Review: Cyber Crime

[The date of publication is not known.]

Cyber Crime
How to Protect Yourself from Computer Criminals
Laura E. Quarantiello
0-936653-74-4, Tiare Publications/Limelight Books

Part One:

Chapter One – ‘Terrorism On Line: Inside Computer Crime’: Chapter one opens with defining computer crime, and does a decent (and fair) job of defining why hackers hack. “In the end, it all comes down to one of those six reasons.”

Chapter Two – ‘Computer Criminals and their Crimes: Digital Outlaws’: Starting out with ‘phreaking’, the author gives a brief history of hackers and the phone systems. Unfortunately, a serious lack of research shines through in this chapter, where a list of “phreaker boxes” is quoted. It has been well established that a majority of these boxes never worked, and were little more than wishful thinking by hackers with little knowledge of the phone system. The rest of the chapter delves into different aspects of hacking and how hackers evolved.

Chapter Three – ‘Cyber-Sneezes: Viruses’: As with most computer security books, this is the token chapter on computer viruses.

Chapter Four – ‘The Darkest Side to Computer Crime: Threats to Your Personal Safety and Property’: Chapter four begins by giving contrast between crime and virtual crime. One admirable feature is the clarification that not all online pedestrians will be mugged by cybercriminals. Unfortunately, a good portion of the chapter deals with ‘stalking’, pornography, and child pornography, which seems out of place in contrast with other sections.

Part Two:

Chapter Five – ‘Cyber Security: Foiling Computer Criminals and Staying Safe’: This chapter suffers the problem of trying to squeeze too much information into a small place. Writing about how to secure your systems should take books. Starting out with the idea of ‘weak links’, they abruptly end after two and move into other non-numbered categories. While a decent effort, it brings its failure upon itself by trying.

Chapter Six – ‘Cyber-Cops: Walking the Digital Beat’: Much to the dismay of law enforcement, this chapter paints a relatively accurate picture of the state of computer crime and law enforcement’s ability to deal with it (considering when the book was written). Toward the end of the section, contact info for CERT and the advice to call the FBI are given: the exact organizations the author found lacking.

Overview: For a 100 page, 1 hour read, this book does a better than average job of portraying computer crime. Despite the handful of errors, the author gives a fair overview of computer crime, hackers, and law enforcement.

Review: The Happy Hacker: A Guide to (Mostly) Harmless Computer Hacking

[The date of publication is not known.]

The Happy Hacker: A Guide to (Mostly) Harmless Computer Hacking
Carolyn P. Meinel
0-929408-21-7, 268 pages, American Eagle Publications
Technical Editors: John D. Robinson, Roger A. Prata, Daniel Gilkerson, Damian Bates, Mark Schmitz, Troy Larsen

My first impression of the book was a make money fast scheme gone wrong. Cashing in on the buzzword of the 90’s, Ms. Meinel runs the word ‘hacker’ into the ground by the end of chapter 1.

Looking past the glaring errors in grammar and spelling, the reader must deal with the constant technical errors, contradictions, and overall lacking ‘style’ the author uses. The book consists of material that has mostly been published on the web in various states (also technically incorrect), and brings no new insight to the subject she claims to teach.

As far as teaching ‘hacking’, I couldn’t find a single quality reference or section that dealt with hacking. Considering the questionable past of the author, the book furthers thoughts that she has no experience as a hacker, security consultant, or anything related to computers at all.

What most people consider novelty ‘tricks’ like changing a Win95 bootup screen, Ms. Meinel touts as ‘hacking’. The continued reference to Windows 95 and lack of Unix information further suggests the book isn’t about hacking at all, rather simple tricks and documented options that can be found in most Windows books.

For those interested in learning hacking, stick to more positive sources. Check out some other security books or online resources. Hacking is not something that can be taught from a book, it is more a state of mind and desire to learn. After reading this book, users can expect to find themselves in a confused state with more questions than they started with. Unfortunately, they find themselves with no more insight on where the answers may be found either.

Page 67: “I make my living asking dumb questions.” Quoted material is straight from the author’s mouth, and seems to be dead on with the technical level of the book.

Review: Investigating Computer Crime

[The date of publication is not known.]

Investigating Computer Crime
Franklin Clark, Ken Diliberto
0-8493-8158-4, 228 pages, CRC Press, INC

Chapter 1 – “Computer Search Warrant Team”: Chapter one starts out quick and to the point. In this three page chapter, the authors outline six groups that make up a computer search warrant team: supervisor, interview team, sketch/photo team, physical search team, security/arrest, and technical evidence seizure team.

Chapter 2 – “Computer-Related Evidence”: A detailed list of types of evidence that can be found at a subject’s location. The chapter lists types of evidence, shows where it might be found, gives examples, as well as includes pictures. Unfortunately, the common stereotyping of hackers begins here which may distract the reader from the facts.

Chapter 3 – “Investigative Tool Box”: Every investigative team should carry a toolkit to effectively perform their duties. The advice and recommendations in this chapter seem to focus on MSDOS and Win 3.1 systems. Programs and software tend to be Windows based commercial programs. Little mention is made of OS/2, UNIX, or more obscure OSs.

Chapter 4 – “Crime Scene Investigation”: Each investigation must go through certain steps to be effectively completed. Starting with scene evaluation and ending with “completing the search”, this chapter goes step by step through the required process.

Chapter 5 – “Making a Boot Disk”: Once again, this chapter seems to focus on MSDOS based systems. Those investigating Unix or NT systems will not benefit from the information here. Since a majority of systems are now 95, NT, or Unix, this chapter could stand for a second version.

Chapter 6 – “Simple Overview of Seizing a Computer”: Chapter six is nothing more than a three page checklist overview of the steps in seizing a computer. Unfortunately, it doesn’t go into much detail or prepare the reader for uncommon occurrences.

Chapter 7 – “Evidence Evaluation and Analysis”: Once the material has been collected from the subject computer, the long process of examining the files begins. Covering the different types of files like spreadsheets, databases, or graphics, this chapter focuses on DOS or Win based computers.

Chapter 8 – “Investigating Floppies”: Much like the previous chapter, this one applies to any floppy disks seized in a warrant.

Chapter 9 – “Common File Extensions”: A three page list of common file extensions. Aside from the duplicate entries (like ‘gif’), there is a noticeable lack of other extremely common extensions like ‘tar’, ‘gz’, or ‘arj’.

Chapter 10 – “Passwords and Encryption”: While covering passwords and elements of good password security, the chapter falls very short on practical encryption. Someone new to investigating computer crime is likely to walk away thinking that encryption will not be a big hurdle when encountered. Rather than cover more on PGP, CFS, or SFS, the chapter goes into BBS passwords, Quicken, Word Perfect, and similar programs.

Chapter 11 – “Investigating Bulletin Boards”: The obvious base of the author’s experience, this chapter goes into details on BBSs, their operation, finding them, and more. Along with some information on elements of a BBS, suggestions are made for the L.E. officer poking around new BBSs. Guidelines for investigators trying to infiltrate a BBS are given, but the concept of fitting in seems to fall short.

Chapter 12 – “‘Elite’ Acronyms”: The mere existence of this chapter along with the short list suggests the authors don’t fully grasp the depth of the ‘underground’ scene. While listing some obscure groups I have personally never heard of, they leave off well known and overly used acronyms often used among the scene.

Chapter 13 – “Networks”: Perhaps one of the more concise chapters, this section gives a good summary of networks, network devices, and network operating systems. Understanding networks is the key to properly investigating.

Chapter 14 – “Ideal Investigative Computer Systems”: Though written in 1996, the recommended systems for investigators as outlined seem appropriately detailed. However, while the outline does provide a decent foundation for new investigators to work from, it seems rather short-sighted.

Chapter 15 – “Court Procedures”: Often one of the more elusive and more misunderstood components of a computer crime investigation, the court procedures are often the most critical. This chapter touches on expert witnesses, pretrial preparation, terminology, and more.

Chapter 16 – “Search Warrants”: By citing case law and specific examples the authors have encountered, a good coverage of details on types and differences of various search warrants is presented. Included in the chapter are sample warrants from previous cases to give the reader a solid idea of what they encompass.

