REVIEW: "Hack Proofing Your Network", Ryan Russell et al

Posted by Rob Slade, Dec 4, 2000
      BKHPYNIT.RVW 20000831

      "Hack Proofing Your Network", Ryan Russell et al, 2000, 1-928994-15-6,
      U$49.95/C$77.50/UK#31.95
      %E Ryan Russell
      %E Stace Cunningham
      %C 800 Hingham Street, Rockland, MA 02370
      %D 2000
      %G 1-928994-15-6
      %I Syngress Media, Inc.
      %O U$49.95/C$77.50/UK#31.95 781-681-5151 fax: 781-681-3585
      %O www.syngress.com amy@...
      %P 450 p.
      %T "Hack Proofing Your Network: Internet Tradecraft"

      According to the introduction, this book will teach you how to hack,
      or break into computer systems. With the best of intentions, of
      course. As it states, if you don't hack your system, who will? The
      intent is to teach you how to approach security breaking, with a view
      to finding, and then patching, the holes in your network.

      Being an educator, and fairly cynical about anyone who tells me
      something is "safe," I have a lot of sympathy for this position. In
      theory. The implementation, though, may leave something to be
      desired. After all, those who are charged with protecting systems
      generally have other things to do. They have limited resources. They
      don't have a lot of leisure, or interest, in testing every single
      piece of software for any possible buffer overflow condition. So
      security managers may not be all that interested in spending all of
      their non-existent free time obsessively hacking their own systems.

      Well, having reviewed the book, and sent off the draft, the lead
      author, Ryan Russell, informed me that security managers were not the
      real intended audience. This work was actually aimed at the keeners,
      those few who *do* really want to get behind the user interface, and
      poke about in the workings. But it may have some use beyond that
      rather select crowd. In Russell's own words, this is what you do
      after you've got good policies in place, and you've got your routine
      down for applying patches, watching for new vulnerability
      announcements, and so forth.

      Part one, rather oddly entitled "Theory and Ideals," seems to
      concentrate on basic concepts. It also may seem strange that chapter
      one, called "Politics," starts out by defining "hacker" and other
      related terms. On the other hand, any text that tries to argue for
      the social value of criminals and frauds is bound to be considered
      political. Ultimately, this piece seems to be trying to justify
      system breaking activities. All the usual arguments are trotted out,
      and make the normal amount of sense (very little). (I should also
      point out that this book started life as an electronic text. This is
      evident in the frequent citations of Web sites in the course of the
      work. They may support the content in the context of a Web page, but
      in print they are annoying, since the relevant material is not
      incorporated into the book.) Chapter two, "Security Laws," is more a
      set of cliches: what can go wrong will go wrong, security by obscurity
      doesn't work. Some of them are wrong (passwords can be securely
      stored with one-way encryption, albeit still at some risk of brute
      force attacks; and the NSA has goofed on an algorithm), some are naive
      (the assertion that there is no guaranteed protection against viruses
      makes no mention of Fred Cohen's work), and most are of questionable
      utility. The classes of attack listed in chapter three are neither
      comprehensive nor fully explained. (Most of the space in the chapter
      is given over to source listings of attack tools.) "Methodologies"
      seems to be a collection of random thoughts on analysis in chapter

      Part two describes some activities intended to be undertaken on a
      computer over which you have complete control, mostly related to
      decryption. Chapter five looks at making small changes to a system,
      and checking for modifications. This is a useful function in any kind
      of analysis, but the examples chosen will hardly be of use to
      sysadmins. The author admits that chapter six really does not explain
      cryptography, it really only mentions some password cracking tools.
      Both chapters seven and eight essentially deal with bad data, first in
      general terms and then in the specific problem of buffer overflows.
      While the discussion might be of interest to programmers, it is of
      limited use to security managers.

      Part three talks about attacks on remote systems. There is a little
      explanation about sniffing (which requires some level of local
      access), session hijacking, and spoofing. Chapters twelve and
      thirteen list some security holes in server and client software
      respectively. Oddly, given all the problems in earlier parts of the
      book, the material on viruses and malware, in chapter fourteen, isn't
      too bad. It's not great, it displays too much virus code to very
      little effect, and has a few holes, but it is generally better than
      the stuff found in standard security texts, and stands out above the
      rest of the book.

      Part four contains a single chapter. Although the titular subject is
      reporting, most of the material promotes the concept of "full
      disclosure." This is the tenet that security is best served by having
      all security loopholes disclosed. The discussion does take a fairly
      responsible tack, recommending that vendors be contacted first, and
      allowed some time to fix the problem, before the vulnerability or
      exploit is released to the public. The text is fairly reasonable,
      although it does contain the full text of a number of email exchanges
      which add little to the debate. The remaining pages concentrate on
      the importance of continual study in the security field.

      The people who have contributed to this book are a step above the
      usual "wannabes" who tend to write "hacker" security books. The
      information presented is also somewhat more reliable, and covers a
      broader range. However, both the thesis and the execution of the work
      contain flaws. The material still seems more interested in justifying
      security breaking expeditions than in giving the security
      administrator a complete and useful reference for protection. Errors,
      while less rampant than in other, similar texts, are still too common
      for the content to be considered really dependable. In particular,
      basic concepts are too quickly dismissed in the eagerness to pass
      along news of the latest "cool tool." Experienced security managers
      may find some helpful recent data in this volume, but probably already
      have resources of their own. Newcomers to the field are advised not
      to rely too heavily on this as a single source of knowledge.

      As noted, though, the authors were not really writing for managers or
      novices. For software engineers, programmers, and testers, there is
      possibly more utility. Those doing sophisticated software
      evaluations, and particularly those with sufficient resources to
      really "test to destruction," might get the most out of the book,
      especially considering the concentration on breaking, rather than
      fixing. Still, some research in the RISKS and BUGTRAQ archives would
      likely get you just as much.

      copyright Robert M. Slade, 2000 BKHPYNIT.RVW 20000831

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... rslade@... slade@... p1@...
      Life is pain, Highness. Anyone who says differently is selling
      something. - Dread Pirate Roberts, The Princess Bride
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade