The Art of Deception by Kevin D. Mitnick and William L. Simon.
Given my employment in the programming space and my passing interest in security (I once asked for, and received, the textbook Applied Cryptography for my birthday), I had heard the name Kevin Mitnick before. Still, I hadn't applied myself to looking him up or reading much about him. That is, until mid-2023, when news of his passing reached me. I took a look through my e-book collection and spotted a title by him that I decided to read, almost in honour of Mr. Mitnick.
Aging Lessons
The book was published in 2002, and it does show its age. A lot of the examples involve manipulating the telephone system, fax machines, and inter-office mail. I'm certain that there are still companies operating in this type of environment; for example, during my first co-op term at Symcor in 2018, I was provided a desk phone. I did occasionally receive calls on it, and each time the phone rang it was a great surprise to me. But since then, I haven't encountered business phone lines, fax machines, or inter-office mail. Much of that has been superseded by email and messaging tools like Slack. A modern business looking to protect itself from social engineering can only take the nuggets from this book, as some of its examples and policies have become less relevant over time.
One of these policies was to treat company hierarchies, organizational charts, and lines of reporting as Internal information, not to be shared with anyone outside the company. While many businesses still strive to do this, their efforts stand in opposition to the information goldmine that is LinkedIn. I don't think Mr. Mitnick imagined that company employees (and even the C-suite) would post their names, emails, company positions, and connections so publicly for a bad actor to take advantage of. Nowadays, a LinkedIn presence is simply expected.
Questionable Embellishments
One other thing that struck me as odd was that certain examples were sexist or contained some questionable writing. I understand that the scenarios in the book are "stories", based on experiences that Mitnick and others have lived, but some of the embellishment applied to these stories left me questioning them. Some stories included details such as the young, attractive, and naive executive assistant who wants to break into the sales field and is enthralled and charmed by the social engineer posing as a high-powered salesman, acquiescing to his requests, and even to dinner dates, for a chance at the opportunity he brings. Another example is the female social engineer putting on a sexy voice to charm hapless male IT workers into doing her bidding by installing backdoored programs or leaking information about servers.
I suppose that, to a certain reader, these embellishments add some excitement to stories that might otherwise be dull, or that Mitnick is trying to tap into the 007 Bond-ish charm of the spy. But to me, it just cheapened some of the stories, to the point that it was hard to believe the scenario ever played out like that.
Overall
Overall, I did enjoy the book. If one frames these scenarios through more of a historical lens, they become quite interesting, and one is able to compare how things were in the 90s to now. The stories about phone phreaking were cool, and what's not to love about reading how someone pulled off a heist? In these cases, however, it's information that is being sought, not just money.
Social Engineering
The Art of Deception focuses on social engineering, and it contains some pertinent lessons that many companies have adopted by now. It also includes some words of warning that ring hollow given how the internet, and social media in particular, have developed. To quote the book,
The risks of social engineering attacks to the modern worker are still pertinent today; take phishing emails, for example. Some of the stories told in the book remind me of Deviant Ollam's stories about the penetration testing and red teaming that his company does, which he speaks about at conferences.