such as verifying who the caller was.
Chapters 15 and 16 give details of how to prevent social engineering attacks on organisations. The latter of the two is the longest chapter in the book because Mitnick gives examples of security policies, such as only discussing sensitive information over the telephone when the operator personally recognises the caller’s voice or the call is an internal call from within the organisation. Another example of Mitnick’s security policies is the importance of passwords; he writes extensively on this topic. Most of the policies Mitnick describes are things that should be just common sense, but obviously many people have been taken in by social engineers.
This book was written chiefly for businesses and organisations; Mitnick makes them aware that it is comparatively easy for social engineers to gain people’s trust and, consequently, potentially valuable information. In some cases it is frightening how easy it is to acquire a customer’s credit card details from just a few phone calls. On a personal level, I felt that I had little interest in the last two chapters as they were principally aimed at organisations, although these suggestions could form a basis for safeguarding companies’ and employees’ interests.
The author’s viewpoint is best described in the preface of the book. Mitnick claims he is not the malevolent hacker the media have portrayed him as. He charts his history of deception from the age of twelve, when he discovered a way to travel on the bus for free throughout Los Angeles by using partly used travel cards that had been discarded by the drivers, together with a paper punch he acquired after “a friendly driver, answering my carefully planted question, told me where to buy the special type of punch” (preface ix). He continues in the preface to explain how he became a social engineer from his time at high school, after meeting a student who was interested in ‘phone phreaking’. Mitnick describes it as “a type of hacking that allows you to explore the telephone systems network by exploiting the phone systems and phone company employees” (preface x). Using his phone phreaking skills, he could obtain information about a customer of the phone company by using the “lingo” (preface x) and his knowledge of the companies to ask the right questions. Mitnick was able to obtain a secret test number which enabled him to make long distance calls for free (although they were actually billed to another company’s account). Mitnick states that “My much-publicized hacking career actually started when I was at high school. While I cannot describe the detail here (…) I was one of the driving forces in my early hacks” (preface xi). After high school he studied at the Computer Learning Center and managed to gain “administrative privileges in the operating system” (preface xii) on their IBM minicomputer by discovering a vulnerability. The staff could not work out how he had done it, so they proposed that he either improve the school’s computer security or be suspended for hacking the system. Mitnick claims that he did all this out of curiosity, “to see what he could do; and find out secret information about operating systems…and anything else that stirred my curiosity” (preface xii).
He also claims that he is a changed person, that he acknowledges his actions were illegal and that he committed invasions of privacy, and that he now uses those social engineering tactics for “helping government, businesses, and individuals prevent, detect and respond to information-security threats” (preface xiii).
As I highlighted earlier, the central theme of this book is how easy it is for social engineers to gather information from their victims. One of the issues he raises is that people are usually the weakest link in security. Mitnick states that “Security is merely an illusion, an illusion sometimes made even worse when gullibility, naïveté, or ignorance comes into play” (p.4). This raises an important point: we are not as safe as we think we are. Mitnick then outlines how social engineers exploit our trust; he explains that “social engineers have strong people skills. They’re charming, polite, and easy to like-social traits needed for establishing rapid rapport and trust” (p.8). Using these means, the social engineer can take advantage of our trust and get the information he needs. This supports the idea that “….we humans (…) remain the most severe threat to each other’s security” (p.8). It is also interesting to note that Mitnick states that, to his knowledge, terrorists have not yet used social engineering strategies to attack corporations and businesses; this does not necessarily mean they will not or have not used them, because “the potential is there. It’s just too easy” (p.10).
Pursuing the issue of human vulnerability, the second part of the book gives fictional stories of how the social engineer extracts the information he wants from his victims by gaining their trust. Mitnick also points out that social engineers combine what may seem an insignificant bit of information with the exploitation of people’s trust to get the information they need: “Much of the seemingly innocuous information in a company’s possession is prized by a social engineering attacker because it can play a vital role in his effort to dress himself in a cloak of believability” (p.15).
In chapter 4, Mitnick describes how a social engineer builds trust with the victim. He says that social engineering attacks are successful because “human beings are all vulnerable to being deceived because people can misplace their trust if manipulated in certain ways” (p.41). Mitnick compares the building of trust to a game of chess: “…he’s always prepared to turn distrust into trust. A good social engineer plans his attack like a chess game, anticipating the questions his target might ask so he can be ready with the proper answers” (p.41). Mitnick goes on to explain that the key to deception is trust, and “when people don’t have a reason to be suspicious, it’s easy for the social engineer to gain their trust” (p.41). He also says, “Once he’s got your trust the drawbridge is lowered and the castle door thrown open so he can enter and take whatever information he wants” (p.41). This quote is particularly interesting: once the social engineer has the victim’s trust, the victim is willing to share any information, simply because they trust him. Another way social engineers exploit our human nature is by ‘helping’ the victim: “…somebody with the knowledge, skill and willingness comes along and offering to lend us a hand. The social engineer understands that, and knows how to take advantage of it” (p.55). Naturally, the social engineer has created the problem in the first place, and so is the one who can ‘fix’ it; Mitnick refers to this as “reverse social engineering” (p.60).
Alternatively, social engineers can manipulate their victims in other ways: “The social engineer manipulates by pretending he needs the other person’s help to help him” (p.77). This is the opposite of the previous way of gaining trust, but it still works because we all want to help another person facing problems.
The social engineer can also use technology to exploit our human nature. One way is through the internet and the World Wide Web. Social engineers send out e-mails offering free software which, in reality, is malicious software designed to capture keystrokes. Why do people open these attachments? Because the software is ‘free’. Mitnick explains that “…most of us are eager to get something free that we may be distracted from thinking clearly about the offer or promise being made” (p.93). Another method of getting information is through phoney sites, where the victim is misled into entering their username, password and other details. Mitnick gives examples where social engineers send e-mails claiming to be from PayPal or eBay and requesting users to enter their usernames and passwords; the social engineers then use the acquired credentials to commit fraud.
Throughout the book Mitnick gives other methods of exploiting human nature to gain information, but a final issue he brings up is that “there is no technology in the world that can prevent a social engineering attack” (p.245). Thus, no matter how good the technology meant to stop hackers is, social engineers will find a way round it, and it is usually by exploiting people, bringing us back to the point that humans are the largest threat to security.
Overall, I believe Mitnick raises important issues and shows that we are in fact incredibly vulnerable to attacks from social engineers.
References:
Mitnick, K. & Simon, W. (2003). The Art of Deception. Wiley Publishing, Inc., Indiana.