Good con artists are rarely spontaneous. They take time to observe their victims' behavior, then find subtle ways to exploit the predictable foibles of human nature. And while the resulting scams may seem elaborate, once they're explained, you see how simple they really are.

The same is true of criminal hackers online. The best hacks have been accomplished without special tools or technology. What hackers need is time to map target networks and locate convenient ways in.

More often than not, hackers gain entrance to networks not through gaping software or hardware security holes, but through some sort of human error. Sometimes it's something as simple as forgetting to change the default password on a router. Famed hacker Kevin Mitnick made a career out of breaking into corporate systems, not with technically complex exploits but with basic "social engineering."

Fictional accounts
A new book from Syngress Press, Stealing the Network: How to Own the Box,  supports the theory that most hacks are the result of human, not computer, weakness. The authors relate a number of fictional scenarios in which corporate networks are broken into because humans left them vulnerable.

There are more subtle reasons for online crime...such as revenge.

The book doesn't delve deeply into what motivates hackers. I think today their primary objective is to make money, not to become famous. In the early days of the Net, hackers committed exploits to boost their egos. Now, I think, the threat of arrest has left only a few serious criminals attempting break-ins again and again. For their specialized skills, some people are willing to pay--especially if the hacker is able to turn over 20 million credit card numbers or the latest software release from a major developer.

There are more subtle reasons for online crime, as well, such as revenge. The book tells the (fictional) story of an out-of-work IT tech who decides, after a year of unemployment, to get back at his former company. He stalks one of the company's HR employees and eventually discovers a Post-it Note containing a remote dial-in access number and a password that the staffer carelessly leaves behind in a cybercafe. When the dial-in number fails to provide the sort of access he wants, the unemployed man forges a security ID out of discarded company letterhead, clear plastic coating, and electrical tape (to suggest a magnetic strip along the backside) and gains physical access to the company headquarters and ultimately to the server room itself.

Hack people, not machines
While this book depicts extreme behavior, the scenarios are realistic. For instance, in one story, a hacker is able to steal software code because a system administrator names the servers after their functions--FTP server, mail server, staging server, and so on. This is something that occurs in real life and makes the life of a criminal hacker that much easier. A reoccurring mantra in the book seems to be, "I'm not hacking the system. I'm hacking the people who designed it."

While this book depicts extreme behavior, the scenarios are realistic.

Stealing the Network  is not for computer novices, as many technical terms are not fully explained. Still, for anyone with a modest understanding of computer security jargon and network architecture, it's a good read.

There are other books that seek to dispel the mystery behind criminal activity on the Internet, too, such as Osborne/McGraw-Hill's Hacker's Challenge 2. It describes fictional attacks, then asks the reader to figure out what happened before flipping to the back of the book for the "real" explanation.

No new information here
Some complain that these books are bad for security--that they both glamorize hackers and help those starting out in online crime to be more effective. I disagree. These books do not pass on any new information; they stick to material that's already been reported by the government or the media or is readily available on Haxor sites.

On the contrary, I believe these books can help improve the state of computer security by making more individuals and companies aware of how online crimes are actually committed--thus enabling them to better protect themselves in the future.

Do you think fictional--or actual--security exploits should be publicized? Why or why not? TalkBack to me.