Today, while updating this VPS, I took the opportunity to change the style/design of mcgrewsecurity.com. I’m especially proud of the new logo. It’s a combination of several out-of-copyright book scans, and my co-worker Kendall’s keen observation that the bit of the key looked like an RJ-45 Ethernet port. A bit of work later and now it very much looks like one.

Over the past several months, No Starch Press has been kind enough to send along review copies of several of their recent security-related book releases. Soon you’ll start seeing my reviews being posted. Overall, I can say I’m very impressed.


I’ve put off doing this review for too long.  I was sent this book close to its release date, and made quick work of reading through it and making notes for the review. As you’ll see in this post, I don’t think much of it, and I wasn’t looking forward to making such a negative post about it. I would just let it slide, as I prefer to post reviews of books that I like and recommend at least to some extent, but Packt Publishing are heavily promoting this book and I’ve seen several people I know purchase or consider purchasing it. For that reason, I feel like it’s a good idea to warn the target audience of this blog away from it.

At a first glance, it’s easy to be skeptical of this book due to the fact that it had the misfortune of being a Backtrack 4 book published at almost the exact time Backtrack 5 came out. This doesn’t bother me so much. If it were written well, it could easily make up for any differences in the details between versions. Unfortunately, being dated is the least of this book’s problems.

The vast majority of the book is padded with a grocery list of what appears to be each and every tool in the Backtrack distribution. Comprehensive coverage is fine, but each tool gets only the briefest of treatment, with almost no effort made to educate the reader on how the tools work or the background needed to use them effectively. New terms and concepts are thrown at the reader relentlessly without introduction or explanation. This book falls into a useless “middle” state where a beginning user would be better served by a book that gives more depth of coverage for a handful of tools (see Web Application Hacker’s Handbook), while still failing to serve an advanced user who could find the same information quickly in a man page. The book falls well short of its goal of serving as a “single professional, practical, and expert guide to develop hardcore penetration testing skills from scratch”.

There are many instances of wasted space in the book as well. A straight copy-paste of /etc/services is the worst offender. The text doesn’t exactly live up to the promises of its table of contents either. A segment on “Writing exploit modules” simply takes the reader through the source code of an existing Metasploit module, with only the barest of commentary, which makes one wonder whether the authors understand how it works, much less whether the reader will be able to write one (or even read one) in practice.

Aside from the “list of things” approach that takes up the majority of the book, there is a fair amount of text about the penetration testing process that, if executed properly, would make an excellent introduction to newcomers. Unfortunately, it’s written as though the authors intentionally wanted it to be impenetrable and difficult to understand. The following sentence is a representative example:

Since the exponential growth of an IT security industry, there are always an intensive number of diversities found in understanding and practicing the correct terminology for security assessment.

Some of it is just plain wrong. A set of paragraphs equates “black hat” hacking with “black box” testing, and goes on to state the same about “white” and “grey”. It’s difficult to imagine that anyone in penetration testing believes that. The authors take the reader through overwrought descriptions of various testing “methodologies” (the OWASP top ten is not a methodology), and then throw them out in favor of an over-simplified “Backtrack Testing Methodology” that appears to be a simple depth-first traversal of the BT4 menu options.

While it may be tempting to buy this book as a quick reference or summary of all of the tools, I would not encourage it. I would strongly discourage anyone thinking to start out, or get up to speed in penetration testing from buying this book. It’ll just frustrate you. For more experienced readers, there are books that are far more worthy of your time and money.


A while back, I was intrigued by the then-impending release of Gregory Evans’ book, How To Become the World’s No. 1 Hacker. I realized that, even as a self-published book, it would get a lot of attention from people getting started in security, if for no other reason than its “extreme” (and promising!) title. I put in a request for a review copy so that I could give some sort of recommendation one way or the other to students taking security classes here, and others who might stumble across this blog.

The review copy arrived, and I immediately got the same feeling as I got when I took a careful look at the original revision of Dissecting the Hack: that the listed authors of the book did not create the content they were presenting as their own. Googling random samples of the text throughout the book confirmed my suspicions. I switched gears and began documenting all the instances of plagiarism, much as I did for Dissecting.

A few chapters in, I was rescued from this drudgery (and no small amount of drama) by Ben Rothke, who wrote a short series of excellent posts exposing the plagiarism in Gregory’s book. He did a great job of documenting it, and hopefully it will inform potential purchasers/readers.

Ben has now done it again with a review of Ali Jahangiri’s The Security Policy Cookbook: A Guide for IT and Security Professionals.  His post is titled Is 2010 the year of the plagiarized security book?, and Ben not only exposes the large amount of unattributed material in this book, but also explains the problems with copy-and-paste security policy design.

With three books in the past year having a significant amount of plagiarism, I figured this would be a good time to share a little bit of my own commentary on the situation. This is a collection of thoughts, observations, and opinions that I’ve expressed in other formats (Twitter, email, in person) with various members of the security community, gathered up into this one post.

What is plagiarism?

Plagiarism is the act of representing another’s work as your own, without attribution to the original source. This sounds very simple, but once one accuses the other of it, the excuses and arguments get twisted very quickly. The litmus test should be: would a reader be reasonable in assuming that the listed author wrote this material? The only place where this gets sticky is in the case of legitimate (and more importantly, willing) ghost writers, which is not really an issue in any of these security books (though it was claimed for one).

Plagiarism is, on the surface, related to legal issues of copyright, intellectual property, and fair use. It is, however, a different issue. One may be within the boundaries of the law in the case of public domain and other very-loosely-licensed material, and yet still be deceptive and dishonest towards the readers who shell out money and time on a book.

This is not a matter of “standing on the shoulders of giants”, basing your work off of others’ and expanding upon it with your own commentary and research. This is about the wholesale copying, pasting, and laying claim to others’ work.

Why is this a problem?

I touched on this a bit in the previous question. The victims of plagiarism are the readers, who are being deceived by the plagiarists, and the original content creators, who get no credit for their original work.

Readers purchase books with the intention of getting the author’s take, or presentation, of a subject.  A reader might decide that it’s okay to buy a book that contains material from another book (legit example: No Tech Hacking), or that contains material that’s freely available online.   If your book presents its material as being created by the listed author, but it wasn’t, then you’ve robbed the reader of being able to make that decision.

The purpose of a book is not only to provide information and/or entertainment to the reader, but also to serve as a testament to the author’s expertise, ability to communicate, and respect in their chosen field. Even those who don’t read the books will be able to verify that an individual is at least well-versed enough on a subject to have written a book on it. This helps a lot with self-promotion and recognition. It’s easy to see that book authors are held in high esteem in the security community. A plagiarist cheats their way into this position by assuming the title of “author” without putting in the effort normally needed to create the content. At the same time, the original author of the content is not seeing this esteem or status that would normally be associated with having their work in print.

Is this a serious problem with security books?

Good question. The three examples discussed above are the only ones that I am aware of. They’re huge, egregious examples, but it’s possible that smaller instances exist and haven’t been noticed. Has anyone else noticed more?

The motive is there. Name recognition is very important/sought-after in the security community. It’s tempting to take the shortcut.

Opportunity? Two out of the three above examples are self-published, in which case: who’s going to stop them from trying? Dissecting was from an actual publisher, Syngress, though it revealed a failure in the editing process that is unlikely to happen again, now that they have been burned once.

After the community’s negative reaction to Gregory Evans’ book, it would seem that most would think twice about pulling the same stunt. Then again, many who would are likely new to security or not connected to the community of twitterers, bloggers, conference attendees, etc. While Evans was on some folks’ radar prior to these events, he wasn’t as widely known before as he is now. It may be the case that some people underestimate the ability of the community to identify and react to misrepresentation. As with Evans, this appears to be the case with Ali Jahangiri.

Who is Responsible?

In at least two of the prior cases of plagiarism in security books, blame was passed along to other people responsible for the content.  Regardless of who committed the act, those who have their name on the book and see/approve it before it goes to print or the shelves are ultimately the ones who are responsible for the content.  The editors and publishers (if there are any) are also responsible.

Conclusion

As a reader, keep a critical and skeptical eye when reading a book if it seems suspicious. Investigate and document what you find. Expose what you feel is not right. If you want to avoid getting duped, try to find reviews from sources you trust before buying.

As a content creator, do what you can, or at least what you can afford, to protect your material. Legal action may be expensive in both time and money, but you can at least request that your material be pulled or attributed (and document that correspondence). It will also deflate the plagiarist’s excuses if you come forward and publicly state that you never consented to that use of your material.

I’m not sure how much of a problem it will be going forward, but it’s definitely something to keep an eye on.

The Security Policy Cookbook: A Guide for IT and Security Professionals


Last year, I reviewed Jayson Street’s Dissecting The Hack: The F0rb1dd3n Network, uncovering a massive amount of plagiarism that resulted in the book getting pulled, pending a revision.  Here are the posts that chronicle those events:

  • The original review – …before I realized the extent of the plagiarism.  To summarize: I enjoyed the book’s fictional section, despite some flaws.  I had far more complaints with the “Security Threats Are Real” (STAR) section, which seemed very disjointed and unfocused.
  • Amending My F0rb1dd3n Network Review – …upon a closer look, it became apparent that readers (and reviewers) were misled.  The vast majority of the STAR section (comprising all but 120 pages of the book’s total of 400) turned out to be plagiarized from various sources (primarily Wikipedia).  I documented it and made this post to warn potential readers.  The authors responded, pointing to the technical editor as the cause.
  • Syngress Response to Plagiarism in Dissecting the Hack: The F0rb1dd3n Network – Syngress released a statement confirming the authors’ take on what happened, and announced that there would be a revised release of the book.

On July 15th, a revised edition was released, and I requested a review copy so that I could see what had changed, and provide this new review.

What do you get?

The book has the same basic appearance as the previous version, with the addition of a third author, Brian Baskin, on the cover.  On the title page, Marcus Carey is added (in a smaller font) as an author, and Dustin D. Trammell is listed as the new technical editor.  Apart from “Revised Edition”, there is no discussion or acknowledgment of the book’s past.

The book has gone on a bit of a diet, roughly 70 pages.  This is a good thing, however, as the old STAR section was mostly irrelevant filler.  The fiction remains, virtually untouched from the previous version, at about 120 pages of the book’s 330 pages.  The new STAR section is original content now, which is, of course, a dramatic improvement.

The Fiction

My comments from my first review mostly stand here.  The fictional F0rb1dd3n Network story was always an original creation of Jayson and Kent’s.  I am a big fan of the concept of “hacker fiction”, the likes of which you’ll find in another Syngress series, Stealing the Network.  I am definitely supportive of any attempts at writing new material in this genre.

As a story, I enjoyed this section of the book, but found it to be very short.  The plot is very much what one would expect out of a techno-thriller TV show (perhaps an episode of Leverage) and you get about the same degree of character development.  Unlike the Stealing The Network series, explanations of the attacks are saved for the STAR section, rather than given in-character in the story.  While I can see that this helps move the story along, I think it makes the fiction seem quite short.  When it ends, you’re left wondering about some things that probably could have been wrapped up within this story, particularly an incident of “dark-grey-hat” hacking the protagonists vow to atone for, but that is never revisited.  It may be something that’s saved for a sequel, but it reads like the authors simply forgot about it by the end of the story.

I’m being critical here, but I really did like the story, as a whole, and I hope that there is an opportunity for the authors to continue it.  If you liked Stealing the Network, you’ll definitely enjoy it.  It ranks right up there with the best writing in that series.

(As an aside, if you want some awesome hacker fiction, check out Daniel Suarez’ Daemon and its sequel Freedom(TM))

While one of the selling points of the book is that all of the attacks discussed in the fiction are real and documented in greater detail in STAR, there are some minor quibbles with that.  There are times in the story where it seems as though the authors have hit the limits of their own experience with attacks, on more difficult topics like reverse engineering and exploit development.  In the handful of times this comes up, artistic license is taken, hands are waved, meaningless phrases are thrown around (“pop the sled on that buffer”) and the story moves on without one of those STAR references.  Only once does a technical error directly impact the story, and honestly it’s not something even most security professionals would have caught.  These are small issues, though I would have liked it if some outside help would have been brought in to lend some authenticity to those points and document them in STAR.

The “Security Threats Are Real” (STAR) section

The STAR section is greatly improved.  Gone are the page-chewing screenshots of blogs and descriptions of unrelated tools.  There is a greater focus on describing the attacks that are in the story than in the previous edition.  Overall, it reads as being much more professional.

It’s a good first-read for people interested in computer security.  There are some technical issues and organizational issues (some topics don’t really fit with the phase of attack they’re classified in), but it’s good for someone who’s gauging their potential interest in security.  Experienced readers might be slightly disappointed.  There is a lot of material on hacker culture that is heavily skewed to the authors’ experiences with various events, people, and conferences, which the uninitiated might take as gospel for the entire scene.  I think that a lot of this could have been trimmed down (perhaps placed on the website) to give a more in-depth and complete coverage of the attacks in the fiction section.

Should you buy it?

I believe that most of the regular readers of this site are the more technical members of the security community: penetration testers, folk who do forensics and incident response.  Readers in these or similar areas who are already “in” security will get a fun read out of this book (and it’s worth it for that, especially if you’re pining for more Stealing the Network) but are not likely to pick up any new skills.

If you’re new to this stuff, or if you’re testing the waters to see if security even catches your interest in the first place, this book might be an entertaining way to learn some basic concepts.  You’ll pick up a few simple skills, and you’ll have some points at which you can start researching something that interests you.  While I don’t see this book as keeping the attention of non-technical people that wish to stay non-technical, if you’re a motivated learner, it’s a decent place to start.

Overall:  It’s a great book for the audience it should be marketed to.  Good work and congratulations to Jayson, Kent, Brian, Marcus, and Dustin Trammell for fixing up the book and seeing it through to the end.

http://www.mcgrewsecurity.com/2009/10/12/book-review-dissecting-the-hack-the-f0rb1dd3n-network/

Laura Colantoni of Syngress posted the following statement, regarding the recent discovery that a large portion of Dissecting the Hack: The F0rb1dd3n Network is plagiarized.  My commentary follows the statement:

The team at Syngress recently found out through our Twitter feed that Dissecting the Hack might have plagiarized material. The twitter feeds led us here where Wesley listed at least 125 instances of plagiarism—mostly from Wikipedia.

After talking to all involved we have determined the following:
• The book’s technical editor is the source of this plagiarism. He greatly overstepped his role.
• He did, in fact, plagiarize despite signing an agreement that explained his role was to fact check and prevent plagiarism.
• The book’s authors, Jayson Street and Kent Nabors, were not involved.

As soon as we learned about this issue, we ‘froze’ the status of the books. On Monday, October 19th we made the decision to destroy all remaining titles.

We’ve learned a lot of interesting lessons in the past few days. I suspect the most important is the value of a new anti-plagiarism software program. If you have suggestions on really good ones please feel free to send them my way. But equally important has been the goodwill and generosity of so many people in this community. Our editor and the book’s authors are already working on a plan to move forward, due in no small part to experts in the community who have agreed to help us replace all of the plagiarized material with new content. The previous technical editor will in no way be involved with this new project, or with any future Syngress projects. We will hire a new technical editor to review the content.

Our plan is to publish a revised edition with this new content. We’re also working on placing all the new content on completely open websites so that anyone who did have a copy of the book can get electronic access—anyone who heard about the book and wants to check it out can do a quick preview before purchasing.

