No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (Paperback)

~ (Author), Jack Wiles (Author), Scott Pinzon (Technical Editor), (Series Editor)
Key Phrases: appliance module, super user, lamp module, Google Hacking Showcase, Physical Security, Broke Into Their Buildings (more...)

Editorial Reviews

Product Description

As the cliché reminds us, information is power. In this age of computer systems and technology, an increasing majority of the world's information is stored electronically. It makes sense then that as an industry we rely on high-tech electronic protection systems to guard that information. As a professional hacker, I get paid to uncover weaknesses in those systems and exploit them. Whether breaking into buildings or slipping past industrial-grade firewalls, my goal has always been the same: extract the informational secrets using any means necessary. After hundreds of jobs, I discovered the secret to bypassing every conceivable high-tech security system. This book reveals those secrets, and as the title suggests, it has nothing to do with high technology. As it turns out, the secret isn't much of a secret at all. Hackers have known about these techniques for years. Presented in a light, accessible style, you'll get to ride shotgun with the authors on successful real-world break-ins as they share photos, videos and stories that prove how vulnerable the high-tech world is to no-tech attacks.

As you browse this book, you'll hear old familiar terms like "dumpster diving", "social engineering", and "shoulder surfing". Some of these terms have drifted into obscurity to the point of becoming industry folklore; the tactics of the pre-dawn information age. But make no mistake; these and other old-school tactics work with amazing effectiveness today. In fact, there's a very good chance that someone in your organization will fall victim to one or more of these attacks this year. Will they be ready?

. Dumpster Diving
Be a good sport and don't read the two "D" words written in big bold letters above, and act surprised when I tell you hackers can accomplish this without relying on a single bit of technology (punny).
. Tailgating
Hackers and ninja both like wearing black, and they do share the ability to slip inside a building and blend with the shadows.
. Shoulder Surfing
If you like having a screen on your laptop so you can see what you're working on, don't read this chapter.
. Physical Security
Locks are serious business and lock technicians are true engineers, most backed with years of hands-on experience. But what happens when you take the age-old respected profession of the locksmith and sprinkle it with hacker ingenuity?
. Social Engineering with Jack Wiles
Jack has trained hundreds of federal agents, corporate attorneys, CEOs and internal auditors on computer crime and security-related topics. His unforgettable presentations are filled with three decades of personal "war stories" from the trenches of Information Security and Physical Security.
. Google Hacking
A hacker doesn't even need his own computer to do the necessary research. If he can make it to a public library, Kinko's or Internet cafe, he can use Google to process all that data into something useful.
. P2P Hacking
Let's assume a guy has no budget, no commercial hacking software, no support from organized crime and no fancy gear. With all those restrictions, is this guy still a threat to you? Have a look at this chapter and judge for yourself.
. People Watching
Skilled people watchers can learn a whole lot in just a few quick glances. In this chapter we'll take a look at a few examples of the types of things that draws a no-tech hacker's eye.
. Kiosks
What happens when a kiosk is more than a kiosk? What happens when the kiosk holds airline passenger information? What if the kiosk holds confidential patient information? What if the kiosk holds cash?
. Vehicle Surveillance
Most people don't realize that some of the most thrilling vehicular espionage happens when the cars aren't moving at all!

About the Author

Johnny Long is a Christian by grace, a professional hacker by trade, a pirate by blood, a ninja in training, a security researcher and author. He can be found lurking at his website (http://johnny.ihackstuff.com). He is the founder of Hackers For Charity(http://ihackcharities.org), an organization that provides hackers with job experience while leveraging their skills for charities that need those skills.

Kevin Mitnick (Technical Editor) is the most famous computer hacker in the world. Since his first arrest in 1981, at age 17, he has spent nearly half his adult life either in prison or as a fugitive. He has been the subject of three books and his alleged 1982 hack into NORAD inspired the movie War Games. Since his plea-bargain release in 2000, he says he has reformed and is devoting his talents to helping computer security.

