
Chained Exploits: Advanced Hacking Attacks from Start to Finish Review


I looked forward to Chained Exploits (CE) by Whitaker, Evans and Voth with much anticipation as the concept is a much-needed addition to the lexicon on information security. Often academic fields are severely limited by the vocabulary available to discuss issues and the "chained exploit" is sure to become a mainstay in the discourse of information security. Despite my enthusiasm for the concept, however, I was disappointed by the material presented in CE. The genius of the chained exploit is that it upends the traditional threat matrix, typically presented as:
[value of resource] x [likelihood of exploit] = [risk level]
For example, a high value resource that is unlikely to be exploited should be ranked as a low risk, as should a low value resource that is likely to be exploited. Think of this in terms of a temporary database of publicly available information used to populate a user demonstration website that is wiped out every 24 hours. If that information is compromised it has no value, so even if the compromise is likely it is a low risk system. Conversely, if a system that contains critical financial information is confined to a single workstation that is removed from any networking and housed in a guarded facility, it too is a low risk system (since the likelihood of compromise is low).
Unfortunately many auditors make risk assessments based on circumstances in a vacuum. This is where the concept of "chained exploits" becomes so valuable. For instance, if a vulnerability were discovered in a local binary accessible to users that allows privilege escalation, but the local binary exists on a system that has no users (other than administrators who already have root privileges) it is often considered a low risk. Many times patches for these sorts of vulnerabilities are not installed because the patch could introduce instability and would not be considered worthy of the expense given the low risk. Similarly a vulnerability could be discovered in a web service that when exploited could allow a remote attacker to gain an unprivileged local account that, say, only had access to read and write to the /tmp directory. This could also be considered a low risk since such limited access wouldn't present any threat to the system. However, if you "chained exploits" for the two vulnerabilities you suddenly have a condition where a remote attacker can gain a local account and elevate their privilege! This contravenes the low risk ranking of the individual vulnerabilities. When combined they suddenly become a very high risk to the system.
It was this sort of "chain" that I hoped CE would explore. Instead the material presented in the book consisted of context to several high risk vulnerabilities to explain why they might be used in tandem. For instance, the book would propose a scenario where a remote attacker installed a backdoor rootkit on a corporate network workstation then used that workstation to access the central database using default system administrator credentials. Each of the conditions used in these "chains" is extremely high risk already, and thus the book doesn't present any new material for seasoned information security professionals to consider.
For a novice this book is a great resource. It is full of the sorts of horror stories that professionals are all too familiar with, but could potentially be eye opening for a neophyte or someone unfamiliar with computer security. At the very least it is a page-turning exploration of very real and often underappreciated risks to enterprises.
I was disappointed that the book didn't raise the level of discourse in the information security field but I suspect that wasn't the point of Chained Exploits. Instead it reads like a greatest hits sequence prepared by veteran penetration testers. It makes for interesting reading, but it isn't particularly informative. Don't look for any new 0 day exploits (or even a discussion of how to find such flaws). Instead the book contains a litany of well known routes to system compromise and illustrative narratives that tie them together in real world scenarios.

Chained Exploits: Advanced Hacking Attacks from Start to Finish Overview

The complete guide to today's hard-to-defend chained attacks: performing them and preventing them

Nowadays, it's rare for malicious hackers to rely on just one exploit or tool; instead, they use "chained" exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don't cover them at all. Now there's a book that brings together start-to-finish information about today's most widespread chained exploits–both how to perform them and how to prevent them. Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today's most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering. Writing for security, network, and other IT professionals, the authors take you through each attack, one step at a time, and then introduce today's most effective countermeasures–both technical and human.

