BKHACKDM.RVW   20060910

"Hacking for Dummies", Kevin Beaver, 2004, 0-7645-5784-X, U$24.99/C$35.99/UK#16.99
%A   Kevin Beaver kbeaver@principlelogic.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2004
%G   0-7645-5784-X
%I   John Wiley & Sons, Inc.
%O   U$24.99/C$35.99/UK#16.99 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/076455784X/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/076455784X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/076455784X/robsladesin03-20
%O   Audience i- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   358 p.
%T   "Hacking for Dummies"

Why, yes, now that you mention it, I believe that I *did* use this title in an April Fools joke back in 2002 (cf. BKHAKDUM.RVW). Turns out the joke's on me: this time they're serious. Actually, the introduction points out that the book is about "ethical" hacking (otherwise known as penetration testing), and is intended for system administrators, information security managers, and security consultants who want some tips on security assessment. So it isn't exactly a "hack to secure" book, but I can't be expected to be happy about the title.

Part one is supposed to give you a foundation for ethical hacking. Chapter one, an introduction, sets out the usual "set a thief to catch a thief" argument, lists some attack types, and recommends that readers be ethical. The usual "hacker mindset" stereotypes are in chapter two. Chapter three has a terse but reasonable list of questions that may assist you in planning for a penetration test. Some initial sources of information that attackers will use to direct their assaults are given in chapter four.

Part two purports to get you started on the attack itself. Chapter five has a basic but haphazard discussion of social engineering. Physical security is important, but the material in chapter six is incomplete, and concentrates more on attacks than countermeasures. Random trivia about passwords is in chapter seven.

Part three turns to networks. Chapter eight looks at wardialling. (I agree that the practice should not be ignored, if only to find neglected modems, but the content is still obsolete.) A list of vulnerability scanning tools makes up chapter nine. Wireless hacking, in chapter ten, has a catalogue of tools, but also suggests useful countermeasures.

Part four looks at hacking the operating system. Chapter eleven repeats the inventory of Windows tools, twelve repeats the Linux utilities, and thirteen has different tools--because they are especially for Novell Netware.

Part five moves to application hacks. Poor information about malware, and weak suggestions about testing, are in chapter fourteen. Attacks against email and instant messaging, in chapter fifteen, are random, esoteric, and unrealistic. The content about attacks directed against web applications, in chapter sixteen, is disorganized and poorly explained.

Part six deals with the outcomes and results of an ethical hack. Chapter seventeen provides a terse list of contents for penetration test reports. Rectifying security problems is minimally covered in chapter eighteen. Ongoing security assessment and awareness programs are suggested in nineteen.

Part seven is the part of tens, comprising ten tips for getting management "buy in" (for the idea of "ethical hacking") and ten mistakes (in conducting a penetration test).

This book may be helpful as a source for suggesting vulnerability scanning tools, but not much else.

copyright Robert M. Slade, 2006   BKHACKDM.RVW   20060910