I’ve talked to several experts in the field who shared good suggestions on how to ensure we deal fairly with our customers. We’ve taken the last couple days to check them all out and to try to balance them with some of the realities of doing business with global sales channels and a variety of contractual obligations. Then we took a deep breath and decided to follow the old K.I.S.S. rule. To keep it simple, we’ll accept back ‘old’ books from current customers and replace them with the new version as soon as it publishes. And we’ll also do multiple postings of the new material and keep it open to all for the life of the title. We post this information in a variety of sources and take out an ad or two in info sec publications. We’ll always have latest up-dates on syngress.com and on dissectingthehack.com.

Although I realize it’s my job to say this, I honestly believe this is a great book and can’t wait to get the REAL version in my hands and yours.

My take on this:

Syngress has done an excellent job of supporting the project and the authors of the book in this case, something that I am glad that they have done.  Unfortunately, this seems to have taken a higher priority than addressing the customers and readers.  One only has to look at the wording of this statement to see that this is more about the authors and the experts in the community (people who have a direct impact on Syngress’ reputation), than the customers who have paid their own money for a book that they had no way of knowing was a fraud.

While I approve of them continuing the project, reconstructing the STAR section of the book with actual content, I feel that it is dishonest to drag customers, who have already purchased the book, along for an indeterminate amount of time while this is completed.  The money that these customers have spent on the book was with the expectation that they were getting a complete book then.  If a customer is willing to wait and exchange it, then that’s great and I imagine most customers will opt into that, but it’s simply wrong to hold that customer’s money hostage with the promise of future content without their consent.  To put it simply:

Existing owners of this book have every right to request and receive a refund for it, if they want one, as they acquired it under the false pretense that it is an honest work.

This is something that I insisted upon in my private communications with Syngress, however they have chosen to ignore it in this statement.  This is not the “K.I.S.S. principle” at work, as Laura puts it.  The situation became miles beyond “simple” the moment the book was published.  This is about Syngress keeping the money that they have already made from customers for a book that consists mostly of others’ (not just Wikipedia’s) copyrighted content.

This is unfortunate, because otherwise they are taking a great stance with it.  They’re honest about the problem, and where the blame should be placed. I’m actually looking forward to the new edition of the book.  Syngress has gone a long way to make this right to its readers, and I hope that they decide to take the above into consideration and take the final steps that are necessary to really make it right.

Edit:

Just to clarify: my beef right now is solely with the publisher’s handling.  The project to create a legitimate STAR section is alright in my book.  I have signed up on their new social networking site for the project and posted the following, offering my help.  Jayson thought it would be nice for me to reproduce it here, so here you go:

While I have been the one to stir up a lot of the dust around this project recently, I do want you to know I like it. I like the idea of hacker fiction. I like the idea of Syngress becoming a more mature publisher (even though it sucks that this project had to be the tipping point). Most of all, I like the people who are a part of the project and that are becoming part of the community.

I have said this to Jayson and others on varying levels of public/private channels, but to make it clear: I am willing to help out and contribute to creating a new STAR section in any way that I can. I can write, I can edit. If someone else wants an interview for a topic that I’m competent on, I am happy to sit down with them on IM, Skype, phone. If you don’t want that, I can review a pre-print copy. And finally, failing all that, I’ll give the final published copy a serious review on my site (though I won’t be doing that if I am asked to participate: conflict of interest).

I do want to see it succeed. Anyone else here who’s willing to throw in a sword or axe, chime in.

If you are an infosec geek and want to contribute to their project, show support for it, or just want to see it in the making, then you should go and check it out.


Jayson called me regarding this post, and I promised to let him tell his side of the story, right here, at the top of the post, so here it is:

I am more stunned than anyone on finding this out. When Kent and I finally got the book deal from Syngress we were overjoyed and immediately felt the pressure of completing the book by our deadline. We had been so involved in getting the first part completed that we turned to Dustin L. Fritz to step in to write the 2nd part.

Dustin served as the Technical Editor and we were assured that he would be able to complete the 2nd part in time to meet the deadline. I trusted the material that Dustin delivered was either original or properly sourced. As people heard me say before this discovery, I gave proper credit to Dustin for the 2nd part.

I do feel betrayed that someone I trusted appears to have taken short cuts and not delivered original material. The Information Security community is about trust and I apologize to those who should feel betrayed. This is not trying to lay blame; this is trying to get the full story out there. This book has my name on it, so therefore the ultimate blame is with me.

I want to also apologize to Syngress, Rachel, and Angelina who were behind me 100% for this project. I will personally work to correct any plagiarism or copyright issues in this work.

Edit: Co-author Kent Nabors posted his response in the comments below (where the discussion is going very well), and I have made a couple of small edits to the post to more accurately reflect the fraction of the book made up by the STAR section (from all but 170, to all but 125).

Edit: Dustin L. Fritz (of The CND Group) has left the following comment regarding plagiarism in this book:

This was an honest mistake and I sincerely apologize for any miscommunication. I hope that the correct and proper citations can be added soon and that all questions regarding copyright and plagiarism issues can be resolved. I hope the book can still be enjoyed as a valuable contribution to the information security community and I hope it will go on to fulfill its objective in reaching anyone who desires to learn more about hacking and security. I want to specifically apologize to Jayson, Kent, Syngress, Rachel, Angelina, all the readers, reviewers, and others who have taken offense. I want to fix this and I sincerely appreciate everyone’s positive support!