Product Details

• Paperback: 384 pages
• Publisher: Syngress (February 21, 2008)
• Language: English
• ISBN-10: 1597492159
• ISBN-13: 978-1597492157
• Product Dimensions: 9.1 x 7.5 x 0.9 inches
• Shipping Weight: 1.4 pounds (View shipping rates and policies)
• Average Customer Review: 4.4 out of 5 stars  See all reviews (10 customer reviews)
• Amazon.com Sales Rank: #232,253 in Books (See Bestsellers in Books)

  Popular in this category: (What's this?)

  #61 in

  Books > Computers & Internet > Business & Culture > Security

Customer Reviews

Most Helpful Customer Reviews

13 of 13 people found the following review helpful:

4.0 out of 5 stars Solid advice on securing the human vulnerability , March 12, 2008

By	Chris Gates (NoVA, USA) - See all my reviews

Johnny Long has a great knack for taking what should be common sense observations on human vulnerabilities and making them unique, entertaining, and most importantly actionable. The book really seems to be a book to go along with his numerous "No Tech Hacking" talks he has given at several security conferences. If you want an example check out the 2007 Shmoocon Archives: http://shmoocon.org/2007/presentations.html

Here are the chapters:

Dumpster Diving
Tailgating
Shoulder Surfing
Physical Security
Social Engineering with Jack Wiles
Google Hacking
P2P Hacking
People Watching
Kiosks
Vehicle Surveillance
Badge Surveillance
Epilogue

All of the chapters are pretty good, I particularly liked the Physical Security, P2P Hacking, and Kiosks (even though it was a short chapter). Again, a lot of what he talks about is common sense and taken from his talks he gives a security conferences. But it comes from a guy that gets paid to break into buildings for a living so you can trust the advice and situations to be pretty close to reality.

Things I liked about the book:
-The Physical Security section talks about defeating different types of locks and security systems. It was good relevant content with good advice on how to fix it. The Kiosk chapter talks a little bit about breaking out of Kiosks and information you can gather. Using P2P to look for sensitive documents is a good idea as well. Really all the chapters had valuable information in them. In plain words he sums up relevant and dangerous security issues that target the human element of security.
-The large font and lots of pictures make the book a quick read. I also like that there were pictures to go along with all the points he was trying to make. His "arrest me face" on page 95 is the best.
-The book is pretty much without typos and editing issues which says a lot for a syngress book.
-The book is useful for both technicians and managers, I feel like i can give the book to both the techies and management and have them both get something out of it.

Some things I didn't like about the book:
-The book has a slight condescending tone. I think this is the author's attempt to be funny, and in person I think he could have pulled it off. But in print it really comes across as a "you are dumb, so dumb I have to write a book about hacking you without technology to show you how dumb you are." It doesn't make the book "bad" its just annoying at times.
-The tailgating section (page 24) slams a person for wearing their badge INSIDE and says she is not security conscious. Why would you NOT where your badge inside? On one hand he complains about people not challenging him because of his fake badge or lack of a badge and then he says that wearing a badge inside is an opportunity for someone who sneaks in to take pictures of it, well guess what, they are already inside, there are other bigger issues now. In my opinion, badge on inside=good, badge on outside at lunch=bad.
-The book suffers a bit from the "Everything must be secure... damn the functionality" problem that a lot of security researchers and hard core security proposals suffer from. What I mean by all that is sometimes security people lose sight of why things are they way they are or the fact that changing the way things are done would hinder actually getting work done. The best example I can come up with from the book is his discussion of DoD decals on cars (in the vehicle surveillance chapter) and how they give away too much information. While not arguing his point on giving away information, I'd like to see his proposal for a better solution to access control on DoD bases. I'd also argue that oil change stickers showing where I got my oil changed (that may give you some information on where I live or work) are far less dangerous than that person just following me to home or work now that they have me and my car associated with one another.

