Forum Chat

Mar23,13:31 Johan Marechal
Wees gegroet
Sep20,17:50 Vicente Duque
Kim, Martin, Others :...
Jul07,11:10 Johan Marechal
Jul05,21:13 martin
Fastest in the bush
Jul05,07:48 martin
Jun28,21:16 martin
New domain / new blog!
Jun28,21:11 martin
On posting etiquette
Book Reviews: Security

Stealing the Network: How to Own a Continent

November 29, 2004
131ah-Rogers-Beale-Grand-Fyodor-FX-Craig-Thor-Parker, Syngress, 2004
"Stealing the Network: Owning the Box" was written as a collection of short, independent, stories, while the sequel "StN: Owning a Continent" is written as one long novel with a single plot going through it all. It's much more violent; I mean, people actually die in significant numbers. I think they may have overdone the storyline slightly, but the technical descriptions are still very, very good. There's very little repetition or overlap from the first StN book. We do meet the same characters as in the first book, but now they do other things, using other tools. Anyway, I couldn't put it down. To me, it's comparable to Dan Brown's books, but much more technically accurate, which, to me, is more important that good suspense writing (which, honestly, I don't find Dan Brown does very well).

Both StN books have a very consistent, and great, writing style all through the book (as I said: better than Dan Brown), so I really don't believe all these hackers, each writing their own chapter, did this on their own. It matters not in the least, but there's definitely a shadow writer behind all this. A good one, at that.

Just one little thing: after all was said and done, I still didn't get where all the money actually came from. I probably didn't pay attention at the crucial moment. (No comments yet)

Stealing the Network: How to Own the Box

November 26, 2004
Russen-Mullen-FX-Kaminsky-Grand-Pfeil-Dubrawsky-Burnett-Craig, Syngress, 2003
Lots of hacker info in fictional, first-person story teller form. It's a collection of short, independent, stories. Very well written, hard to put down. I also picked up even more little utilities and tidbits I hadn't seen before. The HTTP referral field, in particular, can contain a username and password in the form, if the user logged in to the original site that way. That's horrible (if true, I haven't checked)! I think I'm going to grep my logs and see what I find... Other things like when the cracker thinks: "Just why they have this system configured as a backup domain controller when it sits in the DMZ is beyond me, but I'll take it." It's a common error, reflecting a profound lack of network understanding. Lovely book. Can't wait to read the sequel (Stealing the Network: how to own a continent). (No comments yet)

All-In-One CISSP Certification, 2nd ed.

November 23, 2004
Shon Harris, Osborne, 2003
This is the easiest and nicest book of the three to read. It is also the one with the most errors. I'm not going to point out any particular errors, but in many places you clearly feel the author hasn't understood the subject matter fully but carries on regardless. I can very well imagine that if you don't know any better, you won't notice and it probably won't even hurt you. But still, this is not ideal. As I said in another review, all these CISSP exam cram books seem to have been produced in an extreme hurry without much technical review. But, maybe that's the nature of books like these, since they must be as fresh as possible. As with the other books, there is no provision for feedback about errors. I even tried emailing the editor, but got no reply. If they don't want to hear about the errors, they probably will not be corrected in later editions. Weird policy, this.

The CD that comes with the book has 850 questions and answers on it and is the best part of the deal. As with the other books, there's no guarantee these questions are similar to real exam questions, but I'm absolutely positive you need to go through humongous amounts of questions to get into the spirit of things, and this CD definitely helps.

The book is written in a light bantering style that goes down just fine for about five minutes, then it gets just a little bit tiring, without becoming really disturbing. I still recommend the book. (No comments yet)

The CISSP Prep Guide, 2nd edition

November 23, 2004
Krutz-Vines, Wiley, 2004
This book covers a bit more than needed for the CISSP exam, since it also covers the ISSEP exam, a concentration exam "on top of" CISSP. The ISSEP is more interesting for people looking for US Government jobs.

The strong point of this book is a very good coverage of the different US legal acts about wiretapping, privacy, health care and more. Maybe the coverage is more extensive than you'll need for the CISSP exam, but it certainly doesn't hurt to get a good overview of the stuff. There's also a CD with exam questions, with answers and explanations. There's no guarantee, however, that these questions look anything like the questions you'll get during the exam.

