Feeds

The Art of Intrusion

The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Using blade systems to cut costs and sharpen efficiencies

Book review I'm not that keen on the word “hacker” in the modern, pejorative sense (I remember when it meant a good UNIX programmer) and I'm generally not that that impressed by hackers either - mostly they're not particularly clever and just got lucky.

The art of Intrusion book cover So, I came to this book, newly released in paperback at a lower price, in a not very positive frame of mind; except I do think that the famous Kevin Mitnick was unfairly demonised, and I'm not sure how much actual damage he did in the end. Although unauthorised intrusion into production systems is always bad, what chance is there they were tested for resilience during the sorts of things intruders do, for example.

In fact, however, I was won over pretty quickly (although Charles Arthur, see links, was less impressed). It’s an enjoyable and accessible read (perhaps thanks to Mitnick’s co-author), once you skip the somewhat overdone seven page Acknowledgements chapter. More than that, it’s an “ethical hacking course” in miniature. Well, it’s not quite the same as a professional course from the likes of ISS (which goes into much more detail on the legalities and realities of risk mitigation), but it does touch on the ethics of social engineering, the desirability of imposing Non Disclosure Agreements (NDAs) on penetration testers, and the like. It also looks at the character and motivation of the hacker – and learning about this is a vital first step in defending oneself. All too often highly ethical systems managers build defences against people like themselves, and such people simply aren’t a threat.

The book is loosely structured as a set of “anti-patterns” (my term). There’s a story around an exploit, clearly and objectively told (hackers, we learn, don’t always tell the truth and sometimes exaggerate their prowess), some insight that can be deduced from the story, countermeasures you can take, and a bottom line lesson to learn. This is documentation of a recognised bad place, its consequences, and a path back to where you’d like to be.

Exploits covered range from exploiting the pseudo random nature of numbers controlling a gambling machine, through terrorist information gathering and hacking from jail, to hacking City computers from the WAN through internal networks. Mitnick doesn’t limit himself to code exploits, but covers hardware exploits and social engineering too. Most of the specific issues enabling these exploits have been addressed, but they remain valuable guides to the sort of real threats facing IT installations (and the book is worth buying if it only alerts you to the possibilities of social engineering).

Isn’t sharing this sort of information dangerous – unethical? No, the bad guys know it already. The only people who don’t are some of the overworked, highly-ethical, IT professionals who look after our systems security. I was also pleased to see that Mitnick doesn’t usually over-glamorise his subjects or stray into the realms of the mythical Russian (usually) computing genius that no mere mortals can control. You really can do something about unauthorised intrusion into your systems and, after reading this book, there’s even less excuse for the sort of careless oversights that make hacking possible.

A company CEO, for example, might want to ask his IT manager to explain just why SQL Injection, say, wouldn’t work on his company’s eCommerce site. I think this book tells him enough to let him see if people are trying to pull the wool over his eyes about security. It will also give IT professionals some ammunition if they need to convince their bosses that systems security must be built in from the first, not bolted on by a new management after an expensive and embarrassing security incident has almost bought the company to its knees.

David Norfolk is the author of IT Governance, published by Thorogood. More details here.

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Verdict: Should be required reading for anyone interested in IT security. After you’ve read it, you’ll have some idea of what you’re up against and what you might do about it. Oh, and it’s a good read too.

Author: Kevin D. Mitnick; William L. Simon

Publisher: Wiley

ISBN: 0471782661

Media: Book

List Price: £11.99

Reg price: £9.59

Boost IT visibility and business value

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.