Follow the Author
The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data Hardcover – February 14, 2017
|New from||Used from|
Explore your book, then jump right back to where you left off with Page Flip.
View high quality images that let you zoom in to take a closer look.
Enjoy features only possible in digital – start reading right away, carry your library with you, adjust the font, create shareable notes and highlights, and more.
Discover additional details about the events, people, and places in your book, with Wikipedia integration.
Be online without leaving a trace. Your every step online is being tracked and stored, and your identity literally stolen. Big companies and big governments want to know and exploit what you do, and privacy is a luxury few can afford or understand.
In this explosive yet practical book, Kevin Mitnick uses true-life stories to show exactly what is happening without your knowledge, teaching you "the art of invisibility" -- online and real-world tactics to protect you and your family, using easy step-by-step instructions.
Reading this book, you will learn everything from password protection and smart Wi-Fi usage to advanced techniques designed to maximize your anonymity. Kevin Mitnick knows exactly how vulnerabilities can be exploited and just what to do to prevent that from happening.
The world's most famous -- and formerly the US government's most wanted -- computer hacker, he has hacked into some of the country's most powerful and seemingly impenetrable agencies and companies, and at one point was on a three-year run from the FBI. Now Mitnick is reformed and widely regarded as the expert on the subject of computer security. Invisibility isn't just for superheroes; privacy is a power you deserve and need in the age of Big Brother and Big Data.
"Who better than Mitnick -- internationally wanted hacker turned Fortune 500 security consultant -- to teach you how to keep your data safe?" --Esquire
"How would it feel to find out that your neighbor and friend has secretly observed you in your own home for years? The place that should be most private to you was not, and the intruder's devices themselves weren't something you'd ever have thought to look for. This kind of behavior is the opposite of giving normal people freedom and security, of valuing and respecting them as humans--and it's happening more and more. The answer to peeping eyes and cyber theft is to move society toward greater cyber-security and it all starts with essential education about being private and invisible in our daily lives. Kevin's book is the must read in this new world."―Steve Wozniak, cofounder, Apple Inc.
"The FBI's most-wanted hacker."―Wired
"Who better than Mitnick -- internationally wanted hacker turned Fortune 500 security consultant -- to teach you how to keep your data safe from spear phishing, computer worms, and Fancy Bears?"―Esquire
"Offers a sobering reminder of how our raw data -- from email, cars, home Wi-Fi networks and so on -- makes us vulnerable."―Amy Webb, New York Times Book Review
"Mitnick's new book aims to help everyone -- from the everyday internet users to the hardcore paranoid -- do a better job of keeping personal information private."―Laura Hautala, CNET
Praise for The Art of Deception
"The most famous computer hacker in the world. A tour de force."―Publishers Weekly
"The world's most famous computer hacker and cybercult hero...has written a blueprint for system security based on his own experiences. Required reading for IT professionals, this book is highly recommended for public, academic, and corporate libraries."―Library Journal
Praise for Ghost in the Wires
"Intriguing, insightful and extremely educational into the mind of one who truly mastered the art of social engineering with the use of a computer and modern day technologies. I strongly believe that one can learn a great deal about protecting themselves once they understand how another one perpetrates the crime."―Frank W. Abagnale, author of Catch Me if You Can
About the Author
- Publisher : Little, Brown and Company (February 14, 2017)
- Language : English
- Hardcover : 320 pages
- ISBN-10 : 0316380504
- ISBN-13 : 978-0316380508
- Item Weight : 1.17 pounds
- Dimensions : 6.35 x 1.25 x 9.55 inches
- Best Sellers Rank: #154,058 in Books (See Top 100 in Books)
- Customer Reviews:
About the author
Top reviews from the United States
There was a problem filtering reviews right now. Please try again later.
