
REVIEW: "Zero Day Threat", Byron Acohido/Jon Swartz

  • Rob, grandpa of Ryan, Trevor, Devon & Han
    Message 1 of 1, Jun 8, 2009
      BKZRDYTH.RVW 20090120

      "Zero Day Threat", Byron Acohido/Jon Swartz, 2008, 978-1-4027-5695-5,
      U$19.95/C$21.95
      %A Byron Acohido
      %A Jon Swartz
      %C 1 Atlantic Ave, #105, Toronto, ON, Canada M6K 3E7
      %D 2008
      %G 978-1-4027-5695-5 1-4027-5695-X
      %I Sterling Publishing Co., Inc.
      %O U$19.95/C$21.95 800-805-5489 specialsales@...
      %O http://www.amazon.com/exec/obidos/ASIN/140275695X/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/140275695X/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/140275695X/robsladesin03-20
      %O Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
      %P 297 p.
      %T "Zero Day Threat"

      The title here is definitely misleading: the authors have just taken a
      sensational term and stuck it on a book about "the shocking truth of
      how banks and credit bureaus help cyber crooks steal your money and
      identity." Now, as a malware researcher, I'm delighted to see them
      state, right off the top, the rather bitter truth that security is in
      such a sorry state because the general populace demands convenience
      over security, and major companies are willing to give it to them.
      I'm not quite as happy to find that Acohido and Swartz don't fully
      understand what a zero day threat actually is. I'm willing to suspend
      judgment for a while based on their very useful division of each
      chapter into exploiters (traditional blackhats and opportunists),
      enablers (those who build weak infrastructures), and expediters (those
      who, in various ways, make the problem worse). It's good to see that
      the authors aren't just retailing the common "oooh, teenage hackers!"
      stories, and realize that the situation is complex, and involves the
      interacting behaviours of many different parties.

      The synergy of this approach is not demonstrated in chapter one. Of
      the three parts of the chapter, the first talks about some drug
      addicts involved in dumpster diving for credit card and bank account
      information, the second briefly notes the speed and volume of credit
      card transactions, and the third examines a few of the malware
      instances around the year 2000. It is not clear what these have to do
      with each other. Subsequent chapters follow up on these stories. The
      tales start to interweave at about chapter five, but few connections
      are made between the items in the content, and those that do exist
      seem to be almost random. A final chapter in the book, eighteen, is
      entitled "What Must Be Done." Unfortunately, it is overly broad, and
      not very specific, reducing to an assertion that we need better
      financial activity oversight and review, better Internet
      infrastructure, and better security in operating systems and other
      software. Appendix A, on personal security, contains a fairly
      pedestrian collection of advice on credit card, financial, computer,
      and Internet security. All of the recommendations would help increase
      the safety of most people: sadly they do not exhaust the possible
      avenues of attack, and many of the suggestions are not completely
      within the capability of the average user. (For example, yes, it is a
      good idea to use strong passwords that are long, and contain a mix of
      characters, and to change those passwords on a regular basis. The
      trick is to teach people ways of creating passwords such that the user
      can remember them, and attackers can't. As a second instance, it is
      dangerous to click on any banner ad or popup window: what proportion
      of those who use the Internet regularly can identify those entities
      when they appear?)

      Acohido and Swartz demonstrate, as David Rice did in "Geekonomics"
      (cf. BKGKNMCS.RVW), that financial entities have little incentive
      either to take serious steps to reduce electronic fraud, or to protect
      consumers (or merchants) from losses due to fraudulent transactions.

      The authors have done an excellent job of research in the narrative,
      at least as far as events in the public record are concerned. There
      is also evidence of commendable exclusive investigation to confirm or
      enhance specific areas. Unfortunately, the technical material has
      little depth, and is somewhat suspect when dealing with specialized
      areas.

      Overall, the stories of the blackhat community are entertaining, the
      tales from the financial world emphasize dangers that should be
      stressed, and the narratives from the malware environment provide a
      history (more social than technical) of major recent infestations.
      The work contains a wealth of stories that could be used to promote
      security awareness, but doesn't otherwise provide a significant source
      of security assistance.

      copyright Robert M. Slade, 2009 BKZRDYTH.RVW 20090120


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Microsoft is not the ANSWER. Microsoft is the QUESTION,
      and the ANSWER is NO!
      http://victoria.tc.ca/techrev/rms.htm
      http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade
      http://blogs.securiteam.com/index.php/archives/author/p1/