Security Book Review: Mobile Malware Attacks and Defense

Mobile Malware Attacks and Defense
Author: Ken Dunham et. al.
Editorial: Syngress
Publication date: November 14, 2008
ISBN-10: 1597492981
ISBN-13: 978-1597492980


Summary: An historical reference of mobile malware and threats, plus a technical introduction to its analysis and in-depth inspection.

Score: 4/5

Review:
Security threats on mobile platforms are one of the key topics and main targets for the next couple of years, given the ubiquity and popularity of these devices, plus their advanced capabilities and use of sensitive application: micro payments, online banking and e-commerce, access to "the cloud", etc.

This book is one of the few references, if not the only one (till very recently), focused on the multiple security aspects of the mobile ecosystem. As such, it constitutes a great historical reference about what mobile malware (referred as MM) and threats were until its publication, in late 2008.

The book starts by introducing mobile malware, although it can be a bit confusing for the novice reader, as it mixes up attacks, tools and threats (most them Bluetooth based), and for example, WiFi is not even mentioned (yet). The next chapter (ch 2) provides an interesting overview on how mobile malware shows up in a terminal from a user perspective, including the most common behaviors and the kind of interaction expected from the user. It would be great to have a detailed explanation of the propagation method, as with CommWarrior, for all the samples analyzed in this chapter.

The next three chapters (ch 3-5) are a really valuable historical reference about mobile malware, including its timeline, how it has evolved since 2000 till 2008, the types of threats, categorized by malware families, the most significant or famous specimens, such as Cabir in the Bluetooth side, plus an extensive taxonomy of mobile malware and threats based on the infection strategy, distribution and payload. Although some tables, with more than 400 references, could have been moved to an appendix to facilitate the reading, this set of chapters summarizes how mobile malware seriously started, back in 2004, and evolved over time. The comparison of different pieces of malware, and the extra analysis of the most relevant specimens, together with the technical details they used to survive, makes this section of the book a very good "encyclopedia".

Then, the book reflects the influence of multiple authors, presenting different unconnected and independent chapters. The phishing, SMSishing and Vishing chapter moves out of the mobile space, covering lots of details about these threats on traditional environments, such as common web browser based solutions, and the usage and purpose of the network captures attached is still not clear to me. I still remember my surprise from a technical perspective when I read that the transmitted data between the client and the verification server could not be identified, as they were using an SSL connection: "What about using a HTTP(S) interception proxy?" Finally, it includes an extensive phishing academic research mainly based on Bayesian networks and a distributed framework, which on my opinion, is clearly out of the scope of the book.

The more technical chapters come next; chapter 7 focuses on the core elements for the most widely used mobile platforms, their protection mechanisms and how they have been bypassed in the past, covering mainly Windows Mobile (WM), iPhone, Symbian, BlackBerry and J2ME (Java). It includes a extremely short summary on prevention and exploitation. This is complemented by the techniques, methods and tools available for the analysis of mobile malware (ch 8), the in-depth details for the disassembly and debugging of associated binaries (ch 10), plus the strategy and main constraints to perform a forensic analysis on this type of devices (chapters 8 and 9). This is by far the most relevant technical portion of the book.

The book follows the old and useful Syngress layout tradition of adding a few common sections at the end of each chapter to reinforce the material covered: Summary, Solutions Fast Track, and FAQ.

The first portion of the book (ch 1-5) will be an eye opener for a non-technical audience; highly recommended, together with the last chapter (ch 11) focused on the defensive side and how to mitigate all the threats covered along the book. The second portion for the book (ch 7-10) is focused on security professionals, mainly incident handlers and forensic analyst that need to deal with the technical aspects of mobile attacks and infections.

Due to the new mobile threats and issues that turned up in 2009 for the advanced smartphone platforms (like iPhone or Android), and the trend for new and more dangerous specimens expected in 2010, a second volume or edition would be a must.

UPDATE: Amazon review (first one).

Security Book Review: The IDA PRO Book

The IDA PRO Book
Author: Chris Eagle
Editorial: No Starch Press
Publication date: August 12, 2008
ISBN-10: 1593271786
ISBN-13: 978-1593271787


Summary: Do you really want to master the art of disassembly? Start here!

Score: 5/5

Review:
Honestly, when picking up a book that is focused on a single tool, as in this case, my main concerns are: how linked (and limited) the content is to the tool and its capabilities, if the book can become obsolete soon with new versions of the tool, and what else the material offers to the specific field out of the tool.

In this case, it is fair to say that IDA Pro (http://www.hex-rays.com/idapro/) is the most popular disassembly tool (and debugger now) in the market during the last decade, so covering it is like going deeper into the field of malware analysis, software reverse engineer and vulnerability research. Beginners can start playing with the evaluation version, while professionals have been using the Pro version for a long time.

Apart from that, the moment I realize Chris Eagle was the book author, it added some excitement to the mix. I know Chris when we released the Scan of the Month 32 challenge on the Honeynet Project (http://old.honeynet.org/scans/scan32/), back in 2004. The challenge was focused on analyzing a home-made malware binary, called RaDa, and Chris was the winner (http://old.honeynet.org/scans/scan32/sols/1-Chris_Eagle/); he even developed an IDA Pro script to unpack the binary and solve it.

Therefore, the book title does not make any justice to its contents :), as this is not only The IDA PRO Book or the unofficial guide, but the modern software disassembly (static binary analysis) masterpiece and The IDA Pro Bible.

The first two chapters are a must for anyone starting in the world of reversing and disassembly. Something I really liked about the introductory chapters is how the author establishes the relationships between the different functionality available in IDA, and other (more traditional) single tools offering similar capabilities.

Then, the book goes in depth into IDA, getting started, covering the interactive interface and navigation capabilities, including the well-known and the most hidden features, explaining how to manage data types, structures and projects, the beauty of cross-references and graphs, and how to extend and customize IDA for extra advanced analysis (libraries, IDC scripts, plugins, modules, etc). It offers the advance readers the required skills and tools to move their analysis activities to the next level.

Every chapter is preceded by a great introduction explaining what is it about, and when and why this chapter is important for the analyst. Chapters do not simply move over the different menus and capabilities of IDA Pro, but describe them within a context based on the author experience after years of binary analysis, going in depth into the essence and goal of a given feature, the way to use it and the common drawbacks. Chris also uses his experience to highlight what is the most typical finding and tool output in various scenarios and why.

