Review: No Tech Hacking

No Tech Hacking

A guide to Social Engineering,
Dumpster Diving, and Shoulder Surfing

Author: Johnny Long

ISBN: 978-1-59749-215-7

Publisher: Syngress (2008)

285 pages

Price: ~US$30 from Amazon

Executive summary

This easy-to-read guide to common social engineering and physical site penetration techniques may not tell us anything new, but there is clearly a need for organizations and individuals to appreciate their vulnerabilities and, hopefully, counter the threats.

Introduction

The hacking of IT systems through networks and terminals is getting harder and harder as most organizations gradually up their game, configuring operating systems for security, installing better access controls and malware controls, improving network security monitoring and so forth.  Humans may be no more vulnerable to deliberate compromises than they ever were, but while technical methods are getting harder, non-technical attacks on humans are becoming relatively easier.  Non-technical methods are attractive for attackers who lack the technical skills and resources for classical hacking, and they often involve less risk of detection.  In many cases, technical and non-technical approaches are complementary, hence many attacks involve elements of both.

Coverage

Johnny takes us on a cook’s tour through the basics of social engineering and a few other non-technical methods of compromising a target organization.  The areas covered are:

  • Dumpster diving - retrieving useful information from the trash, or from items simply discarded somewhere public;
  • Tailgating - slipping into a building behind an employee;
  • Shoulder surfing - watching over someone’s shoulder as they type;
  • Physical security - in fact this chapter mostly covers lock picking, using shims and bumpers to attack normal key and combination locks, and tubes to attack circular ‘security locks’;
  • Social engineering - outlines techniques involving manipulation of targets by phone;
  • Google hacking - finding useful information about a target using Google searches (this chapter is simply reprinted from the second edition of Google Hacking);
  • P2P hacking - hardly hacking really, this just describes browsing through the files offered through peer-to-peer applications by naive users;
  • People watching - a rudimentary guide to spotting clues about where people work from logos on their clothing and computer bags;
  • Kiosks - a technique to subvert the locked-down user interface on public kiosks using MS Windows software, plus a few blurry shots of an ATM technician at work;
  • Vehicle surveillance - a rudimentary guide to spotting clues about where people work from their car park passes and permits;
  • Badge surveillance - observing staff passes as a prelude to making fakes;
  • Top ten ways to shut down no tech hackers - that this chapter is called an epilogue seems to indicate that controls against social engineering and other non-technical attacks are something of an afterthought for the author.

Other common social engineering methods, for example the psychological manipulation techniques often described by Kevin Mitnick, phishing and many other types of frauds and scams perpetrated through a variety of communications media (email, phone, letter, FAX, SMS, even paper notes left on a windshield ...), are barely mentioned.

The book doesn’t explain the process of non-technical hacking very well, that is, the stages normally involved in identifying, researching and exploiting a target.  That a social engineer or intruder would fear detection and would almost certainly have pre-planned a cover story and escape route, for example, is only vaguely hinted at.

Depth

In most aspects, the coverage is distinctly superficial, barely scratching the surface.  In the cover blurb, the author claims to be disclosing super-cool secrets, but in reality the book falls well short of disclosing anything really novel.  On the other hand, it is painfully clear that many people either don’t know about or fail to take account of even the simple attacks described in the book, implying that there is definitely a need for awareness materials covering the basics.

The epilogue’s advice on ten ways to limit the risks is generally naive and banal, resembling the similarly vague guidance given by Kevin Mitnick in some of his books.  I presume that Johnny Long is not actually an information security professional by day and so he lacks the practical experience to appreciate that his suggestions are probably unsuitable and unhelpful for most commercial settings.  As an example, he advises that strip-cut shredders don’t offer much security, yet “particle shredders” (normally called cross-cut shredders) are dismissed as “pretty expensive” and “overkill” ... “unless you’re truly evil (or paranoid)”.  Perhaps the truth is that decent security controls would make the no tech hackers’ job harder, so maybe it’s not in the author’s interest to promote good security practices.

Quality

As seems to be the way with Syngress books, the print quality is poor.  Most of the monochromatic photographic images are dark and indistinct, barely good enough even to make out the fields that have not been deliberately blurred by the author.  The author is not a professional photographer but he is still able to obtain potentially useful information from candid snaps through windows or in public places.

The social engineering chapter has a different style from the rest of the book, which is not surprising given that it was written by Jack Wiles (who for some reason is not acknowledged as an author on the cover).  Jack’s contribution is above average, so it’s a shame he didn’t collaborate with Johnny on the rest.

Johnny’s parts of the book are straightforward enough and appear accurate as far as they go.

Writing style and readability

The writing style is informal throughout, reflecting the chatty nature of typical conversations between those who over-use the word “dude” but, thankfully, without the obscure hacker jargon and obscenities.  With so many photos in the book and a fairly large font size, the average page has only about 100 words, hence I was able to read the book cover-to-cover in about 4 hours.  This is no heavyweight academic textbook, with hardly any actual references or even acknowledgments outside the hacking subculture.

Audience

It’s hard to figure out to whom the book might appeal.  It is too superficial to be of much value to actual non-tech hackers unless they are very new to the game, and it lacks the pragmatism that would be of some worth to information security and risk management professionals.  Maybe it would interest members of the general public, but again it expounds on the risks without really helping anyone counteract them.

Conclusion

Although the author ably describes some simple non-technical attack methods, it is a shame he doesn’t present a more compelling call-to-action.  Readers can and indeed should be more aware of, and ideally resistant to, the methods described.  The book presents the basic information but doesn’t really motivate readers to respond, leaving it rather flat.

Copyright © 2013  IsecT Ltd.