

[infowar.de] Book by Kevin Mitnick on "social hacking" published



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

http://www.csmonitor.com/2002/1003/p15s02-bogn.html

World's greatest computer hacker raises alarm

By Simson Garfinkel
October 03, 2002 

THE ART OF DECEPTION:
Controlling the Human Element of Secrecy
By Kevin Mitnick
John Wiley & Sons
304 pp., $27.50 

Kevin Mitnick may have been the greatest computer hacker the world has
ever known. At least, the FBI treated him that way. In the 1980s,
Mitnick allegedly broke into computer systems belonging to Pacific
Bell, Digital Equipment, and the North American Air Defense Command.  
In the 1990s, Mitnick became the subject of a nationwide manhunt by
the FBI. The New York Times ran a front-page story about his alleged
attempts to steal cellular telephone software on July 4, 1994. He was
finally apprehended by computer expert Tsutomu Shimomura on Feb. 15,
1995.

Mitnick was held in jail for four years without facing trial because
his attorney never had a chance to review the government's evidence
against him. It was repeatedly withheld on the grounds that releasing
it would compromise national security.

Meanwhile, three books were published on Mitnick's capture - including
one by Shimomura and John Markoff, The New York Times reporter who
many say stepped over ethical lines and participated in the
investigation. Disney and Miramax produced a movie on the caper. It
premièred in France but was shut down by a combination of protests and
a lawsuit.

In the meantime, Mitnick's case became a cause célèbre among many in
the shadowy world of the computer underground. When The New York Times
website was hacked in September 1998, the hacker's message was that
Mitnick had been unfairly targeted. Dozens of websites devote
themselves to the treatment that Mitnick has received. Many others
debunk the government's assertion that he was personally responsible
for more than $80 million in corporate losses.

This backstory is critically important for understanding Kevin
Mitnick's first book, "The Art of Deception," in which the reformed
hacker-turned-security-consultant explains in painstaking detail how
the reliance on modern communications technology has made US
businesses more vulnerable to 19th-century style cons and swindles.

His book contains roughly two dozen case studies of "social
engineering" in which a hacker successfully identifies a piece of
information, gets it, and then vanishes.

One such story describes how a man named Rick Daggot showed up one day
at a small startup robotics company for a meeting with the company's
founder and vice president. Daggot was friendly and well-dressed and
claimed to be joining the company's team. There was just one problem:  
The founder wasn't in town; Daggot had inadvertently come on the wrong
day.

Trying to make the most of a bad situation, Daggot offered to take the
company's receptionist and a few engineers out for lunch. Over drinks
they talked about - what else - the company's top-secret project. A
few days later, Daggot called back, saying that he was in touch with
the founder, and that copies of several key documents should be sent
to the founder's new e-mail account, the only one he could get working
while he was traveling.

Of course, the whole thing was a ruse. The founder was traveling, but
Daggot worked for the competition. Having gained the trust of a few
engineers and gotten the documents he needed, Daggot disappeared. When
the founder returned, he called in the police, but was told that no
crime had taken place. A few months later, the competitor announced a
product that was nearly identical to the one described by the stolen
documents.

Daggot's story is a good one, and there are a lot of them in "The Art
of Deception." But alas, all of these stories have the same problem:  
None of them is true. Under the terms of Mitnick's plea bargain, he's
prohibited from selling his story for 10 years. As a result, this book
shines no light on the crimes that Mitnick allegedly perpetrated - or
on the government's alleged excesses in prosecuting him.

Ironically, it's Mitnick's reputation as a deceiver that gives him the
credibility and even the moral authority to write this book. In
interviews, Mitnick has confirmed that many of these stories are based
on exploits from his past.

Although some will accuse Mitnick of creating a handbook that teaches
crooks how to break into organizations, the truth is that we all need
to understand these con games to protect against them. To stress this
point, his last two chapters contain policies, procedures, and
training that companies can implement to further protect themselves.  
In keeping with his premise that the most damaging security
penetrations are the result of deceit - not technical penetration -
almost none of Mitnick's suggestions is technical in nature.

The most important recommendation is that when somebody contacts you
claiming to be from your organization, you need to verify that they
are working for your organization - no matter whether they are asking
for your help, offering to help you, or just trying to be friendly.

A more controversial suggestion is that organizations should launch
simulated "social engineering attacks" on their own employees.  
Although the training would be invaluable, Mitnick acknowledges that
some companies might not want to intentionally lie to their employees.

"Nine out of every 10 large corporations and government agencies have
been attacked by computer intruders," states Mitnick, basing his
analysis on the Computer Security Institute's annual survey. Let's
hope that if they implement the strategies in this book, companies
that are attacked won't be so easily penetrated.


Simson Garfinkel is a graduate student at the MIT Laboratory for
Computer Science, and the author of numerous books on computers,
security, and privacy.
