Formats and Prices
This item is a preorder. Your payment method will be charged immediately, and the product is expected to ship on or around September 10, 2019. This date is subject to change due to shipping delays beyond our control.
Be online without leaving a trace. Your every step online is being tracked and stored, and your identity literally stolen. Big companies and big governments want to know and exploit what you do, and privacy is a luxury few can afford or understand.
In this explosive yet practical book, Kevin Mitnick uses true-life stories to show exactly what is happening without your knowledge, teaching you "the art of invisibility" — online and real-world tactics to protect you and your family, using easy step-by-step instructions.
Reading this book, you will learn everything from password protection and smart Wi-Fi usage to advanced techniques designed to maximize your anonymity. Kevin Mitnick knows exactly how vulnerabilities can be exploited and just what to do to prevent that from happening.
The world's most famous — and formerly the US government's most wanted — computer hacker, he has hacked into some of the country's most powerful and seemingly impenetrable agencies and companies, and at one point was on a three-year run from the FBI. Now Mitnick is reformed and widely regarded as the expert on the subject of computer security. Invisibility isn't just for superheroes; privacy is a power you deserve and need in the age of Big Brother and Big Data.
"Who better than Mitnick — internationally wanted hacker turned Fortune 500 security consultant — to teach you how to keep your data safe?" —Esquire
Time to Disappear
Almost two years to the day after Edward Joseph Snowden, a contractor for Booz Allen Hamilton, first disclosed his cache of secret material taken from the National Security Agency (NSA), HBO comedian John Oliver went to Times Square in New York City to survey people at random for a segment of his show on privacy and surveillance. His questions were clear. Who is Edward Snowden? What did he do?1
In the interview clips Oliver aired, no one seemed to know. Even when people said they recalled the name, they couldn't say exactly what Snowden had done (or why). After becoming a contractor for the NSA, Edward Snowden copied thousands of top secret and classified documents that he subsequently gave to reporters so they could make them public around the world. Oliver could have ended his show's segment about surveillance on a depressing note—after years of media coverage, no one in America really seemed to care about domestic spying by the government—but the comedian chose another tack. He flew to Russia, where Snowden now lives in exile, for a one-on-one interview.2
The first question Oliver put to Snowden in Moscow was: What did you hope to accomplish? Snowden answered that he wanted to show the world what the NSA was doing—collecting data on almost everyone. When Oliver showed him the interviews from Times Square, in which one person after another professed not to know who Snowden was, his response was, "Well, you can't have everyone well informed."
Why aren't we more informed when it comes to the privacy issues that Snowden and others have raised? Why don't we seem to care that a government agency is wiretapping our phone calls, our e-mails, and even our text messages? Probably because the NSA, by and large, doesn't directly affect the lives of most of us—at least not in a tangible way, as an intrusion that we can feel.
But as Oliver also discovered in Times Square that day, Americans do care about privacy when it hits home. In addition to asking questions about Snowden, he asked general questions about privacy. For example, when he asked how they felt about a secret (but made-up) government program that records images of naked people whenever the images are sent over the Internet, the response among New Yorkers was also universal—except this time everyone opposed it, emphatically. One person even admitted to having recently sent such a photo.
Everyone interviewed in the Times Square segment agreed that people in the United States should be able to share anything—even a photo of a penis—privately over the Internet. Which was Snowden's basic point.
It turns out that the fake government program that records naked pictures is less far-fetched than you might imagine. As Snowden explained to Oliver in their interview, because companies like Google have servers physically located all over the world, even a simple message (perhaps including nudity) between a husband and wife within the same US city might first bounce off a foreign server. Since that data leaves the United States, even for a nanosecond, the NSA could, thanks to the Patriot Act, collect and archive that text or e-mail (including the indecent photo) because it technically entered the United States from a foreign source at the moment when it was captured. Snowden's point: average Americans are being caught up in a post-9/11 dragnet that was initially designed to stop foreign terrorists but that now spies on practically everyone.
