Security Awareness Blog

Ghost in the Wires - Social Engineering at its Finest

I just finished reading Kevin Mitnick's new book, Ghost in the Wires. This was an amazing read. If you are involved in information security in any way, I really recommend you (and your boss) read the book. This is not a technical manual on how to do social engineering; if you are looking for that, I recommend Kevin's "Art of Deception". Instead, this book is Kevin's story of how he used social engineering to get what he wanted ... and it blew me away. He repeatedly describes how he simply used the phone to compromise organizations, from personal information on individuals through the DMV to requesting wiretaps on the FBI. What really blew me away was his description of how he gained access to the source code of almost every commercial Unix operating system and mobile phone, bypassing the most advanced security of its time by simply tricking people.

The reason I'm so excited about this book is there is no other resource I can think of that demonstrates the power of social engineering and hacking the HumanOS. As Kevin repeatedly demonstrates, it does not matter what technology you have installed; it is the human that we need to secure.

2 Comments

Posted September 21, 2011 at 7:38 PM

HJohn

I'll definitely be reading this book.
I've noticed an expansion of "attacking the human." Be it social engineering, blackmail, or direct assault.
I think what it boils down to is that attackers will try to take the easiest path. That is more often becoming the human as countermeasures become harder to circumvent (or understand).
I'm curious how continued improvements to biometrics may ultimately change the equation.

Posted September 21, 2011 at 10:51 PM

lspitzner

Harold,
Absolutely. After watching bad guys for over ten years with the Honeynet Project, one thing I have learned is bad guys are human; as such, they will always take the path of least resistance. The security community has made tremendous strides in securing technology, but almost nothing when it comes to the HumanOS. As such, you are quite correct: the bad guys will target the human, and Kevin's book demonstrates just how powerful that attack vector is.