I appreciate Dustin’s comment, however (as we discussed at length on the phone this morning) I disagree partially with it being an honest mistake.  When one has demonstrated in other parts of the same book, and at presentations at venues such as DojoSec, that he or she is capable of quoting and citing things properly, and knows that permission should be asked before reproducing material, it’s no accident when large sections of text are lifted from non-attributed sources and presented as the authors’ work.  The argument was made that the work was never put forth as the authors’ words, but the below information and anyone with a copy of the book can verify that this is not the case.

My original post continues from this point.

I am posting this as an amendment to my review of Jayson Street and Kent Nabors’ Dissecting the Hack: The F0rb1dd3n Network. It turns out that a large portion of the book being presented as the authors’ original work (almost the entirety of the STAR section, which is all but 125 of the book’s 400 pages) is actually plagiarized from various online sources (primarily Wikipedia).  Not much in information security angers me, but it does anger me when authors attempt to present others’ work as their own, misleading their readers and reviewers (many of whom have given very positive reviews to this book).

While I was in the process of reading and reviewing Dissecting the Hack: The F0rb1dd3n Network, I promised Jayson that I would provide notes that I had taken in the process of reviewing the book.  A few days ago I posted that review, and today I reviewed my notes and edited them to be more readable than they were for his benefit.

In the process of editing those notes, I reviewed each of the problems they addressed, including where I had stated that many quoted materials were not attributed to any source.  I had also noticed normally formatted, apparently author-written text that was actually an excerpt from a Wikipedia article in one place.  At the time and in my notes, I figured that it was likely a typesetting error.

Unfortunately, this evening, I found out that this is not the case.

After reviewing my notes, I noticed other strange wording in the STAR section, which comprises all but 125 of the book’s 400 pages.  I chose some excerpts at random, and Googled what should have been unique phrases from them.  In most cases I was given results on Wikipedia, where the text of the entry matched the text of the book exactly.  This worried me greatly.

For several hours this evening, I have gone through STAR, section by section, locating the sources of plagiarized material.  The majority of the text presented as the words of the authors (normal typesetting, not quoted or attributed) is directly ripped off from a number of online sources, primarily Wikipedia.  For the most part, only the sections that directly reference the characters in the story portion of the book can be trusted.

I kept notes this evening, and I have created the table below, which documents 55 instances in The F0rb1dd3n Network where the contents are directly taken from Wikipedia and other online sources.  Most of these are quite blatant, taking exact sentences and paragraphs from Wikipedia articles and using those to form the entirety of the book’s explanation of the topic.  In most cases, all that is added are references to screenshots, and small wording and paragraph break changes.

Before I found so many examples, I thought that this might be a product of my own academic background holding this non-academic text to too high of a standard, but the massive scale of it constitutes plagiarism by any rational definition, and specifically violates Wikipedia’s copyright rules, among others’ rights.  It is an insult to those that have taken the time to review it, and to those who have paid for the book under the assumption that it is an original work.  I find it hard to believe that the authors did not feel that this was wrong, and can only assume that the editors were unaware.

The following table lists page numbers, the topic being discussed, a URL of the original material, and a “length” which roughly describes how much material is lifted.  In this field, “Entire description” indicates that the entirety of the discussion of the topic in the book is taken directly from the source URL.  Other descriptions attempt to explain how much material was “lifted”, though it’s inexact, as paragraph breaks are changed from the source to the book.  In some cases, I had to go back to previous revisions of Wikipedia articles to determine what was copied, and so the revision I list may or may not be the exact revision the author used.

If you have a copy of this book that you bought or received for review, I encourage you to take a look at these pages and source URLs to see what I’m talking about:

| Page | Topic | Original source | Length |
|---|---|---|---|
| 135 | OSI Model | http://en.wikipedia.org/wiki/OSI_model | 2 paragraphs and a table |
| 141 | Maltego | Old description from paterva.com | 1 sentence |
| 146 | DNSPREDICT | Many sources (likely original tool site) | Entire description |
| 149 | Kismet | http://en.wikipedia.org/wiki/Kismet_(software) | Entire description |
| 151 | Netstumbler | http://en.wikipedia.org/wiki/NetStumbler | Entire description |
| 153 | SuperScan | http://en.wikipedia.org/wiki/Superscan | Entire description |
| 154 | Nmap | http://en.wikipedia.org/wiki/Nmap | Entire description |
| 155 | Paratrace | http://linux.die.net/man/1/paratrace | Entire description |
| 156 | Scanrand | http://linux.die.net/man/1/scanrand | Entire description |
| 157 | Amap | http://freeworld.thc.org/thc-amap/ | Entire description (short) |
| 161 | Plug-in | http://en.wikipedia.org/wiki/Plug-in_(computing) | Paragraph description |
| 164 | Vulnerability Scanner | http://en.wikipedia.org/wiki/Vulnerability_scanner | Entire description |
| 164 | IBM Internet Security Systems | http://en.wikipedia.org/wiki/IBM_Internet_Security_Systems | Entire description & history |
| 165 | Nessus | http://en.wikipedia.org/wiki/Nessus_(software) | Entire description |
| 166 | Nessus Goes Closed License | http://en.wikipedia.org/wiki/Nessus_(software)#History | Quoted |
| 167 | Tenable NeWT Pro 2.0 | Press release? http://www.highbeam.com/doc/1G1-115844766.html | Entire description |
| 168 | Rapid7 | http://en.wikipedia.org/w/index.php?title=Rapid7&oldid=301929477 | Entire description |
| 169 | Microsoft Baseline Security Analyzer | http://en.wikipedia.org/w/index.php?title=Microsoft_Baseline_Security_Analyzer&oldid=225194910 | Entire description |
| 170 | eEye Retina | http://en.wikipedia.org/wiki/Retina_Vulnerability_Assessment_Scanner | Entire description |
| 177 | Exploits | http://en.wikipedia.org/wiki/Exploit_(computer_security) | Entire description (full page of text) |
| 179 | Buffer Overflows | http://en.wikipedia.org/wiki/Buffer_overflow | Entire description |
| 180 | SubSeven and Stopping SubSeven | http://en.wikipedia.org/w/index.php?title=Sub7&oldid=299155522 | Entire description |
| 186 | Metasploit | http://en.wikipedia.org/wiki/Metasploit | Entire description |
| 187 | Core Impact | http://en.wikipedia.org/w/index.php?title=Core_Impact&oldid=295444915 | Entire description |
| 193 | Registry Keys | http://en.wikipedia.org/wiki/Windows_registry | Entire description |
| 194 | Securing your logs | http://codeidol.com/sql/network-security-hack/Windows-Host-Security/Secure-Your-Event-Logs | Entire how-to |
| 195 | Event Viewer and HOW TO: Event Log Types | http://support.microsoft.com/kb/308427 | Entire description |
| 197-200 | Last User Logged in | http://www.technixupdate.com/change-or-hide-the-last-username-logged-on-username-dialog-box/ | Entire how-to copied |
| 201 | Last True Login Tool | Many – likely old description from website | Entire description |
| 202-204 | Last logoff script | http://dovestones.com/active-directory/true-last-logon/last-logoff.html | Entire how-to |
| 205-208 | Windows Security Log | http://en.wikipedia.org/wiki/Windows_Security_Log | Entire article |
| 223 | Description of NIST | http://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology | Two paragraphs |
| 233-235 | CompTIA | http://en.wikipedia.org/wiki/CompTIA | Entire description |
| 236 | EC-Council | http://en.wikipedia.org/wiki/EC-Council | Entire description |
| 236-237 | (ISC)2 | http://en.wikipedia.org/wiki/ISC2 | Entire description |
| 244 | One-time Passwords | http://en.wikipedia.org/w/index.php?title=One-time_password&oldid=306538660 | Paragraph and list |
| 246 | Honey Pot | http://en.wikipedia.org/wiki/Honeypot_(computing) | Paragraph |
| 253 | Firewall | http://en.wikipedia.org/wiki/Firewall | Paragraph |
| 255-256 | Full-Disk Encryption | http://en.wikipedia.org/wiki/Full_disk_encryption | Three sections |
| 257-258 | Snort | http://en.wikipedia.org/w/index.php?title=Snort_(software)&oldid=273431896 | Entire description |
| 258-264 | IPS | http://en.wikipedia.org/wiki/Intrusion_prevention_system | The entire Wikipedia article copied over multiple pages! |
| 278 | Wireshark | http://en.wikipedia.org/wiki/Wireshark | Several sentences from the article |
| 279 | PGP | http://en.wikipedia.org/w/index.php?title=Pretty_Good_Privacy&oldid=304558754 | Two paragraphs of description |
| 281 | Personal firewalls | http://en.wikipedia.org/wiki/Personal_firewall | Short description |
| 285 | Perl | http://en.wikipedia.org/wiki/Perl | Entire description |
| 292 | Bluesnarf | http://en.wikipedia.org/wiki/Bluesnarfing | Entire description |
| 299 | Bleeding edge technology | http://en.wikipedia.org/wiki/Bleeding_edge | Description and list |
| 303-305 | ECHELON | http://en.wikipedia.org/wiki/Echelon_(signals_intelligence) | Entire description + photo |
| 310 | Ghost Rat | http://en.wikipedia.org/wiki/Ghost_Rat | Two paragraphs |
| 332 | 2600 Magazine | http://en.wikipedia.org/wiki/2600:_The_Hacker_Quarterly | Entire description |
| 333-334 | Gary McKinnon | http://en.wikipedia.org/wiki/Gary_Mckinnon | Entire description |
| 336 | PSP Hack | http://www.dcemu.co.uk/vbulletin/showthread.php?t=33928 | Tutorial |
| 396 | World of Warcraft | http://en.wikipedia.org/wiki/World_of_warcraft | Large paragraph |
| 399-400 | Infragard | http://en.wikipedia.org/wiki/Infragard | Entire description |
| 404 | Bump Keys | http://en.wikipedia.org/wiki/Bump_key | Entire description |

Edit: I have added an amendment to this review in this post, when it became obvious to me that the majority of the material in the STAR portion of this book is plagiarized.

Jayson E. Street and Kent Nabors’ The F0rb1dd3n Network is the first in what is proposed to be a new series of “hacker fiction” from Syngress, under the banner Dissecting the Hack.  This genre is still in its infancy, so the only other point of comparison that comes to mind is the Stealing the Network series from the same publisher.  Despite STN’s flaws, I enjoyed the stories the series had to tell, and looked forward to the review copy of F0rb1dd3n Network that arrived last week.

The F0rb1dd3n Network’s format is different from STN’s.  The fictional story is separated from the second part, which serves as a technical reference that explains the technology and attacks mentioned in the story.  A “How to Read” introduction explains that the reader can read either or both sections.  I felt that it was best to just take the book in linearly, reading the story first, then the “Security Threats Are Real” (STAR) section.

