
The art of intrusion

A review of reformed hacker Kevin Mitnick's new book

Alex Mayfield reverse-engineers Vegas video poker machines to predict big wins.

'Comrade' and 'ne0h', two teenage hackers, break into Boeing's computers for Khalid, a shadowy online presence with links to Osama Bin Laden.

William and Danny get regular access to the internet. Nothing unusual there, except that they are locked up in a US Federal prison and the guards don't know.

Adrian Lamo hacks into the New York Times and adds himself to their list of expert contributors.

These are just some of the true stories in Kevin Mitnick's new book, The Art of Intrusion. Mitnick, who looks like a junior executive on the flyleaf, knows what he is talking about. As a teenager he served jail time for hacking.

The book gives a real insight into the 'because I can' motivation of many hackers. Mitnick and his co-author William Simon capture their stories nicely. Each chapter reveals critical security lessons and Mitnick provides a lot of advice about how to protect yourself against similar exploits.

Lessons

Some of the most surprising lessons are:

The use of weak and easily-hacked passwords is depressingly common.

Relying on obscurity (unlisted phone numbers, obscure names and so on) just doesn't work.

Technical solutions are easily side-stepped by social engineering and manipulation.

Again and again, hackers seem able to blag their way into buildings without being challenged.

In Mitnick's world, security guards, prison warders and casino pit bosses are useless.

Strong perimeters are useless once someone is inside. You need defence in depth.

Many good defences are let down by a single oversight - an unprotected router, an unchanged default password, an unpatched server.

Defences have to win every time; a hacker only has to win once.

Hacking is like water going downhill; it finds the path of least resistance. As one hacker says, "there is always something that works. It's just a matter of finding out what."

Real hackers will spend astounding amounts of time and effort to achieve their objectives. They will get to know your network and systems better than you do.

Mitnick is sympathetic to his subjects. Occasionally he seems to justify behaviour that is illegal. His hackers are like mountaineers. They do it for the challenge, rarely for monetary gain. At worst, as when working for terrorists or defrauding casinos, they come across as naive rather than bad people. While engaging, this analysis is disingenuous.

That said, the book is well written and compelling. Most of it is accessible to a general reader, but some sections require more technical understanding. Anyone interested in information security will get something from this book that they can't get from more serious 'how-to' manuals: the story of real people.

As for me, I will find it hard to forget the persistence and ingenuity used by the hackers in this book. As one of them says: "every time [some software engineer] says, 'nobody will go to the trouble of doing that,' there's some kid in Finland who will go to the trouble."
