Ghost in the Wires

The book is "Ghost in the Wires", an autobiography by security expert and former FBI's most wanted hacker, Kevin Mitnick. Even though I've read a great many books on the author's exploits, I was freshly agog at the author's adventures, told for the first time from his point of view.

The man was a force of nature when it came to breaking into computer systems. There was almost no system he couldn't breach, no act too outrageous. And while his computer hacking skills were impressive, the area where he was a true artist was social engineering. In fact, one might say he was one of the first and best.

The book accounts his journey from misunderstood youth to feared hacker to man on the run and then redemption in serving the very community he once plagued. The first part of the book has already been well documented in other accounts but it is interesting to hear his inner motivations for what he did. The latter half deals with years on the run once he gets in serious trouble with the law.

This covers many of the years that previous third party accounts either made up or theorized, as only Kevin knew where he went or what he was doing. It turns out that fact is often stranger than fiction with some of his exploits in creating fake identities or getting jobs working in IT and even for a bank at one point bogle the mind.

Now younger techies might not be impressed with his retro skills. Most of his best hacks were on phone systems and done over dial up modems. And till he went on the run, most of his hacks where not wildly publicized; unlike today where Anonymous, Wikileaks and other hacker groups have become almost political figures. Kevin plied his art in dark cyber alleys, acknowledged only by other hackers and the law enforcement officials he continually stymied. So while his computer skills might be passé today, the social engineering he practiced still works today and is practiced by the legions of phishers, pharmers and other cyber crime denizens.

Reading this book should keep any IT security professional awake at night. Because it's the only thing that we can't spend technology dollars on to fix. The people element. No matter how many firewalls, IDSs, IPS and malware detectors you have, all it takes is one well meaning employee to bypass it all.

So the lesson of "Ghost" is not that we need better technology to combat the waves of electronic fraud sweeping our companies and governments, but rather we need to spend time on our people. This includes the entire enterprise, not just our direct IT staffs. Figure out how you can allocate some of that money destined for more software and hardware towards boring things like policies and training. Every firm with significant IT resources to protect should have some from of IT security awareness training at least once a year. Get people to think twice before they help that "employee" on the phone or to take an extra moment to verify that request coming in via email. I highly recommend this book for any manager, not just in IT.