REVIEW: "The Database Hacker's Handbook", David Litchfield/Chris Anley/John Heasman/Bill Grindlay
- BKDBHKHB.RVW 20060913
"The Database Hacker's Handbook", David Litchfield/Chris Anley/John
Heasman/Bill Grindlay, 2005, 0-7645-7801-4, U$50.00/C$64.99/UK#31.99
%A David Litchfield
%A Chris Anley
%A John Heasman
%A Bill Grindlay
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%I John Wiley & Sons, Inc.
%O U$50.00/C$64.99/UK#31.99 416-236-4433 fax: 416-236-4448
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 500 p.
%T "The Database Hacker's Handbook: Defending Database Servers"
In the brief and disjointed preface and, similarly, introduction (two
pieces which could easily have been combined), we are told that the
book is intended for database administrators, network administrators,
security auditors, and security professionals. However, there are
implications, right from the start, that this is a "hack to secure"
book and that, instead of real database security, we are going to be
dealing only with server engine bugs.
Part one is an introduction. Chapter one is supposed to tell us why
we should care about database security, but instead still seems to be
dancing around the issue of bugs in engine code, and particularly the
bugs that the authors (and their relatives) have found.
Part two is about Oracle. Chapter two tells us something of the
Oracle architecture, obfuscated by packet dumps and pages of code for
programs to attack parts of the system. More of the same is in
chapter three, and, from the examples, it is not always clear how some
of these "attacks" differ from the simple ability of authorized users
to make changes to the system. Possible operating system and network
attacks related to Oracle's command system are outlined in chapter
four. Chapter five recommends various configurations and options for
making an Oracle database server more secure.
Part three looks at DB2. Chapter six is an introduction to the
product (and pages of code for an authentication request). Then there
are more pages of programming for finding a DB2 server (chapter seven)
and attacking it (eight). Chapter nine is a terse mention of some
factors to consider when securing the system.
Part four reviews Informix, with architecture (ten), attack code
(eleven), and configuration for security (twelve).
Sybase gets the same treatment in part five. This time the code (in
chapter fourteen) just gets the version number and chapter fifteen
looks at commands that can be passed to the network.
The popular MySQL is dealt with in part six. Since the product is
open source, the examination of the architecture, in chapter
seventeen, is more detailed and the advice on configuration, in
chapter twenty, is equally extensive.
Part seven chooses SQL Server as its topic. Architecture, attack,
hardening: no surprises.
Part eight turns to PostgreSQL. Same.
OK, we get it. Unpatched applications have holes. Big surprise. The
authors have provided very little that will be of use to database
administrators, network administrators, security auditors, and
copyright Robert M. Slade, 2006 BKDBHKHB.RVW 20060913