You would think, given the constant news about data breaches and surveillance campaigns by the government, that we'd be much more outraged. You would think that given how fast this happened—in just a handful of years—we'd be reeling from the shock and marching in the streets. Actually, the opposite is true. Many of us, even many readers of this book, now accept to at least some degree the fact that everything we do—all our phone calls, our texts, our e-mails, our social media—can be seen by others.
And that's disappointing.
Perhaps you have broken no laws. You live what you think is an average and quiet life, and you feel you are unnoticed among the crowds of others online today. Trust me: even you are not invisible. At least not yet.
I enjoy magic, and some might argue that sleight of hand is necessary for computer hacking. One popular magic trick is to make an object invisible. The secret, however, is that the object does not physically disappear or actually become invisible. The object always remains in the background, behind a curtain, up a sleeve, in a pocket, whether we can see it or not.
The same is true of the many personal details about each and every one of us that are currently being collected and stored, often without our noticing. Most of us simply don't know how easy it is for others to view these details about us or even where to look. And because we don't see this information, we might believe that we are invisible to our exes, our parents, our schools, our bosses, and even our governments.
The problem is that if you know where to look, all that information is available to just about anyone.
Whenever I speak before large crowds—no matter the size of the room—I usually have one person who challenges me on this fact. After one such event I was challenged by a very skeptical reporter.
I remember we were seated at a private table in a hotel bar in a large US city when the reporter said she'd never been a victim of a data breach. Given her youth, she said she had relatively few assets to her name, hence few records. She never put personal details into any of her stories or her personal social media—she kept it professional. She considered herself invisible. So I asked her for permission to find her Social Security number and any other personal details online. Reluctantly she agreed.
With her seated nearby I logged in to a site, one that is reserved for private investigators. I qualify as the latter through my work investigating hacking incidents globally. I already knew her name, so I asked where she lived. This I could have found on the Internet as well, on another site, if she hadn't told me.
In a couple of minutes I knew her Social Security number, her city of birth, and even her mother's maiden name. I also knew all the places she'd ever called home and all the phone numbers she'd ever used. Staring at the screen, with a surprised look on her face, she confirmed that all the information was more or less true.
The site I used is restricted to vetted companies or individuals. It charges a low fee per month plus additional costs for any information lookups, and from time to time it will audit me to find out whether I have a legitimate purpose for conducting a particular search.
But similar information about anyone can be found for a small lookup fee. And it's perfectly legal.
Have you ever filled out an online form, submitted information to a school or organization that puts its information online, or had a legal case posted to the Internet? If so, you have volunteered personal information to a third party that may do with the information what it pleases. Chances are that some—if not all—of that data is now online and available to companies that make it their business to collect every bit of personal information off the Internet. The Privacy Rights Clearinghouse lists more than 130 companies that collect personal information (whether or not it's accurate) about you.3
And then there's the data that you don't volunteer online but that is nonetheless being harvested by corporations and governments—information about whom we e-mail, text, and call; what we search for online; what we buy, either in a brick-and-mortar or an online store; and where we travel, on foot or by car. The volume of data collected about each and every one of us is growing exponentially each day.
You may think you don't need to worry about this. Trust me: you do. I hope that by the end of this book you will be both well-informed and prepared enough to do something about it.
The fact is that we live with an illusion of privacy, and we probably have been living this way for decades.
At a certain point, we might find ourselves uncomfortable with how much access our government, our employers, our bosses, our teachers, and our parents have into our personal lives. But since that access has been gained gradually, since we've embraced each small digital convenience without resisting its impact on our privacy, it becomes increasingly hard to turn back the clock. Besides, who among us wants to give up our toys?
The danger of living within a digital surveillance state isn't so much that the data is being collected (there's little we can do about that) but what is done with the data once it is collected.
Imagine what an overzealous prosecutor could do with the large dossier of raw data points available on you, perhaps going back several years. Data today, sometimes collected out of context, will live forever. Even US Supreme Court justice Stephen Breyer agrees that it is "difficult for anyone to know, in advance, just when a particular set of statements might later appear (to a prosecutor) to be relevant to some such investigation."4 In other words, a picture of you drunk that someone posted on Facebook might be the least of your concerns.