Overview: For someone new to investigating computer crime, this is the ideal book for you. Not only does it cover most aspects of an investigation, it does so by providing examples and pictures for reinforcement. To the experienced investigator, the book may fill in a few small gaps or bring to light a new element previously overlooked. Lastly, to anyone working on cases involving Unix or the internet, this book is not for you.

Review: Time Based Security

[The date of publication is not known.]

Time Based Security
Practical and Provable Methods to Protect Enterprise and Infrastructure, Networks and Nation
Winn Schwartau
0-672-31341-3, 174 pages, Interpact Press

What is TBS (Time Based Security)? TBS is defined by the author as “a non-technical examination of the very foundation of the technical realities of the networked society. It is designed for a wide audience with varying skill sets, backgrounds and business needs.” Unfortunately, the title’s use of “practical and provable methods to protect enterprise and infrastructure, networks and nation” implies (to me) that the book will cover practical and applicable solutions to the problems pointed out. Rather than presenting solutions, the author gives a high level diagnosis of the problem, as well as simple-to-use equations for determining how it affects your organization.

The first fourteen chapters (each chapter averages 4.5 pages) go into the description and foundation of TBS. Schwartau calls on well grounded and practical examples to convey the importance of utilizing a security plan that utilizes TBS. From the foundation, simple equations are designed to contrast the importance of Protection, Detection, and Reaction (the key elements of TBS).

The next few chapters go into various security concepts and how they apply to a TBS model. Starting with ‘Defense in Depth’ (Chapter 17), Schwartau applies practical examples to his TBS equations and shows how to factor in elements such as multi layered security. Unfortunately, these chapters (especially ‘Sequential Time-Based Security’ [Chapter 18]), are extremely short and lack the description needed to adequately convey their importance.

The remaining chapters cover a wider variety of topics and expand past the TBS model a bit more. Some of these topics are Reaction Channels, TBS Reaction Matrices & Empowerment, and Using TBS in Protection.

Overview: While TBS presents a great overview of the concepts and effects of Time based Security, it does not present a grounded practical method for implementing these ideas into a working network. Technical people reading this book will no doubt question the book’s claims of it being “your handbook for protecting intangible things of value that have no physical substance.” Management and non-technical people however, should definitely read this book. Schwartau cites easy to use examples and layman’s terms to explain the risks your network suffers.

Review: Ethical and Social Issues in the Information Age

[The date of publication is not known.]

Ethical and Social Issues in the Information Age
Undergraduate Texts in Computer Science
Joseph Migga Kizza
0-387-98275-2, 172 Pages, Springer-Verlag

Overview: “Ethical and Social Issues in the Information Age” is an excellent foundation and resource for defining ethics and morals in a technological world. For any reader interested in exploring this often shady area of life, I highly recommend this be your introduction. Along with the clear and concise definitions, each chapter references real world examples to help illustrate each point and make the reader aware of the real and imagined concerns associated with each.

Chapter 1 – “Morality and the Law”: If you can judge a book by the first chapter, this book is a great read. The introduction to morality and the law starts out with clear explanation of what morality is, moral theories, moral decision making, as well as listing well established and general moral codes (such as ‘the golden rule’). By defining such concepts as ‘guilt’ and ‘judgment’, the reader is well equipped to move on and explore the different facets of ethics, morals, and how they apply to technology.

Chapter 2 – “Ethics, Technology, and Values”: The various definitions of ethics and the theories of ethics are explained very well. Providing short descriptions of major ethical theories, you begin to realize there are many more concerns than may meet the eye. Continuing on, Kizza creates an equation to explore the relation between ethics and the human mind. This chapter also goes in depth on Codes of Ethics, defines Computer Ethics, and explains why you should study Computer Ethics.

Chapter 3 – “Ethics and the Professions”: Chapter three delves into defining professional requirements and the codes that may apply to them. Kizza describes four codes: professional, personal, institutional, and community. From here, the four ‘pillars’ of professionalism are outlined and described: Commitment, integrity, responsibility, and accountability. The rest of this chapter deals with the making of an ethical profession, and the attributes that go with it.

