REVIEW: "Zero Day Threat", Byron Acohido/Jon Swartz
- BKZRDYTH.RVW 20090120
"Zero Day Threat", Byron Acohido/Jon Swartz, 2008, 978-1-4027-5695-5,
%A Byron Acohido
%A Jon Swartz
%C 1 Atlantic Ave, #105, Toronto, ON, Canada M6K 3E7
%G 978-1-4027-5695-5 1-4027-5695-X
%I Sterling Publishing Co., Inc.
%O U$19.95/C$21.95 800-805-5489 specialsales@...
%O Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 297 p.
%T "Zero Day Threat"

The title here is definitely misleading: the authors have just taken a
sensational term and stuck it on a book about "the shocking truth of
how banks and credit bureaus help cyber crooks steal your money and
identity." Now, as a malware researcher, I'm delighted to see them
state, right off the top, the rather bitter truth that security is in
such a sorry state because the general populace demands convenience
over security, and major companies are willing to give it to them.
I'm not quite as happy to find that Acohido and Swartz don't fully
understand what a zero day threat actually is. I'm willing to suspend
judgment for a while based on their very useful division of each
chapter into exploiters (traditional blackhats and opportunists),
enablers (those who build weak infrastructures), and expediters (those
who, in various ways, make the problem worse). It's good to see that
the authors aren't just retailing the common "oooh, teenage hackers!"
stories, and realize that the situation is complex, and involves the
interacting behaviours of many different parties.

The synergy of this approach is not demonstrated in chapter one. Of
the three parts of the chapter, the first talks about some drug
addicts involved in dumpster diving for credit card and bank account
information, the second briefly notes the speed and volume of credit
card transactions, and the third examines a few of the malware
instances around the year 2000. It is not clear what these have to do
with each other. Subsequent chapters follow up on these stories. The
tales start to interweave at about chapter five, but few connections
are made between the items in the content, and those that do exist
seem to be almost random. A final chapter in the book, eighteen, is
entitled "What Must Be Done." Unfortunately, it is overly broad, and
not very specific, reducing to an assertion that we need better
financial activity oversight and review, better Internet
infrastructure, and better security in operating systems and other
software. Appendix A, on personal security, contains a fairly
pedestrian collection of advice on credit card, financial, computer,
and Internet security. All of the recommendations would help increase
the safety of most people: sadly they do not exhaust the possible
avenues of attack, and many of the suggestions are not completely
within the capability of the average user. (For example, yes, it is a
good idea to use strong passwords that are long, and contain a mix of
characters, and to change those passwords on a regular basis. The
trick is to teach people ways of creating passwords such that the user
can remember them, and attackers can't. As a second instance, it is
dangerous to click on any banner ad or popup window: what proportion
of those who use the Internet regularly can identify those entities
when they appear?)

Acohido and Swartz demonstrate, as David Rice did in "Geekonomics"
(cf. BKGKNMCS.RVW), that financial entities have little incentive
either to take serious steps to reduce electronic fraud, or to protect
consumers (or merchants) from losses due to fraudulent transactions.
The authors have done an excellent job of research in the narrative,
at least as far as events in the public record are concerned. There
is also evidence of commendable exclusive investigation to confirm or
enhance specific areas. Unfortunately, the technical material has
little depth, and is somewhat suspect when dealing with specialized

Overall, the stories of the blackhat community are entertaining, the
tales from the financial world emphasize dangers that should be
stressed, and the narratives from the malware environment provide a
history (more social than technical) of major recent infestations.
The work contains a wealth of stories that could be used to promote
security awareness, but doesn't otherwise provide a significant source
of security assistance.
copyright Robert M. Slade, 2009 BKZRDYTH.RVW 20090120