You may think you have nothing to hide, but do you know that for sure? In a well-argued opinion piece in Wired, respected security researcher Moxie Marlinspike points out that something as simple as being in possession of a small lobster is actually a federal crime in the United States.5 "It doesn't matter if you bought it at a grocery store, if someone else gave it to you, if it's dead or alive, if you found it after it died of natural causes, or even if you killed it while acting in self-defense. You can go to jail because of a lobster."6 The point here is there are many minor, unenforced laws that you could be breaking without knowing it. Except now there's a data trail to prove it just a few taps away, available to any person who wants it.
Privacy is complex. It is not a one-size-fits-all proposition. We all have different reasons for sharing some information about ourselves freely with strangers and keeping other parts of our lives private. Maybe you simply don't want your significant other reading your personal stuff. Maybe you don't want your employer to know about your private life. Or maybe you really do fear that a government agency is spying on you.
These are very different scenarios, so no one recommendation offered here is going to fit them all. Because we hold complicated and therefore very different attitudes toward privacy, I'll guide you through what's important—what's happening today with surreptitious data collection—and let you decide what works for your own life.
If anything, this book will make you aware of ways to be private within the digital world and offer solutions that you may or may not choose to adopt. Since privacy is a personal choice, degrees of invisibility, too, will vary by individual.
In this book I'll make the case that each and every one of us is being watched, at home and out in the world—as you walk down the street, sit at a café, or drive down the highway. Your computer, your phone, your car, your home alarm system, even your refrigerator are all potential points of access into your private life.
The good news is, in addition to scaring you, I'm also going to show you what to do about the lack of privacy—a situation that has become the norm.
In this book, you'll learn how to:
encrypt and send a secure e-mail
protect your data with good password management
hide your true IP address from places you visit
obscure your computer from being tracked
defend your anonymity
and much more
Now, get ready to master the art of invisibility.
Your Password Can Be Cracked!
Jennifer Lawrence was having a rough Labor Day weekend. The Academy Award winner was one of several celebrities who woke one morning in 2014 to find that their most private pictures—many of which showed them in the nude—were being splashed about on the Internet.
Take a moment to mentally scan all the images that are currently stored on your computer, phone, and e-mail. Sure, many of them are perfectly benign. You'd be fine with the whole world seeing the sunsets, the cute family snapshots, maybe even the jokey bad-hair-day selfie. But would you be comfortable sharing each and every one of them? How would you feel if they suddenly all appeared online? Maybe not all our personal photos are salacious, but they're still records of private moments. We should be able to decide whether, when, and how to share them, yet with cloud services the choice may not always be ours.
The Jennifer Lawrence story dominated the slow Labor Day weekend news cycle in 2014. It was part of an event called theFappening, a huge leak of nude and nearly nude photographs of Rihanna, Kate Upton, Kaley Cuoco, Adrianne Curry, and almost three hundred other celebrities, most of them women, whose cell-phone images had somehow been remotely accessed and shared. While some people were, predictably, interested in seeing these photos, for many the incident was an unsettling reminder that the same thing could have happened to them.
So how did someone get access to those private images of Jennifer Lawrence and others?
Since all the celebrities used iPhones, early speculation centered on a massive data breach affecting Apple's iCloud service, a cloud-storage option for iPhone users. As your physical device runs out of memory, your photos, new files, music, and games are instead stored on a server at Apple, usually for a small monthly fee. Google offers a similar service for Android.
Apple, which almost never comments in the media on security issues, denied any fault on their end. The company issued a statement calling the incident a "very targeted attack on user names, passwords, and security questions" and added that "none of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."1
The photos first started appearing on a hacker forum well known for posting compromised photos.2 Within that forum you can find active discussions of the digital forensic tools used for surreptitiously obtaining such photos. Researchers, investigators, and law enforcement use these tools to access data from devices or the cloud, usually following a crime. And of course the tools have other uses as well.
