Feeds

The Art of Intrusion

The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Internet Security Threat Report 2014

Book review I'm not that keen on the word “hacker” in the modern, pejorative sense (I remember when it meant a good UNIX programmer) and I'm generally not that that impressed by hackers either - mostly they're not particularly clever and just got lucky.

The art of Intrusion book cover So, I came to this book, newly released in paperback at a lower price, in a not very positive frame of mind; except I do think that the famous Kevin Mitnick was unfairly demonised, and I'm not sure how much actual damage he did in the end. Although unauthorised intrusion into production systems is always bad, what chance is there they were tested for resilience during the sorts of things intruders do, for example.

In fact, however, I was won over pretty quickly (although Charles Arthur, see links, was less impressed). It’s an enjoyable and accessible read (perhaps thanks to Mitnick’s co-author), once you skip the somewhat overdone seven page Acknowledgements chapter. More than that, it’s an “ethical hacking course” in miniature. Well, it’s not quite the same as a professional course from the likes of ISS (which goes into much more detail on the legalities and realities of risk mitigation), but it does touch on the ethics of social engineering, the desirability of imposing Non Disclosure Agreements (NDAs) on penetration testers, and the like. It also looks at the character and motivation of the hacker – and learning about this is a vital first step in defending oneself. All too often highly ethical systems managers build defences against people like themselves, and such people simply aren’t a threat.

The book is loosely structured as a set of “anti-patterns” (my term). There’s a story around an exploit, clearly and objectively told (hackers, we learn, don’t always tell the truth and sometimes exaggerate their prowess), some insight that can be deduced from the story, countermeasures you can take, and a bottom line lesson to learn. This is documentation of a recognised bad place, its consequences, and a path back to where you’d like to be.

Exploits covered range from exploiting the pseudo random nature of numbers controlling a gambling machine, through terrorist information gathering and hacking from jail, to hacking City computers from the WAN through internal networks. Mitnick doesn’t limit himself to code exploits, but covers hardware exploits and social engineering too. Most of the specific issues enabling these exploits have been addressed, but they remain valuable guides to the sort of real threats facing IT installations (and the book is worth buying if it only alerts you to the possibilities of social engineering).

Isn’t sharing this sort of information dangerous – unethical? No, the bad guys know it already. The only people who don’t are some of the overworked, highly-ethical, IT professionals who look after our systems security. I was also pleased to see that Mitnick doesn’t usually over-glamorise his subjects or stray into the realms of the mythical Russian (usually) computing genius that no mere mortals can control. You really can do something about unauthorised intrusion into your systems and, after reading this book, there’s even less excuse for the sort of careless oversights that make hacking possible.

A company CEO, for example, might want to ask his IT manager to explain just why SQL Injection, say, wouldn’t work on his company’s eCommerce site. I think this book tells him enough to let him see if people are trying to pull the wool over his eyes about security. It will also give IT professionals some ammunition if they need to convince their bosses that systems security must be built in from the first, not bolted on by a new management after an expensive and embarrassing security incident has almost bought the company to its knees.

David Norfolk is the author of IT Governance, published by Thorogood. More details here.

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Verdict: Should be required reading for anyone interested in IT security. After you’ve read it, you’ll have some idea of what you’re up against and what you might do about it. Oh, and it’s a good read too.

Author: Kevin D. Mitnick; William L. Simon

Publisher: Wiley

ISBN: 0471782661

Media: Book

List Price: £11.99

Reg price: £9.59

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.