20CN网络安全小组论坛 - 黑客进阶 - 关于《欺骗的艺术》之3

论坛: 黑客进阶标题: 关于《欺骗的艺术》之3

作者: coki [coki]

论坛用户

《THE ART OF DECEPTION》
  By  Kevin Mitnick & William Simon

“…a tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone.  As entertainment, it’s like reading the climaxes of a dozen complex thrillers, one after the other.”
-- Publishers Weekly

“You might think as you read some of the stories…that they’re not possible, that no one could really succeed in getting away with the lies, dirty tricks, and schemes described in these pages.  The reality is that in every case, these stories depict events that can and do happen; many of them are happening every day somewhere on the planet, maybe even to your business as you read this book.”
-- Kevin Mitnick, The Art of Deception

According to The Computer Security Institute, 85 percent of organizations responding to its 2001 survey of computer crime reported they had detected computer security breaches in the preceding twelve months.  An equally astounding 64 percent reported they had experienced financial losses due to computer breaches in the same time period.  A similar survey conducted by the FBI and reported by the Associated Press in April 2002 indicated computer intruders have attacked nine out of every ten large corporations and government agencies.  Companies can purchase the best security technologies money can buy, train their people to lock up all their secrets before going home at night, and hire building guards from the top security firms in the business.  But according to Kevin Mitnick, a legendary computer hacker turned security consultant to corporations worldwide, those companies are still utterly vulnerable and security too often an illusion.

In THE ART OF DECEPTION (John Wiley & Sons; $27.50;Cloth; ISBN: 0-471-23712-4; October, 2002), Mitnick invites readers into the mind of the computer hacker and reveals how to guard against the gravest computer security risk of all―human nature.  Using realistic but fictional scenarios of successful cons, swindles, and attacks on businesses, organizations, and government institutions, Mitnick illustrates the extent to which even the most locked-down information systems are susceptible to social engineers―hacker con artists who deceive influence or manipulate trusted employees into revealing information, or perform actions that create security holes they can slip through.  He writes, “As developers invent continually better security technologies, making it increasingly difficult to exploit technical vulnerabilities, attackers will turn more and more to exploiting the human element.  Cracking the human firewall is often easy, requires no investment beyond the cost of a telephone call, and involves minimal risk.”

The Art of Deception is loaded with a wide range of information crucial to any company looking to protect itself from computer intruders, vandals, disgruntled employees and industrial spies.  It includes Lingo boxes containing definitions of social engineering and computer hacker terminology, Mitnick Messages offering brief words of wisdom to help companies strengthen their security strategies, and notes and sidebars providing interesting background or additional information.   Written in an engaging and highly readable manner reminiscent of a true-crime novel, and narrated from the point of view of both the attacker and the victim, the book explores why various attacks are so successful and how they might be averted.

Highlights of THE ART OF DECEPTION include:

¨ Why virtually any company is at risk from social engineering attacks.  Mitnick writes, “Commercial security products in most companies are mainly aimed at providing protection against the amateur computer intruder, like the youngsters known as script kiddies.  In fact, these wannabe hackers with downloaded software are mostly just a nuisance.  The greater losses, the real threats, come from sophisticated attackers with well-defined targets who are motivated by financial gain.”

¨ An exploration of the hidden value of seemingly innocuous information, and the ways in which social engineers use innocent, everyday and unimportant information gleaned from “harmless” conversations with their targets or seemingly useless documents to dress themselves in a cloak of believability.

¨ Why our national character contributes to our vulnerability.  Mitnick writes, “We’re not trained to be suspicious of each other.  We are taught to ‘love thy neighbor’ and have trust and faith in each other.  We know that all people are not kind and honest, but too often we live as if they were.  This lovely innocence has been the fabric of the lives of Americans and it’s painful to give up.”

¨ The ways in which social engineers anticipate suspicion and resistance, and the tactics they use to turn distrust into trust.  Mitnick writes, “A good social engineer plans his attack like a chess game, anticipating the questions his target might ask so he can be ready with the proper answers.”

¨ How social engineers trick their targets by offering to help solve problems that they themselves have secretly caused.  Mitnick writes, “We’re all grateful when we’re plagued by a problem and somebody with the knowledge, skill, and willingness comes along offering to lend us a hand.  The social engineer understands that, and knows how to take advantage of it.  He also knows how to cause a problem for you…then make you grateful when he resolves the problem.”  Mitnick also examines the other side of the “Can I help you?” coin: the social engineer who manipulates by pretending he needs his victim to help him.