The book ends up with a few chapters that challenge the reader to put in action the skills learned throughout the book into real-world applications. Finally, it covers the new debugging capabilities (dynamic binary analysis) available since IDA version 4.5. For those starting in the field, appendix A points out the differences between the free and the commercial IDA version, and how these may influence your interest on specific book chapters.

The book is highly recommended to both beginners and intermediate/advanced users and professionals, and definitely it is a dense (like the tool it covers) but very easy to read book that becomes a reference in your bookshelves the minute it reaches your hands. Besides that, its contents won't easily become obsolete with new IDA Pro version. It is not a book to read in a couple of nights; this is the kind of "practical" book that I strongly recommend to read with a computer and a running copy of IDA handy, so that you can test all the tips and tricks and practice the topics being discussed.

UPDATE: Amazon review.

Security Book Review: Chained Exploits

Chained Exploits: Advanced Hacking Attacks from Start to Finish
Author: A. Whitaker, K. Evans, J. B. Voth
Editorial: Addison-Wesley Professional
Publication date: March 9, 2009
ISBN-10: 032149881X
ISBN-13: 978-0321498816



Summary: A multi-scenario hacking adventure novel focused on combined real-world attacks.

Score: 5/5

Review:
The penetration testing (and criminal) field has focused during the last years on increasing the foothold on compromised systems, proving advanced pivoting and post-exploitation techniques that might help to expand the compromise to other systems or critical resources. This book is a novel that describes these reality by telling hacking stories where multiple techniques, tools and vulnerable input vectors are exploited in order to accomplish a variety of clearly defined attacks and goals.

Each chapter is a well structured story describing multiple attack scenarios. From credit card theft, to insider threat, going through corporate espionage focused on stealing confidential intellectual property, the launch of a DoS attack in a key point in time, the risk and exploitation of inter-corporation network connections, physical access to healthcare records, up to social networking and wireless break-ins.

The book is a modern fictional narrative with technical touches, covering attacks from start-to-finish in elaborated stories (my score evaluates the book from this perspective). However, by reading the book description, you might expect a deeply technical book that will teach you how to perform those attacks, and... it is not.

Every attack story is introduced by setting the stage and the overall attacker approach. Besides that, it is surrounded by a few final defensive tidbits and conclusions, describing countermeasures to mitigate the various attacks covered. This book may act as an excellent eye opener for managers and top level positions (see recommended audience below) in order to understand how small security investments and tweaks can definitely help to increase the overall protection of a target environment substantially.

Unfortunately, from a technical perspective, some of the technical details have not been thoroughly reviewed, such as the output of nmap (order of ports), the unexplained switching of target systems from Vista to XP, the targeting of RDP while not on the port scan (chapter 4) , or the coverage of some tools. Some attacks are a bit outdated, such as the silent winpcap installation to capture traffic from a target box. However, I must admit this book inspired some of the components of a recent "Prison Break" hacking challenge I released this summer (2009).

Specific portions of the book and, overall, the story plot, is well written from a novel perspective, and as particular attacks are progressing, it made me feel the common excitement we get when we are involved in a real penetration test and successfully progressing through the targets, getting the adrenalin going.

This book is highly recommended for people entering in the security field, and for experienced technical security pros in two ways. On the one hand, it's an enjoyable and entertaining novel for a weekend or vacation period. On the other hand, it is a very good reference to give to managers and CxO positions so that they can get a feeling of how real-world attacks look like nowadays and the kind of targeted threats they may face.

UPDATE: Amazon review.

Security Book Review: VMware vSphere and Virtual Infrastructure Security - Securing the Virtual Environment

"VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment"
Author: Edward L. Haletky
Editorial: Prentice Hall PTR
Publication date: July 2, 2009
ISBN-10: 0137158009
ISBN-13: 978-0137158003



Summary: The reference for securing virtual environments, in particular, VMware-based.

Score: 5/5

Review:
In the first half of this year (2009), I was involved on extending my previous research on virtualization security, and specifically, I focused on securing and hardening VMware ESX environments. This stirred up my interest on this book. To sum up what this book is all about: "I would have loved to have this book handy back by that time, as it would have saved me tons of time" Instead, I had to read and compare multiple VMware security guides from VMware, CIS, NIST, etc, and perform an extensive hands-on research on my own.

The book offers a very solid and broad analysis of multiple security issues on virtual environments, covering not only the technical aspects associated to the virtualization hosts, virtual machines, and virtual data and storage networks, but also management and operational issues, availability concerns, and other common related tasks on newly deployed, or already established, virtualization setups.

The first two chapters focus on security threats and attacks, a basic foundation required for the cross-references available throughout the book, that can be skipped by the on-the-field security readers.

The next three chapters focus on offering best practices and security recommendations for different key components of any virtualization platform, such as the hypervisor, the storage network, and virtual clusters. The next couple of chapters cover most of the security aspects that must be considered on the design, deployment and operation of a virtual environment.

Although all these chapters provide a very good quality security advice, it is not complemented with hands-on examples. I think this could be improved by adding more detailed sections describing step-by-step how to complete the security recommendations exposed, not just what need to be done. However, I understand it is required to cut the size of the book at some point. A good example of how to extend this idea can be observed on chapter 6, where the integration between VMWare ESX and a directory service is covered in depth.

However, both the technical and operational aspects are integrated smoothly, offering a great in-depth overview. Apart from that, the whole recommended list of things to consider in order to get a more secure virtualization infrastructure is summarized in a useful set of boxes called "Security Notes" and spread all throughout the book. These boxes can be easily used as a checklist when deploying or assessing the security of virtual solutions.

My favourite chapters are chapter 8, and specially 9, where virtual machine and virtual networking security is analyzed, respectively. Chapter 9 offers a whole set of networking scenarios and discusses pros and cons to the number of (physical and virtual) network cards and its configuration. A very practical and thorough work!

The book ends up with three special chapters. Chapter 10 covers the new VMware virtual desktop infrastructure (VDI) and the security issues around it. Due to all the client-based attacks nowadays, most probably it is going to be a de-facto standard pretty soon, so getting involved on the virtualization of client systems is a must. Chapter 11 provides a detailed guide to harden VMware ESX and ESXi hosts, a mandatory initial process for every new virtual deployment. Finally, chapter 12 provides a quick and interesting introduction to digital forensics (and data recovery) on virtual enviroments, mainly focused on how to deal with virtual file systems, such as VMFS, VMDKs, and raw disks. A quick recommended read for forensic analysts interested on expanding their skills to virtual victims.

There are a few things I feel will improve the book contents. Unfortunately, due to the publication deadline, its coverage of the latest VMware vSphere virtual architecture is pretty limited, as the author clarifies. Besides that, considering the frequent security updates and patches released by virtualization vendors, I would have liked to find a better coverage of best practices to update the virtual infrastructure itself. Finally, as mentioned previously, about half of the book includes detailed how-to sections describing how to apply the recommended settings, but the other half misses that how-to portion. I understand this may be a limitation to make the book size manageable (it's over 500 pages now).

This book is highly recommended for IT and security architects, involved in the design of new virtual solutions, as well as virtualization administrators and anyone in charge of the maintenance of a virtual infrastructure. From a security perspective, people evaluating, assessing, and suggesting improvements for virtual solutions should read the book in order to have a full overview of all the security threats and possible countermeasures. Overall, the book is a must read for anyone already involved, or planning to get involved, in virtualization. It really helps to acquire a very broad and extensive knowledge of the security considerations that apply to such a complex and modern IT architectures.

UPDATE: Slashdot review, Amazon review.

Security Book Review: "Nmap Network Scanning"

"Nmap Network Scanning"
Author: Gordon "Fyodor" Lion
Editorial: Nmap Project
Publication date: January 1, 2009
ISBN-10: 0979958717
ISBN-13: 978-0979958717



Summary: The Art of Network Mapping and Scanning Masterpiece.

Score: 5+/5

Review:
I could summarize this book review by saying this is THE nmap reference book, what in itself would be an obvious conclusion I already expected before reading a single page, just by looking at the author name. Fyodor is the creator of nmap, a tool he has carefully fed and taken care of during all these years, and slightly knowing him from the Honeynet project, I couldn't expect less.

"Nmap Network Scanning" is a masterpiece that teaches the reader the Art of Network Mapping and Scanning, and definitely, one of the best books I've read in years. Honestly, there are only a few minor things regarding network scanning you cannot accomplish with a single tool, the current nmap version. The book takes advantage of it.

The official nmap reference guide is simply included on chapter 15, while the rest of the book steers the reader through the nifty art of network mapping and scanning. It disects the network scanning phases and techniques, describing the different options and tool arguments available throughout practical examples and real-world usage tips, here and there, that will improve all your scanning techniques. This is a never-ending book that took Fyodor 5 years to write, and it clearly spreads his experience testing and analyzing networks. This is specially true in the "Solution" section at the end of some chapters, where real-world scenarios are efficiently solved.

Additionally, the book clearly pinpoints the limitations for the multiple platforms (eg. Windows vs Linux) and scenarios (eg. privileged vs non-privileged user) nmap can run on. Besides that, it summarizes most nmap internals without requiring you to dive deep into the source code, what is a challenge in itself. All this information is complemented with some real challenges you find as a penetration tester today, such as the limitations to spoof Internet traffic from legal ISP, a topic I've been researching about recently.

The most advanced and technical chapters are chapter 7 and 8, detailing the inner workings of the nmap service, application, and OS fingerprinting modules, and chapter 9, providing the NSE knowledge required to read and develop your own nmap scripts.

This is the type of book I recommend you to read in front of your computer, practicing simultaneously. Open a terminal, enable your network connection, and run the latest nmap version as you read throughout the book while testing the different options and examples. You can use multiple target virtual machines to experiment with, or if not available, the scanme.nmap.org site (use with caution). One thing is sure: you will have a lot of fun!

I have been using nmap since 1999, and found the book fits a broader audience, from the novice reader (please, do not get overwhelmed initially by all the available nmap options and scan types), that can learn the principles of the scanning techniques used (the packet flow diagrams on the port scanning chapter are specially helpful), up to the advanced professional, explaining what's behind the scenes of every technique and nmap argument, at the OS and network traffic level. The book applies to most security professionals, from security administrators that need to manage and secure their environments, to penetration testers interested on driving their skills to a new level.

This is the kind of book that feeds your creativity and research motivation. Fyodor, once again, promotes along the book the open-source philosophy, the need to share and contribute to the community, in this case in the form of OS and service fingerprints, NSE scripts, or just reporting nmap bugs.

Some minor things I would have liked to see mentioned for an extra finishing touch, offering my tiny contribution for a future version, are:

• A statistical analysis of the most common ICMP types currenty allowed on the field, similar to the study for TCP and UDP ports Fyodor did. On my experience, for example, I find ICMP timestamps allowed much frequently than ICMP netmask requests today.
• Extend the analysis of port knocking with the Single Packet Authorization (SPA) concept.
• Finally, I would have loved to see specific sections for the new nmap-related tools, such as ndiff (the command line version), or ncat.
  

Respectfully, once I finished reading the book I feel like Raul "Fyodor" Siles..., you will do too! :)

Fyodor was generous enough to release an extensive portion of the book for free on the official nmap book website. Take a look at it and you won't doubt about getting your own full copy.

UPDATE: Amazon review.

Security Book Review: "Voice over IP Security"

"Voice over IP Security"
Author: Patrick Park
Editorial: Cisco Press
Publication date: September, 2008
ISBN-10: 1587054698
ISBN-13: 978-1587054693



Summary: General VoIP security overview. Best chapters: SBC's and LI.

Score: 4/5

Review:
The book provides a good general overview of VoIP security, covering multiple topics involved on securing a VoIP infrastructure, from network devices to VoIP servers, plus secure VoIP protocols. In my opinion, the best chapters are chapter 8 and 10 & 11, Session Border Controllers (SBC's) and Lawful Interception (LI), respectively; it is difficult to find books covering these topics still today, although these are two of the major areas regarding VoIP security nowadays.

SBC's are the VoIP security element by design and therefore a key device in any VoIP infrastructure. The book covers SBC's types, access and peering, expected SBC functionality and capabilities (such as DoS protection, translation and NAT features, LI, high availability and load balancing, etc) and offers a brief introduction to its architecture design concepts.