An important point to remember is that when the personal hotspot is turned on, the device registers with the closest cell tower. Furthermore, anonymity is supported by remembering to never turn on one's personal phone or laptop in the same place where turning on the anonymous laptop, burner phone, or anonymous hotspot takes place. As mentioned above, the Tor browser must always be used to create and access all online accounts associated with this anonymous identity. Protonmail.com, Tutanota.com, and fastmail.com are resources available that support anonymity. Funding to support an anonymous identity will have to be run through an anonymity mechanism: such as to convert prepaid giftcards into Bitcoin and then running the Bitcoin through a laundering service. Supporting this endeavor, the Tor browser can be used to set up an initial bitcoin wallet at paxful.com. And tumblers are a specific form of online laundering service where Bitcoin is taken from a variety of sources and then mixed together so that the result retains value and carries traces of many owners, thus diminishing further the possibility of identification. In addition to using the resources specified thus far, this endeavor makes advantageous the use of a VPN, and to make certain to closely review a VPN provider's terms of service and privacy policies. This complete 'invisibility' setup can cost from $200 up to $500; while while this requires a certain investment of capital, the pursuer of comprehensive privacy can them move onward.
With this set up in place, an important point to remember is that electronic devices can measure the nanosecond differences in the way each person presses keys on keyboards. This can lead to a 'keystroke profile' and to counter this, KeyBoard Privacy is an available plugin for the Chrome browser. Moving along after acknowledging this keyboard-related issue, the Deep web includes subscription-only sites and corporate intranet sites, whereas the Dark Web is where the Silk Road exists along with the ability to hire an assassin and acquire child pornography. Already mentioned a number of times, Tor (or the Onion router) was created by the US Naval Research Lab, and is vital for the implementation of these privacy steps while traveling. In this context, a number of pointers are important: 1. Clean up any sensitive data before you travel and perform a full backup. 2.Leave the data there [on the computer] but encrypt it with a strong key; do not keep the passphrase with you. 3.Upload the encrypted data to a cloud service, then download and upload as needed. 4.Use a free product such as VeraCrypt to create a hidden encrypted file folder on your hard drive. 5.Whenever entering your password into your devices, cover oneself and one's computer with a jacket. 6.Seal one's laptop and other devices in a FedEx or other Tyvek envelope and sign it.
Furthermore, this book also describes that there are Automated Targeting Systems (ATS) that create an automatic dossier about a traveller when commuting internationally. And when deleting data on a computer it is important to remember that deletion changes to the MBR entry for a file (the index used to find parts of the file on the hard drive); the file (or some of its parts) remains on the hard drive until the new data is written over that part; it is very difficult to 'wipe' a solid state drive. Related to this, an important point is that '...if you plug your iphone into another person's computer and 'trust' it, a trusted relationship is created between the computer and the iOS device which allows the computer to access photos, videos, SMS messages, call logs, and WhatsApp messages..' For iTunes backups, it is good to set a password for encrypted files. If an end-user needs to share files, and he or she is using an Apple product, there is the option to use 'Airdrop;' if a phone needs to be charged, the lightning cable plugged into the system or an electrical outlet, not into someone else's computer.
When going through any security checkpoint, it is important to make sure one's laptop and electronic devices are the last on the conveyor belt. Along with this, to encrypt an entire drive, there are different options available: Symantec's PGP Whole Disk Encryption, Windows WinMagic, and OSX File Vault 2. An important point to consider, along with drive encryption, is that Tails is an OS that can be booted up on any modern-day computer to avoid leaving any forensically recoverable data on the hard drive, preferably one that can be write-protected. Tails can be downloaded onto a DVD or USB stick, and the BIOS firmware or the EFI initial boot sequence can be set for either DVD or USB so as to boot the Tails distribution. And while the utility provides a useful advantage, there are potential issues with Bitlocker: it uses a pseudorandom number generator called Dual_EC_DRBG which might contain a NSA backdoor, it is privately owned, and the key must be shared with Microsoft unless purchased for $250.