I enjoyed the story; however, those reading the book for “hacker fiction” should be aware that this part is only 127 of the book’s 410 pages, and goes by very quickly.  The plot has the pacing of an action movie or police/detective TV series, so don’t expect much development in the characters, nor much attention to the hacks performed by them (the latter is to be taken care of in the “STAR” section).  The advertising for this book includes the statement “Every attack is real.”, which is true for the most part, but if you’re really picking nits you may be able to spot a few “hand-waving” moments.  Overall though, it’s entertaining, and if you enjoyed the stories in STN, you’ll probably like this one.

The second part, STAR, is both a review of penetration testing methodology and a collection of more in-depth coverage of attacks, technology, and cultural references made in the story portion of the book.  This is where I felt that the book was a let-down from its promise.  Much of this section, which appears to be thick with content, is actually space wasted.  Among the worst offenders are large screenshots, many of which have no direct reference in the text to explain the contents; numerous screenshots of websites with no real content showing; and pages of book recommendations with large (and low resolution) images of their covers.  A lot of space is also taken up by “Public Record on Tap” sections, which are simply reprints of short articles available on the web.  Many of these are not attributed to any author or source, and it took some Googling to find out that they were largely copied and pasted from Wikipedia.  Outside of these sections, I noticed at least a couple of instances where content was copied from Wikipedia or vendor websites without attribution or any indication that it was a quote from elsewhere (I hope that this is just an oversight).  I got the feeling that the author was getting tired and started “phoning it in” towards the end (a short bio of HD Moore that doesn’t mention Metasploit?).  I understand the desire to make a book seem large, however much of it could have been replaced with more information on the attacks described in the fictional story (even some that had no mention in STAR at all).  I would have preferred to hear the author’s take on many of the topics, rather than snippets of text from the web.

There is also the confusion of the target audience for this book.  The website for the book has a video that explains that it is for management to understand security and buy in to it.  The back-cover sells it to “Hackers, IT Professionals, and Infosec aficionados (as well as everyday people interested in security)”.  This kind of description is symptomatic of many books being published that are trying to widen their market.  My feeling is that it’s going to be difficult to get some of these audiences interested in this book.  Many people in management roles, as well as established professionals (and hackers) in the security field, are not going to be able to relate easily to the kids that are the main characters in the story.  People who have been involved in security won’t find many new techniques or insight in the STAR section (literally, because so little of it is original content from the authors).  This leaves beginners to the security field and laymen who have this as their first exposure to the field.  For them, it would probably be an interesting book (that might leave them hanging on some points).

I think this format has promise, enjoyed the fiction, and I look forward to future volumes of the story.  More mature protagonists and situations would be welcome, to better relate to the audiences that can benefit from the book the most.  The STAR section in future books should also focus more on the happenings of the story, and consist of more prose from the authors than filler.

 

Bill Blunden’s book, The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, is one of the hidden gems among computer security books, and I hope that I can convince you to give it a look.  This review has been too long in arriving, as I haven’t had as much time to read as I would like.  That said, I felt it was very important to finally get the review up, as this is a book that I’m sure my regular readers will enjoy.

I first spotted this book on a vendor table at Defcon, and it stood out among the rest mostly because *I hadn’t heard of it*.  I try to keep up with new book releases, especially on attack-oriented topics that would be of interest to the penetration testers and vulnerability analysts that read this blog.  It was surprising to me that one had flown under the radar.  I picked it up and flipped through the table of contents (which I encourage you to do as well), and was very impressed with the amount of material it covers.

I looked up the author, and was disappointed to realize that I had missed his talk at Blackhat earlier that week (looking forward to the video).  I contacted him, and he was kind enough to supply a review copy of the book.  It arrived very quickly, with a humorous personal note on the inside cover, and ever since, I have been learning a lot from it.

The author’s style is excellent.  The material is technical and has the potential to be very dry, but the text has a very conversational tone, as if it were being presented as a lecture for a (particularly good) class.  Each concept is tied back to the main topic: hiding operations and data from the user and operating system, and frustrating forensic analysis.  The book reads very well, presenting enough context that you can understand it if you’re reading away from a computer, and enough detail that you can follow along and experiment with it if you are at your desk.

I appreciate that this book does not attempt to hold the reader’s hand throughout with the ethics of developing rootkits.  The author takes a brief moment at the beginning of the book to explain the legitimate needs for security professionals to be familiar with rootkit techniques and development, and points out that the information can be found elsewhere.  After this point, the book assumes a level of maturity in its reader that is greatly appreciated.

The first part of the book, “Foundations”, has an excellent introduction to IA32 architecture and Windows internals that I have never seen so well-described for beginners.  Even if you aren’t interested in rootkits, this portion of the book is something I would recommend to anyone getting started in related fields, like reverse-engineering or exploit development.  Digging further into the text, the second section on “System Modification” makes up the “meat” of the book, delving into the details of subverting Windows internals in many different ways.  As technical and in-depth as the book gets, though, it never seems to leave the reader behind.  Each new concept is well-explained and builds upon the material the reader has already learned.  You may have to go through the text slower than you had anticipated, and go back to review previous material, but you’re never left feeling hopelessly lost.

