[ISN] Book Review: "Maximum Security", Anonymous

From: mea culpa (jerichot_private)
Date: Tue Jul 21 1998 - 08:10:31 PDT


    Posted to: Risks Digest 19.85
    Originally From: "Rob Slade" <rsladet_private>
    
    BKMAXSEC.RVW   980501
    
    "Maximum Security", Anonymous, 1997, 1-57521-268-4,
    U$49.99/C$70.95/UK#46.95
    %A   Anonymous
    %C   201 W. 103rd Street, Indianapolis, IN   46290
    %D   1997
    %E   Mark Taber newtech_mgrt_private
    %G   1-57521-268-4
    %I   Macmillan Computer Publishing (MCP)
    %O   U$49.99/C$70.95/UK#46.95 800-858-7674 http://www.mcp.com
    %P   885 p. + CD-ROM
    %T   "Maximum Security"
    
    Rather loudly promoted on the net these days, the major selling point of
    this book is that it was written "by an experienced hacker."  Supposedly
    one who spent some time as a guest of Uncle Sam for fiddling bank
    machines.  (Some of what we are told about the author does not fit with
    the contents of the book, but then, as an old professional paranoid, I may
    be unduly suspicious.)  Leaving aside questions of morality and
    definitions of the term "hacker," let us merely observe that these people
    are the gnostics.  They are the devotees of the hidden, esoteric, and
    arcane knowledge.  Such knowledge, of course, is cheapened and weakened by
    being revealed.  Which may explain a certain reticence on a number of
    points in the book.  The introduction makes this mindset clear: Anonymous
    assumes that if you will not work diligently at his direction you do not
    deserve to secure your system.  One can almost feel his glee at the
    expectation that thousands of sysadmins around the world will be wracking
    their brains and flooding Usenet with discussions of the significance of
    his clues to the vital encrypted message he has hidden on the CD-ROM. 
    This does, of course, presume that his direction, and the contents of the
    book, warrant the effort to try and guess his riddle. 
    
    Part one might be characterized as a social background to security. 
    Chapter one is essentially an extension of the introduction, continuing to
    try to convince the reader that the book is worthwhile.  But it also
    states that the author wishes to raise the awareness of security in the
    general public.  I rather doubt that this will be the book to do so: the
    average user will be put off by both the size and the subtitle's emphasis
    on Internet sites and networks, neither of which the average user will
    run.  The (very verbose) sales pitch continues in chapter two with rather
    generic promises of the goodies offered to all manner of readers, and a
    list of chapters to come.  (Of course, nudge, nudge, wink, wink, some
    unethical people might use this information for cracking, nudge, nudge,
    but none of *us* upstanding people would do that, right? wink, wink)
    Having been rather careless with the term "hacker" up to this point,
    chapter three belatedly attempts to distinguish between hackers and
    crackers.  It doesn't succeed very well, being a pretty faint-hearted try. 
    Chapter four lists a number of security penetrations in a bid to prove
    that anyone can be attacked. 
    
    Part two moves into more of a technical background to security.  Chapter
    five looks at the complexity of current network systems and other factors
    militating against safety.  A brief introduction to the TCP/IP protocol
    suite is given in chapter six.  Chapter seven gives some random material
    on the Internet, programming, and UNIX.  A variety of Internet problems
    are briefly mentioned in chapter eight. 
    
    Part three looks at a number of the more common security penetration
    tools.  Chapters nine through fourteen discuss scanners, password
    crackers, trojans, password sniffers, identity tools, and malicious
    software respectively.  Advice on how to deal with these problems varies
    in depth, but generally is not extensive.  As only one example, the author
    does recommend that Web browsers be set to alert the user when a cookie is
    being set, but fails to give the slightest indication of how this is to be
    accomplished.  The section on viruses is the book in miniature: not
    necessarily *all* wrong, but overly verbose, lacking in insight, and
    missing those points that would really be helpful to the computer user or
    manager. 
    
    Part four reviews a number of operating system platforms.  Chapter fifteen
    presents the concept of vulnerabilities (termed as "holes").  In spite of
    the fact that MS-DOS, Windows 3.x, and Windows 95 have no appreciable
    security, chapter sixteen lists a large number of security penetration
    programs for them.  (It also has a rather odd reference demonstrating that
    the author does not actually understand how the CMOS password functions
    work.)  Chapter seventeen does contain a collection of the more common
    suggestions for securing a UNIX box.  Tools for breaking Novell NetWare
    are displayed in chapter eighteen.  Cracking tools for VMS are listed in
    chapter nineteen.  Chapter twenty has both cracking and some protection
    software for the Mac.  The installation of the Plan 9 operating system is
    discussed in chapter twenty one. 
    
    Part five gives some advice on what to go after when you crack a system. 
    Chapter twenty two suggests that root access is a suitable target. 
    Chapter twenty three points out that it is easier to crack a system with
    partial access or inside information.  Consultants seem to be the topic of
    chapter twenty four. 
    
    Part six gives information on how to penetrate a system from outside. 
    Chapter twenty five looks at gathering information about the target. 
    Rather obvious statements about levels of attack are made in chapter
    twenty six.  Chapter twenty seven is a simple review of packet filtering
    firewalls.  IP spoofing is discussed in chapter twenty eight.  Telnet
    attacks cover a wide range, so it is surprising that chapter twenty nine
    is so short.  Chapter thirty looks at loopholes in Web page programming. 
    
    Part seven, chapter thirty one, reviews legal aspects, and for once even
    mentions laws outside the US. 
    
    Basically, there is a whole lot of partial information here.  It is a
    handy list of security related Web sites, but made less useful by the
    bulked out verbiage between the listings.  In addition, it is rather plain
    to see that there is far greater emphasis on cracking than on protection. 
    (After all, how vital is it to securing your system to know the algorithm
    for generating fake Microsoft software registration keys?)  All you
    teenage-mutant-cyberscofflaw-wannabes might be disappointed, though: the
    information is almost never complete. 
    
    copyright Robert M. Slade, 1998   BKMAXSEC.RVW   980501
    
    
    


