Showing posts with label network security. Show all posts

Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research Review

Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research
I'm going to take a harsh stance on this book, mostly because this book had potential to really build upon all the information publicly available for Metasploit and really make a great book on Metasploit internals and advanced usage. Instead it seems like current public/free information was just rehashed and new information not updated for the 3.x branch of MSF.
What I consider the "meat" of this book, and what should have made this a 4 or 5 star book, covers the Metasploit Framework 2.x branch and NOT the current 3.x branch. By "meat" I mean the case studies covering exploitation using MSF. The major difference between the two is that 2.x was written in Perl and 3.x in Ruby. To be fair the first 5 chapters cover using MSF 3.x, but I really didn't feel they covered much, if anything, that's not out on the net with the exception of Chapter 5 (Adding new Payloads). "Using" Metasploit has been covered a million times in a million other books. A book specifically on Metasploit should have covered things not covered in every other hacking book.
Chapter 1 is an "Introduction to Metasploit." If you haven't ever used the tool and didn't want to RTFM, then "maybe" it would be useful for you. Most of the material I felt could be found on the Metasploit main support page, the wiki, or via google, but mostly the first two. I'm also not sure why there are pages and pages of current payloads and exploits with no explanations as to why I would use one type of payload versus another especially for the obscure ones like find tag or ordinal payloads. Doing a "show exploits" or "show payloads" without dialogue on the differences adds little value. The Leveraging Metasploit on Penetration Tests section is one paragraph :-(
Chapter 2 is "Architecture, Environment, and Installation." There are 2-3 pages on locking down a system. Why is that included? Very random. Let me cover the installation covered in the book for you. Windows, double click the executable. *nix, download via svn. That's about the level of detail we get...sigh :-(
Chapter 3 is a whopping 7 pages including the FAQ section on "Metasploit Framework and Advanced Environment Configurations." That chapter covers what is in the directories of your msf installation and using the setg command.
Chapter 4 is "Advanced Payload and Add-on Modules." Covers some old information on meterpreter and some meterpreter basics; the stuff on the net covers it in far more detail. Decent coverage of the VNC Inject payload, crappy coverage of the PassiveX payload, ok coverage of auxiliary modules and a mention of db autopwn.
Chapter 5 is "Adding New Payloads." Chapter 5 is the best chapter in the book because it discusses something...here it goes...NEW! and related to MSF 3.x. Chapter 5 is an excellent chapter walking us through building a SIP Invite spoofer auxiliary module. Had the whole book been of this caliber it would have been a 5 star book.
The case studies should have been rewritten to work with MSF 3.x; they are all for 2.x. They are good and contain the required detail (but I did not work through all the examples yet). Things are similar between the branches and you can probably muddle through the conversions, but it makes no sense for the first half of the book to be about 3.x and the meat to be about 2.x. At a minimum a chapter or section on converting exploits from 2.x to 3.x was in order, but was not included.
I didn't find Appendix B, "Building a Test Lab for Penetration Testing" to be all that helpful either. I think it's a reprint from Penetration Tester's Open Source Toolkit v2, but can't confirm because I don't have that book.



This is the first book available for the Metasploit Framework (MSF), which is the attack platform of choice for one of the fastest growing careers in IT security: Penetration Testing. The book and companion Web site will provide professional penetration testers and security researchers with a fully integrated suite of tools for discovering, running, and testing exploit code. This book discusses how to use the Metasploit Framework (MSF) as an exploitation platform. The book begins with a detailed discussion of the three MSF interfaces: msfweb, msfconsole, and msfcli. This chapter demonstrates all of the features offered by the MSF as an exploitation platform. With a solid understanding of MSF's capabilities, the book then details techniques for dramatically reducing the amount of time required for developing functional exploits. By working through real-world vulnerabilities against popular closed source applications, the reader will learn how to use the tools and MSF to quickly build reliable attacks as standalone exploits. The section will also explain how to integrate an exploit directly into the Metasploit Framework by providing a line-by-line analysis of an integrated exploit module. Details as to how the Metasploit engine drives the behind-the-scenes exploitation process will be covered, and along the way the reader will come to understand the advantages of exploitation frameworks. The final section of the book examines the Meterpreter payload system and teaches readers to develop completely new extensions that will integrate fluidly with the Metasploit Framework.
* A November 2004 survey conducted by "CSO Magazine" stated that 42% of chief security officers considered penetration testing to be a security priority for their organizations
* The Metasploit Framework is the most popular open source exploit platform, and there are no competing books
* The book's companion Web site offers all of the working code and exploits contained within the book


Information Security: A Strategic Approach Review

Information Security: A Strategic Approach
As a professor that teaches information security at the undergraduate and graduate level I was interested in this book to enhance the strategic direction of my courses. As we all know, most of the problems with info security can be attributed to management and personnel, not technology. This book does a good job of framing and explaining a strategic approach. Although I will not require it of my students, I will recommend it as a way of understanding the big picture of security. Too often we learn bits and pieces of a subject and never understand how all the pieces fit together. This book does a good job of putting all of the pieces together in a nice strategic approach.


Bridging the gap between information security and strategic planning
This publication is a reflection of the author's firsthand experience as an information security consultant, working for an array of clients in the private and public sectors. Readers discover how to work with their organizations to develop and implement a successful information security plan by improving management practices and by establishing information security as an integral part of overall strategic planning. The book starts with an overview of basic concepts in strategic planning, information technology strategy, and information security strategy. A practical guide to defining an information security strategy is then provided, covering the "nuts and bolts" of defining long-term information security goals that effectively protect information resources. Separate chapters covering technology strategy and management strategy clearly demonstrate that both are essential, complementary elements in protecting information. Following this practical introduction to strategy development, subsequent chapters cover the theoretical foundation of an information security strategy, including:
* Examination of key enterprise planning models that correspond to different uses of information and different strategies for securing information
* Review of information economics, an essential link between information security strategy and business strategy
* Role of risk in building an information security strategy
Two separate case studies are developed, helping readers understand how the development and implementation of information security strategies can work within their own organizations. This is essential reading for information security managers, information technology executives, and consultants. By linking information security to general management strategy, the publication is also recommended for nontechnical executives who need to protect the value and security of their organization's information.


Dissecting the Hack: The F0rb1dd3n Network Review

Dissecting the Hack: The F0rb1dd3n Network
Let me get this out of the way: If books could be reviewed as "first effort" this would be a five/five. For a really ambitious book out of the gate it does a decent job of hitting tons of domains from multiple angles to inform, excite, and influence the thought processes of the reader.
To be even more honest, had I thumbed through this book before buying it, I would not have bought it. A lot of alarms can go off when you see pictures of vendor equipment, tables of network services, and a touch of conspiracy theory in places. Not that those things are inherently bad, but it's only a 400 page tome so that's a lot of real estate to be worried about misusing. The authors use those pages as well as can be expected and in a way that even the most jaded readers should be able to ~respect~ if not always appreciate.
I'm not being hard on this book, trust me. It's now the third book, along with Silence on the Wire and Anderson's Security Engineering, I expect all newer ITSec professionals to read early and often. I don't judge a non-textbook by the accuracy or timeliness of every statement, or the quality of the storytelling or cases studied. I judge these types of books by their ability to affect ~thought processes~, ~perspective~, and ~risk analysis~... and I think this book is a winner on all three counts. It is all about influencing thought, not hand-feeding PRECISE EXACTING and ultimately useless step-by-step hacks.
Solid 4/4.5 star on any scale and a 5/5 for a new set of authors. I hope the editors and publisher give them the opportunity to add about 120/150 pages and build a community. One last note, the books and resources noted within this book are good stand-up lists and should not be overlooked either. The single paragraph stories from the web or people profiles are not to be skipped over.



Dissecting the Hack is one heck of a ride! Hackers, IT professionals, and Infosec aficionados will find a gripping story that takes the reader on a global trip through the world of computer security exploits. One half massive case study, one half technical manual, Dissecting the Hack has it all - learn all about hacking tools and techniques and how to defend your network against threats.

Yes, the security threats are real - read more about the tactics that you see executed throughout the story in the second half of the book where you will learn to recon, scan, explore, exploit and expunge with the tools and techniques shown in the story. Every hack is real and can be used by you once you have the knowledge within this book!

* Utilizes actual hacking and security tools in its story - helps to familiarize a newbie with the many devices and their code
* Introduces basic hacking techniques in real life context for ease of learning
* Presented in the words of the hacker/security pro, effortlessly envelops the beginner in the language of the hack



UNIX and Linux Forensic Analysis DVD Toolkit Review

UNIX and Linux Forensic Analysis DVD Toolkit
The title may mislead readers to believe that this book discusses actual forensics of Unix and Linux systems. It does not. The authors waste precious pages in this short book discussing their favorite cool Linux apps like Nessus and Metasploit but don't have any meaningful discussion about the various flavors of Unix: AIX, Solaris, *BSD, etc. Their "Unix and Linux" forensic book is almost entirely about Linux. There is no thoughtful discussion about filesystem forensics; no technical detail helpful to Forensic Examiners.
In the few moments where the authors approach a meaningful forensic topic, the reader is redirected to an online resource rather than provided an analysis or explanation within the book.
The book title may lead readers to believe that an accompanying DVD contains a Unix forensic toolkit of some kind. In fact, there is only 1.8 MB of documents and no tools save for a few (4) short Bash scripts that hardly cover a thorough forensics examination: live or otherwise. One of the scripts is only one line. One of these documents is an incomplete 3.5 page summary of Sleuthkit tools. By "incomplete" I mean that it is apparent that the author decided to quit writing. Apparently there was no room in this 236 page, 14-gauge font book to cover in any detail the different Unix filesystems, data acquisition, data carving or static filesystem analysis. But the authors make plenty of room to discuss scanning with Unix tools (nmap, nessus, etc.).
There is a section entitled "Malware" except that no malware sample is actually examined. The reader is briefly introduced to Panda's AV scanner and is walked through how to use ClamAV as if that is the only AV scanner available for either a Unix user or Forensic Examiner. Forensic Examiners should pay very close attention to AntiVirus product comparative reviews.
The book cover boasts that this is the "only digital forensic analysis book for *nix". Indeed there may be little in the way of books solely dedicated to Unix forensics but other books cover Unix forensics with greater detail than this one. For example, Brian Carrier's "Filesystem Forensic Analysis" or Jones, Bejtlich and Rose's "Real Digital Forensics".
The book cover also boasts that readers can "Hit the ground running" with the information within. Unfortunately, if readers expect the content to help them bridge a gap between Windows and Unix, they will hit the ground with a resounding thud. If any Forensics Examiner finds value in the content of this book for actual Unix forensic investigations, I would question that examiner's experience and training.
If the authors wanted to write a book about cool Linux tools or network scanning, they should have entitled the book differently. Perhaps "A Beginner's Guide to Using Linux and Linux Security Applications".
I felt the title was misleading and false advertising. The authors take advantage of the word "Forensics" to sell a book that is not about forensics. For $53.95 I expected much more and was extremely disappointed and disgusted at the inferiority of the content.


This book addresses topics in the area of forensic analysis of systems running on variants of the UNIX operating system, which is the choice of hackers for their attack platforms. According to a 2007 IDC report, UNIX servers account for the second-largest segment of spending (behind Windows) in the worldwide server market with $4.2 billion in 2Q07, representing 31.7% of corporate server spending. UNIX systems have not been analyzed to any significant depth largely due to a lack of understanding on the part of the investigator, an understanding and knowledge base that has been achieved by the attacker. The companion DVD provides a simulated or "live" UNIX environment where readers can test the skills they've learned in the book and use custom tools developed by the authors. The book begins with a chapter to describe why and how the book was written, and for whom, and then immediately begins addressing the issues of live response (volatile) data collection and analysis. The book continues by addressing issues of collecting and analyzing the contents of physical memory (i.e., RAM). The following chapters address /proc analysis, revealing the wealth of significant evidence, and analysis of files created by or on UNIX systems. Then the book addresses the underground world of UNIX hacking and reveals methods and techniques used by hackers, malware coders, and anti-forensic developers. The book then illustrates to the investigator how to analyze these files and extract the information they need to perform a comprehensive forensic analysis. The final chapter includes a detailed discussion of Loadable Kernel Modules and Malware.
Throughout the book the author provides a wealth of unique information, providing tools, techniques and information that won't be found anywhere else. Not only are the tools provided, but the author also provides sample files so that after completing a detailed walk-through, the reader can immediately practice the new-found skills.
* The companion DVD for the book contains significant, unique materials (movies, spreadsheet, code, etc.) not available any place else.
* This book contains information about UNIX forensic analysis that is not available anywhere else. Much of the information is a result of the author's own unique research and work.
* The authors have the combined experience of Law Enforcement, Military, and Corporate forensics. This unique perspective makes this book attractive to ALL forensic investigators.


PC Magazine Fighting Spyware, Viruses, and Malware Review

PC Magazine Fighting Spyware, Viruses, and Malware
Tittel can certainly unsettle the reader! He warns of the increasing encroachments against your computer. The biggest single danger is that this might be your home computer. Not a computer at your workplace, for which you might be able to ask a sysadmin for help.
So it's you and Tittel against the 3 menaces. Be aware that the terminology in the text and title may vary from what others use. Often, malware is taken to include viruses. I think he chose to break viruses out separately from malware so that the title would outreach to more people. Malware is still somewhat of a techie term, while spyware and viruses have broader recognition.
Naturally, since we're discussing personal computers, the text tends to focus on those running a Microsoft operating system. But in fact, much of his advice applies to Macs and linux/unix machines. Though users of the former 2 types might take heart in knowing that most viruses or worms won't go after their machines.
Tittel explains that increasingly, it's harder to draw clear lines between malware, spyware and adware. But he shows how to use existing anti-malware products that can scan for these and remove them. These products use combinations of signatures of known malware, and also search for "strange" activity that is typical of malware. However, since new variants of malware are continually being developed and found, you should always download the latest sets of signatures from your vendor, before running the tests.
Tittel also gives a succinct description of phishing, a particularly virulent type of malware that has increased enormously in the last 2 years. He suggests that you scrutinise the links and be very wary of any message that asks for personal information, either in a reply or in a web page pointed to from that message. Unfortunately, the phishers continue to refine their tactics and many users simply aren't savvy enough to follow Tittel's suggestions. These users may be a minority, but there are enough of them to make this worthwhile for the phishers.


Think there's no malicious software on your computer? PC Magazine thinks you should think again. Scans by ISPs have revealed as many as twenty-eight spyware programs running on the average home computer--like yours. That's a lot of people prying into what's on your PC, and a DSL or cable connection is a virtual welcome mat. But by following Ed Tittel's advice, you can learn how invasions occur, spot an infestation, repair damage that's already done, and slam the door on those who want to hijack your PC--along with your wallet. Here's how you can:
* Learn to recognize when a Trojan horse, a virus, adware, or spyware has invaded your PC
* Get the tools that can cure an infection
* Dig into the Windows Registry to remove the nastiest of bugs
* Prevent a recurrence with personal firewalls and protective software
* Deal with the onslaught of spam
* Keep your defenses up-to-date
Give it the boot
If you believe you've caught something and you're willing to kiss everything goodbye that you've added to or changed ... since the last time you booted up your computer ... try this. While Windows is first booting up, hit the F8 key .... Choose the Last Known Good Configuration option, and Windows should boot running the version of the Registry that existed the last time your system booted--that is, before you got infected.
-- From Chapter 4


Stealing the Network: How to Own a Shadow Review

Stealing the Network: How to Own a Shadow
Did you enjoy the previous three Stealing the Network books? Are you looking for more? Then move along now, nothing to see here.
The prior books were interesting because they introduced the reader to new ideas or new angles on old ideas, then moved on without belaboring them. If you wanted more details, there were often URLs provided. The last two tied the stories together with the intriguing Knuth character. But the folks running the project chose to switch to a new format, with fewer characters and stories, not to mention fewer authors, and fewer ways to split the profits.
After three books with the same (proven) formula, it's understandable the authors would want to try something new. Alas, it's a disaster.
Welcome to "How to Own a Shadow," aka "The SQL Injection Adventures of Pawn." Pawn is one of the new characters in this volume, and is the first StN character I hoped would get shot to death by the cops in a mini-mall parking lot. Yes, he's that irritating. Particularly after reading 40 pages about his childhood as a high-functioning autistic (or something like that), and around 100 pages of him performing SQL injection attacks. Most of which is totally unrelated to Knuth. Note to the authors: SQL injection is interesting, but if you want to write a book about it, just write a book about it. I even gave you a title, what more do you want? You can even recycle much of this book, like you recycled part of the last one here.
Oh, you noticed the real subtitle of the book, "The Chase for Knuth." First, one chases _after_ fugitives, and hunts or searches _for_ them. Not that it matters, because there's not much chasing or hunting going on in this book. There isn't much Knuth, either. We see him in the first hundred pages, which is mostly about his son analyzing poker software. That's the last we see of either of them. Because, really, this is "The Biography of Pawn." We do get 50 pages of Knuth at the end of the book, but don't get excited: it's all from the last book, added as obvious filler.
Speaking of filler, there's a 17 page advertorial thrown in for BiDiBLAH, which is commercial software by SensePost. Oddly enough, they're listed as technical advisors for the book. I'm sure it's a fine app, but the authors have forgotten about Knuth again, since it has nothing to do with the story. If it had been relevant, it might have been a less obnoxious addition.
Not everything is bad. There's a brief bit about RFID, which of course turns into how to use RFID for SQL attacks. We get to meet Knuth's supposedly dead wife, and a charming shrew she is. All in all, though, this book isn't worth reading unless you're a truly devoted fan of the series, or SQL. I'm still a fan of the previous books, and I hope the authors can recapture what made them so intriguing for their next book. I won't be buying that one until I'm sure it's not Book Two of the Pawn Saga, however.


The best-selling Stealing the Network series reaches its climactic conclusion as law enforcement and organized crime form a high-tech web in an attempt to bring down the shadowy hacker-villain known as Knuth in the most technically sophisticated Stealing book yet. Stealing the Network: How to Own a Shadow is the final book in Syngress' ground breaking, best-selling, Stealing the Network series. As with previous titles, How to Own a Shadow is a fictional story that demonstrates accurate, highly detailed scenarios of computer intrusions and counter-strikes. In How to Own a Thief, Knuth, the master-mind, shadowy figure from previous books, is tracked across the world and the Web by cyber adversaries with skill to match his own. Readers will be amazed at how Knuth, Law Enforcement, and Organized crime twist and torque everything from game stations, printers and fax machines to service provider class switches and routers to steal, deceive, and obfuscate. From physical security to open source information gathering, Stealing the Network: How to Own a Shadow will entertain and educate the reader on every page. The book's companion Web site will also provide special, behind-the-scenes details and hacks for the reader to join in the chase for Knuth.
* The final book in the Stealing the Network series will be a must read for the 50,000 readers worldwide of the first three titles
* The companion Web site to the book will provide challenging scenarios from the book to allow the reader to track down Knuth
* Law enforcement and security professionals will gain practical, technical knowledge for apprehending the most sophisticated cyber-adversaries


Hacking Wireless Networks For Dummies (For Dummies (Computers)) Review

Hacking Wireless Networks For Dummies (For Dummies (Computers))
Think your wireless network is secure from unauthorized use or attack? It's probably not. I just finished reading Hacking Wireless Networks For Dummies by Kevin Beaver and Peter T. Davis, and this is one of the most practical books I've ever read for testing a network against attack.
Contents:
Part 1 - Building the Foundation for Testing Wireless Networks: Introduction to Wireless Hacking; The Wireless Hacking Process; Implementing a Testing Methodology; Amassing Your War Chest
Part 2 - Getting Rolling with Common Wi-Fi Hacks: Human (in)Security; Containing the Airwaves; Hacking Wireless Clients; Discovering Default Settings; Wardriving
Part 3 - Advanced Wi-Fi Hacks: Still at War; Unauthorized Wireless Devices; Network Attacks; Denial-of-Service Attacks; Cracking Encryption; Authenticating Users
Part 4 - The Part of Tens: Ten Essential Tools for Hacking Wireless Networks; Ten Wireless Security-Testing Mistakes; Ten Tips for Following Up after Your Testing
Part 5 - Appendixes: Wireless Hacking Resources; Glossary of Acronyms
Index
The target of this book is the security professional involved in testing networks to make them more secure. There's a heavy emphasis on "ethical hacking", or learning how to test a network's security without doing harm or using the information in a destructive fashion. A security consultant using this book would learn how to pre-plan a test, work with the company to make sure they were properly authorized, and then write up the results in a professional manner. That aspect of the book is impressive, and it helps to frame the information in the right light (not as a textbook on how to break into networks).
From a practical standpoint, this book excels. Each of the chapters covers the theory behind how or why a certain aspect of a wireless network would be vulnerable to an attack or exploit. Then the authors cover a number of open source and commercial software packages that are available to focus on that area. For instance, chapter 14 goes into why WEP encryption is flawed and how it can be broken with relatively little effort. It's followed by an explanation on how WPA addresses some of those issues. Finally you get coverage on available tools that are used to crack WEP and how you can use them to test your own network.
Highly practical and heavy on application... If you're a security professional with responsibility for your organization's wireless network, you need to read this book. And if you're a techno-geek with your own wireless network, you'll want to get this book to play around. I know I will be doing a little hacking at Chez Duffbert...


Become a cyber-hero - know the common wireless weaknesses
"Reading a book like this one is a worthy endeavor toward becoming an experienced wireless security professional."--Devin Akin - CTO, The Certified Wireless Network Professional (CWNP) Program
Wireless networks are so convenient - not only for you, but also for those nefarious types who'd like to invade them. The only way to know if your system can be penetrated is to simulate an attack. This book shows you how, along with how to strengthen any weak spots you find in your network's armor.
Discover how to:
Perform ethical hacks without compromising a system
Combat denial of service and WEP attacks
Understand how invaders think
Recognize the effects of different hacks
Protect against war drivers and rogue devices



Securing the Borderless Network: Security for the Web 2.0 World Review

Securing the Borderless Network: Security for the Web 2.0 World
I am giving this four stars because in June 2010, this really helps me see the big picture from a seasoned tech executive, Harvard MBA's point of view. Through no fault of his own, the manuscript will age fast and be less valuable fast. For instance, chapter 6 doesn't have the iPad; however, it does have the Apple Newton from 1993. There is a lot of history built into Gillis's research and I found that really helpful; we have to know where we have been to understand where we are going. If you need to understand the emerging trends in security and computing in general and it is still 2010, I recommend you buy this book. If it is later than 2010 and it is not a second edition or updated, ask around for a copy to borrow. I guess I am a bit of a Gillis fan; I only recycled his Get the Message from 2004 last month.


Securing the Borderless Network: Security for the Web 2.0 World
Tom Gillis
Securing the Borderless Network reveals new techniques for securing advanced Web 2.0, virtualization, mobility, and collaborative applications
Today's new Web 2.0, virtualization, mobility, telepresence, and collaborative applications offer immense potential for enhancing productivity and competitive advantage. However, they also introduce daunting new security issues, many of which are already being exploited by cybercriminals. Securing the Borderless Network is the first book entirely focused on helping senior IT decision-makers understand, manage, and mitigate the security risks of these new collaborative technologies. Cisco® security technology expert Tom Gillis brings together systematic, timely decision-making and technical guidance for companies of all sizes: information and techniques for protecting collaborative systems without compromising their business benefits. You'll walk through multiple scenarios and case studies, from Cisco Webex® conferencing to social networking to cloud computing. For each scenario, the author identifies key security risks and presents proven best-practice responses, both technical and nontechnical. Securing the Borderless Network reviews the latest Cisco technology solutions for managing identity and securing networks, content, endpoints, and applications. The book concludes by discussing the evolution toward "Web 3.0" applications and the Cisco security vision for the borderless enterprise, providing you with a complete security overview for this quickly evolving network paradigm.


IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job Review

IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job
Information security is a hot career area and is among the strongest fields within IT for growth and opportunity. With excellent long-term career prospects, increasing cybersecurity vulnerabilities and an increase in security & privacy regulations and legislation, the demand for security professionals is significant. Even with a bright future, that does not necessarily mean that a career in information security is right for everyone. What differentiates an excellent security professional from a mediocre one is their passion for the job. With that, IT Security Interviews Exposed is a mixed bag of a book. For those that are looking for an information security spot and have the requisite passion for the job, much of the information should already be known. For someone who lacks that passion and simply wants a security job, their lack of breadth will show and the information in the book likely won't be helpful, unless they have a photographic memory to remember all of the various data points.
If you find information security challenging and either want a job in the field or are looking for a better job in the field, the book will be quite valuable. But for those looking for a hot security job, their lackings will likely show through in an interview, even with the help of this book.
As to the actual content, chapter 1 provides a good overview of how to find, interview for and get a security job. The chapter contains many bits of helpful information, especially for those whose job-seeking skills are deficient. A good piece of advice the authors state is that one should never pay a fee for headhunting services. There are many people that call themselves recruiters, but are nothing more than fax servers who charge for the service. The burden to pay is always on the hiring firm, and a job seeker should be extremely suspicious of anyone requesting a fee to find them a position.
I would hope that in future editions of the book, the authors expand on chapter one. The chapter itself in fact could easily be made into a book in its own right. As part of the job search process, many job searchers often do not ask themselves enough fundamental questions about whether they are indeed in the right place in their career. Such an approach is taken by Lee Kushner, founder and CEO of the information security recruitment firm LJ Kushner and Associates. Kushner formulated the following 7 questions that every information security job candidate should ask themselves:
1. What are my long and short term plans?
2. What are my strengths and weaknesses?
3. What skills do I need to develop?
4. Have I acquired a new skill during the past year?
5. What are my most significant career accomplishments and will I soon achieve another one?
6. Have I been promoted over the past three years?
7. What investments have I made in my own career?
The other 9 chapters of the book all have the same format: an overview of the topic, and then various questions an interviewer may pose. The reality is that these topics of network and security fundamentals, firewalls, regulations, wireless, security tools, and more, are essential knowledge for a security professional. Anyone trying to go through a comprehensive information security interview and wing it by reviewing the material will likely only succeed if the interviewer is inept. Anyone attempting to mimic the questions and answers in the book in a real-world interview will immediately be found to be a sham if the interviewer deviates even slightly from the script, which should be expected.
What really separates a good candidate from a great candidate is hands-on, practical and real-world security experience. Such a candidate won't need a question and answer format to showcase themselves in an interview. Their experience should shine, and not their ability to rattle off security acronyms.
If a company is serious about hiring qualified people, the interview process should not be about short technical questions and acronym definitions. It should entail an open discussion with significant give and take. Having a candidate detail their methodology for deploying and configuring a firewall should be given more credence than their ability to define the TCP three-way handshake.
Ultimately, the efficacy of the book is in the disposition of the reader. For the security newbie who wants a crash course in security in order to quickly land a security job, heaven help the company that would hire such a person. While one should indeed not judge a book by its cover, this book's cover and title may lead some readers to think that the book is their golden ticket to a quick landing into a great career. The breadth of information that a security professional needs to know precludes any sort of cramming or quick introductions. Those with a lack of security experience attempting to use this book to hide their shortcomings will only embarrass themselves in an interview.
On the other hand, for the reader who has a background in information security who wants an update on network and security fundamentals, they will find IT Security Interviews Exposed a helpful title. The book contains a plethora of valuable information written in a clear and easy to read style. In a little over 200 pages, the book is able to provide the reader with a good review of what they know or may have forgotten. Used in such a setting by such a reader makes the book a most helpful tool for the serious security professional looking to advance their career.




Technology professionals seeking higher-paying security jobs need to know security fundamentals to land the job-and this book will help
Divided into two parts: how to get the job and a security crash course to prepare for the job interview
Security is one of today's fastest growing IT specialties, and this book will appeal to technology professionals looking to segue to a security-focused position
Discusses creating a resume, dealing with headhunters, interviewing, making a data stream flow, classifying security threats, building a lab, building a hacker's toolkit, and documenting work
The number of information security jobs is growing at an estimated rate of 14 percent a year, and is expected to reach 2.1 million jobs by 2008



Steal This Computer Book 4.0: What They Won't Tell You about the Internet Review

Steal This Computer Book 4.0: What They Won't Tell You about the Internet
Overall this is a good book. The first part is sort of stupid, though. It talks mainly about how not to only listen to one person but to get information from multiple sources. It could be summed up in about a page.
Chapter 4 talks about buying computers and software. It helped me out by giving me some tricks to do next time I buy a computer.
Chapter 5 tells you about keeping your files secure with encryption. It tells you about some different types of encryption algorithms and how to write your own encryption programs. It also shows you how to play some dirty tricks. It talked about using anonymous remailers to send anonymous email and talked about just how anonymous they were. It even told you how to surf the web anonymously so that people couldn't receive information about your computer, browser, and more.
Chapter 6 told about phone phreaking history such as Captain Crunch. Wallace then goes on by telling you possible things that could've happened but didn't. When telling these stories he tries to make himself sound like a phreaker but he didn't even do anything. Then, he tells you some really obvious stuff like "To start phone phreaking, you need access to a telephone." and "phreaking from your own phone will let the telephone company trace it to your house." I don't know if he couldn't think of anything else or he thinks you are really stupid. After that, he talks about phreaking color boxes and then goes on to voice mail hacking. Then, he talks about cellular phone fraud and TV satellite descrambling.
Chapter 7 talks about defeating windoz 3.1/95/98 screen saver passwords which if you ever tried you should've done it on the first or second try. It also talks about cracking program passwords and then it goes on to defeating parental control software. If you can't access certain web pages, Wallace tells you how by having the html code emailed to you. He also shows you how to read banned books in secret.
Chapter 8 talks about harassing online services, how pedophiles stalk innocent children and what you can do to stop them. He tells you about generating fake credit card numbers and making your own online harassment program.
Chapter 9 talks about stopping spam. It shows you multiple ways to take revenge on spammers. If the spammer used a forged email address, Wallace shows you how to track down the spammer like two magnets attracting each other.
Chapter 10 shows some pictures of actual hacked web sites and how to hack them.
Chapter 11 shows you how to track people down by using specific things about them. For example if you only had their SSC# how you could still find them no matter where they were. At the end of the chapter, he shows you how to hide yourself if you don't want to be tracked down or how to let someone easily find you if, for example, you gave your child up for adoption years ago and you don't want to contact him/her but you do want to let them find you if they ever wanted you.
Chapter 12 shows you about ConGames on the Internet. It shows you how to do them and how to protect yourself from them.
Chapter 13 Viruses Part I. (I heard that the plural form of virus is supposed to be virii, just like the plural form of fungus is fungi, but in the book it is written viruses so that's how I will spell it.)
This chapter explains what viruses are, the parts of them, how to tell if you have a virus on your computer, the different infection methods, if all viruses are bad and how to learn more about them.
Chapter 14 Viruses Part II.
This chapter shows the different methods of how an antivirus program works and what to do if you find a virus (if you say any idiot knows that if you find one you should delete it, but you could also send it in to an antivirus program if you think it is an uncommon virus, keep a copy of it, modify the virus and make a new one and many other things).
Chapter 15 tells you about writing your own computer virus. Wallace also tells you to watch out because viruses sometimes attack their own creators. He tells you some true things about antivirus companies like how they hire virus writers to help them detect viruses (makes sense, doesn't it) and how there isn't any evidence of this, but that they may hire the virus writers to write a virus that only they have the antidote for so people will buy their program to detect it.
Chapter 16 is about Java applets. I haven't read all of it but so far so good.
Appendix A is the glossary with a decent amount of terms covered in the book. I really haven't used it too much because I never needed to.
Appendix B is Visual Basic 3.0 (a very easy programming language that I suggest you learn) source code for altering Mega$hack, a program he discusses in 12 (it is used by cons but he alters it so they get a taste of their own medicine). The source code is written on the page so you will have to type it into your Visual Basic compiler.
Appendix C is about additional resources. It is compiled of online magazines, webpages, hacker conventions and more.
Summary: This book is for you if you are interested in the above things. The websites and newsgroups in the book lead to nothing except for a few like metacrawler that he obviously was paid to advertise for. If you are still unsure after reading all the reviews, go to a local bookstore and see if they have this book there. If they do then look at it, see if you like it and if so, compare the prices of Amazon plus the shipping and time to the prices of the bookstore. I hope that this review helped you because I know what it is like to have one person rate it 5 stars and another person rate it 1 star. Since this is a pain, I figured that instead of giving my opinion, I would tell you what the book had in it.





Build Your Own Security Lab: A Field Guide for Network Testing Review

Build Your Own Security Lab: A Field Guide for Network Testing
I'll be completely honest. I went through this in about two hours, and I plan on returning it. It simply didn't have anything new for me. I was expecting it to be more along the lines of setting up a virtual network, attempting to hack the VMs, and then checking the procedures to see if you did it right.
Instead, this book covers things like how to install OSes into VMs, gives basic overviews of tools, etc. However, this is a great book if you're at the appropriate level for it. I think this makes a good follow-up to CompTIA's Security+ certification. It'll help novices get their feet wet with actual hands-on activities. I've done nearly everything in this book on my own, and that's really the only problem with it. While I didn't pay a great deal of attention to every bit of text, it seemed to be technically accurate and free from errors.
I wish I could give a more detailed review, but I thought I'd at least post this since no one has reviewed it yet. Just take your skill level into account when considering this title. If you want more advanced books, check out the Hacking Exposed series, Grey Hat Hacking, and the Penetration Tester's Open Source Toolkit.


If your job is to design or implement IT security solutions or if you're studying for any security certification, this is the how-to guide you've been looking for. Here's how to assess your needs, gather the tools, and create a controlled environment in which you can experiment, test, and develop the solutions that work. With liberal examples from real-world scenarios, it tells you exactly how to implement a strategy to secure your systems now and in the future.
Note: CD-ROM/DVD and other supplementary materials are not included as part of eBook file.


Chained Exploits: Advanced Hacking Attacks from Start to Finish Review

Chained Exploits: Advanced Hacking Attacks from Start to Finish
I looked forward to Chained Exploits (CE) by Whitaker, Evans and Voth with much anticipation as the concept is a much needed addition to the lexicon on information security. Often academic fields are severely limited by the vocabulary available to discuss issues and the "chained exploit" is sure to become a mainstay in the discourse of information security. Despite my enthusiasm for the concept, however, I was disappointed by the material presented in CE. The genius of the chained exploit is that it upends the traditional threat matrix, typically presented as:
[value of resource] x [likelihood of exploit] = [risk level]
For example, a high value resource that is unlikely to be exploited should be ranked as a low risk, as should a low value resource that is likely to be exploited. Think of this in terms of a temporary database of publicly available information used to populate a user demonstration website that is wiped out every 24 hours. If that information is compromised it has no value, so even if the compromise is likely it is a low risk system. Conversely, if a system that contains critical financial information is confined to a single workstation that is removed from any networking and housed in a guarded facility, it too is a low risk system (since the likelihood of compromise is low).
Unfortunately many auditors make risk assessments based on circumstances in a vacuum. This is where the concept of "chained exploits" becomes so valuable. For instance, if a vulnerability were discovered in a local binary accessible to users that allows privilege escalation, but the local binary exists on a system that has no users (other than administrators who already have root privileges) it is often considered a low risk. Many times patches for these sorts of vulnerabilities are not installed because the patch could introduce instability and would not be considered worthy of the expense given the low risk. Similarly a vulnerability could be discovered in a web service that when exploited could allow a remote attacker to gain an unprivileged local account that, say, only had access to read and write to the /tmp directory. This could also be considered a low risk since such limited access wouldn't present any threat to the system. However, if you "chained exploits" for the two vulnerabilities you suddenly have a condition where a remote attacker can gain a local account and elevate their privilege! This contravenes the low risk ranking of the individual vulnerabilities. When combined they suddenly become a very high risk to the system.
It was this sort of "chain" that I hoped CE would explore. Instead the material presented in the book consisted of context to several high risk vulnerabilities to explain why they might be used in tandem. For instance, the book would propose a scenario where a remote attacker installed a backdoor rootkit on a corporate network workstation, then used that workstation to access the central database using default system administrator credentials. Each of the conditions used in these "chains" is extremely high risk already, and thus the book doesn't present any new material for seasoned information security professionals to consider.
For a novice this book is a great resource. It is full of the sorts of horror stories that professionals are all too familiar with, but could potentially be eye opening for a neophyte or someone unfamiliar with computer security. At the very least it is a page turning exploration of very real and often under appreciated risks to enterprises.
I was disappointed that the book didn't raise the level of discourse in the information security field but I suspect that wasn't the point of Chained Exploits. Instead it reads like a greatest hits sequence prepared by veteran penetration testers. It makes for interesting reading, but it isn't particularly informative. Don't look for any new 0 day exploits (or even a discussion of how to find such flaws). Instead the book contains a litany of well known routes to system compromise and illustrative narratives that tie them together in real world scenarios.
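The risk reasoning in the review above, scoring each finding with the [value] x [likelihood] matrix in isolation and then scoring the chained path, as an added example that is not code from the book or from the reviewer. The privilege levels, resource values and likelihoods are constructed for illustration; the two findings mirror the review's web-service foothold and local-binary privilege escalation.

```python
"""Risk assessment of individually low-risk findings that chain into a
high-risk path (added example; the figures are constructed, not from the book)."""
from dataclasses import dataclass

# Value of what an attacker holds at each privilege level (constructed scale).
PRIV_VALUE = {"remote": 0, "local": 1, "root": 10}


@dataclass(frozen=True)
class Vuln:
    name: str
    requires: str      # privilege level the attacker must already hold
    grants: str        # privilege level gained on success
    likelihood: float  # probability of successful exploitation once reachable


def isolated_risk(vuln: Vuln, attacker_position: str = "remote") -> float:
    """The classic matrix applied in a vacuum: [value] x [likelihood].

    A finding whose precondition the attacker does not already hold is scored
    as unreachable, which is exactly how a local privilege escalation on a
    'no users' box ends up rated low risk.
    """
    reachable = 1.0 if vuln.requires == attacker_position else 0.0
    return PRIV_VALUE[vuln.grants] * vuln.likelihood * reachable


def chained_risk(vulns, start: str = "remote"):
    """Propagate the attacker's position across every finding whose
    precondition is already reachable, keeping the most likely chain to each
    privilege level.  Returns {level: (risk, [finding names in order])}."""
    best_prob = {start: 1.0}
    best_path = {start: []}
    changed = True
    while changed:  # fixed-point iteration; strict '>' guarantees termination
        changed = False
        for v in vulns:
            if v.requires not in best_prob:
                continue
            p = best_prob[v.requires] * v.likelihood
            if p > best_prob.get(v.grants, 0.0):
                best_prob[v.grants] = p
                best_path[v.grants] = best_path[v.requires] + [v.name]
                changed = True
    return {level: (PRIV_VALUE[level] * p, best_path[level])
            for level, p in best_prob.items()}


# Constructed sample: the review's two findings, each scored low on its own.
WEB_TMP_WRITE = Vuln("web-tmp-write", requires="remote", grants="local", likelihood=0.8)
SETUID_PRIVESC = Vuln("setuid-privesc", requires="local", grants="root", likelihood=0.9)
FINDINGS = [WEB_TMP_WRITE, SETUID_PRIVESC]


if __name__ == "__main__":
    for v in FINDINGS:
        print(f"{v.name:15} isolated risk = {isolated_risk(v):.2f}")
    for level, (risk, path) in chained_risk(FINDINGS).items():
        print(f"{level:7} chained risk = {risk:.2f} via {' -> '.join(path) or '(start)'}")
```

Scored in isolation, the web flaw is worth 0.8 (a /tmp-only account) and the privilege escalation 0.0 (no remote attacker holds a local account), so both land in the low-risk bucket; scored as a chain, root is reachable with probability 0.72 and the same two findings produce a risk of 7.2. The point for a defender is that a patch deferred on the strength of the isolated score has to be re-evaluated whenever a new foothold appears.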


The complete guide to today's hard-to-defend chained attacks: performing them and preventing them
Nowadays, it's rare for malicious hackers to rely on just one exploit or tool; instead, they use "chained" exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don't cover them at all. Now there's a book that brings together start-to-finish information about today's most widespread chained exploits, both how to perform them and how to prevent them. Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today's most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering. Writing for security, network, and other IT professionals, the authors take you through each attack, one step at a time, and then introduce today's most effective countermeasures, both technical and human.
Coverage includes:
Constructing convincing new phishing attacks
Discovering which sites other Web users are visiting
Wreaking havoc on IT security via wireless networks
Disrupting competitors' Web sites
Performing and preventing corporate espionage
Destroying secure files
Gaining access to private healthcare records
Attacking the viewers of social networking pages
Creating entirely new exploits
and more
Andrew Whitaker, Director of Enterprise InfoSec and Networking for Training Camp, has been featured in The Wall Street Journal and BusinessWeek. He coauthored Penetration Testing and Network Defense. Andrew was a winner of EC Council's Instructor of Excellence Award.
Keatron Evans is President and Chief Security Consultant of Blink Digital Security, LLC, a trainer for Training Camp, and winner of EC Council's Instructor of Excellence Award.
Jack B. Voth specializes in penetration testing, vulnerability assessment, and perimeter security. He co-owns The Client Server, Inc., and teaches for Training Camp throughout the United States and abroad.


Stealing the Network: The Complete Series Collector's Edition, Final Chapter, and DVD Review

Stealing the Network: The Complete Series Collector's Edition, Final Chapter, and DVD
I have just finished a marathon session of reading "Stealing the Network: The Complete Series Collector's Edition" and I have a very conditional review of it: It's a must-have if you don't already own the previous editions of these guilty pleasures. If you are already a fan, however, prepare to be let-down by the compilation.
The stories of the Stealing the Network series entertain in the same way that "war stories" from fellow hackers and security professionals often keeps a more intimate audience's interest: by mixing intriguing situations with juicy technical detail that can serve as a useful take-away. No one will accuse these books of containing fine literature, but that's not really the point. The stories are well written enough to keep you wanting to know what will happen next, while the technical information is as accurate as you're likely to see in fiction. Segments involving hacking are written and illustrated with enough attention to detail and length to serve as introductory educational tutorials for the topics (including web application hacking, reverse engineering, and wireless security). Most of these scenarios are believable as parts of larger-scale operations.
The first book of the series consists of independent short stories based around characters of the authors' creation. The other three books in the compilation tell an over-arching story of a larger "operation", which involves many characters and their independent stories. The second book, "How to Own a Continent", is probably my favorite, along with the first ("How to Own a Box"), for keeping things simple, technical, and focusing on the individual stories. The third book, "How to Own an Identity", suffers from having worse editing than the rest of the series, and may lose some readers' interest. The fourth book ("How to Own a Shadow") reads a lot better, and wraps the overall story up well; however, it focuses only on a relative handful of the series' characters.
As a compilation, this Collector's Edition leaves much to be desired. While the original description for this edition described the books contained within as being "author-annotated", this is not the case. The individual books are reproduced exactly as they were in their original editions, with no additional commentary from the authors, and with all the same problems as the originals. For example, screenshots in the first chapter of the first book are the same illegible black squares that were in the original edition of the book published 7 years ago. The annotations along with other features described in the original description (emails, photographs) that would provide a lot of interesting background material, would have made this compilation a must-buy.
The extra content that you are receiving is a brief new foreword by Jeff Moss, and a "Final Chapter" by Ryan Russell. The new chapter is about 20 pages long, and gives the story-line a proper ending. I won't ruin anything about it, but I will say that I enjoyed it. Syngress has promised in the description of the book to make this content available separately in electronic form in six months.
The included DVD is described on the back-cover copy as being "full" of behind-the-scenes stories. In reality, you will only find 20 minutes of interviews with a few of the authors. I enjoyed these interviews, however, much like the print companion, I felt like more should have been done. Also beware that there are problems with the audio on the DVD. When played on my MacBook, there was noticeable crackling/popping in the audio of the DVD. The same noise was present, but less noticeable when played through a stand-alone DVD player through a television.
To summarize, I like the books, and find them as entertaining as I did when they were originally published, and I like the new hardcover binding. I do think that it is unfortunate that the "Stealing the Network: The Complete Series Collector's Edition" does not meet its potential to be more than the sum of its parts. There seems to have been intent at some point to add value to the set, but it wound up simply being a rough concatenation of the individual books.
If you haven't read these books, then I very much recommend picking up this set. It's 1,000 pages of interesting stories and technical material. If you already have the previous editions of the Stealing the Network Series, however, you might find it hard to justify paying for them again.



"Stealing the Network: How to Own the Box is a unique book in the fiction department. It combines stories that are fictional, with technology that is real. While none of the stories have happened, there is no reason why they could not. You could argue it provides a road map for criminal hackers, but I say it does something else: it provides a glimpse into the creative minds of some of today's best hackers, and even the best hackers will tell you that the game is a mental one." - from the Foreword to the first Stealing the Network book, How to Own the Box, Jeff Moss, Founder & Director, Black Hat, Inc. and Founder of DEFCON

For the very first time the complete Stealing the Network epic is available in an enormous, over 1000 page volume complete with the final chapter of the saga and a DVD filled with behind the scenes video footage!

These groundbreaking books created a fictional world of hacker superheroes and villains based on real world technology, tools, and tactics. It is almost as if the authors peered into the future as many of the techniques and scenarios in these books have come to pass.

This book contains all of the material from each of the four books in the Stealing the Network series.

All of the stories and tech from:


How to Own the Box

How to Own a Continent

How to Own an Identity

How to Own a Shadow

Plus:


Finally - find out how the story ends! The final chapter is here!

A DVD full of behind the scenes stories and insider info about the making of these cult classics!
* Now for the first time the entire series is one 1000+ page book
* The DVD contains 20 minutes of behind the scenes footage
* Readers will finally learn the fate of "Knuth" in the much anticipated Final Chapter


How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD Review

How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book and CD
I recently finished reading How to Break Web Software: Functional and Security Testing of Web Applications and Web Services by Mike Andrews and James A. Whittaker. I, like many of you, develop web software for a living. I've always taken security seriously and occasionally sneered when I ran across examples of common mistakes. Having said that, this book was an eye opener for me.
The book covers common exploits such as bypassing input validation, SQL injection, and denial of service. There were also several types of attacks I hadn't really considered before. I won't list them here because someone would undoubtedly say, "I can't believe he didn't know about that one!" The authors cover 24 different types of attacks in all. The book also includes coverage of web privacy issues and security related to web services.
Finally, as icing on the cake, a CD is included that contains many tools that will find permanent spots in your arsenal. There are tools to do things like scan web servers for common exploits, mirror sites for local analysis, and check SSL cipher strengths. My favorites are the local proxies that will allow you to view and modify posts as they travel from the client and the server. I always knew I could do this, but didn't know how easy it is. The CD also contains the source code of an example site that includes many flaws for you to practice.
This book is written for software professionals to help them put the hackers out of business. So, it necessarily includes hacker techniques. If you develop or test web software, you should read this book before the hackers do. :-)


Since its early days as an information exchange tool limited to academe, researchers, and the military, the web has grown into a commerce engine that is now omnipresent in all facets of our lives. More websites are created daily and more applications are developed to allow users to learn, research, and purchase online. As a result, web development is often rushed, which increases the risk of attacks from hackers. Furthermore, the need for secure applications has to be balanced with the need for usability, performance, and reliability. In this book, Whittaker and Andrews demonstrate how rigorous web testing can help prevent and prepare for such attacks. They point out that methodical testing must include identifying threats and attack vectors to establish and then implement the appropriate testing techniques, manual or automated.


Cyberpower and National Security (National Defense University) Review

Cyberpower and National Security (National Defense University)
Last week at InfowarCon, Dan Kuehl handed me a copy of "Cyberpower and National Security." This has been a topic Dan has been exploring in some detail for quite a while. I first met Dan in 1996 when I was a student at the USMC Command and Staff College. Dan was already writing and exploring concepts related to cyber power and information warfare, and his deep focus and insights into this still emerging mission area continue today.
About the book: it is big. Not just in pages (it weighs in at 642 pages); it is big in info. Chapters are written by some of the greatest thinkers of the Cyber War mission area. Folks like Dan Kuehl, Edward Skoudis, Greg Rattray, Martin Libicki, Irving Lachow, Tim Thomas, Tom Wingfield and of course the editors Franklin Kramer, Stuart Starr and Larry Wentz. These and the other contributors are all well respected thought leaders, and each provides insights I believe will be of use to today's strategic planners.
As for the content, it starts with a great foundation and overview of what is meant by Cyberspace (building on Dan Kuehl's well articulated definition) and also spells out key issues that policy makers and national security strategists must tackle. It then spells out changes in cyberspace, including projections into the near future, and ends with an analysis of the impact of all these changes, including the considerations we must think through in our strategic deliberations.
I now consider this book a critical foundational work that should be studied by anyone who seeks to dialog on modern national security issues. This book does for the strategic domain what the Common Audit Guidelines did for the operational cyber domain.


The cyber domain is undergoing extraordinary changes that present both exceptional opportunities to and major challenges for users of cyberspace. The challenges arise from the malevolent actors who use cyberspace and the many security vulnerabilities that plague this sphere. Exploiting opportunities and overcoming challenges will require a balanced body of knowledge on the cyber domain. Cyberpower and National Security assembles a group of experts and discusses pertinent issues in five areas. The first section provides a broad foundation and overview of the subject by identifying key policy issues, establishing a common vocabulary, and proposing an initial version of a theory of cyberpower. The second section identifies and explores possible changes in cyberspace over the next fifteen years by assessing cyber infrastructure and security challenges. The third section analyzes the potential impact of changes in cyberspace on the military and informational levers of power. The fourth section addresses the extent to which changes in cyberspace serve to empower key entities such as transnational criminals, terrorists, and nation-states. The final section examines key institutional factors, which include issues concerning governance, legal dimensions, critical infrastructure protection, and organization. Cyberpower and National Security frames the key issues concerned and identifies the important questions involved in building the human capacity to address cyber issues, balancing civil liberties with national security considerations, and developing the international partnerships needed to address cyber challenges. With more than two dozen contributors, Cyberpower and National Security covers it all.


Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice) Review

I want to be fair here. I bought this book not to read hype on what looks like an emerging technology, albeit massively overhyped, but rather to read about legal and business issues that might moderate its acceptance. To be fair, I will return to give my appraisal after I have finished, but I was forced to share this so as to, perhaps, give pause to others interested in buying this book. I've seen webinars that refer to cloud computing as 2-10 technology: massively hyped for 2 years, and it will take the next 10 for the industry to sort out where it fits (and maybe more importantly where it does not).
The first two glaring take-aways I've seen in this book are 1) the mashing of the social web into cloud computing, vis-a-vis considering MySpace, FaceBook, and other social web sites as examples of cloud computing; they are not; 2) the notion that end users will be writing their own programs in the clouds vs. the, since the dawn of software development, programmer (or more recently developers) writing the programs, tech writers writing the documentation, marketeers hyping the program and end users buying or using, with embedded ads, the software. Both of these are orthogonal to 'cloud computing'. While it may be that someday, in a "Battlestar Galactica" age, end users will speak to their computer in whatever language they speak and tell it what they'd like it to do, for now it takes specialized training, and while the computer languages used are different syntactically from those used in the '60s and '70s, fundamentally they are not different at all. Of course someday maybe everyone will be flying their cars to work and to play. On your next flight anywhere, tap the pilot and ask him how much specialized training he's had in order to taxi a plane, much less leave the ground and return it in one piece to wherever they said they would land it.
The authors talk about computing being a utility like electricity providers (or cable providers), yet they also talk about global compute clouds. Are there global utility companies? They talk about replacing NetBeans, Eclipse, Microsoft Visual Studio (IDEs) with some Utopian ephemeral global software development environment where the tools and end products exist virtually in some ether. None of that has to do with IT Governance and Security, much less Amazon, Terremark, Eucalyptus, RightScale, or CloudSwitch. Where they have another 10-11 chapters I withhold final judgment, but I felt I owed it to others innocently looking for a good source of information, not hand-waving, on this subject. Just as with any emerging technology or software development language, there are plenty of people that emerge from the woodwork to write a book on it, totally independent of their experience with it. Confusing Cloud Computing and Web 2.0 is not going to garner confidence. If unwary readers do not discover this until after they have purchased the book, it will not make any difference.
As a professional software developer I can tell you provisioning an image for execution in the cloud is more intensive than provisioning a bare metal server. End users are not going to be doing anything more than issuing a run command on a pre-existing image.
Here is my take: Running your business at an undisclosed facility managed by Amazon (or others) is no more cost effective than running your business out of a service center was in the '70s or '80s. If you don't physically control the data, you don't physically control access to it either. Nowadays you are under legal obligation to do so. I spent the money on this book hoping there was more substance to the security, privacy, and governance aspects of cloud computing than I just summarized.
Since one of the authors has decided to launch personal attacks on me, I will continue with my review with Chapter 3. I didn't really pick up on this in chapters 1 and 2, but I am now concerned about who edited this book. Even at the high school level children are taught to never ever cite Wikipedia for their references. I noticed the bulk of the footnotes cited are Wikipedia. Since the source of information found on Wikipedia is unknown, its validity is also unknown. The professional standard for citations is peer reviewed sources. By using these there is a level of confidence that a claim made, by virtue of its citation, is likely of high quality.
An assertion, I believe, made several times, and characterized on pg 52: "The new mantra of 'the browser is your operating system...browsers have become the ubiquitous operating systems for consuming cloud services". I would call to the reader's attention in any legitimate Computer Science source the definition of an operating system. Internet Explorer is not an example of an operating system. Furthermore, services, clouded or not, where the Internet browser is the user interface (UI, or GUI in this case), are but one type of solution space, often characterized as LAMP or Linux, Apache, MySQL, and PHP. This is totally independent of cloud anything. I contend whenever one writes a book (or publishes one) there are two axes of importance, the first being whether the material is relevant to the topic and the second whether the material is factually accurate. While one might choose to host multiple web containers in the 'cloud' to take advantage of the elasticity of the cloud for scaling up and down with volume, another pervasive class of problem that takes place in a cloud-like environment is compute scaling, such as can be seen in grid computing. In this space a problem may arise where 100 or 1000 processors are required to solve a compute intensive problem but only for a few hours. This, as opposed to 24x7x365, is an excellent usage of public cloud (burst mode). To the extent the author is, thus far, focusing on web based interaction with the cloud, he calls out but never elaborates on why there is any more vulnerability for a web container hosted at an Amazon secure facility, for instance, than there is within one's own perimeter. The threat vector is port 80 or port 8080. Of course, if there really is one, the obvious solution is to use off port, two phase SSL, where both the client side and server side are digitally authenticated and encrypted, and host the open (proxy) website(s) within your perimeter.
In either case the DoS attack on port 80 or 8080 is independent of the location of the web container. Isn't that correct, Tim?
In chapter 3, pg 52: "Using hijacked or exploited cloud accounts, hackers will be able to link together computing resources to achieve massive amounts of computing without any of the capital infrastructure costs". Really? What about the account owner seeing running instances on their accounts they aren't using? How long does it take for a credit card owner or provider to realize an account is being misused? There is an easier vector for this; they are called bots and have been around for years. One need but Google the program Asphyxia. If you, for any decision, had a choice of hard vs. easy...which do you think a hacker would take?
In chapter 3, the author discusses type 1 and type 2 hypervisors. This is something of an arcane distinction, but he refers to Xen as type 1, bare metal. This actually is incorrect as Xen is hosted by an operating system, meaning it is not bare metal [...]. The authors spend much time on Xen, which is relevant from the perspective of security attacks against it, but in that vein not a single mention, that I have found, is made of KVM, which is part and parcel of all remotely recent versions of Linux from, I believe, 2.6.20 and up. Ubuntu Enterprise Cloud is based on KVM, as is Red Hat's virtualization and cloud family. But, this is why they make second editions.
Another assertion the authors make in chapter 3 (pg 59): "Security requirements such as an application firewall, SSL accelerator, cryptography, or rights management... are not supported in a public SaaS, PaaS, or IaaS cloud". Huh???? I refer the reader to Amazon's VPC, Intel's Service Gateway, SELinux, UFW. That is simply a patently false statement. Of course you can host your applications on an instance of an image configured with SELinux in enforce mode, fully firewalled, with no open connections on unsecured ports, and be quite secure. However, if this book was written in 2008 only to be published in early 2009, this may have been a more true statement then. However, few people knew what cloud was in early 2009, and the entire field has rapidly evolved since the authors wrote this book. This is why it is necessary for authors, and publishers, to maintain an errata site, perhaps in the cloud, where corrections and retractions to, best case dated, worst case patently false, statements can be made. Intel, by the way, is also producing encrypting NICs (network interface cards).
While I still subscribe to my previous comment about if you don't control your data you don't control who has access to it, I do have an addendum to it. Cloud computing is a rapidly evolving field. A book, written by anyone, 2 years or more ago on cloud computing is, almost by definition, wrong or highly questionable. Technology simply moves faster than publishers generally do. If you have data that you don't want to or, legally, cannot share, it, in all likelihood, does not belong in a public cloud. If you are risk averse, it does not. If you are risk tolerant then the decision should be dependent on talking to vendors, cloud and operating system (no, not web browsers). What are the cloud vendor's SLA, what is the insurance on data breaches, what is the state of the art vis-a-vis SELinux, encrypting NICs, encrypted databases, the cloud vendor's physical security, software security, etc.? Who had physical access to software keys?
We are a long way from the George Jetson world. In our lifetime people won't be flying their cars to work. Provisioning of data...



You may regard cloud computing as an ideal way for your company to control IT costs, but do you know how private and secure this service really is? Not many people do. With Cloud Security and Privacy, you'll learn what's at stake when you trust your data to the cloud, and what you can do to keep your virtual infrastructure and web applications secure. Ideal for IT staffers, information security and privacy practitioners, business managers, service providers, and investors alike, this book offers you sound advice from three well-known authorities in the tech security world. You'll learn detailed information on cloud computing security that, until now, has been sorely lacking.

Review the current state of data security and storage in the cloud, including confidentiality, integrity, and availability
Learn about the identity and access management (IAM) practice for authentication, authorization, and auditing of the users accessing cloud services
Discover which security management frameworks and standards are relevant for the cloud
Understand the privacy aspects you need to consider in the cloud, including how they compare with traditional computing models
Learn the importance of audit and compliance functions within the cloud, and the various standards and frameworks to consider
Examine security delivered as a service, a different facet of cloud security



Googling Security: How Much Does Google Know About You? Review

It has been suggested that if one were somehow able to change history so that aspirin had never been discovered until now, it would have died in the lab and stand no chance of FDA approval. In a report from the Manhattan Institute, they write that no modern drug development organization would touch it. Similarly, if we knew the power that Google would have in 2008 with its ability to aggregate and correlate personal data, it is arguable that various regulatory and privacy bodies would never allow it to exist given the extensive privacy issues.
In a fascinating and eye-opening new book, Googling Security: How Much Does Google Know About You?, author Greg Conti explores the many security risks around Google and other search engines. Part of the problem is that in the rush to get content onto the web, organizations often give short shrift to the security and privacy of their data. At the individual level, those who make use of the innumerable and ever expanding amount of Google free services can end up paying for those services with their personal information being compromised, or shared in ways they would not truly approve of, but implicitly do so via their acceptance of the Google Terms of Service.
While the book focuses specifically on Google, the security issues detailed are just as relevant to Yahoo, MSN, AOL, Ask and the more than 50 other search engines.
Until now, Google and security have often not been used together. As an example, my friend and SEO guru Shimon Sandler has a blog around search engine optimization (SEO). In the over three years that his blog has been around, my recent post on The Need for Security in SEO was the first on the topic of SEO security. Similar SEO blogs also have a very low number (and often no) articles on SEO and security. Sandler notes that when he mentions privacy issues around search to his clients, it is often the first time they have thought of it.
The book opens with the observation that Google's business model is built on the prospect of providing its services for free. From the individual user's perspective, this is a model that they can live with. But the inherent risk is that the services really are not completely free; they come at the cost of the loss of control of one's personal information that they share with Google.
The book lists over 50 Google services and applications which collect personal information. From mail, alerts, blogging, news, desktop, images, maps, groups, video and more. People are placing a great deal of trust into Google as each time they use a Google service, they are trusting the organization to safeguard their personal information. In chapter 5, the book lists over 20 stated uses and advantages of Google Groups, and the possible information disclosure risks of each.
In the book's 10 chapters, the author provides a systematic overview of how Google gets your personal data and what it does with it. In chapter 3, the book details how disparate pieces of data can be aggregated and mined to create extremely detailed user profiles. These profiles are invaluable to advertisers who will pay Google dearly for such meticulous user data. This level of personal data aggregation was impossible to obtain just a few years ago, given the lack of computing power, combined with the single point of user data. The book notes that this level of personalization, while golden to advertisers, is a privacy anathema.
Chapter 6 is particularly interesting in that it details the risks of using Google Maps. Conti explains that the privacy issue via the use of Google Maps is that it combines disclosure risks of search and connects it to mapping. You are now sharing geographic locations and the associated interactions. By clicking on a link in a Google map, the user discloses and strengthens the link between the search they performed and what they deemed as important in the result. By aggregating source IP addresses and destination searches, Google can easily ascertain confidential data.
After detailing over 250 pages of the risks of Google and related services, Chapter 9 is about countermeasures. Short of simply not using the services, the book notes that there is no clear solution for protecting yourself and company from web-based information disclosure. Nonetheless, the chapter lists a number of things that can be done to reduce the threat. Some are easier, some are harder; but they can ultimately add up to a significant layer of protection. Chapter 9 details 11 specific steps that help users appreciate the magnitude of their disclosures and make informed decisions about which search services to use.
Googling Security: How Much Does Google Know About You? is an important book given that far too many people do not realize how much personal information they are disclosing on a daily basis. An important point that the book makes is that small information disclosures are not truly small when they are aggregated over the course of years. Advances in data mining and artificial intelligence are magnifying the importance of the threat, all under the guise of improving the end-user experience. The book emphasizes the need to evaluate the short-term computing gains with the long-term privacy losses.
The final chapter notes that apathy is the enemy. As a user becomes aware of the magnitude of the threat, they will see it grow every day. But the next step is to take action. Be it with technical countermeasures, taking your business where privacy is better supported, or petitioning lawmakers.
As to the underlying question, "how much does Google know about you?", the answer is that it is a colossal amount, far more than most people realize. For anyone who uses the Internet, Googling Security should be on their list of required reading. The risks that Google and other search engines present are of great consequence and can't be overlooked. If not, privacy could slowly be a thing of the past.



What Does Google Know about You? And Who Are They Telling? When you use Google's "free" services, you pay, big time–with personal information about yourself. Google is making a fortune on what it knows about you…and you may be shocked by just how much Google does know. Googling Security is the first book to reveal how Google's vast information stockpiles could be used against you or your business–and what you can do to protect yourself. Unlike other books on Google hacking, this book covers information you disclose when using all of Google's top applications, not just what savvy users can retrieve via Google's search results. West Point computer science professor Greg Conti reveals the privacy implications of Gmail, Google Maps, Google Talk, Google Groups, Google Alerts, Google's new mobile applications, and more. Drawing on his own advanced security research, Conti shows how Google's databases can be used by others with bad intent, even if Google succeeds in its pledge of "don't be evil." Uncover the trail of informational "bread crumbs" you leave when you use Google search