One of the tools openly discussed on the forum, Elcomsoft Phone Password Breaker, or EPPB, is intended to enable law enforcement and government agencies to access iCloud accounts and is sold publicly. It is just one of many tools out there, but it appears to be the most popular on the forum. EPPB requires that users have the target's iCloud username and password information first. For people using this forum, however, obtaining iCloud usernames and passwords is not a problem. It so happened that over that holiday weekend in 2014, someone posted to a popular online code repository (Github) a tool called iBrute, a password-hacking mechanism specifically designed for acquiring iCloud credentials from just about anyone.
Using iBrute and EPPB together, someone could impersonate a victim and download a full backup of that victim's cloud-stored iPhone data onto another device. This capability is useful when you upgrade your phone, for example. It is also valuable to an attacker, who then can see everything you've ever done on your mobile device. This yields much more information than just logging in to a victim's iCloud account.
Jonathan Zdziarski, a forensics consultant and security researcher, told Wired that his examination of the leaked photos from Kate Upton, for example, was consistent with the use of iBrute and EPPB. Having access to a restored iPhone backup gives an attacker lots of personal information that might later be useful for blackmail.3
In October 2016, Ryan Collins, a thirty-six-year-old from Lancaster, Pennsylvania, was sentenced to eighteen months in prison for "unauthorized access to a protected computer to obtain information" related to the hack. He was charged with illegal access to over one hundred Apple and Google e-mail accounts.4
To protect your iCloud and other online accounts, you must set a strong password. That's obvious. Yet in my experience as a penetration tester (pen tester)—someone who is paid to hack into computer networks and find vulnerabilities—I find that many people, even executives at large corporations, are lazy when it comes to passwords. Consider that the CEO of Sony Entertainment, Michael Lynton, used "sonyml3" as his domain account password. It's no wonder his e-mails were hacked and spread across the Internet since the attackers had administrative access to most everything within the company.
Beyond your work-related passwords are those passwords that protect your most personal accounts. Choosing a hard-to-guess password won't prevent hacking tools such as oclHashcat (a password-cracking tool that leverages graphics processing units—or GPUs—for high-speed cracking) from possibly cracking your password, but it will make the process slow enough to encourage an attacker to move on to an easier target.
It's a fair guess that some of the passwords exposed during the July 2015 Ashley Madison hack are certainly being used elsewhere, including on bank accounts and even work computers. From the lists of 11 million Ashley Madison passwords posted online, the most common were "123456," "12345," "password," "DEFAULT," "123456789," "qwerty," "12345678," "abc123," and "1234567."5 If you see one of your own passwords here, chances are you are vulnerable to a data breach, as these common terms are included in most password-cracking tool kits available online. You can always check the site www.haveibeenpwned.com to see if your account has been compromised in the past.
In the twenty-first century, we can do better. And I mean much better, with longer and much more complex configurations of letters and numbers. That may sound hard, but I will show you both an automatic and a manual way to do this.
The easiest approach is to forgo the creation of your own passwords and simply automate the process. There are several digital password managers out there. Not only do they store your passwords within a locked vault and allow one-click access when you need them, they also generate new and really strong, unique passwords for each site when you need them.
Be aware, though, of two problems with this approach. One is that password managers use one master password for access. If someone happens to infect your computer with malware that steals the password database and your master password through keylogging—when the malware records every keystroke you make—it's game over. That person will then have access to all your passwords. During my pen-testing engagements, I sometimes replace the password manager with a modified version that transmits the master password to us (when the password manager is open-source). This is done after we gain admin access to the client's network. We then go after all the privileged passwords. In other words, we will use password managers as a back door to get the keys to the kingdom.
The other problem is kind of obvious: If you lose the master password, you lose all your passwords. Ultimately, this is okay, as you can always perform a password reset on each site, but that would be a huge hassle if you have a lot of accounts.
Despite these flaws, the following tips should be more than adequate to keep your passwords secure.
