Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day (Hardcover)

~ (Author) "James Bond is the second worst spy in history; the first worst spy is Sydney Bristow from the TV show Alias..." (more)
Key Phrases: poor security awareness, black bag operations, technical vulnerabilities, United States, Computer Operations Center, Afshin Bavand (more...)
4.3 out of 5 stars  See all reviews (18 customer reviews)

List Price: $27.50
Price: $18.15 & eligible for FREE Super Saver Shipping on orders over $25. Details
You Save: $9.35 (34%)

Formats

Amazon Price New from Used from
  Hardcover, Bargain Price $11.00 $8.68 $6.84
  Hardcover, April 8, 2005 $18.15 $3.98 $2.52

Editorial Reviews

From Publishers Weekly

Those who are already paranoid about information theft, both personal and professional, should take a muscle relaxant before reading this eye-opening survey of the many holes that exist in our security and intelligence systems. Author Winkler (Corporate Espionage) began his career at the National Security Agency, and his exploits in the private sector, testing security systems by breaking into banks and high-profile companies, have earned him a place in the Information Systems Security Association Hall of Fame. Winkler's background not only lends his book an authoritative voice, but embellishes his nuts-and-bolts material with rich references to intriguing cases in which he's been involved. The book kicks off provocatively, explaining why James Bond and Sydney Bristow from the TV show Alias "suck as spies" and detailing what spies at various levels actually do. He then goes on to explain how spies and/or "their friends" (i.e., hackers, identity thieves, spammers, etc.) can get at an organization. Although the book will interest security professionals more than consumers, there are some choice bits here for readers captivated by cloak-and-dagger endeavors. Winkler's chapter on "How to Be a Spy" shines as a concise tutorial on how genuine spooks operate, and his case studies, which make up the middle of the book, fascinate as examples of how easy it can be to compromise the security systems of high visibility companies, even post 9/11. Overall, this is a thorough, at times absorbing, cautionary tale for any company or person who subscribes to the Boy Scout motto: Be prepared.
Copyright © Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.


Review

Required reading by counterintelligence warrant officers in training at the U.S. Army Intelligence Center, Spies Among Us is a primer into the basic principles of intelligence operations. Indeed, Ira Winkler notes that spies, terrorists, hackers, and criminals all use the same basic techniques to collect information on their targets.
Mr. Winkler is a former undercover security analyst with the National Security Agency, who now works with governments and major corporations to help them uncover potential security breaches. He states in the introduction to Spies Among Us that there seems to be a fascination with spectacular acts committed by terrorists, foreign intelligence operatives, and computer hacking geniuses. Against such threats, corporations and individuals are tempted to feel powerless. Such acts, though potentially devastating, are quite rare and only affect relatively small numbers of people and businesses. Conversely, natural disasters, accidents, and criminal acts, though not as spectacular, are much more common and affect many more people. In Spies Among Us, Mr. Winkler seeks to empower his readers with simple countermeasures that can mitigate the common threats we all face. He further adds that such prudence also helps protect against attacks from the terrorists, spies, and computer geniuses.
Spies Among Us is divided into three parts. Part I discusses the fundamental concepts of the intelligence process, espionage, and crime. Part II explores the details of some notable penetration tests conducted by Mr. Winkler and his colleagues as well as some real-world cases of high-level crime and espionage. Finally, Part III describes the simple countermeasures that can be used to reduce both individual and corporate vulnerabilities to various threats.
In Part I, Mr. Winkler defines risk, threat, vulnerability, counter-measures, value, and their interrelationship. He further explains how to determine the value of assets and how to evaluate various threats against those assets. Of particular interest to BECCA members, Mr. Winkler thoroughly describes the corporate espionage threats that U.S. corporations face. He lists the major countries that successfully use their state intelligence agencies to target U.S. corporations. Among those countries are two U.S. allies identified by the CIA as conducting espionage against U.S. companies: France and Israel. Furthermore, Mr. Winkler describes how each nation targets U.S. corporations both at home and abroad. He states that the U.S. government is quite different than that of most other industrialized nations in that it generally does not collect intelligence on behalf of its corporations. Contrast this with the statement of Pierre Marion, the former head of the French foreign intelligence agency who has stated, "There is no such thing as an economic ally." Among other countries, the U.S. government is considered "naïve" in its view of international corporate espionage.
In addition to foreign intelligence threats, Part II of Spies Among Us explains how corporate information leaks can be caused or exploited by insiders (employees), petty crime, suppliers, customers, and competitors. In regards to employees, the author draws an amazing parallel between the profile of an extremely hard-working employee and that of a spy. They both show interest in what their coworkers are doing, they volunteer for extra work, they work late, and they rarely take vacations. Attackers target vulnerabilities of corporations and individuals. Mr. Winkler defines vulnerabilities in four categories: operational, physical, personnel, and technical. Under operational vulnerabilities, he addresses security awareness and makes a notable statement, that "there is no common sense without common knowledge," emphasizing the importance of security awareness training for everyone.
In Part II, not only does the author describe various successful attacks against major corporations, he also describes the vulnerabilities which facilitated or allowed these attacks.
In Part III, Mr. Winkler explains simple countermeasures to address these vulnerabilities and similar vulnerabilities of individuals. He defines these countermeasures in the same categories that he used for vulnerabilities. However, he makes the interesting observation that the categories do not necessarily correlate. For instance, he states that poor security awareness is an operational vulnerability. However, an effective countermeasure for poor awareness is a technical countermeasure such as token-based authentication which thwarts social engineering attacks designed to obtain passwords from users. In the final chapter, Mr. Winkler provides practical suggestions for implementing and testing countermeasures and incident response procedures. He includes sound advice on how to garner support from management and compliance from employees. He states that an effective security awareness program could result in "thousands of people detecting security problems, not just the two people in a typical security department."
As a military intelligence professional, I found Spies Among Us to be a fascinating and enlightening read. As only someone who has great understanding can, Mr. Winkler greatly simplifies the intelligence process and provides interesting insights into recent events. He also writes from the vantage point of an insider. The security countermeasures he recommends are practical and feasible for both organizations and individuals to implement. As someone who sees the need for professional reading but who does not normally enjoy such activity, I found this book to be refreshingly enjoyable to read. I highly recommend Spies Among Us to anyone working in the security or intelligence field. I also highly recommend it to anyone else who has ever felt vulnerable or who just wants to peer into the hidden world of espionage and crime that is always among us.
"Spies Among Us reads like a Robert Ludlum novel, [and] it’s riveting because it’s all true. If you’ve got a social security number, you need to read this book whether you’re a CEO or a grandmother. Winkler reveals the top threats to our personal and national security, with lots of straight-forward advice on how to protect yourself."
–Soledad O'Brien, CNN

