[ISN] REVIEW: "Hacker Proof", Lars Klander

From: mea culpa (jerichoat_private)
Date: Tue Apr 06 1999 - 09:14:14 PDT


    Forwarded From: "Rob Slade" <rsladeat_private>
    
    BKHKRPRF.RVW   990228
    
    "Hacker Proof", Lars Klander, 1997, 1-884133-55-X, U$54.95/C$74.95
    %A   Lars Klander lklanderat_private
    %C   2975 S. Rainbow Blvd., Suite 1, Las Vegas, NV   89102
    %D   1997
    %G   1-884133-55-X
    %I   Jamsa Press/Gulf Publishing Co.
    %O   U$54.95/C$74.95 800-432-4112 fax 713-525-4670 starksmat_private
    %P   660 p. + CD-ROM
    %T   "Hacker Proof: The Ultimate Guide to Network Security"
    
    There is a great deal of information on security contained within this
    book.  Unfortunately, it is presented without a cohesive framework.  The
    overall impression is good.  A lot of the forms that would make up a
    useful work are followed, such as a summary (rather ironically, in view of
    the scattered nature of the text, called "Putting It All Together") and a
    set of resources at the end of every chapter.  The author seems to be
    easily distracted, continually jumping to the next, more sensational,
    topic. 
    
    Although not divided into parts, the contents do have some logical
    divisions.  Initially, we are presented with what seems to be intended as
    background material, although the scattergun approach leaves all of the
    synthesis up to the reader.  Chapter one is a rather unfocussed
    introduction, talking as much about Internet technologies as about
    security.  Errors are rather common, ranging from chunks missing out of
    sentences to figures with no cutlines to security weaknesses that are
    essentially duplicates of each other to mailing lists that haven't
    distributed material for years (with contact addresses that are even
    older).  Theoretically the networking concepts and details in chapter two
    might aid in understanding system vulnerabilities, but, in fact, in the
    book they do not seem to be used effectively.  The discussion of firewalls
    does not provide sufficient information about either the needs,
    weaknesses, or possible inconveniences of the different types in chapter
    three.  The material on encryption, in chapter four, mentions a number of
    the currently important standards, but the explanations are so flawed that
    the chapter could not be used to inform a decision on the strength or use
    of a cryptographic system.  Material on the use of digital signatures is
    fairly short, and the remainder of chapter five rehashes, without really
    expanding, old ground. 
    
    Another section tries to delve into more networking protocols.  Chapter
    six, on HTTP (HyperText Transfer Protocol), is somewhat disjointed, and,
    again, fails to seriously examine the security implications.  S-HTTP
    (Secure HyperText Transfer Protocol), in chapter seven, deals mostly with
    packets and commands, although it does have some limited discussion of
    function.  The Secure Socket Layer (SSL) seems to look primarily at
    arcana rather than use. 
    
    Chapter nine looks at a few common forms of attack, but presents
    information somewhat at random.  Kerberos is reasonably well described in
    chapter ten.  Some types of electronic commerce technology are mentioned
    in chapter eleven.  There is an extremely limited look at auditing in
    chapter twelve, first for UNIX and then for NT.  A very rough look at
    security issues within the Java programming language makes up chapter
    thirteen.  Chapter fourteen's look at viruses has good basic explanations,
    but is unreliable in practice. 
    
    The remaining chapters generally look at security for specific systems. 
    Chapters fifteen to seventeen very quickly talk about individual security
    functions in NT, NetWare, and UNIX, but fail to analyze, for example, the
    effective rights granted by combinations of the different privilege
    granting mechanisms.  SATAN (System Administrator's Tool for Analyzing
    Networks) for UNIX and Kane Security Analyst for NT get quick overviews in
    chapter eighteen. Chapter nineteen presents a number of security
    vulnerabilities with the Netscape and particularly the Internet Explorer
    Web browsers.  CGI (Common Gateway Interface) form weaknesses are
    discussed in chapter twenty, but with so many different languages that the
    ultimate advice is simply don't make a mistake when programming. 
    
    The final chapter is a reasonable look at security policies.  However,
    with so many items missing from the background provided, the chance of
    producing a good policy at this point is relatively small. 
    
    As with "Maximum Security" (cf. BKMAXSEC.RVW), this book attempts to cover
    the enormous field of security by throwing out as many bits as possible. 
    Therefore large holes are apparent in the coverage.  In addition, the book
    lacks an overall framework that could be used to build a security
    structure and point the way to vulnerabilities that were not addressed. 
    For those who already are well comfortable with security as a concept,
    this volume does have a lot of references that might be of use.  For those
    new to the topic, it is not reliable enough to start with. 
    
    copyright Robert M. Slade, 1999 BKHKRPRF.RVW 990228
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Hacker News Network [www.hackernews.com]