Chapter 4 – “Anonymity, Security, and Privacy”: After defining each of these concepts, real world examples are provided to illustrate each, and help show the reason each is valuable and noteworthy. Perhaps the strongest point is the definition and breakout of ‘privacy’, and what it truly entails.

Chapter 5 – “Intellectual Property Rights and Computer Technology”: Before you can define intellectual property rights, you must qualify what property is in the technical and digital world. Once defined, there are several factors that affect the value and right of use including ‘public domain’, copyright, patents, ‘trade secret’ status, trademarks, and more. Last, you must define ownership as well as define what infringement really is. This chapter also goes into how you can better protect what is valuable to you or your company.

Chapter 6 – “Computer-Augmented Environments: The Workplace”: A few years ago, the ‘workplace’ was easily defined by four walls in a set location. In today’s world, travelling, home and virtual offices have replaced that idea. Chapter six defines this changing world and considers the effects and benefits of each. Section 6.4 goes into explicit detail about the implications and considerations of workplace privacy and surveillance. How do you monitor virtual workers? What rights do you have to monitor home activity?

Chapter 7 – “Software Issues”: Since software in one form or another controls every computer or computer component, it becomes a more important and fundamental part of our life. Even though we may not understand the languages that make up the software, we must be aware of the elements of software that affect its use. Verification and Validation, reliability, security, safety, and quality are some of the major points examined and brought to light. Section 7.2 delves into the various reasons of why software fails and who is responsible. More importantly, it covers what consumer protection exists, the rights of software buyers, and more.

Chapter 8 – “New Frontiers for Ethical Considerations: Artificial Intelligence, Cyberspace, and Virtual Reality”: Most literature on future concepts in computing typically lacks material justifying one stance or another. This book differs as it provides solid definitions of areas of computers barely defined, and more importantly, provides reference to existing work in the fields of AI and VR.

Chapter 9 – “Ethical and Social Issues in Cyberspace”: Perhaps one of the most obscured and widely (mis?)used words to describe computer culture is ‘cyberspace’. Rather than try to force an unwieldy definition on the word, Kizza gives the reader a foundation and quick background for the word. That in mind, he moves on to cover the role of copyright, patents, identity, censorship, privacy, and security and how they are affected, as well as how they affect cyberspace.

Review: @Large

[The date of publication is not known.]

@Large
The Strange Case of The World’s Biggest Internet Invasion
David H. Freedman and Charles C. Mann
ISBN: 0-684-82464-7, Hardback: $24.00

From the inside cover: “At Large is the astonishing, never-before-revealed tale of perhaps the biggest and certainly the most disturbing computer attack to date, with ominous implications for the Internet, the digital highway over which much of the nation’s business is now conducted…”

The idea of the book is to convey a story about a young man who methodically hacked various computer systems on the internet, hitting everything from prestigious colleges to military installations. Throughout the book, it goes back and forth between the hacker and the various admins and federal agents who are after him.

    To sum up the timeline of events:

    kid hacks system
    admin gets mad, tries to get feds to bust him
    kid hacks systems
    more admins get mad, try to get cert/feds to bust him
    kid hacks systems
    even more admins get mad, try to get cert/feds/cops to bust him
    feds do nothing
    kid hacks systems
    cert does nothing
    kid hacks systems
    cops do nothing
    kid hacks systems
    admins watch him more
    kid hacks systems
    few feds get ambitious, start investigation
    kid hacks systems
    feds monitor him
    kid hacks systems
    feds bust him
    kid is scared
    feds decide not to bust him

There you go. That sums up the entire book by leaving out an abundance of adjectives and dramatic writing. The kid was not a spy, did not work for anyone, and was only in it for the fun/challenge. Throughout the book, the authors attempt to convey a sense that the end of the world may come around by this one kid’s actions, yet are unable to convincingly communicate that. As they continually point out, the kid was just looking around. He was not a super duper huge big large giant spy (trying to use as many adjectives as they do).

