BKHPYNIT.RVW 20000831 "Hack Proofing Your Network", Ryan Russell et al, 2000, 1-928994-15-6, U$49.95/C$77.50/UK#31.95 %E Ryan Russell %E Stace Cunningham %C 800 Hingham Street, Rockland, MA 02370 %D 2000 %G 1-928994-15-6 %I Syngress Media, Inc. %O U$49.95/C$77.50/UK#31.95 781-681-5151 fax: 781-681-3585 %O www.syngress.com amy@syngress.com %P 450 p. %T "Hack Proofing Your Network: Internet Tradecraft" According to the introduction, this book will teach you how to hack, or break into computer systems. With the best of intentions, of course. As it states, if you don't hack your system, who will? The intent is to teach you how to approach security breaking, with a view to finding, and then patching, the holes in your network. Being an educator, and fairly cynical about anyone who tells me something is "safe," I have a lot of sympathy for this position. In theory. The implementation, though, may leave something to be desired. After all, those who are charged with protecting systems generally have other things to do. They have limited resources. They don't have a lot of leisure, or interest, in testing every single piece of software for any possible buffer overflow condition. So security managers may not be all that interested in spending all of their non-existent free time obsessively hacking their own systems. Well, having reviewed the book, and sent off the draft, the lead author, Ryan Russell, informed me that security managers were not the real intended audience. This work was actually aimed at the keeners, those few who *do* really want to get behind the user interface, and poke about in the workings. But it may have some use beyond that rather select crowd. In Russell's own words, this is what you do after you've got good policies in place, and you've got your routine down for applying patches, watching for new vulnerability announcements, and so forth. Part one, rather oddly entitled "Theory and Ideals," seems to concentrate on basic concepts. It also may seem strange that chapter one, called "Politics," starts out by defining "hacker" and other related terms. On the other hand, any text that tries to argue for the social value of criminals and frauds is bound to be considered political. Ultimately, this piece seems to be trying to justify system breaking activities. All the usual arguments are trotted out, and make the normal amount of sense (very little). (I should also point out that this book started life as an electronic text. This is evident in the frequent citations of Web sites in the course of the work. They may support the content in the context of a Web page, but in print they are annoying, since the relevant material is not incorporated into the book.) Chapter two, "Security Laws," is more a set of cliches: what can go wrong will go wrong, security by obscurity doesn't work. Some of them are wrong (passwords can be securely stored with one-way encryption, albeit still at some risk of brute force attacks; and the NSA has goofed on an algorithm), some are naive (the assertion that there is no guaranteed protection against viruses makes no mention of Fred Cohen's work), and most are of questionable utility. The classes of attack listed in chapter three are neither comprehensive nor fully explained. (Most of the space in the chapter is given over to source listings of attack tools.) "Methodologies" seems to be a collection of random thoughts on analysis in chapter four. Part two describes some activities intended to be undertaken on a computer over which you have complete control, mostly related to decryption. Chapter five looks at making small changes to a system, and checking for modifications. This is a useful function in any kind of analysis, but the examples chosen will hardly be of use to sysadmins. The author admits that chapter six really does not explain cryptography, it really only mentions some password cracking tools. Both chapters seven and eight essentially deal with bad data, first in general terms and then in the specific problem of buffer overflows. While the discussion might be of interest to programmers, it is of limited use to security managers. Part three talks about attacks on remote systems. There is a little explanation about sniffing (which requires some level of local access), session hijacking, and spoofing. Chapters twelve and thirteen list some security holes in server and client software respectively. Oddly, given all the problems in earlier parts of the book, the material on viruses and malware, in chapter fourteen, isn't too bad. It's not great, it displays too much virus code to very little effect, and has a few holes, but it is generally better than the stuff found in standard security texts, and stands out above the rest of the book. Part four contains a single chapter. Although the titular subject is reporting, most of the material promotes the concept of "full disclosure." This is the tenet that security is best served by having all security loopholes disclosed. The discussion does take a fairly responsible tack, recommending that vendors be contacted first, and allowed some time to fix the problem, before the vulnerability or exploit is released to the public. The text is fairly reasonable, although is does contain the full text of a number of email exchanges which add little to the debate. The remaining pages concentrate on the importance of continual study in the security field. The people who have contributed to this book are a step above the usual "wannabes" who tend to write "hacker" security books. The information presented is also somewhat more reliable, and covers a broader range. However, both the thesis and the execution of the work contain flaws. The material still seems more interested in justifying security breaking expeditions than in giving the security administrator a complete and useful reference for protection. Errors, while less rampant than in other, similar texts, are still too common for the content to be considered really dependable. In particular, basic concepts are too quickly dismissed in the eagerness to pass along news of the latest "cool tool." Experienced security managers may find some helpful recent data in this volume, but probably already have resources of their own. Newcomers to the field are advised not to rely too heavily on this as a single source of knowledge. As noted, though, the authors were not really writing for managers or novices. For software engineers, programmers, and testers, there is possibly more utility. Those doing sophisticated software evaluations, and particularly those with sufficient resources to really "test to destruction," might get the most out of the book, especially considering the concentration on breaking, rather than fixing. Still, some research in the RISKS and BUGTRAQ archives would likely get you just as much. copyright Robert M. Slade, 2000 BKHPYNIT.RVW 20000831