Secrets that are just a click away

The Art of Deception - World without Secrets

November 15, 2002

It is generally acknowledged that the world has been changed for ever by the massive proliferation of personal and other kinds of computerised data, information and knowledge. But however much the change may be seen as being for the better, there is an undeniably sinister Big Brother aspect to the ubiquitous availability of such data, one with rather disturbing implications for the future direction of society.

Data in computers can all too easily fall into unauthorised hands; and deliberate digital attacks can potentially sabotage critical infrastructure, such as banking systems, power plants and the routing of aircraft above our cities, and even prepare the way for terrorist attacks. During 2002, digital attacks increased - with more than 15,500 overt hacker attacks in October alone - and the economic damage through overt and covert attacks, as well as from computer viruses and worms, is running at an estimated $35 billion a year. Both these books - one written by a computer security expert, the other by a former computer hacker-turned-security expert - are therefore timely and likely to appeal to the general reader as much as to those charged with protecting computerised data.

World without Secrets by Richard Hunter (of the Gartner Group) is written with a mixture of eloquence and frivolity that makes the book difficult to put down. It is carefully crafted from numerous interviews with people at the sharp end, and the many anecdotes are pulled together to create a well-rounded and multi-faceted story. There are a few minuses, however. The interviews are frequently quoted verbatim, which means that some remarks seem out of context. More seriously, the book makes predictions for future technological capabilities, starting from 2003, without sufficient coverage of the history of computer security. Furthermore, an overall framework is lacking. For example, there is no sustained discussion of recognised principles for handling data, tackling as one the issues of confidentiality, integrity, authentication and non-repudiation (known, a touch ironically, as CIA-NR issues).

The book begins with an examination of data mining, in other words the "intensive analysis of large masses of structured, factual data". Because the activity of everyone using the internet is, in one way or another, stored, as our dependence on the internet grows, so will the quantity of stored information about us all. The results from analysing this material are undoubtedly of incalculable value from a marketing angle and are already treated as a commodity in a range of ways.

While this is familiar stuff, it leads Hunter to a less obvious and important point. The commonly held view that if you do not use the internet for purchasing purposes you can feel more secure, is erroneous. Any commercial transaction involves and generates computerised data, whether the transaction is carried out over the internet, by phone or face to face. The data can at some point be accessed by others; and US law may not necessarily permit individuals to prevent these others from utilising "their" data. Inevitably, the more extensively an individual's personal information is distributed, the more likely it is that identity theft for fraudulent purposes will increase.

Hunter outlines various technological ways, both actual and under development, in which personal information can be recorded, stored and - what is the most difficult to grasp from a legal security perspective - analysed. He paints a picture of a world where information is being Hoovered up at every conceivable opportunity: not just from the internet but also from the streets, our cars, even our homes. He believes that a "world without secrets", where all information is freely and extensively available, is virtually unavoidable. It has already happened in the software and music industries, with profound and far-reaching consequences, as he shows in two chapters devoted to these industries.

But, of course, what is done to organise this information is what makes it valuable, through the translation of raw information into knowledge. The adage "knowledge is power" rings clearly throughout this book. For Hunter, power will increasingly be defined as the ability to provide timely, limited and structured information to those who require it. Many businesses are willing to take bigger and bigger risks in providing such information for the sake of the obvious benefits if the risks pay off.

For these businesses, misuse of information by insiders is the trickiest problem and the most common stumbling block for those executives trying to improve the security of commercially sensitive information. Here, another adage comes into play: "where there is a will there is a way". If an employee is hell bent on stealing or destroying information, he or she will in most instances be more than capable of doing so, if not in person then through confidence tricks on fellow employees or even blackmail.

The implications of the wide availability of hacker tools on the internet are examined. Hunter shows that there are in effect no barriers to entry and exit for would-be participants in a cyber war. In conclusion, he investigates the concept of a "digital Pearl Harbor", as defined by the Federal Bureau of Investigations's National Infrastructure Protection Committee, and provides intelligent and sensible insights into the likely nature and extent of this medium of conflict. At the end of the book comes a highly appropriate appeal for readers to appreciate that "disregard for the sanctity of information must be treated as seriously as disregard for borders once was".