Lawful Interception (LI) by law enforcement (LE), or LI by LE :), is one of the main VoIP research topics today, especially when strong security features are added, such as signaling and media encryption, that difficult the interception tasks. The last two chapters cover the fundamentals of LI on VoIP networks (following the Cisco model, as there are three other standards), describing the different elements, fucntions, and interfaces involved. It is a theoretical chapter followed by some practical advice to implement LI, very detailed and Cisco-based.

The book starts with an introductory overview of VoIP, its benefits and drawbacks, and some security concerns. Then it provides another VoIP threat taxonomy, a good generic overview that lacks some VoIP threats and complements (or simply provides another perspective to) the IETF draft and VOIPSA VoIP threat taxonomies. Unfortunately, I have not found yet a classification that consolidates all the different VoIP threats from (IMHO) the right perspective.

Chapter 3 offers an interesting summarized analysis of the main VoIP protocols, how they work, and their main security requirements and features. It covers H.323, SIP, and MGCP; I specially liked the SIP section, with descriptive message captures and flow diagrams. Chapter 5 complements the VoIP protocols with the main network devices in a VoIP environment, their role, and key security requirements. Although chapter 7 extends the security analysis of VoIP protocols, covering authentication and signaling and media encryption, it does not cover the latest key exchange solutions, such as DTLS, ZRTP or MickeyV2, as it is focused mainly on S/MIME.

All these chapters provide a lightweight analysis of VoIP security, not going very much in-depth into any of the topics covered. The book is a good overview reference for the VoIP security novice reader, I guess intended for network and system administrators, law enforcement, or security pros new to VoIP.

VoIP threats, including some attack types and tools, are analyzed on chapter 6. This chapter covers in detail a few VoIP attacks, providing simulation, examples and command line options for widely available attack tools. It allows the reader to see some real attacks in action, although it only shows the tip of the iceberg regarding all the tools and attacks that are possible; please, do not get the feeling that this is all you can do.

Chapter 4 covers cryptography, and in my opinion, it doesn't fit on the book; although crypto is a key aspect to protect VoIP infrastructures, the novice reader can get this info from other sources.

As the book is from Cisco Press, chapter 9 focuses on specific Cisco features and syntax, specially for practical sections that provide configuration details for firewalls, access devices, and the Unified Communication Manager (& Express), formerly CallManager. The info is useful to get an overview of the implementation steps, but do not apply to you if you are using equipment from other vendors.

Overall, it is a generic reference book to start getting involved into the VoIP security world, acquire a general understanding of the main VoIP security threats, target network elements, VoIP protocols, and security solutions. Once again, the SBC and LI sections are my favorites.

UPDATE: Amazon review.

NOTE: I will not publish my reviews on Bookpool anymore due to their hard-to-use interface and review rules.

Security Book Review: "Google Hacking for Penetration Testers - VOLUME 2"

"Google Hacking for Penetration Testers - VOLUME 2"
Authors: Johnny Long et. al.
Editorial: Syngress
Publication date: November, 2007
ISBN-10: 1597491764
ISBN-13: 978-1597491761



Summary: New updates and material for the second edition of the Google Hacking masterpiece. Volume 2 is today's reference.

Score: 4/5

Review:
This review mainly focuses on evaluating how valuable is to get a copy of "Google Hacking for Penetration Testers - VOLUME 2" if you already own a copy of the first edition, and the scores rates exactly that. If you don't have neither of them, I strongly encourage you to acquire Volume 2 (see details below), no matter what area of the information security field you work in (and specially if you are a penetration tester), as the contents affect to you in multiple ways. On my day-to-day security consulting practice, I'm still very surprised about how many IT people don't know about these techniques. The book is a masterpiece for information disclosure and mining from public sources, such as (but not only) Google. If I had to evaluate the book on itself, not comparing between editions, it would definitely get a score of 5/5.

The first edition was released in 2005 and opened the world of the Google Hacking techniques to the general public, together with the GHDB. The second edition title is (at least) confusing, as Volume 2 seems to denote it is a complementary book to the first edition. It is not, so I do not recommend you to get the first edition today. Volume 2, or the second edition as it should have been called, has been thoroughly updated (including most of the screenshots) to cover the latest changes and Google applications. I did a major update to the SANS "Power Search with Google" course on the first half of 2006, when some of the new Google functionality (not in the first edition) was already available. The second edition reflects those updates I identified and put back together then, even the tiny ones, such as the maximum search terms, that changed from 10 to 32. Additionally, all the statistical references, covering number of results returned by Google, and main contents have been reviewed and updated to reflect the current state of the art.

Some chapters have been kept from the previous edition (chapters 1 to 3, and chapters 6 to 9, and chapter 12), although they have suffered updates. Others have been moved (such as the old chapter 10, now chapter 4) or redesigned (like the new chapter 5). Besides, there are brand new chapters, like 10 and 11.

I specially like the updates on chapter 5, with the new tools and scripts to query Google and, specially, to parse and process the results, including several Perl and User-Agent tricks. The book, obviously, covers the Google API changes and provides solutions to overcome them, such as Aura. Chapters 6 and 8 include relevant updates to the Google code search engine and new capabilities to locate malware and binaries, plus new techniques to track down login portals and network embedded devices and reports, respectively.

The new chapter 10 is a great reference covering the new Google services from a hacking and "malicious" perspective. It is a required update given the pace Google releases new functionality and information sources, such as the AJAX capabilities and API, the source code search engine, calendar, blogger, and alert services.

The new chapter 11, "Google Hacking Showcase", includes the real-world Google Hacking samples and cases Johnny Long has been presenting in several hacking conferences during the last years. A found having a printed copy of it within the book very valuable, as it is an eye-opener, and it is a fun read. Definitely, if you have not seen Johnny's presentations and talks, I encourage you to access the archives from BlackHat and DefCon and enjoy them.

Finally, chapter 12 (the old chapter 11), covers new techniques and tools from a defensive perspective. The new additions increase the defender arsenal in order to mitigate the old and new threats covered throughout the book.

The influence of multiple authors in this edition is evident, something good for the new contents and material, but not so good for the chapter layout, as some do not follow the original format with a final summary, solutions, links and FAQ. Chapter 10 is a good example of both.

