[techbooks] REVIEW: "Hacker Proof", Lars Klander
- BKHKRPRF.RVW 990228
"Hacker Proof", Lars Klander, 1997, 1-884133-55-X, U$54.95/C$74.95
%A Lars Klander lklander@...
%C 2975 S. Rainbow Blvd., Suite 1, Las Vegas, NV 89102
%I Jamsa Press/Gulf Publishing Co.
%O U$54.95/C$74.95 800-432-4112 fax 713-525-4670 starksm@...
%P 660 p. + CD-ROM
%T "Hacker Proof: The Ultimate Guide to Network Security"
There is a great deal of information on security contained within this
book. Unfortunately, it is presented without a cohesive framework.
The overall impression is good. A lot of the forms that would make up
a useful work are followed, such as a summary (rather ironically, in
view of the scattered nature of the text, called "Putting It All
Together") and a set of resources at the end of every chapter. The
author seems to be easily distracted, continually jumping to the next,
more sensational, topic.
Although not divided into parts, the contents do have some logical
divisions. Initially, we are presented with what seems to be intended
as background material, although the scattergun approach leaves all of
the synthesis up to the reader. Chapter one is a rather unfocussed
introduction, talking as much about Internet technologies as about
security. Errors are rather common, ranging from chunks missing out
of sentences to figures with no cutlines to security weaknesses that
are essentially duplicates of each other to mailing lists that haven't
distributed material for years (with contact addresses that are even
older). Theoretically the networking concepts and details in chapter
two might aid in understanding system vulnerabilities, but in fact
the book does not seem to use them effectively. The discussion of
firewalls in chapter three does not provide sufficient information
about the needs, weaknesses, or possible inconveniences of the
different types. The material on encryption, in chapter four,
mentions a number of the currently important standards, but the
explanations are so flawed that the chapter could not be used to
inform a decision on the strength or use of a cryptographic system.
Material on the use of digital signatures is fairly short, and the
remainder of chapter five rehashes, without really expanding, old ground.
Another section tries to delve into more networking protocols.
Chapter six, on HTTP (HyperText Transfer Protocol), is somewhat
disjointed, and, again, fails to seriously examine the security
implications. S-HTTP (Secure HyperText Transfer Protocol), in chapter
seven, deals mostly with packets and commands, although it does have
some limited discussion of function. The Secure Socket Layer (SSL)
seems to look primarily at arcana rather than use.
Chapter nine looks at a few common forms of attack, but presents
information somewhat at random. Kerberos is reasonably well described
in chapter ten. Some types of electronic commerce technology are
mentioned in chapter eleven. There is an extremely limited look at
auditing in chapter twelve, first for UNIX and then for NT. A very
rough look at security issues within the Java programming language
makes up chapter thirteen. Chapter fourteen's look at viruses has
good basic explanations, but is unreliable in practice.
The remaining chapters generally look at security for specific
systems. Chapters fifteen to seventeen very quickly talk about
individual security functions in NT, NetWare, and UNIX, but fail to
analyze, for example, the effective rights granted by combinations of
the different privilege granting mechanisms. SATAN (System
Administrator's Tool for Analyzing Networks) for UNIX and Kane
Security Analyst for NT get quick overviews in chapter eighteen.
Chapter nineteen presents a number of security vulnerabilities with
the Netscape and particularly the Internet Explorer Web browsers. CGI
(Common Gateway Interface) form weaknesses are discussed in chapter
twenty, but with so many different languages that the ultimate advice
is simply don't make a mistake when programming.
The final chapter is a reasonable look at security policies. However,
with so many items missing from the background provided, the chance
of producing a good policy at this point is relatively small.
As with "Maximum Security" (cf. BKMAXSEC.RVW), this book attempts to
cover the enormous field of security by throwing out as many bits as
possible. Therefore large holes are apparent in the coverage. In
addition, the book lacks an overall framework that could be used to
build a security structure and point the way to vulnerabilities that
were not addressed. For those who already are well comfortable with
security as a concept, this volume does have a lot of references that
might be of use. For those new to the topic, it is not reliable
enough to start with.
copyright Robert M. Slade, 1999 BKHKRPRF.RVW 990228
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
Eat well, stay fit, die anyway
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade