Hacker's Challenge falls between the cracks

June 30, 2003

Hacker’s Challenge 2
Mike Schiffman, Bill Pennington, Adam J. O’Donnell and David Pollino
Published by McGraw Hill Osborne
Price: R514,95
Book supplied by Intersoft

Let's face it, hacking is boring. Despite what Hollywood would have us believe, real hacking is done by pubescent teenagers in dark rooms, late at night, probably using old, dusty and well-worn hardware. The actual act of hacking a computer system or network is generally a painstaking and bloody-minded process of trial and error, certainly no more glamorous than completing your income tax forms and fighting with the receiver of revenue over that R2,50 rebate due you.

With this in mind, any book detailing any form of hacking faces a number of formidable challenges. Firstly, the book must somehow capture the imagination of the reader before delving into the details; secondly, the book must carefully target its intended audience; and finally, the authors must present the details in an easy to read yet sufficiently comprehensive format.

Hacker’s Challenge 2 grabbed my attention with the blurb claiming “This unique volume tests your computer forensics and response skills with all brand-new, real life security incidents”. Knowing how reticent companies are to admit to having been hacked (should they even have the skills to detect it), this book offered a tantalising peek into unknown territory. Well, it was a good try anyway!

On the first count of grabbing the imagination of the reader I would have to applaud the efforts of the authors. While understandably having to protect the anonymity of the companies involved, the authors have prefaced most of the nineteen incidents with a well spun tale. No systems administrator reading this book will fail to chuckle quietly and see something of themselves in the thoughts of the administrators in these pages. That said, the interaction between the “script kiddie” and the wiser, older “security guru” of challenge number ten was rather contrived and made for painful reading. The social engineering example of challenge number eight was rather inappropriate and begs the question why the authors could not find something more suitable.

This book mostly fails in my eyes on the second and third counts. On the one hand, the incidents are detailed well and the authors have mostly distilled the pertinent information from what must have been thousands of pages of forensic evidence. However, for the reader to fully grasp the details of each incident he will have to have at least some knowledge of a broad range of technologies and products. He will need to be familiar with Cisco PIX, routers and IOS, firewalls and firewall rule-bases in general, C/C++ programming and SQL. In addition, the reader must be intimately familiar with TCP/IP and sniffing and analyzing network traffic. If a potential reader has never used a tool such as tcpdump or windump, then this book should be given a wide berth.

On the other hand, the solutions to each of the incidents are given a cursory treatment at best. When discussing exploits used by the attackers, the authors rarely give any detail on the inner workings of the exploits and when they do, the attempt is wholly unsatisfactory. The log files, which are often tediously reproduced, are never done any justice by way of reciprocal analysis. By the presentation of the incidents, I would expect that this book is targeted at a sophisticated and experienced security administrator, yet the solutions appear to do their best to steer away from too much techno-speak, seemingly targeted at a less technical (managerial perhaps) audience. The result is that readers from both sides of the technology divide will find this book frustrating.

On the positive side, this book does well in covering, albeit lightly, most of the typical security incidents companies are likely to face. These incidents range from the familiar buffer overflows, social engineering, man-in-the-middle and denial of service (DoS) attacks to probably the less familiar code development sabotage. I believe that an experienced trainer could make good use of this material as part of a training course and should any middle to upper management successfully negotiate the techno-speak they will likely have their eyes opened to the big and nasty world that lurks not far from the safety of their offices.
