Posted to: Risks Digest 19.85
Originally From: "Rob Slade" <rsladet_private>

BKMAXSEC.RVW 980501

"Maximum Security", Anonymous, 1997, 1-57521-268-4, U$49.99/C$70.95/UK#46.95
%A Anonymous
%C 201 W. 103rd Street, Indianapolis, IN 46290
%D 1997
%E Mark Taber newtech_mgrt_private
%G 1-57521-268-4
%I Macmillan Computer Publishing (MCP)
%O U$49.99/C$70.95/UK#46.95 800-858-7674 http://www.mcp.com
%P 885 p. + CD-ROM
%T "Maximum Security"

Rather loudly promoted on the net these days, the major selling point of this book is that it was written "by an experienced hacker." Supposedly one who spent some time as a guest of Uncle Sam for fiddling bank machines. (Some of what we are told about the author does not fit with the contents of the book, but then, as an old professional paranoid, I may be unduly suspicious.)

Leaving aside questions of morality and definitions of the term "hacker," let us merely observe that these people are the gnostics. They are the devotees of the hidden, esoteric, and arcane knowledge. Such knowledge, of course, is cheapened and weakened by being revealed. Which may explain a certain reticence on a number of points in the book.

The introduction makes this mindset clear: Anonymous assumes that if you will not work diligently at his direction you do not deserve to secure your system. One can almost feel his glee at the expectation that thousands of sysadmins around the world will be wracking their brains and flooding Usenet with discussions of the significance of his clues to the vital encrypted message he has hidden on the CD-ROM. This does, of course, presume that his direction, and the contents of the book, warrant the effort to try and guess his riddle.

Part one might be characterized as a social background to security. Chapter one is essentially an extension of the introduction, continuing to try to convince the reader that the book is worthwhile. But it also states that the author wishes to raise the awareness of security in the general public.
I rather doubt that this will be the book to do so: the average user will be put off by both the size and the subtitle's emphasis on Internet sites and networks, neither of which the average user will run. The (very verbose) sales pitch continues in chapter two with rather generic promises of the goodies offered to all manner of readers, and a list of chapters to come. (Of course, nudge, nudge, wink, wink, some unethical people might use this information for cracking, nudge, nudge, but none of *us* upstanding people would do that, right? wink, wink) Having been rather careless with the term "hacker" up to this point, chapter three belatedly attempts to distinguish between hackers and crackers. It doesn't succeed very well, being a pretty faint-hearted try. Chapter four lists a number of security penetrations in a bid to prove that anyone can be attacked.

Part two moves into more of a technical background to security. Chapter five looks at the complexity of current network systems and other factors militating against safety. A brief introduction to the TCP/IP protocol suite is given in chapter six. Chapter seven gives some random material on the Internet, programming, and UNIX. A variety of Internet problems are briefly mentioned in chapter eight.

Part three looks at a number of the more common security penetration tools. Chapters nine through fourteen discuss scanners, password crackers, trojans, password sniffers, identity tools, and malicious software respectively. Advice on how to deal with these problems varies in depth, but generally is not extensive. As only one example, the author does recommend that Web browsers be set to alert the user when a cookie is being set, but fails to give the slightest indication of how this is to be accomplished. The section on viruses is the book in miniature: not necessarily *all* wrong, but overly verbose, lacking in insight, and missing those points that would really be helpful to the computer user or manager.

Part four reviews a number of operating system platforms. Chapter fifteen presents the concept of vulnerabilities (termed as "holes"). In spite of the fact that MS-DOS, Windows 3.x, and Windows 95 have no appreciable security, chapter sixteen lists a large number of security penetration programs for them. (It also has a rather odd reference demonstrating that the author does not actually understand how the CMOS password functions work.) Chapter seventeen does contain a collection of the more common suggestions for securing a UNIX box. Tools for breaking Novell NetWare are displayed in chapter eighteen. Cracking tools for VMS are listed in chapter nineteen. Chapter twenty has both cracking and some protection software for the Mac. The installation of the Plan 9 operating system is discussed in chapter twenty one.

Part five gives some advice on what to go after when you crack a system. Chapter twenty two suggests that root access is a suitable target. Chapter twenty three points out that it is easier to crack a system with partial access or inside information. Consultants seem to be the topic of chapter twenty four.

Part six gives information on how to penetrate a system from outside. Chapter twenty five looks at gathering information about the target. Rather obvious statements about levels of attack are made in chapter twenty six. Chapter twenty seven is a simple review of packet filtering firewalls. IP spoofing is discussed in chapter twenty eight. Telnet attacks cover a wide range, so it is surprising that chapter twenty nine is so short. Chapter thirty looks at loopholes in Web page programming.

Part seven, chapter thirty one, reviews legal aspects, and for once even mentions laws outside the US.

Basically, there is a whole lot of partial information here. It is a handy list of security related Web sites, but made less useful by the bulked out verbiage between the listings.
In addition, it is rather plain to see that there is far greater emphasis on cracking than on protection. (After all, how vital is it to securing your system to know the algorithm for generating fake Microsoft software registration keys?) All you teenage-mutant-cyberscofflaw-wannabes might be disappointed, though: the information is almost never complete.

copyright Robert M. Slade, 1998 BKMAXSEC.RVW 980501