REVIEW: "Hack Proofing Your Network", Ryan Russell et al
- BKHPYNIT.RVW 20000831
"Hack Proofing Your Network", Ryan Russell et al, 2000, 1-928994-15-6,
%E Ryan Russell
%E Stace Cunningham
%C 800 Hingham Street, Rockland, MA 02370
%I Syngress Media, Inc.
%O U$49.95/C$77.50/UK#31.95 781-681-5151 fax: 781-681-3585
%O www.syngress.com amy@...
%P 450 p.
%T "Hack Proofing Your Network: Internet Tradecraft"
According to the introduction, this book will teach you how to hack,
or break into computer systems. With the best of intentions, of
course. As it states, if you don't hack your system, who will? The
intent is to teach you how to approach security breaking, with a view
to finding, and then patching, the holes in your network.
Being an educator, and fairly cynical about anyone who tells me
something is "safe," I have a lot of sympathy for this position. In
theory. The implementation, though, may leave something to be
desired. After all, those who are charged with protecting systems
generally have other things to do. They have limited resources. They
don't have a lot of leisure, or interest, in testing every single
piece of software for any possible buffer overflow condition. So
security managers may not be all that interested in spending all of
their non-existent free time obsessively hacking their own systems.
Well, having reviewed the book, and sent off the draft, the lead
author, Ryan Russell, informed me that security managers were not the
real intended audience. This work was actually aimed at the keeners,
those few who *do* really want to get behind the user interface, and
poke about in the workings. But it may have some use beyond that
rather select crowd. In Russell's own words, this is what you do
after you've got good policies in place, and you've got your routine
down for applying patches, watching for new vulnerability
announcements, and so forth.
Part one, rather oddly entitled "Theory and Ideals," seems to
concentrate on basic concepts. It also may seem strange that chapter
one, called "Politics," starts out by defining "hacker" and other
related terms. On the other hand, any text that tries to argue for
the social value of criminals and frauds is bound to be considered
political. Ultimately, this piece seems to be trying to justify
system breaking activities. All the usual arguments are trotted out,
and make the normal amount of sense (very little). (I should also
point out that this book started life as an electronic text. This is
evident in the frequent citations of Web sites in the course of the
work. They may support the content in the context of a Web page, but
in print they are annoying, since the relevant material is not
incorporated into the book.) Chapter two, "Security Laws," is more a
set of cliches: what can go wrong will go wrong, security by obscurity
doesn't work. Some of them are wrong (passwords can be securely
stored with one-way encryption, albeit still at some risk of brute
force attacks; and the NSA has goofed on an algorithm), some are naive
(the assertion that there is no guaranteed protection against viruses
makes no mention of Fred Cohen's work), and most are of questionable
utility. The classes of attack listed in chapter three are neither
comprehensive nor fully explained. (Most of the space in the chapter
is given over to source listings of attack tools.) "Methodologies"
seems to be a collection of random thoughts on analysis in chapter
Part two describes some activities intended to be undertaken on a
computer over which you have complete control, mostly related to
decryption. Chapter five looks at making small changes to a system,
and checking for modifications. This is a useful function in any kind
of analysis, but the examples chosen will hardly be of use to
sysadmins. The author admits that chapter six really does not explain
cryptography, it really only mentions some password cracking tools.
Both chapters seven and eight essentially deal with bad data, first in
general terms and then in the specific problem of buffer overflows.
While the discussion might be of interest to programmers, it is of
limited use to security managers.
Part three talks about attacks on remote systems. There is a little
explanation about sniffing (which requires some level of local
access), session hijacking, and spoofing. Chapters twelve and
thirteen list some security holes in server and client software
respectively. Oddly, given all the problems in earlier parts of the
book, the material on viruses and malware, in chapter fourteen, isn't
too bad. It's not great, it displays too much virus code to very
little effect, and has a few holes, but it is generally better than
the stuff found in standard security texts, and stands out above the
rest of the book.
Part four contains a single chapter. Although the titular subject is
reporting, most of the material promotes the concept of "full
disclosure." This is the tenet that security is best served by having
all security loopholes disclosed. The discussion does take a fairly
responsible tack, recommending that vendors be contacted first, and
allowed some time to fix the problem, before the vulnerability or
exploit is released to the public. The text is fairly reasonable,
although is does contain the full text of a number of email exchanges
which add little to the debate. The remaining pages concentrate on
the importance of continual study in the security field.
The people who have contributed to this book are a step above the
usual "wannabes" who tend to write "hacker" security books. The
information presented is also somewhat more reliable, and covers a
broader range. However, both the thesis and the execution of the work
contain flaws. The material still seems more interested in justifying
security breaking expeditions than in giving the security
administrator a complete and useful reference for protection. Errors,
while less rampant than in other, similar texts, are still too common
for the content to be considered really dependable. In particular,
basic concepts are too quickly dismissed in the eagerness to pass
along news of the latest "cool tool." Experienced security managers
may find some helpful recent data in this volume, but probably already
have resources of their own. Newcomers to the field are advised not
to rely too heavily on this as a single source of knowledge.
As noted, though, the authors were not really writing for managers or
novices. For software engineers, programmers, and testers, there is
possibly more utility. Those doing sophisticated software
evaluations, and particularly those with sufficient resources to
really "test to destruction," might get the most out of the book,
especially considering the concentration on breaking, rather than
fixing. Still, some research in the RISKS and BUGTRAQ archives would
likely get you just as much.
copyright Robert M. Slade, 2000 BKHPYNIT.RVW 20000831
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
Life is pain, Highness. Anyone who says differently is selling
something. - Dread Pirate Roberts, The Princess Bride
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade