Feeds

The Art of Intrusion

The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Seven Steps to Software Security

Book review I'm not that keen on the word “hacker” in the modern, pejorative sense (I remember when it meant a good UNIX programmer) and I'm generally not that that impressed by hackers either - mostly they're not particularly clever and just got lucky.

The art of Intrusion book cover So, I came to this book, newly released in paperback at a lower price, in a not very positive frame of mind; except I do think that the famous Kevin Mitnick was unfairly demonised, and I'm not sure how much actual damage he did in the end. Although unauthorised intrusion into production systems is always bad, what chance is there they were tested for resilience during the sorts of things intruders do, for example.

In fact, however, I was won over pretty quickly (although Charles Arthur, see links, was less impressed). It’s an enjoyable and accessible read (perhaps thanks to Mitnick’s co-author), once you skip the somewhat overdone seven page Acknowledgements chapter. More than that, it’s an “ethical hacking course” in miniature. Well, it’s not quite the same as a professional course from the likes of ISS (which goes into much more detail on the legalities and realities of risk mitigation), but it does touch on the ethics of social engineering, the desirability of imposing Non Disclosure Agreements (NDAs) on penetration testers, and the like. It also looks at the character and motivation of the hacker – and learning about this is a vital first step in defending oneself. All too often highly ethical systems managers build defences against people like themselves, and such people simply aren’t a threat.

The book is loosely structured as a set of “anti-patterns” (my term). There’s a story around an exploit, clearly and objectively told (hackers, we learn, don’t always tell the truth and sometimes exaggerate their prowess), some insight that can be deduced from the story, countermeasures you can take, and a bottom line lesson to learn. This is documentation of a recognised bad place, its consequences, and a path back to where you’d like to be.

Exploits covered range from exploiting the pseudo random nature of numbers controlling a gambling machine, through terrorist information gathering and hacking from jail, to hacking City computers from the WAN through internal networks. Mitnick doesn’t limit himself to code exploits, but covers hardware exploits and social engineering too. Most of the specific issues enabling these exploits have been addressed, but they remain valuable guides to the sort of real threats facing IT installations (and the book is worth buying if it only alerts you to the possibilities of social engineering).

Isn’t sharing this sort of information dangerous – unethical? No, the bad guys know it already. The only people who don’t are some of the overworked, highly-ethical, IT professionals who look after our systems security. I was also pleased to see that Mitnick doesn’t usually over-glamorise his subjects or stray into the realms of the mythical Russian (usually) computing genius that no mere mortals can control. You really can do something about unauthorised intrusion into your systems and, after reading this book, there’s even less excuse for the sort of careless oversights that make hacking possible.

A company CEO, for example, might want to ask his IT manager to explain just why SQL Injection, say, wouldn’t work on his company’s eCommerce site. I think this book tells him enough to let him see if people are trying to pull the wool over his eyes about security. It will also give IT professionals some ammunition if they need to convince their bosses that systems security must be built in from the first, not bolted on by a new management after an expensive and embarrassing security incident has almost bought the company to its knees.

David Norfolk is the author of IT Governance, published by Thorogood. More details here.

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Verdict: Should be required reading for anyone interested in IT security. After you’ve read it, you’ll have some idea of what you’re up against and what you might do about it. Oh, and it’s a good read too.

Author: Kevin D. Mitnick; William L. Simon

Publisher: Wiley

ISBN: 0471782661

Media: Book

List Price: £11.99

Reg price: £9.59

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.