
Date: Tue, 6 Apr 1999 10:14:14 -0600 (MDT)
From: mea culpa <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] REVIEW: "Hacker Proof", Lars Klander 


Forwarded From: "Rob Slade" <rslade@sprint.ca>

BKHKRPRF.RVW   990228

"Hacker Proof", Lars Klander, 1997, 1-884133-55-X, U$54.95/C$74.95
%A   Lars Klander lklander@jamsa.com
%C   2975 S. Rainbow Blvd., Suite 1, Las Vegas, NV   89102
%D   1997
%G   1-884133-55-X
%I   Jamsa Press/Gulf Publishing Co.
%O   U$54.95/C$74.95 800-432-4112 fax 713-525-4670 starksm@gulfpub.com
%P   660 p. + CD-ROM
%T   "Hacker Proof: The Ultimate Guide to Network Security"

There is a great deal of information on security contained within this
book.  Unfortunately, it is presented without a cohesive framework.  The
overall impression is good.  A lot of the forms that would make up a
useful work are followed, such as a summary (rather ironically, in view of
the scattered nature of the text, called "Putting It All Together") and a
set of resources at the end of every chapter.  The author seems to be
easily distracted, continually jumping to the next, more sensational,
topic. 

Although not divided into parts, the contents do have some logical
divisions.  Initially, we are presented with what seems to be intended as
background material, although the scattergun approach leaves all of the
synthesis up to the reader.  Chapter one is a rather unfocussed
introduction, talking as much about Internet technologies as about
security.  Errors are rather common, ranging from chunks missing out of
sentences to figures with no cutlines to security weaknesses that are
essentially duplicates of each other to mailing lists that haven't
distributed material for years (with contact addresses that are even
older).  Theoretically the networking concepts and details in chapter two
might aid in understanding system vulnerabilities, but in the fact of the
book they do not seem to be used effectively.  The discussion of firewalls
does not provide sufficient information about either the needs,
weaknesses, or possible inconveniences of the different types in chapter
three.  The material on encryption, in chapter four, mentions a number of
the currently important standards, but the explanations are so flawed that
the chapter could not be used to inform a decision on the strength or use
of a cryptographic system. Material on the use of digital signatures is
fairly short, and the remainder of chapter five rehashes, without really
expanding, old ground. 

Another section tries to delve into more networking protocols.  Chapter
six, on HTTP (HyperText Transfer Protocol), is somewhat disjointed, and,
again, fails to seriously examine the security implications.  S-HTTP
(Secure HyperText Transfer Protocol), in chapter seven, deals mostly with
packets and commands, although it does have some limited discussion of
function.  The Secure Socket Layer (SSL) seems to look primarily at
arcana rather than use. 

Chapter nine looks at a few common forms of attack, but presents
information somewhat at random.  Kerberos is reasonably well described in
chapter ten.  Some types of electronic commerce technology are mentioned
in chapter eleven.  There is an extremely limited look at auditing in
chapter twelve, first for UNIX and then for NT.  A very rough look at
security issues within the Java programming language makes up chapter
thirteen.  Chapter fourteen's look at viruses has good basic explanations,
but is unreliable in practice. 

The remaining chapters generally look at security for specific systems. 
Chapters fifteen to seventeen very quickly talk about individual security
functions in NT, NetWare, and UNIX, but fail to analyze, for example, the
effective rights granted by combinations of the different privilege
granting mechanisms.  SATAN (System Administrator's Tool for Analyzing
Networks) for UNIX and Kane Security Analyst for NT get quick overviews in
chapter eighteen. Chapter nineteen presents a number of security
vulnerabilities with the Netscape and particularly the Internet Explorer
Web browsers.  CGI (Common Gateway Interface) form weaknesses are
discussed in chapter twenty, but with so many different languages that the
ultimate advice is simply don't make a mistake when programming. 

The final chapter is a reasonable look at security policies.  However,
with so many items missing from the background provided, the chance of
producing a good policy at this point is relatively small. 

As with "Maximum Security" (cf. BKMAXSEC.RVW), this book attempts to cover
the enormous field of security by throwing out as many bits as possible. 
Therefore large holes are apparent in the coverage.  In addition, the book
lacks an overall framework that could be used to build a security
structure and point the way to vulnerabilities that were not addressed. 
For those who already are well comfortable with security as a concept,
this volume does have a lot of references that might be of use.  For those
new to the topic, it is not reliable enough to start with. 

copyright Robert M. Slade, 1999 BKHKRPRF.RVW 990228