The complementary appendixes from the first edition, not directly relevant to the book topic from my perspective, have been removed. Overall, I feel some of the waffle has been left out, a smart decision (but not always easy) in order to keep the book size reasonable, and make room for the new contents.

I would like to see some of the pages that simply provide long listings from the GHDB moved to an appendix and simply referenced from the associated chapter. It might be useful to have these lists full of query samples on the book, but not just in the middle of a chapter. Another improvement would be to have a book webpage consolidating all the code samples, such as the Blogger submission script, as I'm not sure they are all available on a single website.

To sum up, if you don't have a copy of this book, go and buy Volume 2! (not to mention Johnny's involvement with charities). If you are a professional penetration tester, the new material in this second edition is highly recommended, so update your shelves and start applying the new contents on your daily practice. If you are an infosec pro, not directly involved in Google Hacking tasks, and you already own a copy of the first edition, I think you do not need Volume 2, as you already understand the threat, risks, and what is all this about.

At some point I was almost involved in co-authoring this 2nd edition, but finally it didn't happened. A pity, as definitely, this is one of today's reference books that should be on any infosec shelves.

UPDATE: Amazon review and Bookpool review (1st).

Security Book Review: "Applied Security Visualization"

"Applied Security Visualization"
Authors: Raffael Marty
Editorial: Addison-Wesley Professional
Publication date: August, 2008
ISBN-10: 0321510100
ISBN-13: 978-0321510105
http://safari.awprofessional.com/9780321510105



Summary: Definitely Security Visualization is one of the most relevant present and future topics in the security field, and this book is simply THE reference.

Score: 5/5

Review:
When security professionals are dealing with huge amounts of information, and who is not nowadays, correlation and filtering is not the easiest path (and sometimes enough) to discern what is going on. The in-depth analysis of security data and logs is a time consuming exercise, and security visualization (SecViz) extensively helps to focus on the relevant data and reduces the amount of work required to reach to the same conclusions. It is mandatory to add the tools and techniques associated to SecViz to your arsenal, as they are basically taking advantage of the capabilities we have as humans to visualize (and at the same time analyze) data. A clear example is the insider threat and related incidents, where tons of data sources are available.

The best sentence (unfortunately it is not an image ;) that describes SecViz comes from the author:

A picture is worth a thousand log entries.

This is a great book that joins two separate worlds, visualization and information security (infosec). The first chapter is an excellent introduction to the human perception system, its basic principles, and how we analyze, discern, and assimilate information. It is an eye opener for those new to the field. Chapter two is similar from an infosec perspective, and summarizes the main challenges and data sources, such as packet captures, traffic flows, and firewall, IDS/IPS, system, and application logs. The third chapter details different graph properties and chart types, including some open-source and online tools for chart and color selection. Although we (infosec pros) are familiarized with link graphs to represent relationships between botnet members or hosts, the book provides a whole set of charts for different purposes; one of the most useful types, and we are not very used too it in the security field, is treemaps. The chapter includes a really useful table to select the right graph based on the purpose of the analysis and the data available.

Then, the previous chapters are smoothly mixed together through a reference methodology that defines what is the problem to solve, and the process to manipulate the available data and generate a (or set of) graph(s) that allow gathering relevant conclusions and answers. The methodology is complemented with an introduction to the standard Unix-based text processing tools (grep, awk, Perl, etc). This methodology is later on applied, with a strong hands-on and how-to spirit, to an extensive set of common security use-cases, such as the perimeter threat, compliance, and the insider threat.

The perimeter chapter offers a deep insight into common attack scenarios, such as worms, DoS or anomaly detection, and operational tasks, like firewall log and ruleset analysis, IDS tuning, or vulnerability assessments. I could never forget how useful were SecViz techniques for anomaly detection on a huge DNS-related incident I was involved about 5 years ago. Thanks to the performance and statistical graphs we had available at that time, we were able to easily identify and solve a very complex and critical security incident.

When I saw this chapter included a wireless section I got really excited due to personal interest. However, I was disappointed as it was just a couple of pages. I think it could be extended to gather a whole set of useful information about complex wireless attacks and client and access points relationships, just by inspecting the different 802.11 management, control, and data frames, and even radio-frequency signals (from a spectrum analyzer). SecViz opens the door to a whole new wireless research area!

The compliance chapter offers a whole methodology to check and manage regulations, control frameworks, auditing, and risk monitoring and management from a visual perspective.

The same applies to the insider threat chapter, as it provides an impressive framework, not only visualization-based, to deal with malicious insiders. It is based on setting up scores for certain behaviors and activities (precursors), generating lists of suspicious candidates, and apply thresholds to accommodate exceptions. It also contains an extensive and directly applicable precursor list at the end to detect suspicious insider activities.

Finally, the book contains a whole chapter, full of references and comparison tables, of open-source and commercial visualization tools and libraries that allow the reader to select the appropriate tool for specific tasks and scenarios.

Although the book hands-on component is very significant, with lots of detailed examples of commands, scripts, and tool options to generate the different graphs, I would have liked to see a thorough usage of the how-to portions, as for some sections there are no specific details about how the graphs have been generated. The book layout makes it the perfect candidate to become a fully interactive technical book. I would suggest to add (for a 2nd edition ;)) practical sections to each chapter where the reader could reproduce all the steps discussed. The book CD is the perfect tool to provide the reader with all the (sanitized) data sets and logs used to generate the graphs, and even allow to include some challenges where the reader needs to analyze the data and answer some questions after generating the appropriate graphs.

To sum up, this book is a mandatory reference for anyone involved in the operational side of infosec, doing intrusion detection, incident handling, forensic analysis, etc, and it can be applied to both, historical analysis and real-time monitoring. Additionally, I found it useful too for auditing and pen-testing professionals, as it provides great tips to generate relevant and efficient graphs for the associated reports.

The accompanying DAVIX Live CD is an excellent resource to start applying the techniques covered throughout the book through open-source tools, SecViz is the Web portal to expand your knowledge on this topic, and AfterGlow is (one of) the most relevant SecViz open-source tools.

