Feeds

The Art of Intrusion

The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Choosing a cloud hosting partner with confidence

Book review I'm not that keen on the word “hacker” in the modern, pejorative sense (I remember when it meant a good UNIX programmer) and I'm generally not that that impressed by hackers either - mostly they're not particularly clever and just got lucky.

The art of Intrusion book cover So, I came to this book, newly released in paperback at a lower price, in a not very positive frame of mind; except I do think that the famous Kevin Mitnick was unfairly demonised, and I'm not sure how much actual damage he did in the end. Although unauthorised intrusion into production systems is always bad, what chance is there they were tested for resilience during the sorts of things intruders do, for example.

In fact, however, I was won over pretty quickly (although Charles Arthur, see links, was less impressed). It’s an enjoyable and accessible read (perhaps thanks to Mitnick’s co-author), once you skip the somewhat overdone seven page Acknowledgements chapter. More than that, it’s an “ethical hacking course” in miniature. Well, it’s not quite the same as a professional course from the likes of ISS (which goes into much more detail on the legalities and realities of risk mitigation), but it does touch on the ethics of social engineering, the desirability of imposing Non Disclosure Agreements (NDAs) on penetration testers, and the like. It also looks at the character and motivation of the hacker – and learning about this is a vital first step in defending oneself. All too often highly ethical systems managers build defences against people like themselves, and such people simply aren’t a threat.

The book is loosely structured as a set of “anti-patterns” (my term). There’s a story around an exploit, clearly and objectively told (hackers, we learn, don’t always tell the truth and sometimes exaggerate their prowess), some insight that can be deduced from the story, countermeasures you can take, and a bottom line lesson to learn. This is documentation of a recognised bad place, its consequences, and a path back to where you’d like to be.

Exploits covered range from exploiting the pseudo random nature of numbers controlling a gambling machine, through terrorist information gathering and hacking from jail, to hacking City computers from the WAN through internal networks. Mitnick doesn’t limit himself to code exploits, but covers hardware exploits and social engineering too. Most of the specific issues enabling these exploits have been addressed, but they remain valuable guides to the sort of real threats facing IT installations (and the book is worth buying if it only alerts you to the possibilities of social engineering).

Isn’t sharing this sort of information dangerous – unethical? No, the bad guys know it already. The only people who don’t are some of the overworked, highly-ethical, IT professionals who look after our systems security. I was also pleased to see that Mitnick doesn’t usually over-glamorise his subjects or stray into the realms of the mythical Russian (usually) computing genius that no mere mortals can control. You really can do something about unauthorised intrusion into your systems and, after reading this book, there’s even less excuse for the sort of careless oversights that make hacking possible.

A company CEO, for example, might want to ask his IT manager to explain just why SQL Injection, say, wouldn’t work on his company’s eCommerce site. I think this book tells him enough to let him see if people are trying to pull the wool over his eyes about security. It will also give IT professionals some ammunition if they need to convince their bosses that systems security must be built in from the first, not bolted on by a new management after an expensive and embarrassing security incident has almost bought the company to its knees.

David Norfolk is the author of IT Governance, published by Thorogood. More details here.

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Verdict: Should be required reading for anyone interested in IT security. After you’ve read it, you’ll have some idea of what you’re up against and what you might do about it. Oh, and it’s a good read too.

Author: Kevin D. Mitnick; William L. Simon

Publisher: Wiley

ISBN: 0471782661

Media: Book

List Price: £11.99

Reg price: £9.59

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, watchdog claims
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.