Saturday, August 08, 2009

Book Review “Chained Exploits”

As you might guess, I often read security books for fun, not for solving a particular technical problem. So I approached “Chained Exploits” by Andrew Whitaker, et al. with that filter in mind. The book worked just fine for that purpose – it is well-written and has a story line, while covering enough technical details to be educational (for those who are reading it to learn about security and not just for fun). It covers the exploits of a malicious hacker “Phoenix” who fulfills the assignments of some underground criminal mastermind and sometimes just goes and 0wns somebody on his own. Obviously, the book does not cut it as “fiction” since it has actual commands, configuration, etc.

The book is not about a new cutting edge technique or an “oh-day”; its main goal is to actually tie “that security stuff” together for folks who are not skilled with it yet. IMHO, IT folks getting into security will benefit from it the most. If you 0wn boxes for fun and profit, you will not learn anything fundamentally new about security, but likely will have fun in the process. Think about it as “Life-like Security Horror Stories” or realistic scenarios. Still, these are a bunch of good stories of how mundane, “uncool” attacks tie together to achieve some rampant 0wnage, like having people at a hospital almost die as a result of one particular scenario…

Each story covers motivation and goals of the attack, planning stage, sometimes failed attempts (and why they fail), tool selection and some guidance on tool use. Then it explains what happens and finally covers countermeasures that could have stopped it.

The book bears unfortunate, but noticeable signs of being written by multiple people who didn’t talk to each other much.

Finally, the name (“Chained Exploits”) first turned me away from the book, I thought it was kinda silly; now I suspect that it will attract some folks to the book.

Recommendation: definitely worth a read if you are new to security, especially if moving from IT. Useful for students in computer science classes to get motivated about security. Also useful for technical management to learn what is not just possible, but very real. Finally, useful for security folks – as a fun read – and also as a reminder about things in their own (still their own, not 0wned…) environments.

Dr Anton Chuvakin