Product Details

  • Hardcover: 346 pages
  • Publisher: Wiley; 1 edition (April 8, 2005)
  • Language: English
  • ISBN-10: 0764584685
  • ISBN-13: 978-0764584688
  • Product Dimensions: 9 x 6.1 x 1.1 inches
  • Shipping Weight: 1.2 pounds (View shipping rates and policies)
  • Average Customer Review: 4.3 out of 5 stars  See all reviews (18 customer reviews)
  • Amazon.com Sales Rank: #227,870 in Books (See Bestsellers in Books)

Customer Reviews

18 Reviews
5 star: (10)
4 star: (4)
3 star: (3)
2 star: (1)
1 star: (0)

Average Customer Review
4.3 out of 5 stars (18 customer reviews)

Most Helpful Customer Reviews

 
35 of 39 people found the following review helpful:
3.0 out of 5 stars sound advice from a competent professional, but not much new here, November 27, 2005
Spies Among Us is in many ways similar to Winkler's previous book, Corporate Espionage. It describes threats and vulnerabilities, gives case studies of attacks and penetrations (some malicious by miscreants, some as part of his own testing), and offers countermeasures and lessons learned.

The book is divided into three parts--Part I is on "Espionage Concepts," which describes the intelligence process, forms of information, risk equations, how security's components are confidentiality, integrity, and availability, how to measure asset values, and so on. Part II is "Case Studies" and is the most interesting and original portion of the book. Part III is "Stopping the Spies," about specific vulnerabilities and countermeasures.

As in the previous book, Winkler's advice is sound and the case studies are interesting. Unfortunately, much of the book duplicates the prior book and other books in the field, which is part of why it took me three months to get through this book--I got hung up in Part III, which was mostly old hat.

What I found most disappointing about the book beyond its lack of novelty were two features: first, that there were frequent errors and omissions which seemed a display of either lack of research or carelessness; second, that Winkler takes many opportunities to tell the reader that he's involved in important things, but without showing the evidence for it.

Examples of the first include not only simple things like typos that should have been caught by the editor (p. xv "phased" for "fazed", p. xvi "over" for "cover"), but factual errors. On p. 55 he writes of the 1996 blackout of "nine states of the Pacific Northwest." There aren't nine Pacific Northwest states, and there were two Western U.S. 1996 blackouts caused by power lines sagging to trees, an Idaho/Wyoming line on July 2 affecting 14 Western states and a California line on August 10 affecting states from Oregon to Mexico and Texas.

