BKTANGWB.RVW 20001027

"Tangled Web", Richard Power, 2000, 0-7897-2443-X, U$25.00/C$37.95/UK#18.50
%A Richard Power
%C 201 W. 103rd Street, Indianapolis, IN 46290
%D 2000
%G 0-7897-2443-X
%I Macmillan Computer Publishing (MCP)
%O U$25.00/C$37.95/UK#18.50 800-858-7674 317-581-3743 www.mcp.com
%P 431 p.
%T "Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace"

This book gives a reasonably balanced review of the perception of security experts in regard to the level of computer or communications involved crime going on in our networked world. That is because this is not so much a book, as an extended compilation article. Power reproduces interviews with, or grabs quotations from the written works of, a great many forensic and security specialists or researchers. Very large chunks of the book are taken from previously published works. Note also that I say "balanced," and not "complete."

Part one appears to be intended as a general introduction to computer related crime. Chapter one is the usual statement that it goes on, mercifully brief. Despite an interview with Sarah Gordon and extensive quoting from Donn Parker, chapter two's look at cybercriminals focusses rather narrowly on the fact that people who do crimes aren't normal. The CSI (Computer Security Institute)/FBI Computer Crime and Security Survey is introduced with many graphs and tables in chapter three. The description does mention, but doesn't emphasize, the fact that the survey was self-selecting and self-reporting, and therefore only marginally more informative than an opinion poll. Chapter four tries to look at costs.

The title of part two seems to indicate a deeper analysis of criminals and system breakers. Chapter five touches on the infamous Operation Sundevil (the law enforcement disaster that was the inspiration behind Bruce Sterling's "The Hacker Crackdown," cf. BKHKRCRK.RVW), and the even more infamous Morris Internet Worm: is Power trying to equate police activity with system breaking? Three penetration episodes that led to the arrest of young crackers are described in chapter six. Some stories of theft of credit card numbers, bank fraud, and advanced phone phreaking are given in chapter seven, but these are cobbled together from published interviews with police, and have little technical background. There is a little bit about nuisances and vandalism, and a lot about distributed denial of service, in chapter eight. Chapter nine tells the stories of the Melissa and Love Bug email worms. As with the earlier tales in the book, the material is technically weak, and has other errors of fact as well. (I exclude the respective CERT advisories, which are reproduced in full.)

Part three is about spies and espionage. However, chapter ten, which talks about spies, doesn't really have anything to say about computer penetration. The stories are all very terse mentions of spying culled from general news reports. The tales of insider fraud, in chapter eleven, vary in length and don't really present any more than trivial information. Infowar gets a mix of anecdotes and speculation in chapter twelve.

Part four looks at personal attacks. Both chapter thirteen, on identity theft, and chapter fourteen, on child pornography, are short and oddly unhelpful.

Part five turns to defensive activities. Chapter fifteen concentrates on where the security department should be on the corporate org chart. Global law enforcement recounts a few presentations by non-US law enforcement people in chapter sixteen. There are more details on US government security offices and activities, in chapter seventeen, but not many. Countermeasures, in chapter eighteen, is a "once over lightly" of the entire security field. The epilogue, entitled "The Human Factor," is vague.

If you haven't been paying any attention to computer security, this book is a quick read that will get you a very rough idea of what is going on in the areas of greatest concern to large corporations. If it scares a few people that will be all to the good: it certainly doesn't help you to start doing anything about security. Presumably it is the general public, with little knowledge of computer security, that is the intended audience. However, the lack of structure and uneven quality and depth of information make it difficult to know what those readers will take from this book. If, of course, you have been paying any attention at all, this is pretty old news.

copyright Robert M. Slade, 2001 BKTANGWB.RVW 20001027