¨ How social engineers use a large measure of knowledge and skill with computer systems and telephone systems to manipulate people into doing things that help them achieve their goals.  Mitnick explores the most common Internet scams.  He shows how social engineers use come-on email attachments and “free software” to take advantage of our natural desire to get a free gift, and how they use computer viruses, Trojan horses, and worms not to do damage but to carry out successful strikes against specific targets.  He also explains how to spot malicious software and become virus savvy.

¨ How social engineers use guilt, sympathy, and intimidation to get what they want by stimulating their targets’ emotions.  Mitnick writes, “We all want to avoid difficult situations for ourselves and others.  Based on this positive impulse, the attacker can play on a person’s sympathy, make his victim feel guilty, or use intimidation as a weapon.”

¨ A comprehensive look at what happens when social engineers up the ante by gaining physical access to corporate premises in order to thwart high-tech security measures and steal the kinds of secrets that can make or break a company.

¨ Why new employees provide prime targets for social engineers.  Mitnick writes, “An attacker targets entry-level employees because they are typically unaware of the value of specific company information or of the possible results of certain actions.  Also, they tend to be easily influenced by some of the more common social engineering approaches.”  Mitnick shows how even the most security conscious employee―following established procedures to verify callers making requests―can be duped by a sophisticated attacker.

¨ Detailed accounts of specific strategies, swindles and cons.  Mitnick reveals what so-called phone phreaks (hackers who specialize in exploiting phone systems and phone company employees) discovered years ago: a slick method for getting unlisted phone numbers.  He illustrates several different methods attackers use to convince even alert, suspicious employees to reveal their computer usernames and passwords.  He shows how an Operations Center manager cooperated in allowing an attacker to steal his company’s most secret product information.  And he describes the methods of an attacker who manipulated his target into downloading software that spied on every computer keystroke she made and emailed the details to him.

THE ART OF DECEPTION concludes with a look at what Mitnick describes as the only truly effective way to mitigate the threat of social engineering: properly used security technologies combined with security policies that set ground rules for employee behavior, and appropriate education and training for employees.  Mitnick offers a complete security policy that can be adapted, customized, and immediately implemented by any organization looking to keep itself and its information safe.  He also provides a “Security at a Glance” section, including checklists, tables, and charts, that summarizes key information anyone can use to help their employees foil a social engineering attack on the job, or devise their own security-training program.

About the Author:
Kevin Mitnick is a security consultant to corporations worldwide.  He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government’s information systems.  His articles have appeared in Newsweek, Time, and other major news magazines and trade journals, and he has appeared in Court TV, Good Morning America, 60 Minutes, and CNN’s Burden of Proof, Headline News, and Street Sweep.  He has been the subject of several books, including the best-selling Fugitive Game.

About Wiley:
Wiley is a global knowledge company with a diverse portfolio of technology, business, consumer and how-to brands, computer-based learning tools, Web-based products and Internet e-services.  Wiley's best-selling brands and imprints include Jossey-Bass, For Dummies, Betty Crocker, Culinary Institute of American (CIA), Bible, CliffsNotes, Frommer’s, Unofficial Guides, Visual, Weight Watchers, Ernst & Young, JK Lasser, and Webster’s New World.  Wiley has thousands of active titles in 39 languages and also owns the Websites www.cliffsnotes.com, www.dummies.com and www.frommers.com.

Founded in 1807, Wiley provides must-have content and services to customers worldwide.  Its core businesses include scientific, technical and medical journals, encyclopedias, books and other online products and services, professional and consumer books and subscription services and education materials for undergraduate and graduate students and lifelong learners. Wiley has publishing, marketing and distribution centers in the United States, Canada, Europe, Asia and Australia. The company is listed on the New York Stock Exchange under the symbols JWa and JWb.  Wiley’s Internet site can be accessed at http://www.wiley.com. (c) 2002 Wiley.  All rights reserved.

#           #          #

地主发表时间: 06/01 15:55

回复: coki [coki]

论坛用户

大家来看一下，这是一篇不错的文章呀，大家不要错过呀

B1层发表时间: 06/08 17:50

回复: upxshell [kuangren]

论坛用户

看的头大

B2层发表时间: 06/20 18:02

论坛: 黑客进阶