Phishing: Cutting the Identity Theft Line Review

Average Reviews:

(More customer reviews)Phishing is the scourge of the internet right now. Rachael Lininger and Russell Dean Vines have done a pretty good job in helping individuals and companies understand the problem with their book Phishing - Cutting The Identity Theft Line (Wiley).
Chapter List: Phishing for Phun and Profit; Bait and Switch: Phishing Emails; False Fronts: Phishing Websites; Are You Owned: Understanding Phishing Spyware; Gloom and Doom: You Can't Stop Phishing Completely; Helping Your Organization Avoid Phishing; Fighting Back: How Your Organization Can Respond To Attack; Avoiding the Hook: Consumer Education; Help! I'm a Phish! Consumer Response; Glossary of Phishing-Related Terms; Useful Websites; Identity Theft Affidavit; Index
It used to be I'd see one or two "requests" a week to update my personal information for places like eBay or Citibank. Now it's closer to two or three a day. I'm well aware that these phishing attempts are scams meant to commit identity theft, but apparently we internet-savvy people are in the minority. Lininger and Vines have written a very readable and understandable guide to phishing that can easily be given to nearly anyone to help them protect themselves. The uninitiated will quickly grasp the idea that they shouldn't be responding to emails like these, and as a result they'll be much safer. People who are internet-savvy will learn the tricks that are used by the phishers to make links appear to be something other than what they truly are. Even organizations can benefit from the chapters on what they should do if they find that their servers have been co-opted to run a phishing scam.
Very practical material with the benefit of being a book that's fun to read. This is information that needs to be in the hands of all internet users these days...

Click Here to see more reviews about: Phishing: Cutting the Identity Theft Line

"Phishing" is the hot new identity theft scam. An unsuspecting victim receives an e-mail that seems to come from a bank or other financial institution, and it contains a link to a Web site where s/he is asked to provide account details. The site looks legitimate, and 3 to 5 percent of people who receive the e-mail go on to surrender their information-to crooks. One e-mail monitoring organization reported 2.3 billion phishing messages in February 2004 alone.
If that weren't enough, the crooks have expanded their operations to include malicious code that steals identity information without the computer user's knowledge. Thousands of computers are compromised each day, and phishing code is increasingly becoming part of the standard exploits.Written by a phishing security expert at a top financial institution, this unique book helps IT professionals respond to phishing incidents. After describing in detail what goes into phishing expeditions, the author provides step-by-step directions for discouraging attacks and responding to those that have already happened.
In Phishing, Rachael Lininger:

Offers case studies that reveal the technical ins and outs of impressive phishing attacks.
Presents a step-by-step model for phishing prevention.
Explains how intrusion detection systems can help prevent phishers from attaining their goal-identity theft.
Delivers in-depth incident response techniques that can quickly shutdown phishing sites.

Click here for more information about Phishing: Cutting the Identity Theft Line

Read More...

Chained Exploits: Advanced Hacking Attacks from Start to Finish Review

Average Reviews:

(More customer reviews)I looked forward to Chained Exploits (CE) by Whitaker, Evans and Voth with much anticipation as the concept is a much needed addition to the lexicon on information security. Often academic fields are severely limited by the vocabulary available to discuss issues and the "chained exploit" is sure to become a mainstay in the discourse of information security. Despite my enthusiasm for the concept, however, I was disappointed by the material presented in CE. The genius of the chained exploit is that it upends the traditional threat matrix, typically presented as:
[value of resource] x [likelihood of exploit] = [risk level]
For example, a high value resource that is unlikely to be exploited should be ranked as a low risk, as should a low value resource that is likely to be exploited. Think of this in terms of a temporary database of publically available information used to populate a user demonstration website that is wiped out every 24 hours. If that information is compromised it has no value, so even if the compromise is likely it is a low risk system. Conversely if a system that contains critical financial information is confined to a single workstation that is removed from any networking and housed in a guarded facility it too is a low risk system (since the likelihood of compromise is low).
Unfortunately many auditors make risk assessments based on circumstances in a vacuum. This is where the concept of "chained exploits" becomes so valuable. For instance, if a vulnerability were discovered in a local binary accessible to users that allows privilege escalation, but the local binary exists on a system that has no users (other than administrators who already have root privileges) it is often considered a low risk. Many times patches for these sorts of vulnerabilities are not installed because the patch could introduce instability and would not be considered worthy of the expense given the low risk. Similarly a vulnerability could be discovered in a web service that when exploited could allow a remote attacker to gain an unprivileged local account that, say, only had access to read and write to the /tmp directory. This could also be considered a low risk since such limited access wouldn't present any threat to the system. However, if you "chained exploits" for the two vulnerabilities you suddenly have a condition where a remote attacker can gain a local account and elevate their privilege! This contravenes the low risk ranking of the individual vulnerabilities. When combined they suddenly become a very high risk to the system.
It was this sort of "chain" that I hoped CE would explore. Instead the material presented in the book consisted of context to several high risk vulnerabilities to explain why they might be used in tandem. For instance, the book would propose a scenario where a remote attacker installed a backdoor rootkit on a corporate network workstation then used that workstation to access the central database using default system administrator credentials. Each of the conditions used in these "chains" are extremely high risk already, and thus the book doesn't present any new material for seasoned information security professionals to consider.
For a novice this book is a great resource. It is full of the sorts of horror stories that professionals are all too familiar with, but could potentially be eye opening for a neophyte or someone unfamiliar with computer security. At the very least it is a page turning exploration of very real and often under appreciated risks to enterprises.
I was disappointed that the book didn't raise the level of discourse in the information security field but I suspect that wasn't the point of Chained Exploits. Instead it reads like a greatest hits sequence prepared by veteran penetration testers. It makes for interesting reading, but it isn't particularly informative. Don't look for any new 0 day exploits (or even a discussion of how to find such flaws). Instead the book contains a litany of well known routes to system compromise and illustrative narratives that tie them together in real world scenarios.