As with most books like this, the authors seem to have lost a degree of technical accuracy. They call MS-DOS “Microsoft Digital Operating System” (uh, that’s DISK, not digital) on page 68, and go on to say it is “currently the operating system for most personal computers”. Furthermore, at one point they talk of two admins who were watching the hacker via log files. “There was no way to know who was logged into the system at the change time of the log-in program.” The first reference talks about system logs (ie: syslog, messages, etc). They make no mention that the hacker destroyed any of the “*tmp” files. In that case, that elusive command ‘last’ would have provided the information the two ‘genius’ admins needed. But wait… if we jump to page 129 we see the same admin “[keep] invoking the Last command, which checks who recently came on-line.” Little technical inaccuracies like that make technical people question the book. If they miss such trivial things like these, what else did they miss?

The last thing to consider about the entire story is when it took place. A specific time frame isn’t mentioned, but it is more than obvious that it took place years back. This was before the FBI had considered putting together a crime unit, and very close to the whole MOD bust. That places it between 90 and late 91. At that time, the internet was learning about security. At that point in time, there were basically no security measures being taken on any system, while hacker tools grew stronger and stronger. There was more trading going on between hackers, more cooperation. Bottom line: it was fairly easy to break into places.

Compare it to now, in a world of firewalls, packet filters, strong real time encrypted data transfers, password shadowing, increased logging and auditing. Yet in today’s internet, there are dozens of hackers that put “Phantom Dialer” to shame. Some of them break through firewalls, install trojans (that work), put up sniffers that are near impossible to find, and stay hidden on systems for years before leaving them. Supposed security experts have their machines compromised by these experts. Yet I am supposed to believe that a hacker kid 7 years ago was more of a threat than some of the ones today? Personally, I don’t think so. I knew hackers back then, I know hackers today. And I would place all of my fear in today’s if I had to.

Overall, this book sucked. After going some 200 pages, the ending came crashing down in the most un-dramatic fashion I have ever seen. Especially after all the drama that was poured into the first part of the book. No clear explanation was given as to why the feds didn’t prosecute as the cover hinted it would do. Only speculation as to what on. In the final section, the authors go on to reveal that they couldn’t get ahold of two key hackers they continually refer to. So now we have to question the accuracy of the details of their involvement. Add that up and we have an interesting story completely lacking in believability, with an inadequate ending that doesn’t explain anything. If you are interested in the book, borrow my copy and read the Epilogue. It is a nice summary of concerns the internet faces… wait. Just pick up any white paper on internet security and you will get more details.

Review: The Complete Idiot’s Guide to Protecting Yourself Online

[The date of publication is not known.]

The Complete Idiot’s Guide to Protecting Yourself Online
Preston Gralla
0-7897-2035-3, 348 pages, Que: Alpha Books

Are you a Windows95 user? Do you use America Online and read mail with Outlook Express? Browse the web with Internet Explorer? New to the Internet and have concerns about your safety and privacy? If you answered ‘yes’ to all of the above, this book is just right for you.

With millions of people interacting in any fashion, there are bound to be bad elements that have no regard for you, your family, or your privacy. They seek to profit in one way or another at your expense. Fending off the wave of evil doers can be a daunting task to say the least. In this book, Preston Gralla attempts to cover all the bases that you should be concerned about. These concerns include privacy, chat forums, newsgroups, shopping, viruses, and a whole lot more.

Gralla offers quick and easy to implement solutions to problems you may face online. Step by step instructions accompanied by screenshots put some of the power of privacy and anonymity back into the hands of the end user. Offering tips and tricks on how to configure utilities like your web browser, IRC program, and mail reader, the book shows you just how much information you give out every time you visit a web site. Gralla includes a wide variety of web sites and resources for you to find more information or utilities to better help protect yourself.

Building on the fundamentals of the technology that makes the Internet work, terms like TCP/IP, MTA and FTP are demystified. With this level of understanding, technology that seemed out of reach or incomprehensible becomes clearer. By the end of the book, neophyte Internet users should have a basic fundamental understanding of the elements that lead to security and privacy.