The book has a few surprising errors, though. One really obnoxious error is that the authors tell us, several times, that analog signals are "sinus waves", while digital signals are "saw-tooth". What?! "Saw-tooth"??? Where in the world did they get that idea? I find it hard to believe they could actually go through life with a misunderstanding of that size... A weakness of all these books, for some reason, is that there's no way to report errors. Maybe they know they'd get overwhelmed. (No comments yet)

Official (ISC)2 Guide to the CISSP Exam

November 23, 2004
Hansche-Berti-Hare, (ISC)2 Press - Auerbach, 2004
This is the official guide to the CISSP exam, and it's a kind of an outline. I know, it's 800+ pages, and still it's an outline, sorry about that, guys. I don't think it's possible to just learn this book and pass. Even if it was, you'd just be a parrot, without any deeper understanding of the topics. I did use three different exam cram books to get a broader view on the whole, but this one comes closest to the content and spirit of the exam itself, without a doubt. It's also the one of the three with the least errors in it. I really don't know if you need three books; I have a feeling you do, others say you don't. I also have no idea if I passed the exam by a tiny margin or with an insanely fantastic score, they don't tell you that. Anyway, I do recommend you use several books, but that you fundamentally base the scope and content on the official guide. Then you have to use a number of other books for the real meat, such as "Applied Cryptography", "Network Security", "Building Internet Firewalls" and several more. (You'll find these discussed elsewhere on my site. That does seem to be the safest course. (No comments yet)

Firewalls and Internet Security, 2nd ed.

October 06, 2004
Cheswick-Bellovin-Rubin, Addison-Wesley, 2003
These are three very well-known and knowledgeable people putting down their own ideas on firewalls and internet security in general. The book doesn't try to comprehensively cover any particular terrain, but seems to cover the areas the authors find relevant and interesting, each area to its own depth as they see fit. Which altogether makes for a very enjoyable and useful book. Heaps of common sense advice pervades the text, together with good pointers to other sources of information. What they don't do is go into each separate protocol and cover all the ports and gotcha's, but maybe they left that to Chapman and Zwicky's "Building Internet Firewalls" (which, coming to think of it, I should probably get the latest edition of...). All in all, a highly recommended book. (No comments yet)

Network Security, 2nd edition

September 12, 2004
Kaufman-Perlman-Speciner, Prentice-Hall, 1995
Another really great book. Here you find the mathematics and procedures used to build the different encryption and authentication protocols. If you want to really understand assymetrical key systems (public/private keys), just work through this book seven or eight times, and it's as easy as that. It doesn't cover a few more recent things like the RIPE MD message digest, but I can live with that. The book can be enjoyed without the math, but for the real joy, you should know some math. (Added July 2000)

Kaufman-Perlman-Speciner, Prentice-Hall, 2002
Got the second edition now. All the above is still valid, but now the book also covers IPSec, SSL, PKI, AES and more stuff that simply didn't exist when the first edition was written. I still can't find Ripe-MD mentioned, but since nobody at all talks about it, it's probably not relevant anymore. So be it. All the new chapters are written in the same bantering style as the first edition and all of it is a delight to read. For such a heavy subject matter, it's amazing how quickly you can get through it and still retain enough of it to make it useful. (No comments yet)

Exploiting Software

July 31, 2004
Hoglund-McGraw, Addison-Wesley, 2004
This book picks up where the "Hacking Exposed" books leave off and goes into some considerable detail of how to evolve new kinds of cracks. It does give some concrete examples, but it mainly presents general methods and pointers in which direction to go. The authors do demonstrate weaknesses in all kinds of systems, but time and time again, the weaknesses in Microsoft operating systems are of a degree to beat them all. The MS operating systems are really the pits and MS doesn't seem to ever have had the inclination to make them safe in any way, regardless of what their PR machine says. I'm a Windows developer and my career is based on their stuff, so I don't have an anti-MS bias as far as I know. Still, I'm really getting pissed off.
In particular, attacking client side software is discussed, and this is really a big thing that you should pay attention to.
If you want to make hacking into a career, this book is a pretty good place to get started. There are, in fact, completely legal and responsible ways of making a living. Like working for the military, for instance... or for a white hacking company. Personally, I read stuff like this to know what I'm up against, not to actually use it. And this book was the first in a long time to open my eyes to methods I hadn't thought of yet. The "Hacking Exposed" books also opened my eyes, but only to the ease of hacking for script kiddies, not to anything really new in the methods as "Exploiting Software" does. This book deserves a "amused and horrified" face, but since I don't have a graphic like that, it gets a big smiler instead. (No comments yet)

Defend I.T.