UPDATE: Amazon review and Bookpool review (1st)

Security Book Review: "Penetration Tester's - Open Source Toolkit Volume 2"

"Penetration Tester's - Open Source Toolkit Volume 2"
Authors: Aaron Bayles, et. al.
Editorial: Syngress
Publication date: October 12, 2007
ISBN-10: 1597492132
ISBN-13: 978-1597492133
http://www.elsevierdirect.com/product.jsp?isbn=9781597492133



NOTE: My copy of the book is not authored by Chris Hurley, as other book references on the Internet show, although they have the same ISBN, ¿?.

Summary: A good generic penetration testing reference guide. It includes a wide range of topics, and it is just based on open-source tools.

Score: 4/5

Review:
Penetration testing is definitely a recommended security discipline that helps you find real vulnerabilities and security wholes before the adversary does. This book is a reference guide of the different penetration testing stages and considerations, covering a wide range of technologies and tools. It is just focused on open-source and freely available tools, and do not include any commercial counterparts, like Core Impact or the specialized Web application testing suites. Perhaps this is a good addition for a future edition without the "open-source" term on its title.

The wide scope of the book is one of the reasons why it is not extremely cutting-edge and does not go into the deep details required to master each topic covered. I completely understand it is not possible to create such a book (at least with less than 9999 pages), covering a wide range of topics and including in-depth details. Overall, this book is a good reference guide (in fact one of the few generic references) that will open the door for more advanced knowledge from other books focused on specific areas, such as wireless, Web applications, databases, etc.

Something that can be quickly appreciated is the involvement of multiple authors, as the quality and look and feel of chapters varies. I specially liked the first two chapters, focused on Recon, Enumeration and Scanning. Even if you're an experience pen-tester, I've been doing penetration tests since 2000, you can easily identify the positive SensePost influence on these chapters, and the section contains valuable tips and tricks. At some extent, the "you always have something new to learn" principle applies here.

The book is really good emphasizing best practices and suggestions from a professional pen-testing perspective. When running tests over production environments, there are lots of considerations to need to have in mind, beyond the pure attack techniques. The book does an excellent work on this area, and this is also ratified by the final chapter detailing how to build your own pen-testing lab, including common political and technical issues (I can confirm I've seen lots of them in real world situations). Once you run pen-tests frequently, you need to customize and build your own scripts and tool set. The book also emphasizes this by explaining how to customize the Backtrack CD with your own additions. Definitely, it is a good approach as Backtrack is the reference pen-testing Linux Live CD distribution nowadays.

At first sight, the book structure is a bit strange and it seems there is a lot of repetition on each and every chapter, but once you get used to it, I think is a great approach. Each chapter introduces the goals and scope, then covers the technologies (or pen-testing phases) analyzed, plus the hacking techniques and vulnerabilities involved, and after that it focuses on the tools required to implement the attacks and how to use them, with practical and detailed examples.
It is crucial to differentiate between the techniques and foundations, and the tools, as multiple tools can be used for the same attack, sometimes you do not even need any hacking tool, and new tools will come in the future. I recommend you to master the techniques, the attack principles, and understand the vulnerabilities, and from there, select the best tool on each case. All this structure is complemented with a final case studies subsection on each chapter that exemplifies real-world situations where the techniques and tools can be applied, and how.

The databases, wireless and network devices hacking chapters are good. They provide some insight in the methodology, hacking tools and techniques available for these type of targets. The database hacking focuses on MS SQL Server and Oracle, for sure the most common DB's available out there. The wireless section mainly focuses on WiFi, and Bluetooth is barely mentioned; not enough. And finally, the network devices chapter is a must, as these systems are typically forgotten, although they manage all the network traffic and are a critical IT component of any organization.

In particular, I didn't like too much the Web application chapter. Although it contains lots of tools references, the structure and methodology presented is not very clear, and there is a kind of mix of tools to perform different tasks. Because Web application pen-testing is one of the cutting-edge areas we are dealing with today, I'd have liked to see more quality and in-depth material on it.

From my point of view, the forensic chapter is not related at all with the book and I would completely remove it. There are other very good forensic books available, so I guess it has been included because the tools and infrastructure for basic forensic analysis is available on Backtrack.
Instead, I would have liked to see more details, practical examples, and resources about vulnerable testing environments, such as the DVL (Damn Vulnerable Linux) distro, WebGoat, the Foundstone hackme suites; just to name a few, as well as Capture-the-Flag scenarios and conference references. It would be great to provide an overview on how to build and break into these testing environments using the tools and techniques covered throughout the book.

I strongly recommend this book to people thinking about, or starting on, the penetration testing field. It provides a good and wide overview of topics you need to master, tools available to launch the appropriate attacks, and other pen-testing best practices. As the book is directly aligned with the Backtrack CD, unfortunately version 2 and not the latest version 3 (time for a new edition, including more Bluetooth stuff and adding VoIP hacking ;)), it has a direct and very strong hands-on component, that allows the reader to test the different tools and examples, and makes it very valuable.

UPDATE: Amazon review (1st) and Bookpool review (1st)

Security Book Review; "Virtual Honeypots: From Botnet Tracking to Intrusion Detection"

"Virtual Honeypots: From Botnet Tracking to Intrusion Detection"
Authors: Niels Provos and Thorsten Holz
Editorial: Addison-Wesley Professional
Publication date: July 26, 2007
ISBN-10: 0321336321
ISBN-13: 978-0321336323
http://safari.awprofessional.com/9780321336323



Summary: This book is THE current reference about honeynet technologies and solutions. Definitely a must read if you are interested on improving the intrusion detection capabilities of your IT infrastructure, and who is not? :)

Score: 5/5

Review:
Honeynet solutions were seen just as a research technology a couple of years ago. It is not the case anymore. Due to the inherent constraints and limitations of the current and widely deployed intrusion detection solutions, like IDS/IPS and antivirus, it is time to extended our detection arsenal and capabilities with new tools: virtual honeypots.

Do not get confused about the book title, specially about the "virtual" term. The main reason to mention virtual honeypots, although the book covers all kind of honeynet/honeypot technologies, is because during the last few years virtualization has been a key element in the deployment of honeynets. It has offered us a significant cost reduction, more flexibility, reusability and multiple benefits. The main drawback of this solution is the detection of virtual environments by some malware specimens.

