[ISN] REVIEW: "Hacking for Dummies", Kevin Beaver

From: InfoSec News (alerts@private)
Date: Mon Nov 13 2006 - 23:45:00 PST


Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade@private>

BKHACKDM.RVW   20060910

"Hacking for Dummies", Kevin Beaver, 2004, 0-7645-5784-X,
U$24.99/C$35.99/UK#16.99
%A   Kevin Beaver kbeaver@private
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2004
%G   0-7645-5784-X
%I   John Wiley & Sons, Inc.
%O   U$24.99/C$35.99/UK#16.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/076455784X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/076455784X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/076455784X/robsladesin03-20
%O   Audience i- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   358 p.
%T   "Hacking for Dummies"

Why, yes, now that you mention it, I believe that I *did* use this
title in an April Fools joke back in 2002 (cf. BKHAKDUM.RVW).  Turns
out the joke's on me: this time they're serious.

Actually, the introduction points out that the book is about "ethical"
hacking (otherwise known as penetration testing), and is intended for
system administrators, information security managers, and security
consultants who want some tips on security assessment.  So it isn't
exactly a "hack to secure" book, but I can't be expected to be happy
about the title.

Part one is supposed to give you a foundation for ethical hacking. 
Chapter one, an introduction, sets out the usual "set a thief to catch
a thief" argument, lists some attack types, and recommends that
readers be ethical.  The usual "hacker mindset" stereotypes are in
chapter two.  Chapter three has a terse but reasonable list of
questions that may assist you in planning for a penetration test. 
Some initial sources of information that attackers will use to direct
their assaults are given in chapter four.

Part two purports to get you started on the attack itself.  Chapter
five has a basic but haphazard discussion of social engineering. 
Physical security is important, but the material in chapter six is
incomplete, and concentrates more on attacks than countermeasures. 
Random trivia about passwords is in chapter seven.

Part three turns to networks.  Chapter eight looks at wardialling.  (I
agree that the practice should not be ignored, if only to find
neglected modems, but the content is still obsolete.)  A list of
vulnerability scanning tools makes up chapter nine.  Wireless hacking,
in chapter ten, has a catalogue of tools, but also suggests useful
countermeasures.

Part four looks at hacking the operating system.  Chapter eleven
repeats the inventory of Windows tools, twelve repeats the Linux
utilities, and thirteen has different tools--because they are
especially for Novell NetWare.

Part five moves to application hacks.  Poor information about malware,
and weak suggestions about testing, are in chapter fourteen.  Attacks
against email and instant messaging, in chapter fifteen, are random,
esoteric, and unrealistic.  The content about attacks directed against
web applications, in chapter sixteen, is disorganized and poorly
explained.

Part six deals with the outcomes and results of an ethical hack. 
Chapter seventeen provides a terse list of contents for penetration
test reports.  Rectifying security problems is minimally covered in
chapter eighteen.  Ongoing security assessment and awareness programs
are suggested in nineteen.

Part seven is the part of tens, comprising ten tips for getting
management "buy-in" (for the idea of "ethical hacking") and ten
mistakes (in conducting a penetration test).

This book may be helpful as a source for suggesting vulnerability
scanning tools, but not much else.

copyright Robert M. Slade, 2006   BKHACKDM.RVW   20060910


======================  (quote inserted randomly by Pegasus Mailer)
rslade@private     slade@private     rslade@private
Microsoft gambled that making their users fault-tolerant was a
better use of resources than making their software reliable.
                                                      - Paul Guertin
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm


_________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Mon Nov 13 2006 - 23:53:05 PST