The Art of Intrusion review

Editors' Rating: 8.0 (Excellent)

The Art of Intrusion

Wendy M Grossman ZDNet.co.uk

Published: 19 Apr 2005

It's ten years since the media were awash with the story of the US-wide chase and eventual capture of Kevin Mitnick, billed in song, story and the New York Times as the archetypal 'dark side' hacker. The Art of Intrusion is the second book produced by Mitnick in collaboration with writer William L. Simon since Mitnick's release from jail. In the first, The Art of Deception, Mitnick drew heavily on his own experience in 'social engineering' -- his term for convincing people to tell him things they shouldn't, to allow him access to company computer systems.

In The Art of Intrusion, which is subtitled The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers, Mitnick and Simon tell stories of cracks into everything from Las Vegas casinos to corporate networks, based on interviews with the crackers themselves (most of the names have been changed to protect the guilty and the cracked-into). Each story gets a chapter that includes a description of the crack and how it was carried out, followed by a set of lessons for companies to take away and implement.

The trio who managed to win persistently at Las Vegas casinos for several years before one of them was caught, for example, relied on flaws in the random number generator that made it possible to predict the slot machines' sequences of results. They had been able to buy identical machines legally, disassemble them, extract the ROM chips, and read the program used to control the machines. The lessons: use tamper-proof chips and protect the firmware from reverse-engineering.

In another case, a hacker who managed to obtain access to a number of large corporations (Microsoft, Excite@Home, and the New York Times among them) did so in part by collating information made publicly available by WHOIS databases and DNS records, as well as email headers. Here, Mitnick and Simon propose network configurations to limit some of the information that computers can divulge.

Mitnick and Simon draw their examples from all sorts of situations: the pair who managed to finagle themselves 24/7 online (dial-up) access from prison, where they were not supposed to be connected to the Internet at all; the time the l0pht -- a Boston-based hacker collective -- did a penetration test on the network belonging to a company interested in buying them; the English duo who targeted a company that transports money and prisoners, eventually telling the company how they'd accessed its internal systems. The reasons these various cracks worked were different in each case: lack of knowledgeable supervision; arrogance on the part of company executives, who didn't understand that the l0pht members might be able to penetrate far enough to read and hear their internal discussions of the prospective purchase; vulnerabilities of administrators' notebooks.

This probably isn't a book you'll want to sit down and read straight through, even though the technical detail is admirably explained for a general audience. Reading about other people's hacking exploits is a little like reading about other people's dreams -- you only want to do it a bit at a time. Still, it's valuable for any company manager or security person to understand just how clever crackers can be, and how many vulnerabilities and openings there are for them to exploit.

Overview

The Art of Intrusion

Editors' rating: 8.0

Verdict: This book will help anyone involved in computer security to understand just how clever crackers can be, and how many vulnerabilities and openings there are for them to exploit.

Typical price: £17