Much more common than travelling is the reality of corporate work life. There is tracking software on Corporate Owned, Personally Enabled (COPE) smartphones and service trucks with GPS to surveil employees. Some companies monitor employee's outlook calendar entries, email headers, and I.M. logs, ostensibly used to help companies figure out how their employees are spending their time. Anything passing through a corporate network belongs to the company - it is not the employee's. And when at work an employee must remember to always lock his or her computer screen. If concerned about privacy, one needs to not do anything personal while at work. Keep a strict firewall between one's worklife and home life. Never use company wi-fi, turn off SSID broadcast if using a portable hotspot. There is the need to keep personal business out of the company computer systems, especially when searching for health-related topics or looking for a new job. There is also a technology called KeySweeper, which is a disquised USB charger that wirelessly and passively looks for, decrypts, logs, and reports back (over GSM) all keystrokes from any MS wireless keyboard in the vicinity, thus increasing the possibility of workplace surveillance.
Impacted by resources used frequently at the workplace, Google Drive has introduced a new information rights management (IRM) feature; in addition to the documents, spreadsheets, and presentations created within Google docs, Google Drive now accepts PDF and other file formats as well. Useful features include the ability to disable the download, print, and copy capabilities for commenters and viewers. An employee can also prevent anyone from adding additional people to a shared file. Of course these management features are only available to file owners. That means if someone has invited an employee to share a file that person has to set the privacy restriction. Similar to this, SpiderOak is a service provider that offers the full benefits of cloud storage and sync capability along with 100% data privacy; this resource protects sensitive data through 2-factor password authentication and 256-bit AES encryption so that files and passwords stay private. Another concern to keep in mind is that in 2013 Google started what is called hotwording, which is a feature that allows an end-user to give a simple command that activates the listening mode in Chrome.
Continuing with the topic of motoring, in one altercation with another motorist, the author describes: 'I grabbed my cell phone, called the DMV, and impersonated law enforcement. I got the DMV to run his plates, then they gave me his name, address, and SSN. Then I called AirTouch Cellular impersonating an AirTouch employee, and had them do a search on his SSN for any cellular accounts.' The author then gave the motorist a phonecall, communicating a terse reprimand. As an example from history, in 1888 that kind of constant exposure was still a shocking and disconcerting novelty. The Hartford Courant sounded an alarm: 'The sedate citizen can't indulge in any hilariousness without incuring the risk of being caught in the act and having his photograph passed around among his sunday-school children. And the young fellow who wishes to spoon with his best girl while sailing down the river must keep himself constantly sheltered.'
On a different note with usage of corporate resources, exchangeable image file (EIF) data in a digital image contains, among other things, the date and time when the picture was snapped, the make and model of the camera, and, if you have geolocation activated on the device taking the photo, the longitude and latitude of the place where you took the image. 'Some repressive governments ... have taken photos of protestors at large anti-government rallies and then put the images on the Web. This is not using image recognition software so much as it is crowdsourcing the identification process.' One can also perform what is called a reverse image search in google by clicking on the tiny camera within the google seach window and uploading any photo from your hard drive. In a few minutes the investigator will see any copies of that image findable online. In theory, if it one's own photo, he or she should know all the sites that came up in the results. Consistent with remaining vigilant while on business travel, if a dating site is in use and is being accessed from someone else's computer, or from a public kiosk computer, always remember to log out to make sure that no personally identifiable information is cached, or accessible to other kiosk users.
To remedy this concern, TorGuard and ExpressVPN are connection services that use TCP; one can also install a VPN on a mobile phone. Email providers such as google, yahoo, and MS retain login records for more than a year, and these reveal the particular IP addresses a consumer has logged in from. When one connects to a wireless network, the MAC address on a computer is automatically recorded by the wireless networking equipment. A best practice is to never trust a public PC terminal. Even if one is using a telephone-based dial-up modem or a cable-based ASM (any-source multicast) router (available from Cisco and Belkin, among others), these devices have had their share of software and configuration issues. It is best to always download the latest firmware and to update the router configuration settings. If an end-user does not have the instructions for the router in question, there's an online list of URLs that tells the investigator what to type into the browser window so as to connect directly to the router on a residential network.
