REVIEW: "The Database Hacker's Handbook", David Litchfield/Chris Anley/John Heasman/Bill Grindlay

Rob, grandpa of Ryan, Trevor, Devon & Ha (Message 1 of 1, Oct 30, 2006)
      BKDBHKHB.RVW 20060913

      "The Database Hacker's Handbook", David Litchfield/Chris Anley/John
      Heasman/Bill Grindlay, 2005, 0-7645-7801-4, U$50.00/C$64.99/UK#31.99
      %A David Litchfield
      %A Chris Anley
      %A John Heasman
      %A Bill Grindlay
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2005
      %G 0-7645-7801-4
      %I John Wiley & Sons, Inc.
      %O U$50.00/C$64.99/UK#31.99 416-236-4433 fax: 416-236-4448
      %O http://www.amazon.com/exec/obidos/ASIN/0764578014/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0764578014/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 500 p.
      %T "The Database Hacker's Handbook: Defending Database Servers"

      In the brief and disjointed preface and, similarly, introduction (two
      pieces which could easily have been combined), we are told that the
      book is intended for database administrators, network administrators,
      security auditors, and security professionals. However, there are
      implications, right from the start, that this is a "hack to secure"
      book and that, instead of real database security, we are going to be
      dealing only with server engine bugs.

      Part one is an introduction. Chapter one is supposed to tell us why
      we should care about database security, but instead still seems to be
      dancing around the issue of bugs in engine code, and particularly the
      bugs that the authors (and their relatives) have found.

      Part two is about Oracle. Chapter two tells us something of the
      Oracle architecture, obfuscated by packet dumps and pages of code for
      programs to attack parts of the system. More of the same is in
      chapter three, and, from the examples, it is not always clear how some
      of these "attacks" differ from the simple ability of authorized users
      to make changes to the system. Possible operating system and network
      attacks related to Oracle's command system are outlined in chapter
      four. Chapter five recommends various configurations and options for
      making an Oracle database server more secure.

      Part three looks at DB2. Chapter six is an introduction to the
      product (and pages of code for an authentication request). Then there
      are more pages of programming for finding a DB2 server (chapter seven)
      and attacking it (eight). Chapter nine is a terse mention of some
      factors to consider when securing the system.

      Part four reviews Informix, with architecture (ten), attack code
      (eleven), and configuration for security (twelve).

      Sybase gets the same treatment in part five. This time the code (in
      chapter fourteen) just gets the version number and chapter fifteen
      looks at commands that can be passed to the network.

      The popular MySQL is dealt with in part six. Since the product is
      open source, the examination of the architecture, in chapter
      seventeen, is more detailed and the advice on configuration, in
      chapter twenty, is equally extensive.

      Part seven chooses SQL Server as its topic. Architecture, attack,
      hardening: no surprises.

      Part eight turns to PostgreSQL. Same.

      OK, we get it. Unpatched applications have holes. Big surprise. The
      authors have provided very little that will be of use to database
      administrators, network administrators, security auditors, and
      security professionals.

      copyright Robert M. Slade, 2006 BKDBHKHB.RVW 20060913

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Microsoft is not the ANSWER. Microsoft is the QUESTION,
      and the ANSWER is NO!
      Dictionary of Information Security www.syngress.com/catalog/?pid=4150