The detection of honeypots has always been one of the main concerns in the honeynet community, basically because if the attacker can identify them, they are useless. For this reason, one of the chapters is just focused on providing some light, tips, and tricks about what an adversary can really accomplish. In fact, we have not seen lots of real-world incidents where the attacker actively checks the existence of honeynet setups.

I have been working with honeynets during the last 5 years. We founded the Spanish Honeynet Project on 2004, and almost at the same time we became part of The Honeynet Project and released the Scan of the Month 32. The main honeynet/pot book reference till last year was the book published by the Honeynet Project. As this is a rapidly evolving field, definitely it has been replaced by this book, written by two project members.

The first chapter is a very brief introduction to honeynet technologies and basic tools. You can jump through it if you are not new to this field. Then, the book covers the main two honeypots types: high and low interaction. The high interaction section provides details about the tools to virtualize your honeypots: VMware, UML, or more specific solutions, such as Argos. The low interaction section provides details about some the most relevant honeypot types to cover lots of detection scenarios: worms, traditional server attacks, Google Hacking, Web-based attacks, etc. It is a wide overview that will give you lot of ideas for new deployments.

The whole book has been cooked with a how-to mentality , and it explains in detail how to install and configure the different tools and software elements covered. Additionally, it provides guidelines, best practices, and analysis recommendations for each tool based on the authors experience. However, for the how to portions take into account that most of the solutions are Linux-based, and the installation and setup process will vary based on the tool version and the Linux distribution you are using (library dependencies, etc). In any case, the step by step guides are very useful as a general setup reference.

From my perspective, the most valuable part of the book is chapters 4 to 6. The authors, Niels Provos and Throsten Holz, are the lead developer/architect for honeyd (chapter 4 and 5) and strongly related with nephentes (chapter 6), respectively. These two are the most famous and advanced low-interaction server-based honeypot and malware honeypot. They know what they are talking about :), and you cannot find a better reference out there for these two tools. The book is an excellent guide, covering from the design principles and innovative deployment ideas, to all kinds of configuration options and possibilities, including limitations on real-world scenarios. Chapter 6 is complemented with other less popular malware-based honeypots (except for Honeytrap).

The book includes some extra material, covering academic and research hybrid solution, still on their early stages, but that can give you and idea of where these technologies are evolving to and the major challenges we are facing nowadays. This pretty much theoretical content is well balanced with the case studies chapter, where real incidents involving different honeypot types are presented. These are always a fun read and a way of getting experience and learn how to deal with intrusions.

Finally, one of the main expansion areas we are involved today is the creation of new client-based honeypot technologies. This book section (highly recommended) does a great job introducing multiple high and low interaction honeyclients currently available, their benefits and drawbacks (chapter 7). This information is perfectly complemented by the last two chapters, focused on tracking botnets and analyzing malware with sandbox environments. Once a client is compromised, it typically becomes a member of a botnet, and for easy and quick categorization, we start by performing a malware analysis of the specimens. I recommend you to add all this knowledge to your incident handling and response capabilities.

Something I would have liked to see in the book is a section about a fully virtualized honeynet environment, showing how using VMware, you can build up a virtual Honeywall (just slightly mentioned on chapter 2) and different honeypots, creating a complete, cheap, mobile and multi-purpose virtual honeynet infrastructure. Also, we receive multiple questions related to this kind of setup in the Honeynet Project mailing lists, because all the previous whitepapers are obsoleted now. I've been deploying these type of solutions for fun and professionally during the last few years and I strongly recommend you to start using them. You won't be disappointed about how much you can learn of what is going on in your networks and systems, and this book is the best starting point.

If you have any relationship with the intrusion detection, incident handling and forensics, threat analysis, or SOC and CERT security side of things, definitely this book is for you. Go through it and improve your capabilities with easy to deploy virtual honeypot solutions. You just need a (not so new) computer, virtualization software, and some time!

UPDATE: Amazon review & Bookpool review (1st) & Slashdot (1st)

Security Book Review: "LAN Switch Security: What Hackers Know About Your Switches"

"LAN Switch Security: What Hackers Know About Your Switches"
Authors: Eric Vyncke and Christopher Paggen
Editorial: Cisco Press
Publication date: Sep 6, 2007
ISBN-10: 1-58705-256-3
ISBN-13: 978-1-58705-256-9
http://www.ciscopress.com/title/1587052563



Summary: The layer 2 attack and defense master piece. One of the best security books I have read, covering a topic that is a hole in the infosec industry.

Score: 5/5

Review:
I have been promoting the need to protect access to local network infrastructures (against the insider threat) for so many years that I'm even tired of sending the same message again and again these days, but I do not give up. I never understood why if we require authentication to each and every technology resource, such as your computer operating system, servers, databases, applications, and even physical facilities, why this has not been the case to access the network. Still today, lots of local networks from big companies and organizations are "free", that is, if the attacker gets physical access to an Ethernet port (RJ-45 connector) he is in! (the network). This is one of the attacker's dreams, and we can simply mitigate this threat through the 802.1X protocol. The expansion of wireless networks has helped a lot to promote it, but still it must be applied to most wired networks out there.

802.1X is just one of the multiple additions you can make to your layer 2 security stance in order to protect the local (layer 2) network infrastructure from several attacks. Definitely, you need to stop thinking about IP (layer 3) attacks only, and move one level down. Honestly, one of the layer 2 attacks that works 99% of the times I'm running an internal penetration test is ARP spoofing or poisoning. I tried to emphasize the impact of this attack and the associated defenses on my first GIAC paper for the Incident Handler (GCIH) certification in 2003, "Real World ARP Spoofing".

The book covers most of the vulnerabilities, design flaws, and security holes associated to the layer 2 protocols we currently and extensively use on our networks, such as MAC flooding and spoofing attacks, and STP, VLAN, DHCP, ARP, PoE, HSRP, VRRP, CDP, VTP, LAP and even layer-2 IPv6 related attacks. However, and starting with the minimum privilege principle (if you don't need it, why it is enabled?), the main focus of this book (and specially Part I) is to provide the reader with the knowledge and specific details to detect these attacks and protect the network and network devices (mainly switches) against all these threats. For each protocol and attack it describes the proper settings for a secure implementation.