Helping to understand better the need for VPNs, there is a hacker tool called Aircrack-NG that can reveal the authorized MAC address of a currently connected user and then an attacker can then the MAC address to connect to the wireles router. Also an important consideration with residential wireless security, WPS (Wireless protected setup) is vulnerable to the attack method called Pixie Dust, which is an offline attack that affects only a few chip makers, including Ralink, Realtek, and Broadcom, and it works by helping hackers gain access to the password on wireless routers. Therefore, it is a good idea to turn off WPS. There is also theft-tracking software: when someone using the software reports that his or her school system-issued laptop has been stolen, the school system administration department can log on to a website and see images from the stolen laptop's webcam as well as hear sounds from the microphone. Furthermore, whether from a corporate, educational, or private residential network, it is a good idea to avoid clicking on email attachments unless opening them in Google Quick View or Google Docs. AdBlockPlus is an effective ad-removal plugin that complements smooth email access in all these contexts and helps to minimize the possibility of malware infection.
Providing important perspective on when and when not to access certain online resources, 70% of health sites' URLs contain information exposing specific conditions, treatments, and diseases. While it is important to have HTTPS Everywhere enabled in the browser while accessing such material, any person using a browser needs to remember that it encrypts contents of sites but not the URL. In order to know better about how to be anonymous while online, Panopticlick<dot>com is a site built by the Electronic Frontier Foundation that will determine just how common or unique a browser configuration is compared to others. Marketers, criminal hackers, and governments are all trying to get information that a private end-user may not want to give. Addressing this concern, NoScript is a Firefox plugin that effectively blocks just about everything considered harmful to the typical residential computer (the equivalent for Chrome is called ScriptBlock). With such a resource implemented, there should be no flashing ads on the google home page, otherwise the computer/browser may be compromised. For both Firefox and Chrome, Ghostery is a utility that identifies all the web traffic trackers that sites use to follow an individual end-user's activity. Having multiple online personality profiles dilutes the privacy impact of having only one identifiable address, and thus the serious pursuer of anonymity must be firmly aware of hardware, software, and circumstantial challenges.
To add further perspective with web browser security, magic cookies provide third parties with information about account and specific preferences; they are proxies for the data that lives on the back end of the website. OAuth is an authentication protocol that allows a site to trust an end-user even if one does not enter a password, and thus is important to be aware of. Facebook Disconnect for Chrome is used to block facebook services on third party sites. 'Given what Facebook knows about its 1.65 billion subscribers, the company has been fairly benevolent - so far. It has a ton of data, but it, like Google, has chosen not to act on all of it.' 'The best way to remove a toolbar is to uninstall it the way you would uninstall any program on your traditional PC. But some of the most persistent and parasitic toolbars may require you to download a removal tool, and often the process of uninstalling can leave behind enough information to allow advertising agents related to the toolbar to reinstall it.' 'A geolocation discrepancy like this often flags an attempt to purchase as possible abuse. [in reference to online transactions made via Tor].'
As an aside, an important piece of meta-data is that open-source and nonprofit organizations provide perhaps the most secure software and services because there are literally thousands of eyes pouring over the code and flagging anything that looks suspicious or vulnerable. Apps such as AIM, Blackberry Messenger, and Skype all store messages without encrypting them. That means the service provider can read the content (if it's stored in the cloud) and use it for advertising. AIM keeps an archive of all messages sent through its service; it also saves the message content, keeping records of the messages in the cloud in case the end-user ever wants to access a chat history from any device different from the one where the last session took place. Off the Record (OTR) messaging is a higher standard of end-to-end encryption protocol used for text messages and can be found in a number of products: ChatSecure, Signal, Cryptocat, and Tor Messenger and thus directly supports a project of anonymous internet usage.