First, strong passphrases, not passwords, should be long—at least twenty to twenty-five characters. Random characters—ek5iogh#skf&skd—work best. Unfortunately the human mind has trouble remembering random sequences. So use a password manager. Using a password manager is far better than choosing your own. I prefer open-source password managers like Password Safe and KeePass that only store data locally on your computer.
Another important rule for good passwords is never use the same password for two different accounts. That's hard. Today we have passwords on just about everything. So have a password manager generate and store strong, unique passwords for you.
Even if you have a strong password, technology can still be used to defeat you. There are password-guessing programs such as John the Ripper, a free open-source program that anyone can download and that works within configuration parameters set by the user.6 For example, a user might specify how many characters to try, whether to use special symbols, whether to include foreign language sets, and so on. John the Ripper and other password hackers are able to permute the password letters using rule sets that are extremely effective at cracking passwords. This simply means it tries every possible combination of numbers, letters, and symbols within the parameters until it is successful at cracking your password. Fortunately, most of us aren't up against nation-states with virtually unlimited time and resources. More likely we're up against a spouse, a relative, or someone we really pissed off who, when faced with a twenty-five-character password, won't have the time or resources to successfully crack it.
Let's say you want to create your passwords the old-fashioned way and that you've chosen some really strong passwords. Guess what? It's okay to write them down. Just don't write "Bank of America: 4the1sttimein4ever*." That would be too obvious. Instead replace the name of your bank (for example) with something cryptic, such as "Cookie Jar" (because some people once hid their money in cookie jars) and follow it with "4the1st." Notice I didn't complete the phrase. You don't need to. You know the rest of the phrase. But someone else might not.
Anyone finding this printed-out list of incomplete passwords should be sufficiently confused—at least at first. Interesting story: I was at a friend's house—a very well-known Microsoft employee—and during dinner we were discussing the security of passwords with his wife and child. At one point my friend's wife got up and went to the refrigerator. She had written down all her passwords on a single piece of paper and stuck it to the appliance's door with a magnet. My friend just shook his head, and I grinned widely. Writing down passwords might not be a perfect solution, but neither is forgetting that rarely used strong password.
Some websites—such as your banking website—lock out users after several failed password attempts, usually three. Many sites, however, still do not do this. But even if a site does lock a person out after three failed attempts, that isn't how the bad guys use John the Ripper or oclHashcat. (Incidentally, oclHashcat distributes the hacking process over multiple GPUs and is much more powerful than John the Ripper.) Also, hackers don't actually try every single possible password on a live site.
Let's say there has been a data breach, and included within the data dump are usernames and passwords. But the passwords retrieved from the data breach are mere gibberish.
How does that help anyone break into your account?
Whenever you type in a password, whether it is to unlock your laptop or an online service—that password is put through a one-way algorithm known as a hash function. It is not the same as encryption. Encryption is two-way: you can encrypt and decrypt as long as you have a key. A hash is a fingerprint representing a particular string of characters. In theory, one-way algorithms can't be reversed—or at least not easily.
What is stored in the password database on your traditional PC, your mobile device, or your cloud account is not MaryHadALittleLamb123$ but its hash value, which is a sequence of numbers and letters. The sequence is a token that represents your password.7
It is the password hashes, not the passwords themselves, that are stored in the protected memory of our computers and can be obtained from a compromise of targeted systems or leaked in data breaches. Once an attacker has obtained these password hashes, the hacker can use a variety of publicly available tools, such as John the Ripper or oclHashcat, to crack the hashes and obtain the actual password, either through brute force (trying every possible alphanumeric combination) or trying each word in a word list, such as a dictionary. Options available in John the Ripper and oclHashcat allow the attacker to modify the words tried against numerous rule sets, for example the rule set called leetspeak—a system for replacing letters with numbers, as in "k3v1n m17n1ck." This rule will change all passwords to various leetspeak permutations. Using these methods to crack passwords is much more effective than simple brute force. The simplest and most common passwords are easily cracked first, then more complex passwords are cracked over time. The length of time it takes depends on several factors. Using a password-cracking tool together with your breached username and hashed password, hackers may be able to access one or more of your accounts by trying that password on additional sites connected to your e-mail address or other identifier.