9 of 9 people found the following review helpful:

4.0 out of 5 stars Almost as good as the live No Tech Hacking talk, June 7, 2008

By	Richard Bejtlich "TaoSecurity.com" (Metro Washington, DC) - See all my reviews (TOP 500 REVIEWER)    (REAL NAME)

No Tech Hacking (NTH) again demonstrates that the fewer the number of authors a Syngress book advertises, the better the book. With security star Johnny Long as the main author, the book adds a section in Ch 5 (Social Engineering) by Techno Security organizer Jack Wiles. The "special contributors" no doubt worked with Johnny to answer his questions, but it's clear that relying on a primary author resulted in a better-than-average Syngress title. (Harlan Carvey's Windows Forensic Analysis is another example of this phenomenon.)

I liked NTH. The book makes a good companion to titles like The Art of Deception and The Art of Intrusion by Kevin Mitnick, and The Art of the Steal by Frank Abagnale. (Mitnick wrote the foreword for NTH.) Johnny Long is a great author who knows how to tell a story in a captivating way. I agree with some of the criticism levied by previous reviewer Chris Gates about the badge story on p 24. If you aren't supposed to display a badge outdoors (true), and you aren't supposed to display it indoors (false), where do you display it? Maybe Johnny meant a badge-wearing employee should have noticed someone photographing her badge?

I dropped one star for two reasons, and could have dropped two stars if I didn't think Johnny Long is a great author otherwise. First, I was very disappointed to see 75 pages of Google Hacking reprinted as Ch 6 of NTH. The 285 page NTH would have been 210 without Ch 6, and definitely would not have merited the price on the back cover. This reprinting tendency is another Syngress problem.

Second, this book should have been published in color. A great deal of the book shows photographs or screen captures taken by the author while conducting penetration tests. The impact would have been much greater in color. Consider keeping the same price but removing Ch 6 and publishing in color next time. If Syngress has anything like a star author, it's Johnny Long. People attending his No Tech Hacking talks would snatch a color edition up without thinking twice. If you need a good example of a modern color security book, check out Security Data Visualization by Greg Conti, published by No Starch.

Overall, anyone who has some military experience in OPSEC (operational security) will recognize most of the vulnerabilities and exposures identified in NTH. If you need a way to teach your employees how to resist No Tech Hacking, this book is a great teaching tool.

6 of 6 people found the following review helpful:

5.0 out of 5 stars Simple Threats Can Cause Serious Problems, April 8, 2008

By	K Rudolph - See all my reviews

Johnny Long's book, "No Tech Hacking," brings new attention to overlooked aspects of information security. In his book, Long reveals how simple threats can cause serious problems, even in organizations prepared for a Mission Impossible-style attack scenario.

Long recounts how he and his team of ethical hackers consistently access sensitive information with no special equipment or technical skills. In fact, Long reveals how the ordinary (coat hangers, hand towels, drinking straws, baby powder, and aluminum cans) can result in extraordinary breaches of organizational security.

Long shares real world stories and cell-phone photographs from his adventures in people watching, shoulder surfing, dumpster diving, and vehicle observation.

Long and his colleagues go to great, conspicuous lengths to collect non-public information. While their targets should notice almost all of their activities, most do not. The closest thing to a consequence or confrontation they encounter is a glare from an airline passenger.

Why isn't Long confronted when others observe him surreptitiously taking pictures? Some people don't like to confront an unfamiliar person or don't know whom to report their concerns to. Others are complacent and don't expect negative events to occur. Action invites risk: risk of an awkward or unwarranted accusation, that one won't be taken seriously, and possible personal embarrassment. Sometimes, people feel that the safest action is no action at all. Unfortunately, that feeling of security is deceptive.

Thankfully, Long offers useful advice. He recommends that companies should:

1. Provide incentives for reporting suspicious activities, and
2. Make the desired response well-known and easy-to-do.

To follow these recommendations, organizations need to ensure that everyone knows what information to disclose and what information requires protection. Foremost, all organizations should create policies for verifying the identity of anyone who requests non-public information and adequately train all employees to recognize these situations and take appropriate actions.

In the next edition, it would be great to see more of the practical tips (perhaps even a detailed checklist for each chapter) about what do to protect against these simple, but damaging, threats.

Summary: This is a useful book for creating and spreading awareness of important and often overlooked aspects of information security.