To clarify an important point with the usage of mobile devices, the IMSI (International Mobile Subscriber Identity) is a unique number assigned to a phone's SIM card; the first part of that number uniquely identifies the mobile network operator and the remaining part identifies the mobile phone. With mobile devices in general, the 2G network offered two standards: Global System for Mobile Communications (GSM) and Code Division Multiple Access (CDMA). That technology also introduced short message service (SMS), unstructured supplementary service data (USSD), and other simple communication protocols that are still in use. While in a live environment, an important piece of information is that Signalling System Protocol keeps mobile calls connected when driving along a freeway and switching from cell tower to cell tower; this handles the process for call establishment, billing, routing, and information exchange functions. VoIP uses the same coaxial cable that brings streaming video and high-speed internet into your home. '...Whenever you write an email, no matter how inconsequential, and even if you delete it from your inbox, remember that there's an excellent chance that a copy of those words and images will be scanned and will live on.'
As countermeasures for this risk, PGP, OpenPGP, and GPG (GNU Privacy Guard) are interoperational methods of email encryption. '...When you receive an unsolicited phone call from your bank asking for your SSN or account info you should always hang up and call the bank yourself.' Public algorithms have been vetted for weakness (as discussed above with opensource software). When one encrypts a message - an email, text, or phone call - it is highly adviseable to use end-to-end encryption. That means the message stays unreadable until it reaches its intended recipients; only sender and receiver have the key to decode; a researcher can do a google search for 'End-to-End Encryption Voice Call. [to circle back to the brief discussion above about VoIP]' On the same note, MailVelope is a PGP plug-in that handles the public and private encryption keys. Metadata is information in the to and from fields, IP address of involved servers, and the subject line. These pieces of information are not typically encrypted. Therefore, third parties will still be able to see the metadata of an encrypted message unless this concern is specifically addressed.
Moving on with the topic of telephony, Call Detail Records (CDRs) show the time a call was made, number dialed, length of the call, and number of times a particular number was called; this information can be used in tandem with social engineering (which is a 'hacking technique that uses manipulation, deception, and influence to get a human target to comply with a request'). An app developed at Dartmouth College matches patterns of stress, depression, and loneliness in user data, and thus very intimate details can be divulged in an unsecured discussion. To be truly invisible and counter such a concern, a few things are essential: removal of true IP address, obfuscation of hardware and software, and defense of anonymity. Instead of hosting one's own proxy, he or she can use a service known as an 'anonymous remailer' which will mask your email's IP address for the sender. These services can be identified with a search engine and change the email addresses of the sender before sending the message to its intended recipient. And an anonymous remailer can be used in tandem with Tor, which was designed to be used by people living in harsh regimes as a way to avoid censorship of popular media and services and to prevent anyone from tracking what search terms they use. There are several weaknesses with Tor: no control over the exit nodes, which may be under the control of government or law enforcement, a user can still be profiled and possibly identified, and Tor is very slow [due to the additional, robust security precautions]. A very basic rule is that one has to keep anonymous accounts completely separate from anything that could relate back to a true identity (and the Tor browser certainly helps with this). To communicate in secrecy, one will need to create new email accounts using Tor so that the IP address setting up the account is not associated with a real identity in any way.
Moving on, there are email services that don't require verification, and if one does not need to worry about authorities, Skype numbers work well for google account registration and similar stuff; after using Tor to randomize the IP address, and after creating a gmail account that has nothing to do with one's real phone number, google sends the phone number a verification code or a voice call. An end-user needs to be aware of all the ways that someone can identify him or her even if undertaking some (but not all) of the precautions described; an explorer needs to perform due dilligence every time anonymous accountsare used. As emphasized above, end-to-end encryption is very important.