Kevin Mitnick, author of The Art of Deception , is one of the hacker gurus of our time, who for many years had no regard at all for the "sanctity of information". But since his release from a US federal prison in 2000, after being convicted of computer-security offences, he has "turned gamekeeper" by acting as a security consultant to corporations. He has also testified before the US Senate on the security of government IT systems.

His book (written with the help of a professional writer, William Simon) is in essence about how to protect yourself and your company from what for many years he himself enjoyed doing most: hacking into other people's computers - not for financial gain, just for fun and out of intellectual curiosity. For him it involved not just hacking but also "social engineering", which Mitnick defines as "getting people to do things they wouldn't ordinarily do for a stranger". A social engineer has IT skills, naturally, but he is also able to lie convincingly to company employees, gain their trust and then exploit it.

Anyone, any time, any place is at risk. The social engineer knows that the best route to the information he is chasing is by taking the path of least resistance. If you want something, just ask the right people for it in an intelligent fashion. Typically, the information is about three or four phone calls away.

By making a few well-placed calls to well-chosen individuals, often junior employees, the social engineer can learn a lot about the company he is targeting. The phone is the preferred method of "attack" because it maintains a distance between the attacker and the target. The personal approach is strongly discouraged unless the potential benefit is enormous. As his knowledge increases, the social engineer is in a position to target the next step in the chain. By the time he reaches the last person, the one who can give out the crucial information, such as a password, he has built up a series of relationships with the key person's employees or superiors. A good excuse, a plausible motivation, a reasonable knowledge of the company and the lingo used by the employees - and the social engineer enters the IT system through the front door. It is difficult to say no to a caller who comes with such satisfactory references, especially when he is apparently someone doing an important job, such as a consultancy on behalf of your company.

Mitnick's vast experience in the field allows him to introduce a huge range of convincing scenarios and examples, some of them apparently fictitious, in which the tactics of the successful social engineer are thoroughly explained. Each tactic comes with a preventive technique to deal with the type of deceit in question. Both the tactics and the countermeasures would appear to be masterable by anyone, given sufficient practice. The last part of the book discusses how corporations should protect themselves and recommends some detailed security policies.

A drawback is that Mitnick regularly promotes his website, www.freekevin.com , where the visitor is encouraged to make donations towards his legal costs, probably in a romanticising attempt to appeal to aspiring hackers.

The most vital point in the book is that most digital attacks do not directly target computers and advanced technological devices. They target human beings, the weakest link in the security chain. An attack on the computer itself - quite often the server containing precious information and secrets - is the last resort of the social engineer. A direct attack is more likely to fail as a result of firewalls, intrusion detection systems and encrypted transmissions. People are more helpful than technology. The book makes it abundantly clear that everyone can be fooled and cheated by the professionals. This is why, if a company really wants to secure its business, it has to begin with its employees and its staff policies, with the help of technology, of course. By knowing the social engineer's modus operandi , as well as following the company's security procedures, employees can prevent criminal offences and save company assets.

But applying such security measures brings with it a series of restrictions that can limit the efficiency of a company. "Corporate security is a question of balance," writes Mitnick. "The challenge is to achieve a balance between security and productivity." As always in the security field, high levels of security and efficiency are not necessarily complementary in a company. There is a choice to make and a risk to take; and the choice is not easy.

D. K. Matai is executive chairman, mi2g, a company specialising in computer security.

The Art of Deception: Controlling the Human Element of Security

Author - Kevin D. Mitnick and William L. Simon
ISBN - 0 471 23712 4
Publisher - Wiley
Price - £19.95
Pages - 368

Register to continue

Why register?

  • Registration is free and only takes a moment
  • Once registered, you can read 3 articles a month
  • Sign up for our newsletter
Register
Please Login or Register to read this article.

Sponsored