July 26, 2004
Gupta-Laliberte, Addison-Wesley, 2004
It's about computer forensics; the figuring out what happened and who-dunnit. I've always thought that this kind of work would be exciting, but now I know better. If it is anything like this book, it's definitely boring. It seems to consist of making backups, filling in forms and taking photographs of ugly computers. Hardly ever is any exciting piece of data found by ingenious insights. If anything is found, it's by plodding. Often, nothing is found or whatever is found makes no sense. Even though the book isn't all that big (about 300 pages), it still succeeds in repeating itself quite a lot, so there doesn't seem to be that much to say about the subject. This piece of litterature definitely failed to give me a hard-on. A caveat: it may just be this book that is boring, not the subject matter itself, but I wouldn't bet on it. In the final analysis, I do recommend anyone thinking about computer forensics as a career choice to read it. It could save you from making a mistake. (No comments yet)

Beyond Fear

May 20, 2004
Schneier, Copernicus, 2003
It's good but confuses me. For instance, it's basically a "common sense" book and reading it I'm continually reinforced in my belief in my own common sense. Practically everything in here made me feel better about my own judgement but nothing in here made me change my mind about anything. I often had the feeling people I know should read this book, but since they need to read it, they don't have the common sense to understand it. If they don't listen to me, why should they listen to Schneier? Yes, I know, Schneier is much more of a name than I am, but only to people who already know him and thus have the requisite common sense. We're going in circles here. What I actually need is a book telling me how to get common sense into people that don't have it and Schneier's book doesn't go into that problem.

There's some scary stuff here, too. Nothing Schneier intended to be scary, but rather scary because it's so obvious he's backing away from certain subjects and touches on others only with extreme caution. Parts of the book have the tone I'd imagine in a book from a totalitarian state, I'm sorry to say. Example (page 250): "...the U.S has arrested about a thousand people and is holding them incommunicado, without allowing them trials or hearings or, in many cases, access to an attorney.". Correct me if I'm wrong, but isn't the right to "due process" a constitutional right? If the constitution of the USA can be ignored, isn't this reason enough to make one hell of a noise? Why doesn't Schneier scream bloody murder here? Unless, of course, doing that would make the book difficult (illegal?) to sell, or would land the author on all kinds of blacklists. I get the feeling from the book that Schneier, like a lot of other people, would like to formulate himself much more strongly (at least I hope so!), but is fearful that his career may suffer. That is a sad reflection on the country that used to be the moral leader of the free world that it has come to this. (3/2004) (No comments yet)

The Art of Deception

May 20, 2004
Mitnick, Wiley, 2002
It starts out full of hype and breathless, with lots of "it's much worse than you think!" type of exclamations. Made me go "oh, no, say it isn't so". Having nothing better to do, I kept on reading anyway and it seems that as he went along, he tired of his own tirades, dropped the oversimplistic bull and actually started telling a story. The story he tells is about the social engineering aspect of hacking. There's nothing in this book about how to break into a computer using technology, it's all about the con game these people play. Not only is that the most important part of hacking; the part that does the most damage and is used by professional crooks, but it is also the part that no other book I've seen goes into at all. So finally, I have to admit, this is an important book to read. (7/2003) (No comments yet)

Secrets & Lies

May 20, 2004
Schneier, Wiley, 2000
This is the same Bruce Schneier that wrote "Applied Cryptography", but this book is meant for management level types. Or rather, for everyone not exclusively into the algorithms themselves, but the how and why of things. It's very broad in approach and a bit moralizing/lecturing, but I think that's on purpose. It's also slightly repetitive at times as the author tries to whip the reader into doing something he seems convinced the reader won't do anyway. He's probably right. (6/2003) (No comments yet)

Designing Secure Web-based Applications for Windows 2000

May 20, 2004
Howard, MS Press, 2000
No doubt this is a good book. But it treats stuff that's a bit outside the area I'm interested in, so I have a tendency to fall asleep while reading it. So maybe it's useful after all. (11/2002) (No comments yet)

Digital Certificates

May 20, 2004
Feghhi-Feghhi-Williams, Addison-Wesley, 1999
This one does not convince at all. Actually, the parts the authors seem to really know, that is certificates, it's more than ok. Those parts are good reading to get a grip on what certificates are about and what different uses and initiatives are out there. It's a good read for a developer and even for managers (if they've got half a brain and some actually do). But, and it's a big but, the authors obviously thought they had to fill out the material a bit to get to a decent number of pages (which they barely did). And to do that, they did the usual background material on how encryption works and such. And here they fall down badly. There are a few really embarrassing errors in the descriptions. Not little typos, but real fat misunderstandings. Let's take a few examples (hoping I'm not the one who misunderstood...).

On page 16 they discuss "One-time password protocols" and describe the S/KEY system as follows: "This protocol requires a claimant and an authenticating system to share a small secret number n. The claimant hashes its password n times to create a one-time password and sends it to the system, which also hashes its own stored copy of the password n times and authenticates the claimant if the two results match. Upon a successful authentication, both parties decrement n." Well, you know, this sounds really stupid. If that number n is small it won't be secret for long. And why would it be secret at all? Actually, as I understood the system, the whole point is that the server does not have a copy of the original password. Instead, the server gets the password as it looks after n hashes at the outset. Then the client at the first logon passes the original password hashed (n-1) times. If the server by hashing the received hash once more arrives at the original (n) times hashed password, it knows it could only come from someone who has access to the original password. Next time the client sends the password hashed one time less; (n-2) times. The server hashes it once and arrives at the previously received hash that was hashed (n-1) times and knows everything is dandy.