When browsing the web, beware of cookies that can monitor your browsing activity. While on IRC or chat forums, ignoring harassing chatters is often a few clicks away. Anonymous remailers allow you to contact anyone while fully hiding your identity. Usenet, mail lists and chat forums are just a few places spammers harvest your email address in order to send you unsolicited spam mail. PGP is a free and powerful encryption utility that helps protect your communications from prying eyes. These are but a few of the valuable tips dispensed throughout the book.

Portions of the book attempt to portray the threats you face but are a bit naïve. Some statements Gralla makes tend to be all inclusive and therefore a bit inaccurate. Fortunately, some of these sweeping comments are further qualified and explained later in the book. One of Gralla’s tools for passing information to the reader is repetition. It is not uncommon to read some of the same material two or three times, slightly reworded or included in ‘Extras’.

Gralla’s goal with this book is to educate the average end user about personal security and privacy. The Complete Idiot’s Guide to Protecting Yourself Online does just that. In a matter of hours, new users to the Internet can find out the essentials needed to guarantee their security and privacy.

Review: Hacking Exposed: Network Security Secrets & Solutions

[The date of publication is not known.]

Hacking Exposed: Network Security Secrets & Solutions
Stuart McClure, Joel Scambray, George Kurtz
http://www.hackingexposed.com
0072121270, 484 pages, McGraw-Hill

Since 1991, I have been involved in the security field in one way or another. Starting as a casual hobby and evolving into a career, it has been a predominant part of my life. In my spare time I have run a number of FTP archives, Web sites and participated in many mail lists. Because of this, many people seek me out for advice and answers. In all these years, the most frequently asked question of me has no simple answer. “How do I hack?” To date I have answered this with a wide variety of responses depending on how the question was asked, who asked it, and my general mood.

Lucky for me, I now have a quick and dirty way out of what sometimes proved to be a three page response to the question. While I have always maintained (and still do) that hacking can not truly be taught, some aspects certainly can be. The technical steps behind computer intrusion can be shared by knowledgeable people, giving a solid foundation for the steps and procedures required in compromising the security of a system. That is the goal of this book, and it does it quite well. To those with a basic understanding of how computers and networks operate, this book will teach them the basics of remote system auditing (also known as controlled penetration).

The book is divided into four main sections: Casing the Establishment, System Hacking, Network Hacking, and Software Hacking. Each section is further divided into separate chapters which cover various methods of system intrusion on different platforms. By breaking it down and separating information related to Unix and Windows NT, it adds clarity and avoids confusion between tools and techniques specific to a particular platform.

In Casing the Establishment, you learn the fine art of remote reconnaissance of machines on a remote network. To a dedicated security auditor, remote machines can give away a world of information that aids them in subsequent attacks. Oftentimes administrators are not aware of just how much information is shared out. The ability to pick this information out and use it to your advantage can often make the difference between gaining access and complete failure.

System Hacking goes into the specific details of breaking into remote hosts. Covering Windows, Novell and Unix, the authors cover a wide variety of methods, many of which are lost to newcomers to security auditing. Readers learn the nuances of brute force attacks, buffer overflows, symlink attacks and a lot more.

Network Hacking looks at the bigger picture and considers multiple machines as the intended target. Covering dial-ups, Virtual Private Networks (VPNs), routers and more, these chapters aim to hit the critical infrastructure of many networks. Another critical appliance in any sensitive network is the Firewall. The final chapter in this section gives several ways to poke holes in the firewall so that it no longer acts as a complete dead end for you.

Software Hacking delves into details of Denial of Service (DoS) attacks, remote access software, and advanced techniques. With more and more corporations using remote access software, they are finding it is leaving them wide open to attacks. These software packages are often a security auditor’s dream.

To everyone who has ever asked me ‘how to hack’, or anything to do with system penetration, start with this book. Read it cover to cover and you will save yourself a lot of time and effort otherwise wasted with search engines and outdated text files.

Review: EDI Security, Control, and Audit

[The date of publication is not known.]

EDI Security, Control, and Audit
Albert J. Marcella, Jr. and Sally Chan
0-89006-610-8, Artech

Electronic Data Interchange (EDI) is a computer-to-computer or application-to-application exchange of business information in a standard format. In 1992, there were over 31,000 known EDI users, with a steady increase since 1987. EDI users can be found in such industries as transportation, retail, grocery, automobiles, warehousing, pharmaceuticals, healthcare and financial institutions.