Reflecting the impressive breadth of this book, Elcomsoft Phone Password Breaker (EPPB) is discussed as a utility that is intended to enable law enforcement to access iCloud accounts. Similar to this, iBrute is a password-hacking mechanism specifically designed for acquiring iCloud credentials. Choosing a hard-to-guess password will not prevent hacking tools like oclHashcat, which leverages GPUs for high-speed cracking. Similarly, John the Ripper is an open source password guessing program; it is able to permute the password letters using rule sets that are extremely effective. With that said, obfuscation is a powerful factor, as being one of hundreds of millions of participants in the world-wide online community, and also the time-intensive nature of cracking well-put-together passwords.
On this very same note, one also have the option to forego the creation of a password and automate the process with a digital password manager; he or she can use a digital locked vault and allow one-click access when needed; password managers use one master password for access; if the master password is lost then all passwords are lost. Very similar to password selection, Strong passphrases of at least twenty characters are the best and it is best to never use the same password/passphrase for two different accounts; PasswordSafe and KeePass are open-source password managers that only store
Anyway, as a developer and security enthusiast, I've always been interested in the hacking scene. Back then, when Kevin Mitnick and Kevin Poulson were in the news because of their "activities", I was glued to the t.v. I wanted to know everything they did! See, the thing is, I was like them. I craved knowledge. I wanted to explore that hidden and forbidden world of the byte and the baud that consisted of inter-connected mainframes and central stations via phone lines. I dialed into a lot of "boards" (BBSes) and got "forbidden knowledge" of what they used to call "phreaking" (phone hacking) from text files uploaded by phreakers. I thought it was just fun and games and never really did anything with the so-called "power" that I had gleaned from those text files.
Fast forward to today, things are a lot worse, security-wise, with regards to computer security and threats to your private information. Especially since our daily lives are now entertwined with this ubiquitous thing called the internet. Every interaction we perform in our browsers, or internet-enabled applications, leaves information and trails that can be used against us. Our phones, even our automobiles, can be used to track us via GPS. Our credit card purchases can be used to build profiles of us that can be bought and sold to third party customers. Recently, the current U.S. Republican administration repealed a bill that would've prevented ISPs from selling your browsing information to private parties. Nothing you do online is private anymore. Nothing. This isn't like information that Facebook and Google collect on you. The ISP information is every single page that you go to in your browser. Think about this, for a moment: You have a medical condition. It's being treated and no one but your closest family knows about it. Like almost everyone with your condition, you browse online about it and have joined online support groups. Your child also suffers from a condition. They are autistic. Like almost any concerned parent, you look online to learn more about you child's condition and, too, to share your experiences and learn from others in similar situations. Recently, you've applied for a new job through a recruiter. They assure you that you're a perfect fit based on your resume and your phone screening interview with them. They want to pass your resume on to the company now, which you give your consent to do so. Now, the company that will be doing the hiring does something that, in the past, they couldn't have done: They buy your browsing history from your local ISP. They don't need your consent for this. Your browsing data is considered the ISPs property now and can be sold as a commodity that is tied directly to you. Your prospective employer can now see that, based on your browsing history, that you have a medical condition and a child with autism. Which, more than likely, means you will probably miss a lot of work. So, they do what any good business will do: They pass on your resume. You don't even get a chance to interview with them. Your resume gets deep-sixed based soley off your browsing history and nothing else.
Now, with that nightmare scenario fresh in your head, I want you to understand that when I say this book can help you to avoid such a situation, I really mean it. From encrypting your email, to setting up a VPN, to using the anonymous Tor Onion browser and other security methods, this book can help someone that doesn't know anything about internet security by showing them how to secure their private information, their browsing habits, their email, and all online activity. Seriously, in this day and age, it's almost a sin not to be aware of at least the basic dangers out there in "cyberspace". With this book, you can be very sure that if you follow the steps provided, you'll be very secure from most of those threats.
Top reviews from other countries
I'm trying to learn about offsec to eventually do the course and the exam, and this book gives me a good sense of what sort of things I should be looking for as a wanna-be security specialist.