In general, the more characters in your password, the longer it will take password-guessing programs such as John the Ripper to run through all the possible variations. As computer processors get faster, the length of time it takes to calculate all the possible six-character and even eight-character passwords is becoming a lot shorter, too. That's why I recommend using passwords of twenty-five characters or more.
After you create strong passwords—and many of them—never give them out. That seems painfully obvious, but surveys in London and other major cities show that people have traded their passwords in exchange for something as trivial as a pen or a piece of chocolate.8
A friend of mine once shared his Netflix password with a girlfriend. It made sense at the time. There was the immediate gratification of letting her choose a movie for them to watch together. But trapped within Netflix's recommended-movie section were all his "because you watched…" movies, including movies he had watched with past girlfriends. The Sisterhood of the Traveling Pants, for instance, is not a film he would have ordered himself, and his girlfriend knew this.
Of course, everyone has exes. You might even be suspicious if you dated someone who didn't. But no girlfriend wants to be confronted with evidence of those who have gone before her.
If you password-protect your online services, you should also password-protect your individual devices. Most of us have laptops, and many of us still have desktops. You may be home alone now, but what about those dinner guests coming later? Why take a chance that one of them could access your files, photos, and games just by sitting at your desk and moving the mouse? Another Netflix cautionary tale: back in the days when Netflix primarily sent out DVDs, I knew a couple who got pranked. During a party at their house, they'd left their browser open to their Netflix account. Afterward, the couple found that all sorts of raunchy B-and C-list movies had been added to their queue—but only after they'd received more than one of these films in the mail.
It's even more important to protect yourself with passwords at the office. Think of all those times you're called away from your desk into an impromptu meeting. Someone could walk by your desk and see the spreadsheet for the next quarter's budget. Or all the e-mails sitting in your inbox. Or worse, unless you have a password-protected screen saver that kicks in after a few seconds of inactivity, whenever you're away from your desk for an extended period—out to lunch or at a long meeting—someone could sit down and write an e-mail and send it as you. Or even alter the next quarter's budget.
Praise for The Art of Invisibility
"How would it feel to find out that your neighbor and friend has secretly observed you in your own home for years? The place that should be most private to you was not, and the intruder's devices themselves weren't something you'd ever have thought to look for. This kind of behavior is the opposite of giving normal people freedom and security, of valuing and respecting them as humans--and it's happening more and more. The answer to peeping eyes and cyber theft is to move society toward greater cyber-security and it all starts with essential education about being private and invisible in our daily lives. Kevin's book is the must read in this new world."—Steve Wozniak, cofounder, Apple Inc.
- "The FBI's most-wanted hacker."—Wired
- "Who better than Mitnick -- internationally wanted hacker turned Fortune 500 security consultant -- to teach you how to keep your data safe from spear phishing, computer worms, and Fancy Bears?"—Esquire
- "Offers a sobering reminder of how our raw data -- from email, cars, home Wi-Fi networks and so on -- makes us vulnerable."—Amy Webb, New York Times Book Review
- "Mitnick's new book aims to help everyone -- from the everyday internet users to the hardcore paranoid -- do a better job of keeping personal information private."—Laura Hautala, CNET
Praise for The Art of Deception
"The most famous computer hacker in the world. A tour de force."—Publishers Weekly
- "The world's most famous computer hacker and cybercult hero...has written a blueprint for system security based on his own experiences. Required reading for IT professionals, this book is highly recommended for public, academic, and corporate libraries."—Library Journal
Praise for Ghost in the Wires
"Intriguing, insightful and extremely educational into the mind of one who truly mastered the art of social engineering with the use of a computer and modern day technologies. I strongly believe that one can learn a great deal about protecting themselves once they understand how another one perpetrates the crime."—Frank W. Abagnale, author of Catch Me if You Can
- On Sale
- Sep 10, 2019
- Page Count
- 320 pages
- Back Bay Books