“EDI will change our lives, just as computers did. It will redefine the ways we work as it pushes us toward a knowledge-based society in which we pursue intellectual challenges while routine, noncreative tasks are assigned to computers.” – Gene A. Nelson

As a comprehensive book on EDI, several parts of the book deal more with the operation and setup of such a network. This leads into the areas that explain in technical detail the security and auditing of EDI networks. Beginning with the basics of EDI, the book walks through the pros and cons of such networks. It gives guidelines for who should implement and use it, operating issues, risks, control concerns and more. These sections are brief and to the point, suitable to give to non technical managers who may be considering EDI as a solution.

The following three chapters (2 – 4) delve into the technical aspects and the standards governing their development and operating procedures. Covering infrastructure and standards, networks and telecommunications, and cross-vulnerabilities in EDI Partnerships, these chapters give a solid understanding of the issues at hand. This reading is not suggested for the technical neophyte!

Dropping back out of the technical jargon, Chapter 5 (Managing Interenterprise Partnerships) seems to be more suited toward managers and legal staff. The next chapter jumps back into technical land and covers Application Control Issues, Security/Environmental/Project controls, Inbound/Outbound Control Issues and more. Maintaining the ping-pong style of writing, Chapter 7 (EDI Management and Environmental Control) delves into higher level project and planning.

If your organization uses EDI, or is considering implementing it, this book is for you. Both management and the technical staff can get something out of this book by passing it back and forth to read chapters. For a one stop shop on EDI, this is it.

Review: Security Warrior

[The date of publication is not known.]

Security Warrior
Cyrus Peikari & Anton Chuvakin
Paperback – 581 pages (January, 2004)
$44.95 – O’Reilly ISBN: 0-596-00545-8

Security Warrior is one of the latest books that attempts to cover hacking and security information in a way that appeals to all levels of the field. Most books of this nature will present a wide variety of concepts and technologies that fall under the “security” blanket. These topics usually include an introduction to security, networking, reconnaissance, social engineering, attack and defense. As with most professions, attempting to disclose the ins and outs in a comprehensive manner would take volumes of information and could never be summed up in a single book.

Breaking away from the mold, Security Warrior stands out in a crowd of security books by delving into the world of software cracking through reverse engineering. While this is not a skillset many security personnel use or know, it can be a very handy skill to have. Peikari and Chuvakin spend almost one third of the book on reverse engineering by providing detailed explanations, real world examples and even exercises to test your ability to break past software that restricts your access to a program on your own computer. While the skill of reverse engineering is useful, it is also fairly intensive and requires a solid programming knowledge. The extensive use of program source code in the book can get a bit overdone as most people reading the book will already understand it and find no use for it typed out in a book, or find themselves lost after the second line.

The next major section covers the basics of networking and reconnaissance as it relates to security testing. After a brief outline of TCP/IP and other protocols that make this big Internet thingy work, they immediately dive into the art of Social Engineering before going back to network recon, OS fingerprinting and hiding your attacks. While this information is all valuable, the sudden turn to Social Engineering in the middle of technical network attacks is disjointed to say the least.

Once you have identified your targets via network recon, the next step is to figure out what specific platform attacks may work for you. Unfortunately, you need to read the chapter on Unix defense before Unix attacks in this book. While the order of the chapters is a minor nuisance, the author’s consistency is a tad annoying. After learning about Unix defense and attack, you then get treated to Windows Client Attacks and Windows Server Attacks. Apparently, the chapter on Windows defense got left on the cutting room floor. Even more odd is the next chapter on SOAP XML Web Services Security followed by the SQL Injection attack chapter. While these are all well written chapters that convey the information very cleanly, the order and choice of topics is very messy.

The last section covers Advanced Defense and goes into audit trails, intrusion detection, honeypots, incident response and forensics. Each chapter receives a good share of attention and falls back into an orderly fashion for dispensing the details of each technology. This material is a solid conclusion to a book that has a place in the security professional’s library. For someone just entering the security circle, this book will be a rough start.