The weakest link in the world of computer and network security today is the human factor. This is the basic premise of The Art of Deception, authored by Kevin Mitnick and William Simon.
The Art of Deception: Controlling the Human Element of Security. Kevin Mitnick and William Simon. Wiley Dreamtech (Indian edition; 2003). Rs 295/-
Kevin Mitnick is a legendary hacker who dodged the FBI and other law enforcement authorities in the US for years before he was nabbed in 1995 with the help of an equally brilliant, if not more brilliant, cyber detective and security expert, Tsutomu Shimomura. The absorbing cat-and-mouse game between Shimomura and Mitnick is chronicled in the best-selling book Takedown (Hyperion, 1996).
Mitnick was an expert at phone phreaking: fiddling with the switches of the telecom companies to make them do as he pleased. This included helping himself to toll-free calls as well as forwarding interesting phone numbers to destinations of his liking. One of the incidents Mitnick describes in this book is how one could forward the number that police officers in a particular US state call to look up information on criminals, to one's own phone. The officers calling in would then volunteer their identities and the other authentication details the service normally asks for, and that information could in turn be used to masquerade as a police officer. The lesson is that a phone number is not an authenticator: whoever controls where the call lands controls the conversation.
Some of Mitnick's firsts were the first real-life use of IP spoofing attacks and using, or rather abusing, the Unix trust relationship between computers (the rlogin/rhosts style of host-based trust, where a machine accepts connections from a trusted address without a password) to effect break-ins. Another of Mitnick's favourite accomplishments, if one may call it that, was hacking into the e-mail of Eric Allman, the author of the famous Unix mail server program sendmail. The intent was that since security bugs in sendmail and discussions regarding them used to be reported to the sendmail author, Mitnick could mine them for ideas on breaking into systems. In fact, Mitnick was nabbed after he hacked into Shimomura's system to obtain a particular program from a mobile phone company: software that would eventually have helped Mitnick become invisible on the cellular network. Mitnick has now served his sentence, is out of jail and off probation, and has been permitted to use a computer since January.
The main theme of The Art of Deception is best illustrated in Mitnick's own words:
"Security is not a technology problem: it's a people and management problem. As developers invent continually better security technologies, making it increasingly difficult to exploit technical vulnerabilities, attackers will turn more and more to exploiting the human element. Cracking the human firewall is easy, requires no investment beyond the cost of a phone call, and involves minimal risk."
Incidents & anecdotes
The book describes a number of incidents, most of them fictional, but all highly plausible. Most of the incidents depicted have a common thread running through them, in the sense that the techniques are similar: small, innocuous-seeming pieces of information are collected one at a time and then combined into a convincing pretext.
For instance, consider the case where one wants to lay one's hands on someone's credit report, held by a credit bureau. Mitnick suggests the following strategy. One first does thorough research on how a credit bureau operates with its customers. The customers of a credit bureau are merchants who call the bureau to get information on the credit history of their own customers. Mitnick would make himself familiar with the terminology of the business. Then he would pose as someone from the credit bureau, or someone commissioned by the bureau to survey its customers. He would call the merchants that deal with the bureau and ask some innocuous-sounding questions about their satisfaction with the bureau's service, as part of the survey he claims to be carrying out. In between, he would slip in a question that elicits the information he actually wants; in this case, it could be asking them for their merchant ID.
Having succeeded in the first step, Mitnick now calls the credit bureau posing as the merchant, furnishes the merchant ID, and asks for the credit report of the particular person he is interested in. Of course, he needs more information to pull this off. He may need the toll-free number of the credit bureau, a number that is given out only to the bureau's customers. Mitnick would have found it out in an equally intelligent manner through the survey, with a question such as "Which of our toll-free lines are you currently using?" The point to note is that the merchant ID and the unlisted number are the only things the bureau uses to authenticate a caller, so anyone who has collected them is, as far as the bureau can tell, the merchant.
Mitnick has other techniques for looking like an authentic entity. For instance, he can spoof caller IDs; he mentions real-life incidents where he spoofed the caller ID so that the receiver thought the call was coming from the White House. Mitnick used this technique to get the attention of the programme director of the radio station where he was co-hosting a programme called The Dark Side of the Internet. The caveat for the reader is the same as with phone numbers above: a caller ID display is information supplied by the caller's side of the network and should never be treated as proof of identity.
The book is full of interesting anecdotes about how social engineers operate. Social engineering, by the way, is the art of eliciting sensitive information by talking one's way through. Another incident involves obtaining the secret codes that banks use to authorise callers before giving out information on customers. Mitnick's techniques are highly sophisticated. For instance, he would call a person in the bank, posing as someone from another bank (giving the right branch number he is supposedly calling from, and so on), first just to learn her name, and also to quietly find out when she would be out for lunch. Then, during that window, he would call her colleague, tell him that she had promised something, and literally talk him into giving out a secret code, stressing that it is urgent. More steps are involved before he can get his job done, but basically a high level of people skills and the quick thinking not just to get out of a tricky situation but to turn it to his favour are part of his skills. Mitnick gives other insights too. For instance, he points out that a business card appropriate to whatever the occasion demands can be printed within an hour, so don't rely on someone's business card to ascertain his or her authenticity.
Security solutions
Mitnick also suggests solutions to the problems of security
that he talks about in this book. Every incident described
is followed by an analysis, which includes a description of
the reasons why the incident happened, what the mistakes were,
what was not taken care of, as well as ways and means of fixing
the problem. The last part is a list of security policies
Mitnick recommends a company should have as part of its security
repertoire.
The book is a nice read. Some of the techniques used to elicit information may not be new to Indians. For instance, IT job placement agents in Bangalore routinely use innovative techniques to get past the receptionists screening calls at IT firms and reach potential candidates on the phone; however, Mitnick goes much further. In fact, it may be possible to develop a whole theory of social engineering on the basis of the material in this book.
Reactions
There have been many reactions to the Mitnick book. A chapter, said to be the book's original first chapter and rumoured to have been rejected by the publisher, is floating around on the Internet. This chapter talks about Mitnick's friendship and tiff with the New York Times reporter John Markoff, who covers cyber security issues. Markoff co-authored with Shimomura the book Takedown mentioned above. Among the other interesting reactions to the book is one by Simson Garfinkel, a co-author of the famous book Practical Unix Security. Garfinkel argues that technology can be used to tackle many of the problems that Mitnick describes in this book; in other words, the security holes may be due to the human factor, but the solution could still be technological.
Mitnick is not against technology. In fact, the book itself is an interesting combination of technology and the human factor. It goes without saying that The Art of Deception is a must-read for those interested in security and hacking, and, as one of the reviews on the flap of the book says, reading it is like reading the climaxes of a dozen complex thrillers one after another.
Mitnick has now started a company called Defensive Thinking, which aims to help companies defend themselves against cyber attacks and the like. However, just a couple of weeks ago, Mitnick's own site was hacked. No damage was done; only a Web page was defaced and a message posted welcoming Mitnick to freedom. The hack is more illustrative of the affection Mitnick enjoys among the hacker community. However, it is pertinent to note that the transition from top-class hacker to security expert may after all not be so easy. It may take a few years at least, even for Mitnick.
Till then, however, the enduring image of Mitnick that comes to my mind is that of a hacker sitting in a corner of a Raleigh, North Carolina apartment in the middle of the night, using his cellphone modem to get onto the Internet and breaking into Shimomura's computer on the other side of the US.