REVIEW: "Phishing: Cutting the Identity Theft Line", Rachael Liniger/Russell Dean Vines
- BKPHSHNG.RVW 20061014
"Phishing: Cutting the Identity Theft Line", Rachael Liniger/Russell
Dean Vines, 2005, 0-7645-8498-7, U$29.99/C$38.99/UK#18.99
%A Rachael Liniger
%A Russell Dean Vines
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%I John Wiley & Sons, Inc.
%O U$29.99/C$38.99/UK#18.99 416-236-4433 fax: 416-236-4448
%O Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 309 p.
%T "Phishing: Cutting the Identity Theft Line"

The introduction to the book provides a good, and very realistic,
prologue to the topic of phishing. The audience for the work is said
to consist of executives and incident response teams for banks and
large corporations, information security professionals, and general

Chapter one furnishes the reader with a solid overview of the subject,
although it would seem to be aimed primarily at individual Web and
email users. "Phishing Emails," in chapter two, explains various spam
hiding and URL obfuscation technologies. The list is not exhaustive,
but is sufficient to illustrate the basic concepts clearly. (The
writing, in this chapter by Rachael Liniger, is delightful. Wit and
humour are used extensively, and to good effect.) Chapter three
presents information on false or obfuscated URLs, as well as useful
detail on pop-ups: the content is much superior to other sources on
the same topic. (There is also an oddly placed section on public key
encryption.) Spyware is reviewed in chapter four.

You cannot stop phishing completely, notes chapter five, examining
various players in the fight against identity theft and the
limitations of the action they can take. Chapter six is supposed to
be about helping the organization to avoid phishing, and sets forth
some policies in regard to email and Websites that are very practical
in preventing abuse. (The section on authentication schemes is less
so, and eventually the chapter devolves into random topics.) A
generic and sometimes terse outline of incident response and network
forensics makes chapter seven poor in relation to other parts of the
book. In terms of consumer education, chapter eight has a number of
recommendations for safer computing, with lots of "avoid Microsoft"
advice, but also configuration settings, a bit of email analysis
material, and an admonition to check your home finance statements
carefully. Chapter nine deals with actions to take if you,
personally, are the victim of identity theft. (Most of the agencies
mentioned are based in the United States, but the resource list does
have some additional contacts for the UK and Germany.)

Identity theft (and, by extension, phishing) is a major problem, and
not enough is being done to address the issue. This book lays out the
risks and threats clearly, and proposes practical solutions for a
variety of actors in the drama. The text is readable and the concepts
are clear. I can recommend this work to almost anyone involved in a
security role, particularly those in the financial or online
industries, law enforcement, or working in the field of security

copyright Robert M. Slade, 2006 BKPHSHNG.RVW 20061014