Coverage includes:
Constructing convincing new phishing attacks
Discovering which sites other Web users are visiting
Wreaking havoc on IT security via wireless networks
Disrupting competitors' Web sites
Performing–and preventing–corporate espionage
Destroying secure files
Gaining access to private healthcare records
Attacking the viewers of social networking pages
Creating entirely new exploits
and more

Andrew Whitaker, Director of Enterprise InfoSec and Networking for Training Camp, has been featured in The Wall Street Journal and BusinessWeek. He coauthored Penetration Testing and Network Defense. Andrew was a winner of EC Council's Instructor of Excellence Award.

Keatron Evans is President and Chief Security Consultant of Blink Digital Security, LLC, a trainer for Training Camp, and winner of EC Council's Instructor of Excellence Award.

Jack B. Voth specializes in penetration testing, vulnerability assessment, and perimeter security. He co-owns The Client Server, Inc., and teaches for Training Camp throughout the United States and abroad.

informit.com/aw
Cover photograph © Corbis / Jupiter Images
$49.99 US $59.99 CANADA


Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century Review


I must start this review by stating the lead author lists me in the Acknowledgments and elsewhere in the book, which I appreciate. I also did consulting work years ago for the lead author's company, and I know the lead author to be a good guy with a unique eye for applying geography to network security data. Addison-Wesley provided me a review copy.
I did not participate in the writing process for Practical Intrusion Analysis (PIA), but after reading it I think I know how it unfolded. The lead author had enough material to write his two main sections: ch 10, Geospatial Intrusion Detection, and ch 11, Visual Data Communications. He realized he couldn't publish a 115-page book, so he enlisted five contributing authors who wrote chapters on loosely related security topics. Finally the lead author wrote two introductory sections: ch 1, Network Overview, and ch 2, Infrastructure Monitoring. This publication-by-amalgamation method seldom yields coherent or helpful material, despite the superior production efforts of a company like Addison-Wesley. To put a point on PIA's trouble, there's only a single intrusion analyzed in the book, and it's in the lead author's core section. The end result is a book you can skip, although it would be good for chapters 4 and 10 to be published separately as digital "Short Cuts" on InformIT.
Chapters 1 and 2 are not needed. Anyone who needs to learn about networking can read a basic book already published. Ch 2 does mention that 802.1AE (if ever implemented) will hamper network traffic inspection, but you could read that online.
Ch 3 is odd because it begins by mentioning well-worn methods to evade network detection, followed by a discussion of the merits of Snort vs Bro. Someone who had to read the material in chapters 1 and 2 is not going to understand the Snort discussion, especially when it mentions byte_test, depth, regex, http_inspect, uricontent, Structured Exception Handlers, and 16 line Snort signatures. I liked seeing Bro mentioned, but the people who are going to be able to follow the sample Bro policy scripts on pages 75-78 are not the ones reading this book.
Ch 4 outlines several examples of writing signatures for Snort. This section is actually interesting, but you have to know Snort and certain advanced topics pretty well to get value from this section. Readers need to compensate for the far-too-small screenshots and lack of supporting details while reading the examples. Readers also need to figure out what the author is doing, such as when he sets up a client-side exploit against FlashGet by starting a malicious FTP server with flashget-overflow.pl. By the second example he's dropping warnings like "Had Core's advisory told you from where the size of the call to memcpy was coming, you might have to refine the signature to check for the appropriate behavior; unfortunately, the disassembly left out that argument:" [cue the ASM]. The bottom line with this chapter is this: know your audience, and write for them -- not your buddies. People who can follow contributions like this "at line speed" aren't going to read this book.
By ch 5 the "practical" aspect of this book has been left behind, with a discussion of "proactive intrusion prevention and response via attack graphs," which is really an academically-derived discussion of "topological vulnerability analysis." No one does this in the operational world, and no one will. Pages 143-144 talk about IDMEF, even though that specification died years ago. (There is still an independently-maintained -- as of Feb 09 -- Snort-IDMEF plugin. I don't know anyone in industry using it.)
Ch 6 is a generic overview of using network flows. The only new material is less than a page on IPFIX, which is just a table comparing that newer format with NetFlow. Ch 7 is called "Web Application Firewalls," but it's just an overview. Read Ivan Ristic's Apache Security or Ryan Barnett's Preventing Web Attacks with Apache if you want to know this topic. Ch 7 is titled "Wireless IDS/IPS," which is an even shallower overview than the previous topic. In none of these chapters do we have anything practical nor any intrusions analyzed. Ch 9 discusses physical security, but I didn't think it fit with the intended theme for the book.
I thought chapter 10 was interesting. Geospatial and visualization techniques do have a role in many operations, and ch 10 had the only example of an intrusion analysis. Unfortunately I don't think readers could take ch 10 and implement their own operational system. Ch 11 seemed irrelevant in light of the excellent visualization books by Raffy Marty and Greg Conti.
The book finishes with ch 12, Return on Investment: Business Justification. It was totally unnecessary: cite some regulations, list some breach costs, then compare ROI, NPV, and IRR. Talk a little about MSSPs and cyber liability insurance, then end. If you really want the best discussion of security costs, read Managing Cybersecurity Resources by Gordon and Loeb.
The subtitle for PIA is "Prevention and Detection for the Twenty-First Century." Readers will not find that in PIA. The lead author started with a kernel of a good idea, but the end result does not deliver enough real value to readers. The lead author's material, and the chapter on Snort signature writing, could have been published as digital Short Cuts, or included in a compendium of chapters in a "survey" book. If you want to read a book on intrusion analysis, you're more likely to be satisfied reading a book on intrusion forensics.

Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century Overview

"Practical Intrusion Analysis provides a solid fundamental overview of the art and science of intrusion analysis." –Nate Miller, Cofounder, Stratum Security

The Only Definitive Guide to New State-of-the-Art Techniques in Intrusion Detection and Prevention

Recently, powerful innovations in intrusion detection and prevention have evolved in response to emerging threats and changing business environments. However, security practitioners have found little reliable, usable information about these new IDS/IPS technologies. In Practical Intrusion Analysis, one of the field's leading experts brings together these innovations for the first time and demonstrates how they can be used to analyze attacks, mitigate damage, and track attackers. Ryan Trost reviews the fundamental techniques and business drivers of intrusion detection and prevention by analyzing today's new vulnerabilities and attack vectors. Next, he presents complete explanations of powerful new IDS/IPS methodologies based on Network Behavioral Analysis (NBA), data visualization, geospatial analysis, and more.

Writing for security practitioners and managers at all experience levels, Trost introduces new solutions for virtually every environment.

Coverage includes
Assessing the strengths and limitations of mainstream monitoring tools and IDS technologies


Googling Security: How Much Does Google Know About You? Review


It has been suggested that if one was somehow able to change history so that aspirin had never been discovered until now, it would have died in the lab and stand no chance of FDA approval. In a report from the Manhattan Institute, they write that no modern drug development organization would touch it. Similarly, if we knew the power that Google would have in 2008 with its ability to aggregate and correlate personal data, it is arguable that various regulatory and privacy bodies would never allow it to exist given the extensive privacy issues.
In a fascinating and eye-opening new book Googling Security: How Much Does Google Know About You?, author Greg Conti explores the many security risks around Google and other search engines. Part of the problem is that in the rush to get content onto the web, organizations often give short shrift to the security and privacy of their data. At the individual level, those who make use of the innumerable and ever expanding amount of Google free services can end up paying for those services with their personal information being compromised, or shared in ways they would not truly approve of; but implicitly do so via their acceptance of the Google Terms of Service.
While the book focuses specifically on Google, the security issues detailed are just as relevant to Yahoo, MSN, AOL, Ask and the more than 50 other search engines.
Until now, Google and security have often not been used together. As an example, my friend and SEO guru Shimon Sandler has a blog around search engine optimization (SEO). In the over three years that his blog has been around, my recent post on The Need for Security in SEO was the first on the topic of SEO security. Similar SEO blogs also have a very low number (and often no) articles on SEO and security. Sandler notes that when he mentions privacy issues around search to his clients, it is often the first time they have thought of it.
The book opens with the observation that Google's business model is built on the prospect of providing its services for free. From the individual user's perspective, this is a model that they can live with. But the inherent risk is that the services really are not completely free; they come at the cost of the loss of control of one's personal information that they share with Google.
The book lists over 50 Google services and applications which collect personal information. From mail, alerts, blogging, news, desktop, images, maps, groups, video and more. People are placing a great deal of trust into Google as each time they use a Google service, they are trusting the organization to safeguard their personal information. In chapter 5, the book lists over 20 stated uses and advantages of Google Groups, and the possible information disclosure risks of each.
