Thursday, 30 January 2014
The Art of Deception - A Book by Kevin Mitnick
I've always enjoyed reading about the art of social engineering, and I even wrote an article for Pentestmag entitled "Social Engineering: Penetration Testing the Human Element" back in 2013. So I got this book from Amazon, and yes, Kevin goes in depth into this art, sharing scenarios and ways to prevent such things from happening.
Here are some of the contents that interest me.
On Stanley Rifkin
"A few days later Rifkin flew to Switzerland, picked up his cash, and handed over $8 million to a Russian agency for a pile of diamonds. He flew back, passing through U.S. Customs with the stones hidden in a money belt. He had pulled off the biggest bank heist in history-and done it without using a gun, even without a computer. Oddly, his caper eventually made it into the pages of the Guinness Book of World Records in the category of "biggest computer fraud." Stanley Rifkin had used the art of deception-the skills and techniques that are today called social engineering. Thorough planning and a good gift of gab is all it really took. And that's what this book is about - the techniques of social engineering and how to defend against their being used at your company."
"On the surface this appears to be a simple message to get across to employees. It's not, because to appreciate this idea requires that employees grasp how a simple act like changing a password can lead to a security compromise. You can tell a child "Look both ways before crossing the street," but until the child understands why that's important, you're relying on blind obedience. And rules requiring blind obedience are typically ignored or forgotten."
Educating Cleaners and Piggybacking
"Also, cleaning crews should be trained about piggybacking techniques (unauthorized persons following an authorized person into a secure entrance). They should also be trained not to allow another person to follow them into the building just because the person looks like they might be an employee."
On Security vs Productivity
"Of course, corporate security policy should mandate system administrators to enforce security policy through technical means whenever possible, with the goal of not relying on fallible humans any more than necessary. It's a no-brainer that when you limit the number of successive invalid login attempts to a particular account, for example, you make an attacker's life significantly more difficult.
Every organization faces that uneasy balance between strong security and employee productivity, which leads some employees to ignore security policies, not accepting how essential these safeguards are for protecting the integrity of sensitive corporate information."
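The technical control the passage mentions, limiting successive invalid login attempts, as an added Python example (not code from the book or from this post). The thresholds, the sample account and its password are assumed for illustration, and an injectable clock stands in for real time so the backoff can be exercised without waiting. The example goes one step beyond a fixed lockout: each repeated lockout doubles the wait, the lockout is enforced before the password is even checked, and unknown usernames cost the same hashing time as known ones so the response does not reveal which accounts exist.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy knobs: assumed values for illustration, not taken from the book.
MAX_FAILURES = 5              # consecutive failures allowed before lockout
BASE_LOCKOUT_SECONDS = 60.0   # first lockout; doubles on each repeat
MAX_LOCKOUT_SECONDS = 3600.0  # cap on the exponential backoff
PBKDF2_ROUNDS = 100_000       # slow hash so offline guessing is costly too


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AccountState:
    salt: bytes
    pw_hash: bytes
    failures: int = 0        # consecutive failures since the last success
    lockouts: int = 0        # lockouts without an intervening success; drives backoff
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account failed-login counter with exponential lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}
        # Unknown usernames are hashed against this dummy so the response time
        # does not leak whether the account exists.
        self._dummy_salt = os.urandom(16)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = AccountState(salt, hash_password(password, salt))

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'bad_credentials'.

        Unknown users receive 'bad_credentials', the same answer as a wrong
        password, so the message itself does not enumerate accounts.
        """
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            hash_password(password, self._dummy_salt)  # spend the same time
            return "bad_credentials"
        if now < acct.locked_until:
            # Refuse without checking the password: a locked account gives the
            # attacker no signal, and guesses during lockout do not extend it.
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            acct.lockouts = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            delay = min(BASE_LOCKOUT_SECONDS * 2 ** acct.lockouts, MAX_LOCKOUT_SECONDS)
            acct.lockouts += 1
            acct.locked_until = now + delay
        return "bad_credentials"


class FakeClock:
    """Controllable clock so the lockout window can be exercised without sleeping."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list[str]:
    """Five wrong guesses lock the account; the right password only works
    once the window has passed. Account and password are constructed."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    throttle.add_user("anna", "correct horse battery staple")
    results = [throttle.attempt("anna", f"guess{i}") for i in range(MAX_FAILURES)]
    results.append(throttle.attempt("anna", "correct horse battery staple"))  # locked
    clock.advance(BASE_LOCKOUT_SECONDS)
    results.append(throttle.attempt("anna", "correct horse battery staple"))  # ok
    results.append(throttle.attempt("nobody", "anything"))                    # bad_credentials
    return results


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would add: lockout is itself an attack surface, since anyone who knows a username can lock the legitimate user out, which is why the example backs off rather than locking permanently, and why per-source throttling and alerting on lockouts belong alongside it.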
On using the power of Authority
"Because Kurt was pretexting as a vice president in his conversation with Anna, a clerk in Finance, he knew that it would be very unlikely that she would question his authority. On the contrary, she might entertain the thought that helping a VP could gain her favor."
A Potential Fatal Mistake
"The nurses who received these instructions did not know the caller. They did not even know whether he was really a doctor (he was not). They received the instructions for the prescription by telephone, which was a violation of hospital policy. The drug they were told to administer was not authorized for use on the wards, and the dosage they were told to administer was twice the maximum daily dosage, and thus could have endangered the life of the patient."
Double Standards on Spyware?
"Antivirus software doesn't detect commercial spyware, thereby treating the software as not malicious even though the intent is to spy on other people. So the computer equivalent of wiretapping goes unnoticed, creating the risk that each of us might be under illegal surveillance at any time. Of course, the antivirus software manufacturers may argue that spyware can be used for legitimate purposes, and therefore should not be treated as malicious. But the developers of certain tools once used by the hacking community, which are now being freely distributed or sold as security-related software, are nonetheless treated as malicious code. There's a double standard here, and I'm left wondering why."
On Baiting the Victims
"The attacker sends emails claiming that the first 500 people to register at the company's new Web site will win free tickets to a hot new movie. When an unsuspecting employee registers at the site, he is asked to provide his company email address and to choose a password. Many people, motivated by convenience, have the propensity to use the same or a similar password on every computer system they use. Taking advantage of this, the attacker then attempts to compromise the target's work and home computer systems with the username and password that have been entered during the Web site registration process."
On the need to challenge the executives
"Employees must be trained not to assist people they do not personally know, even if the person making the request claims to be an executive. Once security policies concerning verification have been put in place, management must support employees in adhering to these policies, even when it means that an employee challenges a member of the executive staff who is asking the employee to circumvent a security policy."