
Social Engineering from Kevin Mitnick - henrik_w
http://henrikwarne.com/2015/12/27/social-engineering-from-kevin-mitnick/
======
GFischer
Kevin Mitnick's first book, "The Art of Deception", was an eye-opener for me
as well.

I guess I should read "Ghost in the Wire" too :)

I hadn't thought about those books in a while. If anything, "social
engineering" should be WAY easier in the Facebook age - that's what should be
keeping IT security people up at night these days.

[https://en.wikipedia.org/wiki/The_Art_of_Deception](https://en.wikipedia.org/wiki/The_Art_of_Deception)

~~~
carrollgt
I highly recommend "Ghost in the Wire". It's pretty light on the technical
details, but it's really entertaining if you're interested in the "Golden Age"
of hacking.

I was amazed at how much more he leaned on his social engineering skills than
his technical skills when he was in his prime.

------
phrogdriver
I used to work at a large organization with annual security training
requirements for all employees. It consisted of hours of ridiculous scenarios
where the correct answer was always "don't open attachments from people you
don't know and report anything suspicious to IT." I've often thought that
requiring everyone to read "Ghost in the Wires" would be a much more effective
way to show people how social engineering and phishing would actually work.

------
bolle
Mr. Mitnick signed The Art of Deception for me in the early 2000s. I told him
it was for a friend who at the time was 'interested in the dark side of
computer security'.

He wrote: Don't do anything I wouldn't do.

~~~
branchless
> Don't do anything I wouldn't do.

Christ, what would that be? He didn't shy away from much.

------
iask
Even to this day one can obtain quite a lot of info from the person at the
front desk in many companies. You are as secure as your weakest links...your
users. I've seen clients both large and small fail to enforce policy.

Money is better spent educating users and enforcing policy than acquiring the
most expensive equipment.

Btw, The Art of Deception is a good read.

------
megraf
I snuck into a Banking security conference; forged a badge, and stayed down
the road to hear Kevin give a very lengthy speech.

It can be found here: ([https://soundcloud.com/michael_graf/kevin-mitnick-speech-201...](https://soundcloud.com/michael_graf/kevin-mitnick-speech-2013))

I gave him my forged badge, and told him I really like the speech - he signed
my book and spoke with me for around 10 min... Really nice guy

------
bbtn
How does he remember so many details (abbreviations...) from years back? Does
he keep a diary?

------
Consequences
The only thing notable about Mitnick is that he was the first to get
caught/prosecuted. Sloppy opsec.

~~~
haylem
It might be easy in some cases to mistake "sloppy" for "pioneering". It's
harder to defend yourself and cover your tracks when you're one of the first
to actually have been there and done that.

I think the notable thing about Mitnick was just this: he became notable. He
put these activities on the radar of law enforcement and of the media when
they weren't all that much concerned about it.

------
gardnr
#spoileralert

------
jondubois
It's a shame that hackers are so glamorized in the media... Hacking is
actually pretty easy. Most hackers just use vulnerabilities which other people
have discovered and they rarely innovate themselves.

Even discovering new vulnerabilities isn't that hard. Once you know a
particular codebase well enough, it's pretty easy to find new vulnerabilities.
The average programmer will likely identify and fix many such
bugs/vulnerabilities each day as part of their regular job but they don't get
the same recognition that hackers get.

Also, social engineering is hardly engineering - it is just another name for
deception/trickery.

I fully support hacking where the intent is to improve a system but doing so
with the intent of achieving personal fame and fortune is just wrong and the
tech media should make more effort to distinguish between the two.

~~~
vox_mollis
In what world do you live?

Hackers are vehemently demonized by the media; by no means is there any sort
of glorification occurring.

~~~
unimpressive
Demonization can be a form of glorification. Consider for example the
following two paragraphs:

"He was slick, convincing several security guards he was a wayward contractor
on his way to meet the department head. Thermal cameras in the server room
defeated by a homemade polyester shield, it took only twenty minutes to
extract BigCo's financial records. Having slipped in under the noses of
corporate security like the most adept of rats, he skittered away in the
anonymity of directions to the bathroom leaving no trace of his visit."

"The felon broke into the store through its back door window using a crowbar.
They stole two empty registers and a safe, ransacking the building in their
search for anything of value. Ramir was frustrated when he came in the next
morning after, yet remains optimistic. "We may have been robbed, but we know
that we're going to come out on top in the long run." The suspect is known
from security footage to have fled the scene in a green pickup truck. If you
have any information related to this crime..."

You get a very different picture of these two people's competence just from the
way they're depicted and the kind of crime they commit.