Then on page 96 "Sandboxing" is described as some kind of strict checking of rights before a component or script can access stuff on your machine. It's not, it's another way of doing things. It's based on creating a virtual environment for a program where only the things are present that it may touch. For instance, you create a fake file system that simply does not have any files you don't want the program to touch. If you check on page 107, you find a title: "Lifting the Sandbox Barrier". Which elicits a deeply felt "uh?". What "barrier"?

Then just a minor niggle on page 151: "Note that Outlook Express will warn you if you attempt to send an encrypted message to someone for whom you have not established a certificate". "Warn"? Meaning that if you say "OK" it sends it anyway? How? Unencrypted? Encrypted for a key received by ESP? Sends it to someone else it does have a certificate for instead? Curious minds want to know.

If you draw the conclusion that I don't like this book, you may be right. If you draw the conclusion I'm sorry I bought it (had it bought, actually), you'd be wrong. Some of the stuff on certficates is really useful. Now, let's hope it's correct, too. (11/2002) (No comments yet)

Applied Cryptography 2nd ed.

May 20, 2004
Schneier, Wiley, 1996
Oh, my. This one's going to keep me busy for a great while. Covers every darn algorithm in detail. Except, of course, Rijndael, which I'll have to find somewhere else. By the way, there's a description of SKEY in here that confirms exactly what I thought when reading the Feghhi folks' book (above). So I was right (of course). By the way, this book actually replaces and improves on "Network Security" (Kaufman below. Didn't think that was possible.

A few days later... "keep me busy a great while", sure. I'm three quarters of the way through the book. I can't claim I understood everything, but I really got a good idea about almost everything in the book. The explanations are amazingly clear and useful. Also, this is as close to a cliff-hanger as you're likely to get in this type of literature. You simply can't put it down. (11/2002) (No comments yet)

Hacking Exposed 3rd ed.

May 20, 2004
McClure-Scambray-Kurtz, McGraw-Hill, 2001
I'm saving this for those long winter nights. Cosy, cuddly thing. (11/2002).

Ok, got through the book, got through the winter. A lot in here is repetition of what's in Hacking Exposed Windows 2000 and a lot is different. These two books overlap maybe 25%, or at least that's what it feels like, so you actually do need to read both. Since I'm all into Windows programming (one can always dream of other things, but that's what I'm getting paid for...), the other book is the most useful day-to-day. (6/2003) (No comments yet)

Hacking Exposed Windows 2000

May 20, 2004
McClure-Scambray, McGraw-Hill
Scary book. In other words, you'll love it. All the devious things that can be (read: "are being") done to your machines and the exact recipies on how to do it, step by step. Do as I did, give the book to your boss and if he's the right kind of material, he'll start hacking into your company network right away and with great gusto. Not as much fun as doing it yourself, but certainly a lot safer. My boss (may he live forever) had a lot of fun playing with it (which he won't admit too, of course). Much smoke and fire. Now, if I only could make him give it back... (11/2002) (No comments yet)

Building Internet Firewalls

May 20, 2004
Chapman-Zwicky, O'Reilly, 1995
This one is really great. It remains the reference I use for general protocols. In particular, if you need to set up packet filtering rules, mappings and more of that ilk, this book runs through the actions each protocol takes over its different ports. For any standard protocol, this one always gave me all the angles I needed to set it up and to trouble-shoot it. (Added July 2000) (No comments yet)

PGP Pretty Good Privacy

May 20, 2004
Garfinkel, O'Reilly, 1995
A kind of extended manual for PGP, and useful as such. It doesn't teach you the internals, however, so if you're a coder, you won't use this one to create your own competitor to PGP. But you will use it if you want to run PGP from your app in batch files, for instance. If you want to run it as a DLL, you need the PGP SDK from PGP Corp. (Appeared in july 2002 as the latest holder of PGP rights.) (Added July 2000) (No comments yet)

Practical Unix Security

May 20, 2004
Garfinkel-Spafford, O'Reilly, 1991
A good overview of the Unix system utilities and files. Everyone doing Unix security should know this stuff first; the eternal unchangeable problems inherent in the Unix system itself. Not the little mistakes, backdoors and bugs; for those you need more up to date sources of information. (Added July 2000) (No comments yet)