Click Here to see more reviews about: Chained Exploits: Advanced Hacking Attacks from Start to Finish

The complete guide to today's hard-to-defend chained attacks: performing them and preventing themNowadays, it's rare for malicious hackers to rely on just one exploit or tool; instead, they use "chained" exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don't cover them at all. Now there's a book that brings together start-to-finish information about today's most widespread chained exploits–both how to perform them and how to prevent them. Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today's most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering. Writing for security, network, and other IT professionals, the authors take you through each attack, one step at a time, and then introduce today's most effective countermeasures— both technical and human. Coverage includes:Constructing convincing new phishing attacksDiscovering which sites other Web users are visitingWreaking havoc on IT security via wireless networksDisrupting competitors' Web sitesPerforming–and preventing–corporate espionageDestroying secure filesGaining access to private healthcare recordsAttacking the viewers of social networking pagesCreating entirely new exploitsand moreAndrew Whitaker, Director of Enterprise InfoSec and Networking for Training Camp, has been featured in The Wall Street Journal and BusinessWeek. He coauthored Penetration Testing and Network Defense. Andrew was a winner of EC Council's Instructor of Excellence Award.Keatron Evans is President and Chief Security Consultant of Blink Digital Security, LLC, a trainer for Training Camp, and winner of EC Council's Instructor of Excellence Award. Jack B. Voth specializes in penetration testing, vulnerability assessment, and perimeter security. He co-owns The Client Server, Inc., and teaches for Training Camp throughout the United States and abroad.informit.com/awCover photograph © Corbis /Jupiter Images$49.99 US $59.99 CANADA

Click here for more information about Chained Exploits: Advanced Hacking Attacks from Start to Finish

Read More...

The Myths of Security: What the Computer Security Industry Doesn't Want You to Know Review

Average Reviews:

(More customer reviews)Let me start by saying I usually like John Viega's books. I rated Building Secure Software 5 stars back in 2005 and 19 Deadly Sins of Software Security 4 stars in 2006. However, I must not be the target audience for this book, and I can't imagine who really would be. The book mainly addresses consumer concerns and largely avoids the enterprise. However, if most consumers think "antivirus" when they think "security," why would they bother reading The Myths of Security (TMOS)?
TMOS is strongest when Viega talks about the antivirus (or antimalware, or endpoint protection, or whatever host-centric security mechanism you choose) industry. I didn't find anything to be particularly "myth-shattering," however. I have to agree with two of the previous reviewers. Many of the "chapters" in this book could be blog posts. The longer chapters could be longer blog posts. The lack of a unifying theme really puts TMOS at a disadvantage compared to well-crafted books. I was not a huge fan of The New School of Information Security or Geekonomics (both 4 stars), but those two titles are better than TMOS.
If you want to read books that will really help you think properly about digital security, the two must-reads are still Secrets and Lies by Bruce Schneier and Security Engineering, 2nd Ed by Ross Anderson. I would avoid Bruce's sequel, Beyond Fear -- it's ok, but he muddles a few concepts. (Heresy, I know!) I haven't read Schneier on Security, but I imagine it is good given the overall quality of his blog postings.
If you want to shatter some serious myths, spend time writing a book on the "80% myth," which is stated in a variety of ways by anyone who is trying to demonstrate that insider threats are the worst problem facing digital security. If you're going to pretend to debunk open source security, why not back it up with some numbers? Studies have been published recently, and original research and results would be welcome. How about demonstrating that user awareness training wastes money, because enough marks fall prey anyway? I'd also like to see research showing that frequent password changes are worse for security, not better. Wrap all of that in a coherent manner with substantial chapters and you have a real TMOS book.

Click Here to see more reviews about: The Myths of Security: What the Computer Security Industry Doesn't Want You to Know


If you think computer security has improved in recent years, The Myths of Security will shake you out of your complacency. Longtime security professional John Viega, formerly Chief Security Architect at McAfee, reports on the sorry state of the industry, and offers concrete suggestions for professionals and individuals confronting the issue. Why is security so bad? With many more people online than just a few years ago, there are more attackers -- and they're truly motivated. Attacks are sophisticated, subtle, and harder to detect than ever. But, as Viega notes, few people take the time to understand the situation and protect themselves accordingly. This book tells you:



Why it's easier for bad guys to "own" your computer than you think
Why anti-virus software doesn't work well -- and one simple way to fix it
Whether Apple OS X is more secure than Windows
What Windows needs to do better
How to make strong authentication pervasive
Why patch management is so bad
Whether there's anything you can do about identity theft
Five easy steps for fixing application security, and more

Provocative, insightful, and always controversial, The Myths of Security not only addresses IT professionals who deal with security issues, but also speaks to Mac and PC users who spend time online.

Click here for more information about The Myths of Security: What the Computer Security Industry Doesn't Want You to Know

Read More...