BKHKRBWR.RVW   20010829

"Hackers Beware", Eric Cole, 2001, 0-7357-1009-0, U$45.00/C$67.95/UK#34.99
%A   Eric Cole www.securityhaven.com eric@securityhaven.com
%C   201 W. 103rd Street, Indianapolis, IN 46290
%D   2002
%G   0-7357-1009-0
%I   Macmillan Computer Publishing (MCP)
%O   U$45.00/C$67.95/UK#34.99 800-858-7674 317-581-3743 info@mcp.com
%P   778 p.
%T   "Hackers Beware: Defending Your Network from the Wiley Hacker"

It is difficult to maintain confidence in a book that, within six sentences of the opening of the first chapter, misspells the word "brakes." We are told that two developmental editors, two copy editors, two proofreaders, and no fewer than five technical reviewers had at this work. Did any of them pay attention to what they were reading?

Chapter one basically states that dangers are out there, security is bad, and companies should be concentrating on prevention, detection, and education. Cole also nudges at the "hacking for protection" theory, without ever really examining it. A brief but reasonable list of security breaking activities is given in chapter two. Various steps and tools involved in gathering information about a network connected to the Internet are described in chapter three. Unfortunately, this explanation, while helpful to a potential attacker, has no utility for the defender: almost all of the data discussed must be publicly available for the network to function, and so there are no means of blocking this level of access. Spoofing, or masquerading, is dealt with in chapter four, but again, while some protective measures are provided, much more time is spent on the disease than the cure. After twenty-six pages of telling you how to hijack sessions, including the best programs to use and how to operate them, chapter five gives us two pages of simplistic advice (avoid remote connections) on protection.
Chapter six lists a number of common denial of service attacks and, while it does devote a lot of ink to describing the exploits, the material is reasonably balanced, and the suggested defensive measures realistic. Chapter seven requires almost forty pages to tell us that buffer overflows are not good, and you should apply software patches. Password security is very important, but the material in chapter eight is vague, disorganized, and has relatively little to say about good password choice. (Chapters nine and ten describe some NT and UNIX password cracking programs.) The examination of background fundamentals of NT, in chapter eleven, is a terse and unfocused grab bag of information. It would be of little help in explaining the specific attack programs listed in chapter twelve, a number of which rely on particular applications. The same relation holds for chapters thirteen and fourteen, relating to UNIX. A number of backdoor and remote access trojan programs are described in chapter fifteen. Chapter sixteen discusses log files, and lists some programs for generating spurious network traffic in order to hide attacks. Some random exploits are listed in chapter seventeen, and a few more in eighteen. An attempt is made to combine various attacks into scenarios, in chapter nineteen, but these do not add anything to the material already provided. Chapter twenty is the usual vague look to the future.

This book takes the all-too-common approach of assuming that teaching you how to break into systems will help you to protect them. The work also amply demonstrates the fallacy of that argument. While the harried systems administrator spends several hours coming to grips with the minutiae of the attacks described, the vast majority of the exploits listed can be countered simply by ensuring that software patches are up to date. In addition, while dozens of loopholes are listed in these pages, thousands more exist that are not covered.
The material contained in these pages may be entertaining, but it is of far more use to the attacker than to the defender. This would be upsetting, were it not for the fact that most of the exploits described are old and not likely to remain unpatched if administrators are keeping up to date. (Of course, many small outfits can't commit a lot of resources to keeping up to date ...) For security specialists, this volume provides nothing that can't be found elsewhere. For non-specialists, it fails to supply a security framework and strategy within which to work.

copyright Robert M. Slade, 2001   BKHKRBWR.RVW   20010829

As usual, a draft has been sent to the author. He has requested that this response be included, unedited:

Robert:

First allow me to say thank you for taking the time to review the book, as criticisms are as crucial as praise. We take your feedback seriously. That being said, let me see if I might speak to some of your discussions on "Hackers Beware".

When you buy "Hackers Beware", you buy it for the technical content. While we maintain that this faction of the book is air-tight and well-supported, we also admit that we could and should have done a better job with edits on spelling and grammar. While we admit that shortcoming, we also ask that you look at the eleven reviews posted on Amazon, praising the technical content of my book and earning it a FIVE-STAR rating.

The book opens with some introductory material, but does that for a reason. Much of the security information that companies need to protect their site is straightforward. Yet companies' systems are still hacked into with a growing frequency because they fail to understand how to build a proper defense. So my book aims to ensure that everyone is well, if not over-educated on DEFENSE. There are many books on hacking, but what makes this book different is its emphasis on defense. Yes, you need to understand how the enemy breaks into systems, so you can build better defenses.
Every section has an area on how to defend against a certain type of attack. So I am not sure how a review can say that defense is not covered when that is the thrust of this book. There are plenty of books that show you how to break in. This book clearly and explicitly explains the properties of a strong defense.

Thanks for letting me write a response.

Eric