In the book's 10 chapters, the author provides a systematic overview of how Google gets your personal data and what it does with it. In chapter 3, the book details how disparate pieces of data can be aggregated and mined to create extremely detailed user profiles. These profiles are invaluable to advertisers who will pay Google dearly for such meticulous user data. This level of personal data aggregation was impossible to obtain just a few years ago, given the lack of computing power, combined with the single point of user data. The book notes that this level of personalization, while golden to advertisers, is a privacy anathema.
Chapter 6 is particularly interesting in that it details the risks of using Google Maps. Conti explains that the privacy issue via the use of Google Maps is that it combines disclosure risks of search and connects it to mapping. You are now sharing geographic locations and the associated interactions. By clicking on a link in a Google map, the user discloses and strengthens the link between the search they performed and what they deemed as important in the result. By aggregating source IP addresses and destinations searches, Google can easily ascertain confidential data.
After detailing over 250 pages of the risks of Google and related services, Chapter 9 is about countermeasures. Short of simply not using the services, the book notes that there is no clear solution for protecting yourself and company from web-based information disclosure. Nonetheless, the chapter lists a number of things that can be done to reduce the threat. Some are easier, some are harder; but they can ultimately add up to a significant layer of protection. Chapter 9 details 11 specific steps that help users appreciate the magnitude of their disclosures and make informed decisions about which search services to use.
Googling Security: How Much Does Google Know About You? is an important book given that far too many people do not realize how much personal information they are disclosing on a daily basis. An important point that the book makes is that small information disclosures are not truly small when they are aggregated over the course of years. Advances in data mining and artificial intelligence are magnifying the importance of the threat, all under the guise of improving the end-user experience. The book emphasizes the need to evaluate the short-term computing gains with the long-term privacy losses.
The final chapter notes that apathy is the enemy. As a user becomes aware of the magnitude of the threat, they will see it grow every day. But the next step is to take action. Be it with technical countermeasures, taking your business where privacy is better supported, or petitioning lawmakers.
As to the underlying question, "how much does Google know about you?", the answer is that it is a colossal amount, far more than most people realize. For anyone who uses the Internet, Googling Security should be on their list of required reading. The risks that Google and other search engines present are of great consequence and can't be overlooked. If not, privacy could slowly be a thing of the past.
Googling Security: How Much Does Google Know About You Overview

What Does Google Know about You? And Who Are They Telling?

When you use Google's "free" services, you pay, big time–with personal information about yourself. Google is making a fortune on what it knows about you…and you may be shocked by just how much Google does know. Googling Security is the first book to reveal how Google's vast information stockpiles could be used against you or your business–and what you can do to protect yourself.

Unlike other books on Google hacking, this book covers information you disclose when using all of Google's top applications, not just what savvy users can retrieve via Google's search results. West Point computer science professor Greg Conti reveals the privacy implications of Gmail, Google Maps, Google Talk, Google Groups, Google Alerts, Google's new mobile applications, and more. Drawing on his own advanced security research, Conti shows how Google's databases can be used by others with bad intent, even if Google succeeds in its pledge of "don't be evil."

Uncover the trail of informational "bread crumbs" you leave when you use Google search