Parts II of the book focuses on Denial of Service (DoS and DDoS) attacks on layer 2 devices and provide an excellent overview of switches architectures, internal implementation details (mainly Cisco focused), the relationships between the Control Plane and the Data Plane, the protocols each layer deals with, and the security implications on the internal operation of switches. If you want to know how your switches really work and the security implications of enabling/disabling certain capabilities, this is the section of the book you must read.

Part III then provides an introduction to more advanced access control options, through multiple ACL types, and layer-2 authentication (802.1X). It's a good introduction to go deeper into serious layer-2 access control and authentication projects and deployments.

Simplifying the threat, the attackers have a single tool (in fact they have multiple but this is THE tool) to do real damage at layer 2, Yersinia, co-develop by a Spanish security colleague, David. We, as defenders, need to properly design and deploy all the layer 2 technologies and protocols considering the security implications of its presence on the network. Fortunately enough, the countermeasures available to mitigate layer 2 risks are available in some current network devices, mainly switches. BTW, I encourage you to use the attack tools, like Yersinia, to audit your network. Some of the book countermeasures are trivial to apply, while some others require a very carefully thought-out planning. The book provides the guidance you need to start accomplishing the goal of getting a definitive layer 2 protected network by exposing the complexity, advantages and disadvantages of each solution.

The book is structured in small, easy to read, chapters that describe each of the technologies analyzed and its operation, the security issues and attack examples, and the detection and protection mechanisms you need to apply, straight to the most relevant implementation details. It also includes practical examples and describes multiple scenarios where each countermeasure can be applied, as well as the main decision factors to apply it in a given way. If you are busy (and who is not these days?), I recommend you to select a layer 2 protocol or technology you are using, select the appropriate chapter (a 30-45 minutes read at most), and start planning and applying the related security best practices. You can repeat this chapter selection process every couple of weeks, and in 2-3 months your network will be what I would like to see on all my customers. The book allows network administrators and infosec professionals to independently digest any of the chapters and start protecting the associated technology. Obviously, the main goal should be to apply all the book recommendations to your infrastructure in the short-mid term. Unfortunately, not all the countermeasures mentioned are available in all switches; there is still lot of work to be done by the vendors to implement all them.

The book opens the doors to a whole set of layer-2 threats, but it is not a complete guide to implement all the related protections, neither a command documentation book. It is up to the reader to check his switch documentation (Cisco or others) to get the full syntax details and multiple options for each of the countermeasures detailed. If you have managed Cisco devices, you know syntax also changes between IOS/CatOS versions, so I prefer this approach rather than a detailed syntax compendium that may be unusable on my specific IOS/CatOS version.

Even this is a Cisco Press book, and obviously it is focused on the current solutions available from Cisco, it is fair to admit that Cisco is leading the networking market and includes some of the most advanced layer 2 protection mechanisms in its switches, such as port security, UUFP, root and BPDU guard, BPDU filtering and rate-limiting, VLAN and layer-2 protocols best practices, DHCP snooping, DHCP rate-limiting and validation, IP source guard, DAI (Dynamic ARP Inspection), PoE defenses, HSRP and VRRP strong authentication, 802.1X, and lots of ACLs types: . RACL, VACL, PACLs, etc. Therefore, as this is the way to go, other vendors (if they do not already have these) should provide similar protection capabilities on their layer 2 network devices.

I specially liked how the book ends up (Part IV) covering LinkSec, 802.1AE and 802.1af, future standards that will finally provide confidentiality and integrity at layer 2 at wire-speeds, similarly to what be have today in wireless networks with 802.11i (WPA and WPA2). Why don't you start checking if these standards are supported by your endpoint (client, servers, printers, VoIP phones, etc) and network devices? The sooner we use it, the better.

The only portion missing on the book IMHO is the inclusion of layer 2 QoS protocols, such as 802.1p. Apart from that, chapter 1 is a light intro to security. If you have been in the field for a while, you can directly jump over it. I think it could have been omitted.

Before reading this book, I had an extensive previous experience on layer 2 security, switches, layer 2 penetration testing, and layer 2 network security architectures and design, and I really enjoyed the book, specially its practical focus, broad scope on layer 2 issues, the format and examples. If you are a penetration tester, I'm sure you will get a few ideas too for your next challenge, and you can easily apply them as most attack tools are publicly available and included on the latest Backtrack 3 version. Definitely, if you are a network security professional or network administrator in any way, shape or form, this book must be in your shelves.

UPDATE: Amazon review & Bookpool review (1st).

Security Books Reviews: A Humble Opinion

Something I wanted to add this year to the uncountable list of security-related tasks I'm involved in, is the publication of security books reviews. As I end up reading several security books, mainly technical, throughout the year, I thought it may be interesting for some people to know the opinion of other readers (myself included ;) before getting a copy of a specific book. I hope you find my comments and reviews valuable in your book buying decissions.

Apart of publishing the review in the RaDaJo blog, I plan to insert my reviews in Amazon and Bookpool.

The idea is to follow a common review format for each book I dig through, including:
- Book details: Title, author(s), editorial, publication date, ISBN, and book reference.
- Summary: A brief and descriptive sentence reflecting my overall impression about the book.
- Score: A numeric score from 1 to 5, being 5 the top score (an excellent book).
- Review: Several comments about the book contents, including what I enjoyed the most and the less, my previous experience on the book topic, as I'm convinced that the value of a book is highly conditioned by the knowledge the reader has on the topic, the type of audience that could benefit from reading the book, as well as any other comments and opinions that come to my mind at the time of writing it. Comments might be focused on the book or on the topic covered by the book.

BTW, most publishers provide a free sample (in PDF format) for their books, so I'm including the book reference so that you can get all the book details and also have access to the sample chapter. That way you can read one chapter and see if the book seems to be what you expected from my review ;)

Due to the huge amount of technical security books published yearly, you could easily spend your whole life (without doing anything else) buying and reading them. These book review posts try to provide you useful details and, as a result, save you some time.

I have a few books in the current queue, so you should see some reviews published in the following weeks. As I'm starting this new task, and typically very busy with other security research and services, you will see that some of the books on my queue were published some time ago. I still think people may be interested on buying them today, so this is why I'm reviewing them.

If you are interested on having me reading and reviewing a specific book (because your are a frequent reader or a publisher), send your suggestions to radajo@gmail.com. If I like the topic, most probably I will go for it, digest it, and publish a review.

Time to improve your security skills with additional literature!!