On p. 78 he gives estimates of the number of people with various hacking skills which appear to have been pulled from a hat; I suspect his estimate of 100,000 people capable of developing hacking tools from knowledge of vulnerabilities is a substantial underestimate.

On p. 81 he claims that, contrary to other countries, the U.S. government intelligence agencies don't pass information back to U.S. companies. While this is official policy, counterexamples may be found (e.g., the book Friends in High Places discusses information flow in both directions between the CIA and the Bechtel corporation in the Middle East).

On p. 143, Winkler writes that "There has supposedly been only one day zero attack, which is an attack that exploits a vulnerability that was not previously reported and known." No reference (though I suspect he's referring to a successful 2003 attack on Microsoft IIS against the U.S. Air Force prior to the March 13, 2003 release of MS03-007), and surely false, if by "reported" he means reported to the general public, e.g., via a published security advisory.

Omissions include his discussion on p. 93 of Israeli intelligence actions against U.S. corporations, where he says "an Israeli telecommunications [company, sic] acquired a U.S. domestic carrier" and "now has control and access to the phone lines of many companies," but doesn't name the company. Why not? Isn't this something of importance for U.S. companies to be aware of? (Perhaps he is referring to Verint, formerly Comverse Infosys.)

Similarly, on p. 94 he writes that "There are also the recent charges of a Pentagon official who passed classified documents to Israel through a political lobbying group," but omits any details, even though these charges against Lawrence Franklin, who worked under Douglas Feith at the Pentagon, were well known (and Franklin has since confessed).

On p. 95 he writes of a German intelligence project, Project Rahab, that "one of [its] major reported successes includes infiltration of the SWIFT system, which is one of the world's major financial networks." Again, no references--in this case, the allegation probably comes from Timothy Haight's article "High Tech Spies" in the July 5, 1993 issue of Time magazine (p. 24), regarding the BND (German intelligence) use of a virus written by Chaos Computer Club member Bernd Fix. According to Fix (search the web for Rahab, SWIFT, and Bernd Fix and you'll find his commentary on this), there have been a lot of wild claims made, and he can't vouch for any of them. Any of these omissions could have been elaborated on and made the book much more interesting.

Winkler's self-aggrandizing can be found at a number of points throughout the book, such as on p. 84 where he writes that a small literary agency can represent people "some of whom (such as myself) have access to sensitive information." My favorite example is on p. 121 under the heading "personal aggrandizement," where Winkler writes that "An individual's desire to impress others has caused some of the biggest security problems in history." In the very next paragraph, he writes, "As I mention in the Introduction, one of my female friends was a CIA operative who posed in Playboy magazine."

Still, the book is worthwhile for a solid collection of vulnerabilities and countermeasures if you don't already have one, and the case studies are enjoyable (some of which are from Winkler's direct experience, others of which are reports of cases which have been reported on elsewhere, such as Alexey Ivanov in chapter 10 and Abraham Abdallah in chapter 11). One weakness of chapter 13 ("Taking Action", about setting up a security program and implementing countermeasures) is that it gives short shrift (p. 304) to measurement of effectiveness and the security life cycle.
 
6 of 6 people found the following review helpful:
5.0 out of 5 stars Wake up managers!, December 9, 2005
Read this book to appreciate what is (or should be) keeping your Information Security Manager awake at nights, and to understand what he/she probably wants (or ought) to do about it.

Ira learnt his trade working for the US National Security Agency. His spooky background provides a somewhat disturbing undercurrent throughout the book but this is neither a James Bond training manual nor a shock horror exposé of the murky world of spies. It is in fact a very broad exposition highlighting the urgent need for all organizations to implement suitable information security controls.

Chapter five "How the spies really get you" should be compulsory reading for all managers. In less than fifty pages, Ira explains how virtually anyone in or associated with the average organization may represent a vulnerability, some more than others. I challenge any experienced manager to read this chapter without thinking about probable weaknesses in their own organization, perhaps even in their own departments.

If chapter five piques your interest, I guarantee you will enjoy the rest of the book. The previous four chapters set the scene, explaining that information security is far more than simply a matter of implementing system/network access controls. The next six chapters (part II of the book) present compelling case studies built (we are told) around genuine real-world situations. Ira is known for describing attack methods quite explicitly, meaning that having read the case studies, you will be in a similar position to those who actually committed these attacks. Each case concludes with a description of the vulnerabilities exploited.

The final two chapters (part III) attempt to redress the balance by explaining how to address the risks presented in the rest of the book and so 'stop the spies'. Given the broad nature of the threats and vulnerabilities described in parts I and II, it would be unrealistic to expect to get a complete set of answers in just two short chapters ... but that would miss the whole point of the book. Part III gives an overview of the main elements of most information security programs. In one, two or occasionally three paragraphs, Ira explains what the average Information Security Manager actually means by concepts such as single sign on and defense in depth.

