
Monday, September 27, 2010

Hacking: The Next Generation Book Review

Nitesh Dhanjani, Billy Rios, & Brett Hardin

5 stars


Good Intro to Next Gen Attacks

First Impressions...skinny book. Strike One. Chapter 1 -- "Intelligence Gathering: Peering Through the Windows to Your Organization" spends a lot of time on physical security and social engineering and makes no mention of Maltego. I'm not sure how anyone can write a book on Intelligence Gathering and NOT include Maltego. Strike Two.

At this point I was thinking I had a dud on my hands, BUT Chapter 2 --- "Inside-Out Attacks: The Attacker Is the Insider" redeems it. Tons of code and examples to make XSS work in "realistic" scenarios mix the right amount of tech and narrative. My only gripe was that they talked about using XSS Shell for XSS exploitation instead of using BeEF, which is actively maintained and developed.

All the other chapters (except for Chapter 3) were very good; none of the others are as technical as Chapter 2, but I believe they cover the current trends in an entertaining and readable way. Like one reviewer mentioned, the information covered in Chapter 5 -- "Cloud Insecurity: Sharing the Cloud with Your Enemy" was not what I expected. It covered high level "possible" attacks versus any "probable" attacks, with the exception of possibly making insecure VMs and getting people to run them. Chapter 7 -- "Infiltrating the Phishing Underground: Learning from Online Criminals?" was a "chapterfied" version of the authors' talk on the subject. Chapter 4 -- "Blended Threats: When Applications Exploit Each Other" was a good overview of stringing vulnerabilities that would be/were not considered high risk into high risk issues by combining one or more together, which actually is "next generation".

Chapter 3, IMO, didn't cover anything new. Mostly a discussion of insecure protocols, ARP spoofing, and email spoofing. While still a relevant issue in security, it's not "next generation".


Tuesday, July 6, 2010

Fatal System Error Pseudo Book Review

Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet

Pseudo Book Review since it's not "really" a tech book. The book is written with very little technical jargon and it's an interesting read with a mix of information on Barrett Lyon, who fought DDoS attacks against various websites, the ties of online gambling and the mob, with a transition into the fight by Andy Crocker, a British cybersecurity agent, against the Russian and Eastern Bloc carding cybercriminals. An entertaining read about the history of carding and denial of service attacks by Eastern Bloc criminals.

In the category of:

Masters of Deception: The Gang That Ruled Cyberspace

The Fugitive Game: Online with Kevin Mitnick

Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age

learn about hacker history type books.



Tuesday, October 20, 2009

SQL Injection Attacks and Defense Book Review

Justin Clarke (and others)

5 stars

Most Up To Date and Digestible Book on SQL Injection

First off, kudos to Syngress for putting out a high quality book. It looks like they are turning things around.

Second, kudos to the authors for finally explaining SQL Injection and exploiting the OS through the database in an understandable way. Previous books have tried and failed, but this book succeeds in explaining what SQL Injection is, how the three forms (Error Based, Union Based, & Blind) of SQL Injection work, as well as post exploitation activities on various databases.

Here's what you get:

Chapter 1: What is SQL Injection?
Chapter 2: Testing for SQL Injection
Chapter 3: Reviewing Code for SQL Injection
Chapter 4: Exploiting SQL Injection
Chapter 5: Blind SQL Injection Exploitation
Chapter 6: Exploiting the Operating System
Chapter 7: Advanced Topics
Chapter 8: Code-Level Defenses
Chapter 9: Platform-Level Defenses
Chapter 10: References

Favorite chapters include "Review Code for SQL Injection", "Exploiting SQL Injection", and "Exploiting the Operating System".

In general I have nothing but positive things to say about the book. However, I do wish there was more "new" material for Oracle, as most of the discussion on Oracle can be found on the author's blog and presentations. Unfortunately the majority of the things I was unclear about before reading the book, I'm still unclear about because it's the same material. My biggest gripe comes from the Oracle privilege escalation section of Chapter 4 where it says "Privilege escalation via Web Application SQL injection in Oracle is quite difficult because most approaches for privilege escalation attacks require PL/SQL injection, which is less common." But it never gives an example of how to do PL/SQL injection via the web application. Uncommon != never. Unfortunately for most penetration testers, access to the TNS listener is usually firewalled off and exploiting Oracle through the web application is exactly what's required. Not covering that vector is really a downer. I'm not an expert in any of the databases, so maybe the problem applies to other databases in the book, but I didn't notice it in my reading.

There was also a lack of discussion on DB2 or Postgres, but there is some material in the Cheat-Sheets section for those databases.

On a more positive note, the coverage of the three core databases (MSSQL, MySQL, Oracle) is excellent (with the exception of the above comments) and there are two really good chapters on defense (CH8 Code-Level Defenses & CH9 Platform-Level Defenses). It's a must-have if you are getting into web application testing.

Sunday, October 18, 2009

The Oracle Hacker's Handbook Book Review

by David Litchfield

4 Stars

Required Reading for Breaking into Oracle Databases

I've been doing some Oracle research and of course this is the only book on the market that really covers breaking into Oracle, with the exception of The Database Hacker's Handbook, which came out in 2005. Justin Clarke's (and others') SQL Injection book published in 2009 also covers some Oracle material, but not enough to make this book obsolete.

I bought this book immediately when it came out in 2007 (yeah I'm super late on the review) but frankly put it down because it was confusing and definitely not suited for anyone that didn't already have a basic exposure to Oracle. I picked it up again in late 2008 after doing the background research on Oracle security and administration. Armed with a better understanding of Oracle in general I attacked the book again, focusing on SQL Injection in the Oracle PL/SQL packages with the goal of going from locating an open TNS listener to getting a shell on the system.

The author is well known in the security industry and one of only a handful of Oracle Security "experts", so the skill level was definitely there.

Breakdown of the Chapters:
Introduction.
Chapter 1 Overview of the Oracle RDBMS.
Chapter 2 The Oracle Network Architecture.
Chapter 3 Attacking the TNS Listener and Dispatchers.
Chapter 4 Attacking the Authentication Process.
Chapter 5 Oracle and PL/SQL.
Chapter 6 Triggers.
Chapter 7 Indirect Privilege Escalation.
Chapter 8 Defeating Virtual Private Databases.
Chapter 9 Attacking Oracle PL/SQL Web Applications.
Chapter 10 Running Operating System Commands.
Chapter 11 Accessing the File System.
Chapter 12 Accessing the Network.
Appendix A Default Usernames and Passwords.

I think most of the background chapters are "adequate" and the exploitation chapters are very good. At the time of publishing the author released code for vulnerabilities that were brand new. I do have issues with Chapter 5 Oracle and PL/SQL. I think the coverage of PL/SQL is only adequate if you already know PL/SQL. It took me going and reading a lot of other material on the net about PL/SQL to understand things that are glossed over in the chapter. The chapter is good and covers tons of material, but from an attacking Oracle perspective more time should have been spent on teaching the reader how to use the "describe" package option in PL/SQL to describe the package to learn how to craft your queries correctly, as well as how to research and write your own SQL Injection queries based on published vulnerabilities. More coverage on default privileges and roles would have been useful as well. Again, if you have been an Oracle DBA, you understand this already. If you are an Oracle security researcher, you know this already. If you are a pentester trying to get some Oracle under your belt, you'll have to go pick up another book or hit the internet to get the background material.

The other chapters are good and they cover their stated topics. More examples would have been nice of course. A couple of times we are told to check out the Oracle coverage in The Database Hacker's Handbook. That's just frustrating. While I'm not a huge fan of republishing materials, if information is needed to understand or better understand a topic then include it; it's not like OHH was "running long", it's very slim for a security book.

What knocked the book down to 4 stars was when I went and read the Oracle sections of The Database Hacker's Handbook and it had material that wasn't included in OHH. Given the "slimness" of the book, it wouldn't have hurt the book to reproduce the content from DHH as it is relevant and helps explain the concepts better than the coverage in OHH.


Source code download location:
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470080221,descCd-DOWNLOAD.html


Monday, May 4, 2009

Wicked Cool Ruby Scripts Book Review

By Steve Pugh

4 stars

Thanks to No Starch Press for my review copy!

From the Description

Wicked Cool Ruby Scripts provides 58 scripts that offer quick solutions to problems like system administration, manipulating images, and managing a website. After getting your feet wet creating simple scripts to automate tasks like file compression and decompression, you'll learn how to create powerful web crawlers, security scripts, and full-fledged libraries and applications, as well as how to:

* Rename files, disable processes, change permissions, and modify users
* Manipulate strings, encrypt files, and sort efficiently
* Validate web links, check for orphan files, and generate forms
* Mass edit photos, extract image information, and create thumbnails
* Parse CSV files and scrape links, images, and pages from the Web


Ruby is a highly extendable and sometimes confusing language, especially when you throw in all the various rubygems out there. Wicked Cool Ruby Scripts provides many examples of how to use the various gems to script together quick hacks (wicked scripts) for various problems one may encounter.

Steve walks us through the problem we are trying to solve, the code to solve the problem, how to run the code, what the results look like, a lengthy discussion on how it works, and "hacking the script" with ideas on how to extend what we wrote. All the code is well commented (see the sample chapter on No Starch Press) and well explained.

Pros:
Easy and fun to read, font is readable, doesn't contain pages and pages of uncommented code, source code is available, companion website exists, and the book left me with memorable ways to remember and use the material. I've actually gone back a few times to look at some of the scripts in the book. I also liked the metasploit section (of course). It certainly isn't your typical "Hello World" programming book which is also refreshing.

Cons:
As one other person posted in their Amazon review, it's a bit hard to say what level the book is for. It's certainly NOT for beginners, as we're expected to already have Ruby up and running and understand the basics, and it's not advanced material either. That leaves us with intermediate, which is ok but certainly makes it hard to recommend for knowledgeable programmers. The book is short; it's got 58 or so scripts coming in at 170 pages, but it would have been nice to have more. It's certainly not "too short" but more would have been nice. I would have liked to have had more information on the specific rubygems used for different scripts. Links to the specific gem homepages to get further usage would have been nice as well.

View the detailed Table of Contents (PDF)

View the Index (PDF)

Sample Chapter: Chapter 1: "General Purpose Utilities"

Source Code: Source Code from the Book




Programming Book Review Criteria

I don't read too many programming books and I don't usually finish the programming books I do try to read. I end up getting sidetracked trying out the code and never finish the books. I know, excuses, excuses... I also didn't have a programming book review criteria like I do for regular tech books. Chances are a programming book isn't going to bring anything "brand new" to the community or explain a brand new concept; it's about programming in whatever language. So the following is what I came up with. I reserve the right to change it for future programming book reviews. I couldn't think of an easy way to grant stars, so I guess I'll just wing it for the time being.

working ideas:

-how was the book written? easy to understand?

-what level is the book written to? Beginner, intermediate, expert?

-code correct? are there mistakes? do the examples work in real life?

-can you download the source code? does it have a companion site?

-does it have more than 2 pages in a row of code? I hate that!

-if the code is more than a snippet, is it documented?

-if the book uses external libraries (like ruby gems) are links to those libraries included in the book or companion site?

-did it leave me with a memorable way to remember the material?

-how is the font for the text of the book? too small, hard to read, distracting?

Sunday, May 3, 2009

Gray Hat Python: Python Programming for Hackers and Reverse Engineers

Gray Hat Python: Python Programming for Hackers and Reverse Engineers (Paperback)
by Justin Seitz

Publisher Description

Python is fast becoming the programming language of choice for hackers, reverse engineers, and software testers because it's easy to write quickly, and it has the low-level support and libraries that make hackers happy. But until now, there has been no real manual on how to use Python for a variety of hacking tasks. You had to dig through forum posts and man pages, endlessly tweaking your own code to get everything working. Not anymore.

Gray Hat Python explains the concepts behind hacking tools and techniques like debuggers, trojans, fuzzers, and emulators. But author Justin Seitz goes beyond theory, showing you how to harness existing Python-based security tools - and how to build your own when the pre-built ones won't cut it.


My Take

I have to start off by saying that I've been looking forward to this book being published for months now. Since it initially popped up on the No Starch website I've been following it and nagging the publishers about its release. I was fortunate enough to get a copy last Friday and I dove into it full force; even my final exam suffered because I was a little too focused on this book. I have mixed feelings about the book overall; there were definitely a few things I gained from it. On the other hand, there were many more things that could have been added. If you are new to Reverse Engineering then you will most likely obtain a leap of knowledge from the book. Packed with code examples on various open source tools and concepts to create your own, you'll be waist deep in Python for a while. If you've been around for the last few years and have already checked out many of the open source tools discussed in the book, you may only get a few things out of it. I don't understand CG's rating system so I'm not going to give you a star formula, or even a numeric rating.


Justin does a great job elaborating on the code examples used throughout the book. The sheer scope of this book makes it difficult to cover everything, but Justin definitely attempts to give you a taste for the more common scenarios you may find yourself in. Below I highlight a few chapters that I found interesting and useful. Overall the entire book is useful, but a large portion covers open source tools that have a plethora of documentation and examples in existence.

Chapter 3 is just downright awesome. This chapter walks you through creating your own python based debugger that is similar to pydbg. Between the concepts and actual implementation you obtain a solid understanding of what is going on in a Windows based debugger.

Chapter 6 goes over Hooking in 5 pages. This topic could easily fill a few chapters by itself but Justin sums everything up quite nicely with plenty of examples.

Chapter 7 discusses DLL and Code injection which was a pretty interesting topic. The chapter even gets a little "Evil" by showing you how to hide files on a filesystem using python. It goes one step deeper into evilness by demonstrating how to code a back door into files.

Chapter 8 goes into fuzzing concepts and the demonstration is very practical for anyone doing exploitation. Justin shows us how to create a file format fuzzer which I thought was pretty slick.

The last chapter I found pretty interesting was Chapter 10, titled "Fuzzing Windows Drivers." This chapter outlines methods of identifying device names and IOCTL codes using Immunity Debugger. It continues to show examples of an IOCTL fuzzer that can be used in conjunction with the rest of the scripts outlined in the chapter. Definitely some cool stuff. Personally, I'm not quite up to a driver level fuzzing level, but I still found the knowledge very useful and was able to translate some of the Immunity scripts into IDAPython scripts for static analysis to find the device names and IOCTL codes.


The Cons

The entire book was based on dynamic analysis. This is great for those out there doing RE through execution, but it really sucks for people like me who only do dynamic analysis 10% of the time.

The entire book is Windows specific. Yes, most RE work is done on Windows, for Windows binaries. However, there are closed source applications and even embedded stuff that is Linux based. It would have definitely been useful to have some examples for these types of cases.

At times I found the book drifting into the direction of exploitation. Granted, RE and exploitation go hand in hand but I feel those of us who perform RE for the purpose of compatibility, protocol analysis, and other crap were left out a bit.

The chapter on debugger design did not have all that much to say about designing a debugger. In fact, it was probably more in line with a quick introduction to x86 architecture, specifically registers and stacks. It was not until Chapter 3 that you really understand the elements involved.

Overall, I equate this book to Hacking: The Art of Exploitation, first edition, but for Reverse Engineering. The book is packed with useful information for both the novice and the professional, but I hope a second edition comes out with more information that covers both static and dynamic analysis.


Geek Mafia Pseudo Book Review

So not a real book review because it's not a tech book, but certainly a recommendation to grab a copy of Geek Mafia (PM Fiction) and read it if you read (and I may be kicked out of the "club" for this) non-technical books at all.

Geek Mafia has a good mix of tech, sex, geek, and adventure to make it a good read. I've ordered the second one (Geek Mafia: Mile Zero (PM Fiction)) and I'm ordering the third one (Geek Mafia: Black Hat Blues (PM Fiction)) as soon as it's available.



Chained Exploits: Advanced Hacking Attacks from Start to Finish Book Review

Witty (Hopefully) Amazon Title: Nothing New to People in the Security Community

Chained Exploits: Advanced Hacking Attacks from Start to Finish

by Andrew Whitaker, Keatron Evans, Jack B. Voth

3 stars

From the Description:

"Nowadays, it’s rare for malicious hackers to rely on just one exploit or tool; instead, they use “chained” exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don’t cover them at all. Now there’s a book that brings together start-to-finish information about today’s most widespread chained exploits–both how to perform them and how to prevent them.


Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today’s most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering."


It took me a while to decide on a star rating for this book. It had lots of very good pros and, to me, several significant cons. So the pros: I couldn't think of another book that approaches the problem from the "chained exploit" perspective, meaning one exploit doesn't give you the keys to the kingdom or your final end state. Now, for the last 10 years we've had the Hacking Exposed methodology, which essentially tells us "how to chain exploits together" but doesn't actually walk you through the process during a chapter of a book or share the process in the "story" format that Chained Exploits does. The Hacker's Challenge series of books is similar, but the Chained Exploits book gives you a bit more technical detail (code snippets, Metasploit output, etc) than the Hacker's Challenge books. The countermeasures in Chained Exploits are also valuable and usable, which is refreshing because they usually seem like an afterthought and less of a major piece of other books.


OK so the cons:

So the "chained exploit" approach is valuable from a teaching point of view, but anybody that pentests for a living has been doing this for a while now; it's just part of "the process." It's certainly not new to the security community, but maybe new to print. You could also argue that chaining reconnaissance with the sending of our phishing email really isn't "chaining" anything; again, it's our process of attack or methodology. Our attacker Phoenix, for being such an evil black hat, makes some gross errors that go unmentioned in the book. One of the biggest errors was testing code on his home system that actually sends traffic to the later victim. A halfway decent admin with some Law Enforcement help will trace that activity right back to the source...his apartment. That leads me into my final con about the book. The book, while technically correct and well written, was not overly technical and did not employ many new techniques. I felt like most of the attacks mentioned in the book were pretty old and had been discussed in a lot of other places. I would have liked to have seen much more technical attacks carried out. There was no mention of semi-advanced techniques like IDS evasion, AV evasion and detection, or stealthiness. We don't live in a day and age anymore where I can push netcat to most Windows systems and not expect AV to catch it or IDS to signal on the traffic. The authors were certainly capable of more advanced technical content but did not deliver.

Detailed info here: http://www.informit.com/store/product.aspx?isbn=032149881X

Friday, January 2, 2009

Googling Security: How Much Does Google Know About You? Book Review

Googling Security: How Much Does Google Know About You?

Greg Conti

5 stars

Witty (hopefully) Title for Amazon: Google may not be evil, but it's still worth keeping an eye on

Disclaimer: I know the author personally and was given a review copy of the book.

I haven't read many (non-religious) books that totally change my outlook about the world we live in. In 2008, Robert O'Harrow's "No Place to Hide" is one such book and Greg Conti's Googling Security is the second.

The book begins with a simple question: "Have you ever searched for something you wouldn't want your grandmother to know about?" A simple but powerful question. Of course all of us have searched for topics we would rather our grandmother, friends, or spouse not know about. Would you ever consider posting the sum of your Google queries on your blog or website? Probably not, but just about all of us have given this information to Google in our dealings with them over the years. The book helps you take a look at how the sum of that information gathered through the use of the multitude of Google's "free" tools adds up to take a huge chunk of our privacy and very well could be giving Google a solid look into our personalities, including things most of us would prefer to keep private.

Breakdown of the chapters:

Chapter 1: Googling 1

Chapter 2: Information Flows and Leakage 31

Chapter 3: Footprints, Fingerprints, and Connections 59

Chapter 4: Search 97

Chapter 5: Communications 139

Chapter 6: Mapping, Directions, and Imagery 177

Chapter 7: Advertising and Embedded Content 205

Chapter 8: Googlebot 239

Chapter 9: Countermeasures 259

Chapter 10: Conclusions and a Look to the Future 299


A common theme that the author found while conducting research for the book was "Google will collect personal information from you to provide you with a better experience."
Right now we expect Google to "do no evil" and their current policies say they don't personally identify their users, but as the author points out through the chapters in the book, Google gathers A LOT of data they DO tell us about, and the ability to gather even more data is already built into its "free" services.

Some other reviewers have said that it's "preaching to the choir." While I agree that the normal person that would buy this book is in the IT field, I wouldn't be so quick to immediately say that the average system admin or even security guy understands the magnitude of information gathering that could possibly be going on and the value and power of that information. While not specifically mentioned in the book, I would encourage anyone interested in the topic to check out Conti's DEFCON 16 presentation on "Could Googling Take Down a President, a Prime Minister, or an Average Citizen?" When you think about the importance or value of that first page of results returned by Google and think about how events, commerce, or public opinion could be shaped by crafting the results that are returned, you have a powerful tool (weapon?). What if the top results for a certain political candidate consistently only returned negative commentary? Or if events were "buried" by Google never returning those results? Just because Google doesn't currently appear to be altering results or collecting and using personal information, it's important to understand the power every user gives to Google in both personal information and the power of controlling what is presented to searchers.

One of the best things the book has that most books covering similar (privacy) type topics lack is a countermeasures chapter. While saying "don't use Google" really isn't an option for most people, the best advice from the chapter was teaching people to know and understand what they are disclosing and adjusting their behavior accordingly.

My only dislike in the book was the coverage of "physical" information leakage (TEMPEST). The material is good, but I don't think it was pertinent to the Google and privacy discussion.

Conti's DEFCON 16 INFO

Abstract: http://www.defcon.org/html/defcon-16/dc-16-speakers.html#Conti
Materials: http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-conti.pdf




Book Review Criteria: http://carnal0wnage.blogspot.com/2008/03/book-review-criteria.html

Thursday, December 25, 2008

The Truth About Identity Theft Book Review

by Jim Stickley

4 stars

Witty (Hopefully) Amazon Title: Digestible Truths to Protect Yourself from Identity Theft

When this book showed up (review copy) I initially thought, what a piece of garbage. Like a previous commenter said, the book has a lackluster cover and it's small and skinny.
BUT, I flipped through and noticed that it contained lots of little "truths" 3-4 pages in length that quickly covered specific topics related to identity theft and protecting yourself online. So I decided to give it a shot.

The book is broken into 9 parts:

Part 1: The Truth About Phishing and Vishing
Part 2: The Truth About Trash
Part 3: The Truth About No-Tech Identity Theft
Part 4: The Truth About Just How Low Identity Thieves Will Go
Part 5: The Truth About Identity Theft in Plain Sight
Part 6: The Truth About Online Cons
Part 7: The Truth About Security at Work
Part 8: The Truth About Identity Theft from Real Victims
Part 9: The Truth About Putting a Stop to Identity Theft

Again, each part consists of several 3-4 page vignettes on topics related to the section, and each vignette, while short, yields some actionable information on the topic. I didn't have any specific favorites; they were all good. Just about all of them were real world examples that the author conducted during security assessments or real life examples from people that had contacted the author or stories he had heard. It's sometimes much easier to empathize with Susan, who was a victim of identity theft, and the troubles she was having trying to set things right. Of real value was the part on Putting a Stop to Identity Theft, which tells you how to get rid of the pre-certified credit card offers, checking your credit reports, actions to take if you are a victim of identity theft, and some of the pitfalls that can come up during the process.

So why 4 stars? Well, mostly because I review technical security books, it wouldn't be fair to give a less technical book that doesn't yield "new" (but still useful) information 5 stars when other more technical books are graded much harsher. So that being said, if I had approached it as a less technical reviewer I would have easily given it 5 stars. If you want to get a book for mom and dad to help them protect themselves from themselves and the rest of the bad guys out there, this is the book for them. Unfortunately I finished it too close to Xmas to give copies as gifts.


Saturday, November 15, 2008

Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion Book Review
by Hal Abelson, Ken Ledeen, Harry Lewis

4 stars

Witty (Hopefully) Amazon Title: My bits are gone and I want them back!

The authors of Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion cover both new and old technologies and how they relate to today's cultural and political climates, driving home the history of most of the technologies we can't live without and their tumultuous relationship with the legislative and judicial branches of the American government.

Breakdown of the chapters:

Chapter 1: Digital Explosion: Why Is It Happening, and What Is at Stake? 1

Chapter 2: Naked in the Sunlight: Privacy Lost, Privacy Abandoned 19

Chapter 3: Ghosts in the Machine: Secrets and Surprises of Electronic Documents 73

Chapter 4: Needles in the Haystack: Google and Other Brokers in the Bits Bazaar 109

Chapter 5: Secret Bits: How Codes Became Unbreakable 161

Chapter 6: Balance Toppled: Who Owns the Bits? 195

Chapter 7: You Can’t Say That on the Internet: Guarding the Frontiers of Digital Expression 229

Chapter 8: Bits in the Air: Old Metaphors, New Technologies, and Free Speech 259

Conclusion: After the Explosion 295


All the chapters were well written, informative, and flow well together. I felt the authors did a great job breaking down the technical concepts behind the technologies well enough to get the required background (technical but not too technical) and then move into the political discussions of those technologies. The real value of the book was the "Your Life, Liberty, and Happiness" portion of the discussions. They discuss how the world has changed now that we are moving away from paper and everything is in bits. Who owns those bits, what are the government and industry allowed to do with those bits, and what about privacy in our lives now that very detailed profiles of people can be generated from those bits (especially since we gave that information away for a few cents off at the register or for some "free service")?


There are plenty of books that discuss the 1's and 0's of the concepts but few I have read that talk about the privacy, governmental or cultural issues that arise from those technologies. Like one of the other reviewers(1) mentioned, there are plenty of "gee whiz" moments along with plenty of "I can't believe they did that" moments as well. A great read.




Saturday, November 1, 2008

Implementing NAP and NAC Security Technologies Book Review

Implementing NAP and NAC Security Technologies: The Complete Guide to Network Access Control

Dan Hoffman

4 stars

Witty Title for Amazon: Clear and Actionable Advice on Choosing the Right NAC Solution

Disclaimer:
I was asked to read a pre-release copy of the book, my quote made it onto the book, and I was given a review copy.

I found myself in a position to learn about the different types of NAC appliances as well as Mobile NAC. The problem is that I don't work for a NAC vendor or install NACs for a living. Googling left me with tons of vendor hype on NAC but not a lot of good information to help me understand the different types of NACs, how they work, and why I would choose one type over the other. Dan Hoffman's book is the only NAC book I know of that is (mostly) vendor neutral. The only other NAC/NAP books I know of are Cisco Press books, which obviously tout Cisco products as the best way to go. Dan Hoffman breaks down the functionality of NAC and the different types of NAC solutions into simple, easy to understand language, just like he did for Blackjacking on mobile threats. He has a great knack for explaining technical systems and topics in an easy to understand way.

Here is a list of what he covers in the book:

CH1 Understanding Terms and Technologies
CH2 The Technical Components of NAC Solutions
CH3 What Are You Trying to Protect?
CH4 Understanding the Need for LAN-Based NAC/NAP
CH5 Understanding the Need for Mobile NAC
CH6 Understanding Cisco Clean Access
CH7 Understanding Cisco Network Admission Control Framework
CH8 Understanding Fiberlink Mobile NAC
CH9 Understanding Microsoft NAP Solutions
CH10 Understanding NAC and NAP in Other Products

My favorite chapters are CH3 "What Are You Trying to Protect?", CH4 "Understanding the Need for LAN-Based NAC/NAP", and CH5 "Understanding the Need for Mobile NAC."

By far the most important chapter is chapter three, where Dan walks through the questions an organization needs to ask itself before it purchases a NAC solution. The company needs to know whether it is trying to protect LAN-based or Mobile assets, and it needs to know exactly what it is trying to protect those assets against. Dan discusses the various scenarios that come out of those two questions, and the two follow-on chapters provide even more detail on how the two types of solutions (LAN-based and Mobile NAC) work and how they differ from one another. Chapter two covers the details of the different parts of NAC, and Chapters 6-10 give some of the specifics about different NAC vendors' solutions (not a complete list).

The only thing I didn't like about the book was that it really didn't cover bypassing NAC. It would have been nice to see some content on how NAC is currently being bypassed or what NAC doesn't protect against and how to mitigate against it.



Tuesday, August 26, 2008

Book Review: The IDA Pro Book

I was able to pick up a pre-release copy of The IDA Pro Book at Defcon in the vendor area, thanks to Adam from No Starch. This book is not an introduction to reverse engineering; it's a hard-core manual for IDA Pro. IDA Pro is a critical weapon in any reverser's arsenal, so proficiency in this tool is paramount to your success in reverse engineering. If you are new to IDA Pro you need this book, and even if you've been working with IDA for a while you will more than likely learn quite a few things after reading it. Unlike the two other books I've read on IDA Pro, this book has no fluff or filler; it's solid information! The funny thing when comparing it to the other two IDA books is that it's thicker than both combined, and contains an exponentially larger amount of information.

The author takes time to explain things in a very clear manner as you walk through from an introduction to the tool to more advanced usage such as customizing and extending IDA, debugging, and dealing with obfuscated code. The author answered questions I had spent weeks asking and searching the Internet for.


Likes:

Just about everything. The author walks you through plenty of code and discusses scenarios where you could apply the information he is giving you. The fact that he took his time to elaborate on why and when you might use a piece of information is unlike many authors, who will give you information and leave the reader wondering "What would I use that for?"

This book does not just talk about Win32 and the Portable Executable format; ELF binaries make continual guest appearances throughout the book, and firmware/binaries are mentioned in numerous chapters.

Side bar elaboration is kept to a minimum. I often find in texts that an author will go on about background information that does not add anything significant to what I am reading. Chris Eagle keeps this to a minimum, adding small side bars when necessary that only take up a small amount of real estate.


Dislikes

My only dislike of this book was the use of the PE format as the example in chapter 18 – Binary Files and IDA Loader Modules. Despite the well known format chosen for this example, the concepts were clearly displayed. I think it would have made it more interesting if the author had used a lesser known format, or done as the author of "Reversing: Secrets of Reverse Engineering" did and created his own binary.


-Phn1x

Monday, August 4, 2008

Pre-Review Blown To Bits: Your Life, Liberty, and Happiness After the Digital Explosion

Just a quick pre-review for Blown To Bits: Your Life, Liberty, and Happiness After the Digital Explosion. It is an excellent follow-up to No Place to Hide. It's been updated, talks about current privacy issues and is thus far well written. The authors do a great job of laying out how we have given away our privacy for convenience and how the big data shops technically aren't breaking any laws, which works out just fine for the government, which gladly pays them to spy and aggregate data.

I should be able to finish it up on the way to Vegas and hopefully will remember enough post-Defcon to write the review ;-)


Monday, June 9, 2008

LAN Switch Security Book Review

LAN Switch Security: What Hackers Know About Your Switches

by Eric Vyncke and Christopher Paggen

4 stars

“Should be required reading for Pentesters”

LAN Switch Security provides enough information to leverage the most common layer 2 attacks a pentester would be interested in: MAC Flooding, VLAN Hopping, DTP attacks, and CDP Snarfing, along with plenty of switching protocol details for the Cisco ninja wannabe.

With the exception of the white paper for the tool Yersinia there isn't much in the way of resources out there for conducting Layer 2 attacks and certainly nothing written to the technical level of LSS.

The discussion of Layer 2 attacks in the first few chapters of this book is excellent and easily worth the price of the book, especially if you are responsible for securing switches or just breaking into and abusing them. Chapter 4's ("Are VLANs Safe?") discussion on Dynamic Trunking Protocol is probably the most valuable for pentesters. The chapter covers using Yersinia to (hopefully) turn the port the attacker is connected to into a trunk port. This enables the attacker to see all traffic on all VLANs (pretty handy). In addition to exceptional background material on switching protocols and information on breaking the different switching protocols, the book gives us quality information on securing those same protocols, including a good chunk of the IOS commands to implement the recommended changes.
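As an added example (my code, not from the book and not Yersinia's), here is a small Python script that builds the kind of DTP frame a tool like Yersinia sends to talk a switch into trunking, dissects it, and flags it when it shows up on a port that is supposed to be access-only. The on-the-wire layout (Cisco multicast destination 01:00:0c:cc:cc:cc, LLC/SNAP with the Cisco OUI and protocol ID 0x2004, a version byte, then type/length/value records for domain, status, trunk type and sender MAC) is the public DTP format; the status-byte decoding and the 0xA5 trunk-type value are my reading of it and are labelled as assumptions in the comments. The sample frames are constructed inside the script; nothing is put on the wire.

```python
"""Build, dissect and flag DTP frames (added example, not from the book or Yersinia)."""
import struct

DTP_DST = bytes.fromhex("01000ccccccc")   # Cisco multicast shared by CDP, VTP and DTP
CISCO_OUI = b"\x00\x00\x0c"
DTP_PID = 0x2004                          # SNAP protocol ID for DTP (CDP 0x2000, VTP 0x2003)

TLV_DOMAIN, TLV_STATUS, TLV_TYPE, TLV_NEIGHBOR = 1, 2, 3, 4

# Status byte (assumption, matches the common dissector reading): bit 7 is the
# trunk operating status (0 access, 1 trunk); low 3 bits are the administrative status.
TAS = {1: "On", 2: "Off", 3: "Desirable", 4: "Auto"}


def _tlv(t, value):
    """TLV header: 2-byte type, 2-byte length that includes the 4-byte header."""
    return struct.pack("!HH", t, 4 + len(value)) + value


def build_dtp_frame(src_mac, domain=b"", status=0x03, dtp_type=0xA5):
    """Frame an attacker tool would send on an access port.
    status=0x03 advertises Access/Desirable, which is enough to make a port left in
    dynamic auto/desirable mode negotiate a trunk. dtp_type=0xA5 is the value I
    assume for 802.1Q negotiation; the parser keeps it raw rather than guessing."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    dtp = (b"\x01" + _tlv(TLV_DOMAIN, domain) + _tlv(TLV_STATUS, bytes([status]))
           + _tlv(TLV_TYPE, bytes([dtp_type])) + _tlv(TLV_NEIGHBOR, src))
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", DTP_PID) + dtp
    return DTP_DST + src + struct.pack("!H", len(body)) + body   # 802.3 length field


def parse_dtp(frame):
    """Return decoded fields for a DTP frame, or None if it is not (valid) DTP."""
    if len(frame) < 22 or frame[:6] != DTP_DST:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or len(frame) < 14 + length:      # not 802.3, or truncated
        return None
    if frame[14:17] != b"\xaa\xaa\x03" or frame[17:20] != CISCO_OUI:
        return None
    if struct.unpack("!H", frame[20:22])[0] != DTP_PID:
        return None
    payload = frame[22:14 + length]
    if not payload:
        return None
    info = {"src": frame[6:12].hex(":"), "version": payload[0]}
    pos = 1
    while pos + 4 <= len(payload):
        t, l = struct.unpack("!HH", payload[pos:pos + 4])
        if l < 4 or pos + l > len(payload):
            return None                                   # malformed TLV, do not guess
        v = payload[pos + 4:pos + l]
        if t == TLV_DOMAIN:
            info["domain"] = v.rstrip(b"\x00").decode("ascii", "replace")
        elif t == TLV_STATUS and len(v) == 1:
            info["tos"] = "Trunk" if v[0] & 0x80 else "Access"
            info["tas"] = TAS.get(v[0] & 0x07, "unknown(%d)" % (v[0] & 0x07))
        elif t == TLV_TYPE and len(v) == 1:
            info["type_raw"] = v[0]
        elif t == TLV_NEIGHBOR and len(v) == 6:
            info["neighbor"] = v.hex(":")
        pos += l
    return info


def flag_trunk_negotiation(frame, port_is_access=True):
    """Detection rule: any DTP on a port that should be access-only is suspicious;
    one that asks for a trunk (Desirable/On) is an alert. Returns None for non-DTP."""
    info = parse_dtp(frame)
    if info is None or not port_is_access:
        return None
    if info.get("tas") in ("Desirable", "On"):
        return "ALERT: %s asks to trunk (%s/%s, domain=%r)" % (
            info["src"], info["tos"], info["tas"], info.get("domain", ""))
    return "WARN: DTP from %s on access port (%s)" % (info["src"], info.get("tas"))


if __name__ == "__main__":
    # Constructed sample: what a Yersinia-style "enable trunking" frame looks like.
    sample = build_dtp_frame("00:11:22:33:44:55", b"lab", status=0x03)
    print(parse_dtp(sample))
    print(flag_trunk_negotiation(sample))
```

Point a raw socket or scapy sniffer at it to feed real frames. On the switch side the standard IOS fix is `switchport mode access` plus `switchport nonegotiate` on every user-facing port, so the switch never speaks DTP there and the frame above gets nothing.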

Pros:

-All the chapters using Yersinia for attacks and the overview of Yersinia
-The structure (Technology Overview, Discussion of the Vulnerability, Remediation) of each chapter works well
-Plenty of Cisco IOS command line specifics to get the job done
-Really good overviews of the switching protocols, how to break them, and how to secure them
-Discussion of data planes and control planes

Cons:

-Check out the cons of Richard Bejtlich & Stephen Northcutt...all valid
-No discussion of minimum lab requirements to set up a lab to reproduce the attacks
-I lost interest from part II onward, probably because most of the attacks don't give you much (if any) in the way of privileges and it got fairly deep into switching protocols I don't usually deal with and the book seems to drift. I'm not sure what happened but the book doesn't end as strong as it begins.
-Some repeating of material in different chapters

I gave the book 4 stars mostly due to editing issues, lack of lab guidance to reproduce the attacks, and the fact that I lost interest in the book toward the end. Even though I lost interest toward the end I still recommend this book for anyone interested in breaking Layer 2 or securing it.

Links:

http://www.yersinia.net/doc.htm
http://www.yersinia.net/attacks.htm

Yersinia article from hakin9 magazine (sorry, couldn't find the full one; this link is for pay after the first page)

Friday, June 6, 2008

1984 was a typo! -- No Place to Hide Pseudo Book Review

I really blame phn1x for actually answering my question of what Safeway does with the information of what you buy and suggesting the book "No Place to Hide" by Robert O'Harrow.

Google Books Link:
http://books.google.com/books?hl=en&id=caydrFMa1mIC&dq

I won't do the typical review I do because it's not a "tech" book, but I will say that it was eye opening. I'm embarrassed not to have known the scope of information (and how easily we give it up) that is being accumulated about us by different commercial organizations (ChoicePoint, Acxiom, and more): computer-generated models of our likes and dislikes formulated and sold to various vendors; private information about us from marriages, mortgages, books checked out from the library, you name it; and of course that information being easily sold to the government, which lives up to the laws forbidding it from spying on citizens by not actually doing the spying itself but merely buying data and services from these vendors.

I don't want to go all Dale Gribble (more) but here are some fun/spooky/scary things from the book.

1. You don't have to fill out warranty cards that ask for all that personal info like how much you make and what kind of car you drive. By law all products have a one-year warranty without you having to mail in that registration card.

2. Your phone number is your new SSN and the "key" tying good chunks of your data to you. Add your zip code to make sure there are no mistakes.

3. Where do these companies get the data? From telephone directories, voter registration forms, tax assessor offices, questionnaires, warranty cards, catalog buyer behavior information, and product registration forms.

4. Who generated the initial no-fly lists? Yep, those companies.

5. Best part: all the data policing is done by the companies and not the government.

And for a real world example, in my mailbox yesterday was some junk mail from some Baptist church. Of course I called and said thanks for the letter, but how the f**k did you get my name and address? The utility company gave it to them...WTF.

EFF and EPIC can expect good donations this year, as long as they don't write down my name and address so the government doesn't have its initial start list of dissidents when things go south. But it's probably waaaaaaay too late to worry about that. I know I'm already on that list.

For cons of the book, read the reviews on Amazon; they mostly say the same thing. Basically great information, but no remediation. If there even is any at this point.

If you want to see what they have on you, at least ChoicePoint appears to do this for free if you are willing to cough up some information.
http://www.choicepoint.com/consumer/all_products.html

also opt-out info:
http://www.privacyatchoicepoint.com/optout_ext.html

Thursday, March 20, 2008

Metasploit Toolkit Book Review

Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research by David Maynor

2 Stars

Potential for something great was there but wasn't delivered

I'm going to take a harsh stance on this book, mostly because this book had the potential to really build upon all the information publicly available for Metasploit and really make a great book on Metasploit internals and advanced usage. Instead it seems like current public/free information was just rehashed and the new information was not updated for the 3.x branch of MSF.

What I consider the "meat" of this book, and what should have made this a 4 or 5 star book, covers the Metasploit Framework 2.x branch and NOT the current 3.x branch. By "meat" I mean the case studies covering exploitation using MSF. The major difference between the two is that 2.x was written in Perl and 3.x in Ruby. To be fair, the first 5 chapters cover using MSF 3.x, but I really didn't feel they covered much, if anything, that's not out on the net, with the exception of Chapter 5 (Adding New Payloads). "Using" Metasploit has been covered a million times in a million other books. A book specifically on Metasploit should have covered things not covered in every other hacking book.

Chapter 1 is an "Introduction to Metasploit." If you haven't ever used the tool and didn't want to RTFM, then "maybe" it would be useful for you. Most of the material I felt could be found on the Metasploit main support page, the wiki, or via Google, but mostly the first two. I'm also not sure why there are pages and pages of current payloads and exploits with no explanation as to why I would use one type of payload versus another, especially for the obscure ones like the findtag or ordinal payloads. Doing a "show exploits" or "show payloads" without dialogue on the differences adds little value. The Leveraging Metasploit on Penetration Tests section is one paragraph :-(

Chapter 2 is "Architecture, Environment, and Installation." There are 2-3 pages on locking down a system. Why is that included? Very random. Let me cover the installation covered in the book for you. Windows, double click the executable. *nix, download via svn. That's about the level of detail we get...sigh :-(

Chapter 3 is a whopping 7 pages including the FAQ section on "Metasploit Framework and Advanced Environment Configurations." That chapter covers what is in the directories of your msf installation and using the setg command.

Chapter 4 is "Advanced Payload and Add-on Modules." It covers some old information on meterpreter and some meterpreter basics; the stuff on the net covers it in far more detail. Decent coverage of the VNC Inject payload, crappy coverage of the PassiveX payload, ok coverage of auxiliary modules and a mention of db_autopwn.

Chapter 5 is "Adding New Payloads." Chapter 5 is the best chapter in the book because it discusses something...here it goes...NEW! and related to MSF 3.x. Chapter 5 is an excellent chapter walking us through building a SIP Invite spoofer auxiliary module. Had the whole book been of this caliber it would have been a 5 star book.

The case studies should have been rewritten to work with MSF 3.x; they are all for 2.x. They are good and contain the required detail (but I have not worked through all the examples yet). Things are similar between the branches and you can probably muddle through the conversions, but it makes no sense for the first half of the book to be about 3.x and the meat to be about 2.x. At a minimum a chapter or section on converting exploits from 2.x to 3.x was in order, but was not included.

I didn't find Appendix B, "Building a Test Lab for Penetration Testing" to be all that helpful either. I think it's a reprint from Penetration Tester's Open Source Toolkit v2, but can't confirm because I don't have that book.

Saturday, March 15, 2008

Hacking Exposed Web 2.0 Book Review

Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions by Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

Reliance on author's tool detracts from books potential

3 Stars

Thanks to McGraw-Hill for my review copy.

Based on my review criteria: http://carnal0wnage.blogspot.com/2008/03/book-review-criteria.html this book should have easily been a 4 or 5 star book, but I gave it 3 stars for its major flaw. Its major flaw is that it only talks about iSEC Partners' SecurityQA Toolbar as a tool for testing for the different types of web application vulnerabilities. Only discussing one closed source, for-pay tool that only runs on Windows is really disappointing from a security professional's standpoint. I really expected a good snapshot in time of the DIFFERENT tools and techniques for doing web 2.0 auditing. There are tons of "for-pay" and, more importantly, FREE web application scanners and tools that look for the same vulnerabilities discussed in the book, and the fact that they don't mention any other tools or methods is very disappointing.

Now that the above is out of the way...lets get on with the likes and dislikes.

Likes:
-The analysis of the Samy worm is excellent. They break the code apart and really analyze what's going on and why it worked at the time.
-The chapter on ActiveX security is excellent. It covers a lot of ground on why ActiveX controls are bad, how to fuzz them and how to defend against them.
-The whole first part of the book on Web 1.0 vulnerabilities is well written. I had just finished XSS Attacks and having that background helped a lot with the relevant chapters in HE Web 2.0.

Dislikes:
-The book is short, about 246 pages, that's probably too short for the price for a security book.
-A good chunk of the chapters cover over and over installing and using their SecurityQA Toolbar, I only need it once, if that.
-I think the book stops a bit short of actually exploiting Web 2.0 vulnerabilities. It talks a lot about identifying which 2.0 framework an application was built with and identifying different methods in that application, whether debug functionality is enabled, and finding hidden URLs, but how to exploit SQL injection, XPath injection or LDAP injection issues IN web 2.0 applications is missing. That was the core problem with web 1.0; it's still a valid and dangerous entry point for web 2.0 and should have been covered. Hacking Exposed is generally about exploiting vulnerabilities and not stopping at identifying them, which is where the book seems to have stopped.

Overall the authors are obviously very knowledgeable about the subject. One of the other reviewers mentioned that it goes from technically very easy to very difficult even within chapters, and I think this is true. The code samples for the examples they give are great, and their explanations of the web 1.0 and web 2.0 threats are very well written with good examples. Like I said, had it not been for their fixation with their own tool as the only option we have for web 1.0 and 2.0 testing this would have easily been a 4 star book. For those a bit more interested in web 2.0 I would recommend checking out Shreeraj Shah's Web 2.0 Security and Hacking Web Services books and his website, which has free web 2.0 auditing tools.

Wednesday, March 12, 2008

No Tech Hacking by Johnny Long Book Review

No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing by Johnny Long

4 stars

Solid advice on securing the human vulnerability

Johnny Long has a great knack for taking what should be common sense observations on human vulnerabilities and making them unique, entertaining, and most importantly actionable. The book really seems to be a companion to his numerous "No Tech Hacking" talks he has given at several security conferences. If you want an example check out the 2007 Shmoocon Archives: shmoocon.org/2007/presentations.html

Here are the chapters:

Dumpster Diving
Tailgating
Shoulder Surfing
Physical Security
Social Engineering with Jack Wiles
Google Hacking
P2P Hacking
People Watching
Kiosks
Vehicle Surveillance
Badge Surveillance
Epilogue

All of the chapters are pretty good; I particularly liked Physical Security, P2P Hacking, and Kiosks (even though it was a short chapter). Again, a lot of what he talks about is common sense and taken from the talks he gives at security conferences. But it comes from a guy that gets paid to break into buildings for a living, so you can trust the advice and situations to be pretty close to reality.

Things I liked about the book:

-The Physical Security section talks about defeating different types of locks and security systems. It was good, relevant content with good advice on how to fix it. The Kiosk chapter talks a little bit about breaking out of kiosks and information you can gather. Using P2P to look for sensitive documents is a good idea as well. Really, all the chapters had valuable information in them. In plain words he sums up relevant and dangerous security issues that target the human element of security.
-The large font and lots of pictures make the book a quick read. I also like that there were pictures to go along with all the points he was trying to make. His "arrest me face" on page 95 is the best.
-The book is pretty much without typos and editing issues, which says a lot for a Syngress book.
-The book is useful for both technicians and managers. I feel like I can give the book to both the techies and management and have them both get something out of it.


Some things I didn't like about the book:

-The book has a slightly condescending tone. I think this is the author's attempt to be funny, and in person I think he could have pulled it off. But in print it really comes across as "you are dumb, so dumb I have to write a book about hacking you without technology to show you how dumb you are." It doesn't make the book "bad"; it's just annoying at times.
-The tailgating section (page 24) slams a person for wearing their badge INSIDE and says she is not security conscious. Why would you NOT wear your badge inside? On one hand he complains about people not challenging him because of his fake badge or lack of a badge, and then he says that wearing a badge inside is an opportunity for someone who sneaks in to take pictures of it. Well, guess what, they are already inside; there are other, bigger issues now. In my opinion, badge on inside=good, badge on outside at lunch=bad.
-The book suffers a bit from the "Everything must be secure... damn the functionality" problem that a lot of security researchers and hard core security proposals suffer from. What I mean by all that is that sometimes security people lose sight of why things are the way they are, or of the fact that changing the way things are done would hinder actually getting work done. The best example I can come up with from the book is his discussion of DoD decals on cars (in the vehicle surveillance chapter) and how they give away too much information. While not arguing his point on giving away information, I'd like to see his proposal for a better solution to access control on DoD bases. I'd also argue that oil change stickers showing where I got my oil changed (which may give you some information on where I live or work) are far less dangerous than that person just following me home or to work now that they have me and my car associated with one another.