Feeds

The Art of Intrusion

The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Intelligent flash storage arrays

Book review I'm not that keen on the word “hacker” in the modern, pejorative sense (I remember when it meant a good UNIX programmer) and I'm generally not that that impressed by hackers either - mostly they're not particularly clever and just got lucky.

The art of Intrusion book cover So, I came to this book, newly released in paperback at a lower price, in a not very positive frame of mind; except I do think that the famous Kevin Mitnick was unfairly demonised, and I'm not sure how much actual damage he did in the end. Although unauthorised intrusion into production systems is always bad, what chance is there they were tested for resilience during the sorts of things intruders do, for example.

In fact, however, I was won over pretty quickly (although Charles Arthur, see links, was less impressed). It’s an enjoyable and accessible read (perhaps thanks to Mitnick’s co-author), once you skip the somewhat overdone seven page Acknowledgements chapter. More than that, it’s an “ethical hacking course” in miniature. Well, it’s not quite the same as a professional course from the likes of ISS (which goes into much more detail on the legalities and realities of risk mitigation), but it does touch on the ethics of social engineering, the desirability of imposing Non Disclosure Agreements (NDAs) on penetration testers, and the like. It also looks at the character and motivation of the hacker – and learning about this is a vital first step in defending oneself. All too often highly ethical systems managers build defences against people like themselves, and such people simply aren’t a threat.

The book is loosely structured as a set of “anti-patterns” (my term). There’s a story around an exploit, clearly and objectively told (hackers, we learn, don’t always tell the truth and sometimes exaggerate their prowess), some insight that can be deduced from the story, countermeasures you can take, and a bottom line lesson to learn. This is documentation of a recognised bad place, its consequences, and a path back to where you’d like to be.

Exploits covered range from exploiting the pseudo random nature of numbers controlling a gambling machine, through terrorist information gathering and hacking from jail, to hacking City computers from the WAN through internal networks. Mitnick doesn’t limit himself to code exploits, but covers hardware exploits and social engineering too. Most of the specific issues enabling these exploits have been addressed, but they remain valuable guides to the sort of real threats facing IT installations (and the book is worth buying if it only alerts you to the possibilities of social engineering).

Isn’t sharing this sort of information dangerous – unethical? No, the bad guys know it already. The only people who don’t are some of the overworked, highly-ethical, IT professionals who look after our systems security. I was also pleased to see that Mitnick doesn’t usually over-glamorise his subjects or stray into the realms of the mythical Russian (usually) computing genius that no mere mortals can control. You really can do something about unauthorised intrusion into your systems and, after reading this book, there’s even less excuse for the sort of careless oversights that make hacking possible.

A company CEO, for example, might want to ask his IT manager to explain just why SQL Injection, say, wouldn’t work on his company’s eCommerce site. I think this book tells him enough to let him see if people are trying to pull the wool over his eyes about security. It will also give IT professionals some ammunition if they need to convince their bosses that systems security must be built in from the first, not bolted on by a new management after an expensive and embarrassing security incident has almost bought the company to its knees.

David Norfolk is the author of IT Governance, published by Thorogood. More details here.

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Verdict: Should be required reading for anyone interested in IT security. After you’ve read it, you’ll have some idea of what you’re up against and what you might do about it. Oh, and it’s a good read too.

Author: Kevin D. Mitnick; William L. Simon

Publisher: Wiley

ISBN: 0471782661

Media: Book

List Price: £11.99

Reg price: £9.59

Intelligent flash storage arrays

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.