This book should provide a wake-up call to complacent managers who feel their organizations are somehow immune to industrial espionage, social engineers and even terrorist infiltration.
 
4 of 4 people found the following review helpful:
5.0 out of 5 stars So how at risk are you?, July 17, 2005
By Thomas Duff "Duffbert" (Portland, OR United States) (TOP 50 REVIEWER) (REAL NAME)
So just how safe are you and your company/organization? My guess is, not very. Spies Among Us by Ira Winkler will definitely drive home that fact...

Contents:
Part 1 - Espionage Concepts: How To Be A Spy; Why You Can Never Be Secure; Death By 1000 Cuts; Spies And Their Friends; How The Spies Really Get You
Part 2 - Case Studies: Spy vs. Spy; Nuclear Meltdown; Fill'er Up!; The Entrepreneur; The Criminal Face Of The Internet Age; Crimes Against Individuals
Part 3 - Stopping The Spies: Taking Control; Taking Action; Index

Winkler is someone who does "attacks" for a living. He routinely is hired by companies to do threat assessment on their systems and locations, and unfortunately he is often successful with far too little effort. These assessments could be just a simulated attack to gain access to secured locations and systems that could then be compromised, clear up to security of nuclear facility information and terrorist attacks on fueling facilities at airports. It's that last one that is scary, in that it was done in a post-9/11 environment, and went off without a hitch. We're just not in the "security mindset" in most cases.

But rather than just go on about how easy it is to hack and crack systems, he also offers plenty of advice on how best to build a security program that is effective (both from a cost and result perspective). Each of the case studies ends with a summary that shows how something like this could happen, as well as what vulnerabilities were found and exploited. That piece by itself would be worth the cost of the book. But the final two chapters are where you'll benefit most. Winkler covers a multitude of counter-measures (personnel, physical, operational, technical) that can be implemented in order to have a more secure environment. The final chapter then explains how to implement a comprehensive program based on the value of your information and the amount of risk present. Rather than just saying "do this, this, and this", you get a customized approach based on your own unique situation. Really good stuff...

As he states early on in the book, there's no way to be 100% safe and secure. But you can do far more than "hope for the best". This is the book that can help you understand just how dangerous things can be and how at risk you are...
 
Most Recent Customer Reviews

4.0 out of 5 stars A Look Into Security Few Understand
I come from the enterprise/corporate security world. Ira understands the spook side of security where budgets are greater, time more plentiful and stakes quite high. A good read.
Published 3 months ago by Hayes

5.0 out of 5 stars Great Read
This is an excellent book and it reads well. Since I have worked in some of the arenas the book presents I can relate to the subject matter.
Published 5 months ago by Mark O. Washington

5.0 out of 5 stars Opened my "Information Security" eyes.
This book has really opened my eyes to issues I never thought of in Information Security.

WARNING: This book might make you lose sleep at night.
Published 11 months ago by Senrats

5.0 out of 5 stars Probably the most informative book on the subject ever written
Good work!!!!

And from a REAL LIFE perspective... that anyone can grasp.
Published 23 months ago by T. Martinez

4.0 out of 5 stars Editors should not title books
I'm an information security professional - I read Ira Winkler because he knows what's what - but I am very annoyed at the editors for choosing such a stupid subtitle.
Published on June 6, 2007 by Randy Bridges

5.0 out of 5 stars Another Excellent Book From Ira Winkler
In Spies Among Us, author Ira Winkler continues his unique knack for writing on deeply serious topics using his characteristic light and very readable style.
Published on May 31, 2007 by K. E. Peterson

2.0 out of 5 stars Corporate Espionage second printing? (Yet not as good)
If you already own Corporate Espionage, save your money. If you don't own Corporate Espionage, buy it instead of Spies Among Us.
Published on April 28, 2007 by Christopher Meyer

3.0 out of 5 stars It's OK, from a master of Information Protection.
This book was somewhat of a let down. I was expecting a great follow up from Winkler's book, "Corporate Espionage.
Published on February 17, 2007 by Richard Campbell

3.0 out of 5 stars Very general - fun read
Not a lot of depth here, but still a very interesting read. Don't get this book if you are looking for a detailed analysis of the threats that can be perpetrated by people we come...
Published on November 15, 2006 by Security in Texas

4.0 out of 5 stars Essential reading
Reveals the many ways in which private information can be compromised. Should be required reading in schools. Prepares one for the real world of the 21st century.
Published on November 10, 2006 by R. Suomala