The remainder of the book is a treat, as well.  I can’t recall another book that goes into any kind of detail on defeating forensic analysis of memory and file systems.  Anyone interested in developing forensic tools or curious about how analysis with tools like Encase and FTK might be subverted, should give it a read.  The author closes the text with some strategic guidelines for rootkit development, and his own thoughts on how evasion and deception can be used to similar ends on a larger scale than operating systems.

This is now one of my favorite computer security books, and I believe that if you review its contents, you’ll find that you’re getting a great value for your money.  If you are familiar with C and have a beginner’s knowledge of IA-32 assembly, you should have the prerequisites you need to follow along with this book.  I highly recommend it, and hope that it becomes less of a hidden gem than it is today.

 

This is just a quick note to serve as a warning to anyone who might be considering buying “Stealing the Network: The Complete Series Collector’s Edition” after reading the description on the Elsevier site:

While I was reading the book and preparing my review, I found that the publisher’s description was inaccurate and misleading, emailed a contact at Syngress, and I thought I had verified that it had changed.  Either I was mistaken and was only looking at the more-accurate Amazon product description, or the changes on the Elsevier site have been reverted.

Here’s what it looks like right now:

The “Stealing the Network Series” has developed a passionate, cult following which includes more than 30,000 readers. Over 3,000 readers have registered their copies of Stealing on the Syngress Web site. The Stealing book signings at the Black Hat Briefings in Las Vegas have become an annual event, attracting hundreds of readers, who want to meet the authors who serve as the heroes and villains of the series. These are true fans. They want the inside scoop. They want their picture taken with the legend, Kevin Mitnick. They want to know if the elaborate hacks in the stories are actually based on real-life, close-encounters. They want to know it all… Did Jay Beale base his character on the movie “Real Genius”? … Does FX ever smile? … How tall is Thor? … Is “Blah” really Roelof Temmingh? Did the guys from Sensepost really receive death threats in South Africa for “revealing too much”? But maybe most importantly… they want to know: How does the story end?

Stealing the Network: The Complete Series Collector’s Edition, Final Chapter, and DVD answers all these questions and more. Not only will longtime fans of the series find out how the story ends in the much anticipated “Final Chapter” (The “Final Chapter” will also be available separately as an E-Only product six months after publication of the Collector’s Edition). They will get much more than this. The collector’s edition also contains author-annotated versions of the entire series: How to Own the Box, How to Own a Continent, How to Own an Identity, and How to Own a Shadow. For the first time, the authors will reveal which of the stories and characters are actually based on fact. The authors will share e-mails they exchanged during the writing of the books… and even a few flames directed at one another! Fans of the series have always been attracted to the “rock stars” of the hacking underground who have contributed to the series over the years including: Dan Kaminsky (Effugas), Fyodor, Tim Mullen (Thor), Johnny Long, Ryan Russell (Blue Boar), Jay Beale, Joe Grand (Kingpin), Jeff Moss, and Kevin Mitnick… just to name a few. Friends and foes alike of the authors scour the internet for information on the authors, and some have even successfully hacked into their computers and e-mail to find out more about them. Now… they can find out everything they ever wanted to know without risking federal prosecution in Stealing the Network: The Complete Series Collector’s Edition, Final Chapter, and DVD.

In addition to The Final Chapter and the Annotated Complete Series, the fanatics will also receive a DVD containing extended, personal interviews with the primary authors and editors of the series. The DVD also contains digital photographs from exclusive and secretive author dinners and meetings at Black Hat and Defcon.

Long time fans of the series as well as a new generation of hackers will be drawn to this unique collector’s edition either for themselves or as a gift for their favorite hacker.

This is an excellent description of what the book should have been.  Unfortunately it’s not the book that you’re ordering.  I’m sure the intent was to include all of these features that would make it a must-buy for fans of the series, but it just doesn’t have them.  None of the books in the compilation are “author-annotated”.  There is one email shared in the introduction, not the back-and-forth and flames the description claims.  There are no photos on the DVD.  These are all features that were intended for the book, but did not make the cut (presumably a deadline thing).

What you get:

  • A new foreword
  • Each book in the series, as it was published, no editing/corrections, bound together
  • The final chapter
  • A 20-minute DVD that has weird audio issues in some players
  • That’s it.

Depending on how much you pay for it, it could be a really good deal if you do not already have the series (which I do like).

I tried to get the publisher to change the misleading description back when I wrote my review, but apparently it didn’t do any good.  I’m just posting this to make sure that readers of this site and others that stumble across it googlin’ are informed.

 

If you read my review of Stealing the Network: The Complete Series Collector’s Edition, then you’d know that the only real additional content in the new edition is a new chapter by Ryan Russell: “The Final Chapter”.  I liked Ryan’s conclusion to the story, but I doubt that many people who already own the other Stealing the Network books would want to purchase the compilation just for that.

Now, and if you act fast, you won’t have to.  It turns out that the Windows Secret Newsletter is giving away a PDF which contains the entirety of “The Final Chapter” (preceded by a sample of 5 pages of text from another chapter).  It’s only available until May 6th, though, so you’ll want to go ahead and act if you want it.

All you have to do is subscribe to their newsletter, and you’ll be given a link to download the PDF.  They don’t even verify your email address before giving you the link, so I’d advise just punching anything that works into the field:

Enjoy!

© 2012 McGrew Security Suffusion theme by Sayontan Sinha