REVIEW: "Hacking Exposed", Stuart McClure/Joel Scambray/George Kurtz
- BKHCKEXP.RVW 20020911
"Hacking Exposed", Stuart McClure/Joel Scambray/George Kurtz, 2001,
%A Stuart McClure stuart@...
%A Joel Scambray joel@...
%A George Kurtz george@...
%C 300 Water Street, Whitby, Ontario L1N 9B6
%I McGraw-Hill Ryerson/Osborne
%O U$49.99 905-430-5000 fax: 905-430-5020
%P 729 p. + CD-ROM
%T "Hacking Exposed: Network Security Secrets and Solutions, 3rd Ed"

Yes, I know that this book has the most sales for any security work,
ever. And, for the life of me, I still can't figure out why.

Part one looks at gathering data for an attack. Chapter one discusses
company information that is generally available. However, while it
may alert some to the fact that a lot of information can be obtained
about them, most of the material deals with facts that you either want
to make available, or that you must make available. Some suggested
countermeasures are useful, while others strain the topic, such as the
protection against domain hijacking. Scanning for weaknesses and
loopholes, mostly with individual tools, in this edition, is the topic
of chapter two. Enumeration, or finding weak user accounts and
unprotected system resources (mostly on Windows 2000) is covered in

Part two looks at details of specific systems. Chapter four touches
on Windows 9x. NT gets a fair amount of detail in chapter five, but
such vital and standard topics as disabling the Administrator account
and setting up auditing are barely mentioned. Windows 2000 now has
its own chapter: six. Some common NetWare attacks are listed in
chapter seven. UNIX has the most extensive coverage, in chapter
eight, but it is hardly comprehensive.

Part three deals with network weaknesses. Most of chapter nine
discusses wardialling and dial-up, but there is a brief mention of
Virtual Private Networks (VPN). Some device weaknesses (vendor
specific bugs, that is) are listed in chapter ten. (There is also a
very brief mention of wardriving and detecting wireless networks.)
Firewalls, in chapter eleven, are primarily addressed in terms of
scanning to (for identification) or through. Chapter twelve describes
a few denial of service attacks. (Something has been lost in the
update: a discussion of IP fragmentation attacks refers to "earlier"
material on teardrop that no longer appears in the book.)

Part four looks at software. Chapter thirteen deals with remote
access software in fair detail. Hijacking and backdoors are discussed
in chapter fourteen. Miscellaneous Web site bugs are reviewed in
chapter fifteen. Chapter sixteen is a confusing amalgam of ActiveX
design flaws, Internet Explorer implementation bugs, and random
discussions of malware.

The original preface (which no longer appears in the work) stated that
the book was intended for system administrators, but it did, and still
does, read more like a cookbook for security breaking. The authors
defend themselves against this charge in advance, and certainly "keep
quiet" versus "let it all hang out" is a constant debate in security
circles. However, the attack descriptions are far more detailed than
the countermeasures sections, and many attacks are presented without
any specific protections being mentioned. There are a number of
points in the book that can be helpful in identifying specific
security weaknesses. However, the book can't be comprehensive in that
regard, and what it fails to do is give an overall concept of, or
framework for, security on an ongoing basis. The examples given are
frightening and stimulating, but the authors present them as the
entire picture. In fact, even the picture as presented is not entire.
A number of descriptions given in the book either do not mention, or
gloss over, the fact that, for example, sniffers must be placed on a
local, promiscuous, network, and session hijacking requires that the
attackers somehow get "between" two systems.

On the other hand, the book is quite readable and can give you some
tips. And, I wouldn't mind seeing a few sysadmins a little more
scared than they are at the moment. As long as they don't think that
this is *all* you need to do.

copyright Robert M. Slade, 2000, 2002 BKHCKEXP.RVW 20020911
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade