secedu · Our mission is to provide an open forum for educators in information

Group Information

  • Members: 139
  • Category: Security
  • Founded: Sep 20, 1999
  • Language: English
Messages 543 - 572 of 921
#543 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Wed Mar 5, 2003 4:01 pm
Subject: REVIEW: "Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger
secgloss
BKSCNCMP.RVW   20030209

"Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger,
2003, 0-13-035548-8, U$79.00/C$122.99
%A   Charles P. Pfleeger
%A   Shari Lawrence Pfleeger s.pfleeger@...
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2003
%G   0-13-035548-8
%I   Prentice Hall
%O   U$79.00/C$122.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0130355488/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0130355488/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130355488/robsladesin03-20
%P   746 p.
%T   "Security in Computing"

This work is still obviously a textbook.  The attempts to target it at
a "professional" audience are possibly more convincing than in the
first edition, but it still reads like a text, and includes material
that is addressed at a scholastic, rather than experienced, audience.
Even as a textbook it is difficult to say that it succeeds.  It addresses
a broad range of computer security related topics, although there is a
notable shortage of material dealing with formal security models,
access concepts, operational procedures, physical security, and
business continuity.  The level of detail in the different areas
varies greatly, but the shortcomings of the book could be addressed in
the hands of a competent teacher.

The ten chapters in the book are not divided into parts, but seem, in
some cases, to come in chunks.  The introductory chapter is an
overview of basic concepts involved with system security.
Unfortunately, not all of them are explained fully.  The idea of
controls, for example, is a vital one, but the full ranges and types
of controls are not outlined.  There are also some not-quite-standard
additions to the lexicon, such as an attempt to divide threats into
four classes: interception, interruption, modification, and
fabrication.  It is difficult to see why fabrication is added to the
list, or why this provides a clearer view of threats than simply
looking to the opposites of confidentiality, integrity, and
availability.  Cryptography starts in chapter two (and, oddly, ends in
chapter ten).  The early coverage steps through different types of
simple encryption algorithms, followed up by cryptanalysis of the
same.  It strenuously avoids using any arithmetic, which makes
discussions of key sizes and strengths a bit difficult, but throws in
lots of symbolic logic, which seems to serve only to cloud the issue.

Chapter three starts what might be seen as a section on secure systems
development.  This is an important, and often neglected, topic, and is
generally covered reasonably well.  However, the material is not
always completely clear and rigorous.  For example, it is implied that
Thompson, rather than Cohen, was the first to investigate viruses.
Leaving aside the fact that Cohen's work started a year before
Thompson's lecture (only the date of Cohen's graduation is given),
Thompson's thought experiment proposed only an extremely limited form
of reproduction.  Again, when discussing covert channels, both the
terms "timing channel" and "storage channel" are used, but all the
examples given relate only to timing channels.  Operating system
protections are supposed to be covered in chapter four, but the
content is an odd amalgam of computer architecture and high level
access control.  In regard to designing trusted operating systems,
chapter five starts with a very poor outline of formal models (the
text is not clear, and, again, the addition of symbolic logic fails to
assist in the tutorial), presents a fair review of operating system
requirements, and then spends a lot of time going over various
evaluation criteria, without presenting much content of any use.  The
outline of database security is disappointing: chapter six spends too
much time on specific details, while almost ignoring major concepts
such as aggregation.

Chapter seven, the longest in the book, devotes excessive space to
basic communications technologies, including two copies of the section
on transmission methods.  Administration, in chapter eight, provides
the usual generic advice on planning, risk, and policies.
Intellectual property, computer crime, and ethics are presented as
problems with no solutions, in chapter nine.  The closing chapter
provides a whirlwind of the mathematics related to cryptography in an
impressive, disorganized, and basically pointless display.

This book could definitely use a wholesale reorganization and cleanup.
The level and tone of the content varies tremendously from section to
section, even within given chapters.  While most computer security
topics appear somewhere within the work, there is very little in the
way of logical flow or links between subjects.  Major areas seem to be
thrown in with minor sections simply because they had to be put
somewhere.  In terms of textbooks, I do not know that there is much to
choose between this volume and Bishop's "Computer Security: Art and
Science" (cf. BKCMSCAS.RVW), although Pfleeger and Pfleeger might have
a slight edge.  Certainly Gollman's "Computer Security" (cf.
BKCOMPSC.RVW) is superior to both.  And, depending upon the course,
Anderson's "Security Engineering" (cf. BKSECENG.RVW) probably outranks
them all.

copyright Robert M. Slade, 1993, 2003   BKSCNCMP.RVW   20030209

--
======================
rslade@...  rslade@...  slade@... p1@...
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
           March 31, 2003           Indianapolis, IN

#544 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Fri Apr 25, 2003 4:36 pm
Subject: REVIEW: "Firewalls and Internet Security", William R. Cheswick/Steven M. Bellovin/Aviel D. Rubin
secgloss
BKFRINSC.RVW  20030321

"Firewalls and Internet Security", William R. Cheswick/Steven M.
Bellovin/Aviel D. Rubin, 2003, 0-201-63466-X, U$49.99/C$77.99
%A   William R. Cheswick ches@...
%A   Steven M. Bellovin smb@...
%A   Aviel D. Rubin avi@...
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2003
%G   0-201-63466-X
%I   Addison-Wesley Publishing Company
%O   U$49.99/C$77.99 416-447-5101 fax: 416-443-0948
%O  http://www.amazon.com/exec/obidos/ASIN/020163466X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/020163466X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/020163466X/robsladesin03-20
%P   433 p.
%T   "Firewalls and Internet Security: Repelling the Wily Hacker,
       Second Edition"

As the first work to deal seriously and completely with the topic, the
first edition of "Firewalls and Internet Security" was one of those
classics that get known only by the last names of the authors, so as
not to leave any possibility of confusion with books whose titles may
be similar.

When such a long time has elapsed between editions of a work such as
this, it is more than possible that the field has moved on far enough
that a minor updating of the material is simply not feasible.  The
authors are quite well aware of the new territory: where useful, the
original structure has been retained, but otherwise, the book has
essentially been rewritten.  A huge undertaking, but the only
practical course, in the circumstances.

Part one establishes a starting point.  Chapter one, an introduction,
presents a number of basic, but worthwhile, security concepts.  The
operations of various components of the TCP/IP protocol suite are
discussed, with the most serious security vulnerabilities helpfully
highlighted, in chapters two (lower layers) and three (upper layers).
The authors' thoughts on the security of the Web are amply expressed
in the title of chapter four: "The Web: Threat or Menace?"

Part two outlines the threats to networked machines.  Chapter five
describes a number of different types of attacks.  A variety of tools
for determining security weaknesses are listed in chapter six,
alongside discussions of the relative costs/benefits of disclosure
versus security by obscurity.

Part three details security tools and utilities.  Chapter seven
reviews authentication concepts and techniques.  Various network
security systems are described in chapter eight.

Part four gets us to firewalls and virtual private networks (VPNs)
themselves.  Chapter nine outlines the different types of firewalls.
Basic filtering concepts are examined in chapter ten.  Considerations
for constructing and tuning your firewall are in chapter eleven.
Tunnelling and VPNs are discussed in chapter twelve.

Part five extends the isolated technology of firewalls into the
application of protecting an organization.  Network layout, and the
implications thereof, is reviewed in chapter thirteen.  Chapter
fourteen deals with hardening of hosts.  Chapter fifteen is a rather
terse look at intrusion detection.

Part six is entitled "Lessons Learned."  The detection and tracing of
"berferd" is described in chapter sixteen, along with the taking of
the "CLARK" machine in chapter seventeen.  In chapter eighteen,
Kerberos and IPSec are used as examples of approaches to security of
insecure networks.  Chapter nineteen finishes with some ideas for work
that yet needs to be done to help with the security of the Internet.

The place of firewalls in regard to network security has broadened
considerably in the past decade.  This book does reflect that reality.
Unfortunately, that breadth of topic has come at the expense of some
depth in coverage.  The result is a book that is definitely worthwhile
as an introduction to the field, but which may no longer be suitable
as a working reference.  I must admit that, for some time, I have been
recommending Chapman and Zwicky (cf. BKBUINFI.RVW) over Cheswick and
Bellovin's original text, since "Building Internet Firewalls" seems to
have the edge in terms of practicality.  Upon reviewing this new
edition of the classic, I would have to stick to that recommendation.

copyright Robert M. Slade, 1994, 2003   BKFRINSC.RVW   20030321

--
======================
rslade@...  rslade@...  slade@... p1@...
"If you do buy a computer, don't turn it on."     - Richards' 2nd Law
============= for back issues:
[Victoria Freenet] site http://victoria.tc.ca/int-grps/books/techrev/
                      or http://www.victoria.tc.ca/techrev
                      or http://victoria.tc.ca/techrev
              an alternate site has been provided by CuD and NIU at:
                         http://sun.soci.niu.edu/~rslade/
CISSP refs:     [Victoria Freenet]mnbksccd.htm
Security Dict.: [Victoria Freenet]secgloss.htm
Security Educ.: [Victoria Freenet]comseced.htm
Book reviews:   [Victoria Freenet]mnbk.htm
                 [Victoria Freenet]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
Security Educ.: http://groups.yahoo.com/group/comseced/
Review mailing list: send mail to techbooks-subscribe@egroups.com

#545 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Apr 29, 2003 11:00 pm
Subject: REVIEW: "Internet and Online Privacy", Andrew Frackman/Rebecca C. Martin/Claudia Ray
secgloss
BKINONPR.RVW   20030321

"Internet and Online Privacy", Andrew Frackman/Rebecca C.
Martin/Claudia Ray, 2002, 0-9705970-7-X, U$34.95/C$52.95
%A   Andrew Frackman
%A   Rebecca C. Martin
%A   Claudia Ray
%C   105 Madison Avenue, New York, NY   10016
%D   2002
%G   0-9705970-7-X
%I   ALM Publishing
%O   U$34.95/C$52.95 800-537-2128 www.lawcatalog.com
%O  http://www.amazon.com/exec/obidos/ASIN/097059707X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/097059707X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/097059707X/robsladesin03-20
%P   233 p.
%T   "Internet and Online Privacy: A Legal and Business Guide"

I have, in reviewing other works that deal with online law, noted the
limited utility of legal texts which address only, or primarily, the
laws of the United States.  As one would expect, this book, written by
three Americans, and published by an outfit named American Lawyer
Media, concentrates on American legislation.  (In fact, I find it
slightly ironic that a Canadian price is given on the jacket.)
However, the analysis is so clearly written, and so rooted in Common
Law and general legal principles, that I have very little compunction
in recommending this work to anyone interested in the legal aspects of
privacy, regardless of jurisdiction.

The introduction states that this work is intended for both the legal
professional and the lay audience.  Indeed, there is an attempt to
point out the business case for attending to privacy.  It is noted
that Doubleclick's plan to merge the surfing information that it had
been collecting with a database of personally identifiable information
that it had purchased resulted in a 40% drop in stock price before the
plan was abandoned.  In addition, there is a serious effort to
emphasize the importance of international law, although not all
sections of the book addressing the issue are successful.

Chapter one demonstrates that definitions of privacy are problematic.
Refreshingly, an understanding of technology itself is considered to
be important.  Unfortunately, this position is somewhat undermined by
a bit of confusion in regard to the possibility of obtaining
personally identifiable information from the "clickstream" (activities
while surfing the Web), and a minor error when discussing IP
addresses.  The aforementioned business reasons for respecting privacy
are primarily given in chapter two.  The development of privacy
regulation, in chapter three, is predominately based on US laws and
cases, but, as noted, is also conceptual and therefore broadly
applicable.

Chapters four to nine deal with specific US legislation.  Chapter four
details the Children's Online Privacy Protection Act; five outlines
the Gramm-Leach-Bliley bill (for financial institutions), the Health
Insurance Portability and Accountability Act, Computer Fraud and
Abuse, and Electronic Communications Privacy; six looks at state level
versus federal jurisdiction; seven reviews case law (concentrating on
email interception); eight discusses decisions in some class action
civil suits; and nine examines Federal Trade Commission studies and
decisions.

The European Union directives are dealt with in depth in chapter ten.
The US Safe Harbor program is reviewed in terms of principles, but,
unfortunately, details and procedures are not covered.  Chapter eleven
provides brief but broad outlines of various international
regulations.  Corporate privacy policies are discussed in chapter
twelve.  Chapter thirteen has a brief overview of a number of privacy
enhancing technologies, but no mention of legal issues that might be
involved.  Government monitoring, the keyboard logging system (KLS,
aka Magic Lantern), Carnivore, and the Patriot Act are examined in
chapter fourteen.

This book is concise, readable, and valuable.  There are some areas
where one could hope for additional coverage and detail, but the
concepts and basics are covered well.  I would recommend this work to
anyone interested in privacy issues, and particularly to those in the
security industry who do not have an extensive legal background.

copyright Robert M. Slade, 2003   BKINONPR.RVW   20030321

--
======================
rslade@...  rslade@...  slade@... p1@...
"If you do buy a computer, don't turn it on."     - Richards' 2nd Law
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
       or mirror http://sun.soci.niu.edu/~rslade/
CISSP refs:     [Base URL]mnbksccd.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews:   [Base URL]mnbk.htm
                 [Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
Security Educ.: http://groups.yahoo.com/group/comseced/
Review mailing list: send mail to techbooks-subscribe@egroups.com

#546 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Fri May 2, 2003 4:21 pm
Subject: REVIEW: "Inside the Security Mind", Kevin Day
secgloss
BKINSCMI.RVW   20030321

"Inside the Security Mind", Kevin Day, 2003, 0-13-111829-3,
U$44.99/C$69.99
%A   Kevin Day
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2003
%G   0-13-111829-3
%I   Prentice Hall
%O   U$44.99/C$69.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0131118293/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0131118293/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0131118293/robsladesin03-20
%P   309 p.
%T   "Inside the Security Mind: Making the Tough Decisions"

I am quite sympathetic to the idea that the realization of a security
mindset or attitude (I frequently refer to it as professional
paranoia) is more important to attaining security than isolated
technical skills.  I'm sorry to say that this work is not likely to
help you find, attain, or assess that protection perspective.

Right from the beginning of the book, readers will find a flavour of
eastern philosophy, and even mysticism, to it.  There are four
virtues, an eight-fold path, and even repeated injunctions for the
reader to keep an "open mind"--a phrase which those who have conversed
with devotees of the Buddhist faith will find rather familiar.

Unfortunately, chapter one seems to demonstrate that Day is bringing
us only a new-age vagueness in his description of the security mind.
We are to rid ourselves of negative thoughts, and follow fundamental
virtues, which we haven't been given yet.  Computer security is only a
decade old, we are told in chapter two, and constantly changing, and
expensive, and there are few practitioners, and lots of bad guys out
there, and we are paralyzed by fear--but we have nothing to fear but
fear itself!  Chapter three finally lists the four virtues for us:
security is ongoing, a group effort, requires a generic approach, and
is dependent upon education.  I don't disagree with any of these
points (other than the philological debate about whether they should
be called virtues), and neither would any other security professional.
However, they don't really provide us with much in the way of help.
Eight security "rules," in chapter four, list principles such as
"least privilege," which are also commonly known in security work.

Chapter five is supposed to tell us how to develop a security mind,
but actually seems to be an exercise in wishful thinking.  If the
world were neatly divided into safe and unsafe zones, and if our
systems all worked perfectly and in correspondence with our users'
known requirements, and if everyone that we trusted were completely
competent in regard to their own defence, security would be much
easier.  Decision-making is likewise simplistically seen to be
supported by the virtues and rules, in chapter six.  There is a
superficial overview of blackhats and vulnerabilities in chapter
seven.  Chapter eight has a standard review of risk analysis.  Vague
ideas on hiring security, and some thoughts on outsourcing, are in
chapter nine.  The author gives his opinion on some security tools in
chapter ten.  Chapter eleven is another attempt to prove that the
rules can be used.  We are given a final adjuration to change our
attitudes in chapter twelve.

Basically, this book is yet another attempt to write a general
security guide, without first ensuring that the material is
structured, sound, complete, or useful.

copyright Robert M. Slade, 2003   BKINSCMI.RVW   20030321


#547 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue May 13, 2003 4:03 pm
Subject: REVIEW: "802.11 Security", Bruce Potter/Bob Fleck
secgloss
BK8021SC.RVW   20030404

"802.11 Security", Bruce Potter/Bob Fleck, 2003, 0-596-00290-4,
U$34.95/C$54.95
%A   Bruce Potter
%A   Bob Fleck
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2003
%G   0-596-00290-4
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$54.95 800-998-9938 fax: 707-829-0104 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596002904/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596002904/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596002904/robsladesin03-20
%P   176 p.
%T   "802.11 Security"

The preface states that this book is aimed at the network engineer,
and the security engineer, or the hobbyist, but it is not an
introductory work.  The reader will need to know Linux to the kernel
configuration level, and TCP/IP networking to the ARP (Address
Resolution Protocol) level.

Part one addresses the basics of 802.11 security.  Chapter one
provides a background, and looks at issues, in wireless
communications, although primarily from a communications, rather than
security, perspective.  There is a review of attacks and risks, in
chapter two, and for once there is a comparison of wired versus
wireless hazards, ranging from the common (interference from portable
phones) to the sophisticated (signal strength attacks related to
diversity antennae).

Part two deals with station, or remote device, security.  Chapter
three examines attacks against machines and networks, and suggests the
use of SSL (Secure Sockets Layer) and SSH (Secure SHell).
Configuration recommendations for the kernel, startup, firewall, and
other aspects of FreeBSD are covered in chapter four.  Chapters five,
six, and seven do the same for Linux, OpenBSD, and Mac OS X,
respectively (with a concentration on the AirPort utilities for the
Mac).  Windows, in chapter eight, reviews basic workstation items
only, with limited advice and direction.

Part three looks at access point security; the setup of access points
under Linux, FreeBSD, and OpenBSD is all contained in chapter nine.

Gateway security is the topic of part four, with chapter ten looking
at gateways and firewalls, while the use of the three UNIX variants as
gateways is discussed in chapters eleven, twelve, and thirteen.
Authentication and encryption, mostly with IPSec, are reviewed in
chapter fourteen.  A rather vague closing is given in fifteen.

As noted, this is not a book for beginners.  Presumably readers should
already know the most common dangers of wireless LANs, such as
allowing default access passwords to remain active, and broadcasting
the station set identifier.  WEP (Wired Equivalent Privacy) is
dismissed as irrelevant: since it is deeply flawed, one can assume
that the concentration on technologies such as IPSec and station
security is of greater use than suggesting minor improvements in the
use of WEP keys and initialization vectors.  However, it is a bit of a
pity that the authors took this route.  With the addition of possibly
an extra fifty pages this could have been an excellent reference for
all wireless LAN administrators.

copyright Robert M. Slade, 2003   BK8021SC.RVW   20030404


#548 From: "Louis Numkin" <lmn@...>
Date: Tue May 13, 2003 3:17 pm
Subject: Re: just found this great website
lmn@...
I've not gone there but for what is it "great"?

>>> mbrflnoughrs@... 11/03/02 08:13PM >>>
http://kealsndsr.8m.com/index.html



Community email addresses:
   Post message: secedu@onelist.com
   Subscribe:    secedu-subscribe@onelist.com
   Unsubscribe:  secedu-unsubscribe@onelist.com
   List owner:   secedu-owner@onelist.com

Shortcut URL to this page:
   http://www.onelist.com/community/secedu

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

#549 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu May 15, 2003 3:59 pm
Subject: REVIEW: "Mobile VPN", Alex Shneyderman/Alessio Casati
secgloss
BKMBLVPN.RVW   20030401

"Mobile VPN", Alex Shneyderman/Alessio Casati, 2003, 0-471-21901-0,
U$45.00/C$69.95/UK#33.50
%A   Alex Shneyderman
%A   Alessio Casati
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-21901-0
%I   John Wiley & Sons, Inc.
%O   U$45.00/C$69.95/UK#33.50 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471219010/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471219010/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471219010/robsladesin03-20
%P   330 p.
%T   "Mobile VPN"

Part one presents wireless data fundamentals.  Chapter one gives an
introduction to mobile virtual private networks (MVPN), and the
emphasis on cellular technology points out that the authors are
familiar with the telecommunications, rather than security, field of
work.  The material contains a weak suggestion that MVPNs may be
useful, lots of alphabet soup, and very little in the way of
conceptual background.  The data networking technologies in chapter
two are not explained very clearly: basic ideas get bogged down with
details.  Cellular radio interfaces are listed in chapter three, with
data services that can be provided over cellular networks in chapter
four.

Part two looks at MVPN and advanced wireless data services.  MVPN
fundamentals, in chapter five, basically reiterates the text from
chapter two, with a little extra emphasis on virtual private networks.
Chapter six describes various GSM (Global System for Mobile
communications)/GPRS (General Packet Radio Service) and UMTS
(Universal Mobile Telecommunication System) offerings.  Options for
CDMA2000 (Code Division Multiple Access) are listed in chapter seven.
Chapter eight explains MVPN equipment components and requirements.
Possible developments in mobile VPN are advanced in chapter nine.

This book once again emphasizes the divide not only between the
cellular and wireless LAN camps, but also between communications and
security.  It fails to bring all the related technologies together
between two covers.  At the same time, for those in the LAN or
security fields who need to know about cellular service offerings,
this work does not provide a consistent level of explanation and depth
of background for those issues.  Possible utilities are tabulated, but
these could be obtained from almost any cell company sales office.

copyright Robert M. Slade, 2003   BKMBLVPN.RVW   20030401


#550 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue May 20, 2003 10:00 pm
Subject: REVIEW: "Protected Internet, Intranet, and Virtual Private Networks", Alexander Moldovyan et al
secgloss
BKPIIVPN.RVW   20030404

"Protected Internet, Intranet, and Virtual Private Networks",
Alexander Moldovyan et al, 2003, 1-931769-14-1, U$44.95/C$67.95
%A   Alexander Moldovyan
%A   Nick Moldovyan
%A   Doug Summerville
%A   Vladimir Zima
%C   295 East Swedesford Road, PMB #285, Wayne, PA   19087
%D   2003
%G   1-931769-14-1
%I   A-LIST LLC
%O   U$44.95/C$67.95 fax 702-977-5377 mail@...
%O  http://www.amazon.com/exec/obidos/ASIN/1931769141/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1931769141/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1931769141/robsladesin03-20
%P   310 p.
%T   "Protected Internet, Intranet, and Virtual Private Networks"

Despite the slim size, it is still disconcerting to find that there
are only three chapters in this book.  Chapter one provides an
introduction to client/server networking, while implying that the
technology is *not* hierarchical.  Basic networking concepts are
covered, but the writing has an academic pomposity without the
requisite rigour.  Figures and illustrations are not only unhelpful,
but may actually confuse issues, and typographical and grammatical
errors abound.  Lists of idiosyncratic, and very odd, attack
taxonomies are given in chapter two.  Items like "attacks on the
security policy and administration procedures" aren't really
explained, while "attacks on permanent components of the security
system" seems to be limited to cryptanalysis.  Chapter three has some
descriptions of virtual private networks, tunnelling, IPSec, and key
management protocols.

The writing is hard to understand, there does not seem to be any
logical organization to the material, and the mistakes in the content
do not inspire any confidence in the reliability of any part of this
text.  All the topics touched on here are covered much more
effectively in other works, but the topics are so random that it is
difficult to make specific recommendations.  For those interested in
the basics of data communications I would suggest Tanenbaum (cf.
BKCMPNWK.RVW), while "Building Linux Virtual Private Networks (VPNs)"
(cf. BKBLVPNS.RVW) is a good introduction to VPNs themselves.

copyright Robert M. Slade, 2003   BKPIIVPN.RVW   20030404


#551 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu May 29, 2003 10:19 pm
Subject: REVIEW: "Hack Attacks Testing", John Chirillo
secgloss
 
BKHKATTS.RVW   20030330

"Hack Attacks Testing", John Chirillo, 2003, 0-471-22946-6,
U$50.00/C$77.50/UK#34.95
%A   John Chirillo
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-22946-6
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$77.50/UK#34.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471229466/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471229466/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471229466/robsladesin03-20
%P   540 p. + CD-ROM
%T   "Hack Attacks Testing"

The description in the introduction seems to indicate that this text
might be similar to SATAN (Security Administrator's Tool for Analyzing
Networks), in that it explains how to build a set of utilities in
order to identify vulnerabilities.  As such, there is the possibility
that the work is open to a charge of being more useful to attackers
than to defenders.  Fortunately, the book does not provide a great
deal of information that could be used to break into systems.
Unfortunately, it doesn't help much with defence, either.

Part one is supposed to describe how to build a multisystem "Tiger
Box," similar to SATAN, and the overview outlines the components of a
penetration test.  Chapters one to four, however, simply narrate the
installations for Microsoft Windows NT and 2000, Red Hat Linux,
Solaris, and Mac OS X, using the installation programs provided.  The
material is heavy on screen shots, and light on explanations of what
is going on and why.  There is no provision for specific security
testing requirements, or even multiboot systems.

Part two lists penetration analysis tools for Microsoft Windows, and
the introduction tabulates common vulnerability classes.  Chapter five
explains how to install the Cerberus Internet scanner, enumerates the
possible reports, and gives one (eight page) sample report.  Much the
same is true for the Cybercop Scanner, Internet Scanner, Security
Threat Avoidance Technology (STAT), and TigerSuite products in
chapters six through nine.  All of these systems do multiple probes
and analysis.

The description of UNIX and OS X tools, in part three, starts with a
twenty page list of UNIX commands.  UNIX utilities tend to be more
single purpose: hping/2 is for IP spoofing and nmap is for port
scanning, but Nessus, SAINT (Security Administrator's Integrated
Network Tool), and SARA (Security Auditor Research Assistant) are
collections.

Part four is entitled "Vulnerability Assessment," but contains only
chapter fifteen, which contains checklists for securing various
systems, primarily relying on outside sources.

Despite the introduction, this book does *not* describe how to set up
a "Tiger Box."  It lists a few vulnerability scanners and utilities.
There is little in the way of help or explanations, and the material
seems to be based primarily on product documentation and commonly
available guides.  The content actually by Chirillo often seems so
oddly written that it is difficult to parse any meaning from the text.

The book does provide you with a list of vulnerability scanners.  But
then, so would any decent Web search.

copyright Robert M. Slade, 2003   BKHKATTS.RVW   20030330


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
More than any time in history mankind faces a crossroads.  One
path leads to despair and utter hopelessness, the other to total
extinction.  Let us pray that we have the wisdom to choose
correctly.                                             - Woody Allen
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#552 From: Tim Shimeall <tjs@...>
Date: Fri May 30, 2003 4:06 pm
Subject: Re: REVIEW: "Hack Attacks Testing", John Chirillo
tjs@...
 
Interesting! There seem to be several security/vulnerability testing
books coming out now.  I was a reviewer for "How to Break Software
Security" by Whittaker et al. (Addison Wesley) -- I'd be interested
in your comments on that one if you get a chance. (It's a security
extension of the book "How to Break Software", but with surprisingly little
carryover in text.)

Is it just that vul testing is hot right now, or is there something
else going on?
				 Tim

#553 From: "Ben Sapiro" <ben@...>
Date: Fri May 30, 2003 9:57 pm
Subject: RE: REVIEW: "Hack Attacks Testing", John Chirillo
ben@...
 
Tim

I'd argue that vuln testing is no hotter than it was a year ago, what's
changed is that the methodology (and some of the tools) has become more
clearly articulated and therefore more accessible to the "public". Which
is what enables an author to write how-to books (as opposed to
researching their own techniques and publishing those).

Ben


#554 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Jun 3, 2003 8:00 pm
Subject: REVIEW: "Mission Critical Security Planner", Eric Greenberg
secgloss
 
BKMSCRSP.RVW   20030330

"Mission Critical Security Planner", Eric Greenberg, 2003,
0-471-21165-6, U$35.00/C$54.95/UK#25.95
%A   Eric Greenberg
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-21165-6
%I   John Wiley & Sons, Inc.
%O   U$35.00/C$54.95/UK#25.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471211656/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471211656/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471211656/robsladesin03-20
%P   416 p.
%T   "Mission Critical Security Planner"

In the introduction, Greenberg claims that his book provides guidance
on how to do quantitative security planning without calculations
(which sounds somewhat self-contradictory) using a new technique he
calls impact analysis (which doesn't sound too different from business
impact analysis).  A technical background is said to be unnecessary,
the process is worksheet based, and the target audience is security
managers.

Chapter one says that protecting information is not exact (a statement
that doesn't seem to fit well with the worksheet approach).  Random
security topics include planning, intruders, and a risk analysis
example which is, ironically in view of the introduction, more
computationally intensive than most.  An overview of planning, in
chapter two, majors on the minors.  Policies are not discussed until
twenty five pages into the material, and then the emphasis is on very
specific areas like exit (termination of employment) procedures,
leaving huge topics uncovered.  Twenty eight security elements are
listed, and all are important, but almost all are either over-vague or
over-specific.

Chapters three and four introduce the worksheets themselves.  Sixteen
topic areas have four sheets each, dealing with the technical,
lifecycle, business, and "selling to management" aspects of the
themes, while other domains may have only a single sheet.  The
questions listed may be helpful as reminders to address certain
aspects which are often overlooked, but the odd and arbitrary
structure is confusing, and the real work is definitely left as an
exercise to the reader.

A description and analysis of PKI (Public Key Infrastructure), in
chapter five, is vague and weak, and contains much unrelated material.
Chapter six is a recap of the book, along with a simple list of
threats.

While the advice in the book is not wrong or misleading, and many
important and useful points are buried throughout, poor organization,
a lack of consistent depth, and gaps in topical coverage ensure that
the text would only poorly repay the investment of time spent studying
it.  Certainly it should not be used as a major guide to structure the
security planning process.

copyright Robert M. Slade, 2003   BKMSCRSP.RVW   20030330


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Given enough eyeballs, all bugs are shallow.
                                       - Linus's Law, Eric S. Raymond
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#555 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Jun 10, 2003 3:54 pm
Subject: "Security+ Prep Guide", Ronald L. Krutz/Russell Dean Vines
secgloss
 
BKSCRTPG.RVW   20030320

"Security+ Prep Guide", Ronald L. Krutz/Russell Dean Vines, 2003,
0-7645-2599-9, U$60.00/C$90.99/UK#39.95
%A   Ronald L. Krutz
%A   Russell Dean Vines
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-7645-2599-9
%I   John Wiley & Sons, Inc.
%O   U$60.00/C$90.99/UK#39.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764525999/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0764525999/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764525999/robsladesin03-20
%P   456 p. + CD-ROM
%T   "Security+ Prep Guide"

The introduction is a quick outline of the Security+ domains and exam
structure.  Chapter one, covering the general security concepts, has
parts that are better than the other Security+ guides, possibly due to
Krutz' and Vines' familiarity with the CISSP (Certified Information
Systems Security Professional) material.  However, there are also
oddities such as a purported "Discretionary Security Property" of the
Bell-LaPadula model (might this be an idiosyncratic renaming of the
later tranquility property?) and an alleged "Axiom Three" of the Biba
model.  In terms of the Clark-Wilson model, most of the space is
devoted to defining unneeded terms, and the three vital concepts are
dismissed in a single sentence.  Kerberos is described well, but
perhaps with an excess of symbolic logic.  The list of attacks mixes
types, and the virus explanation uses dated concepts.  The sample
questions given at the end of the chapter (and domain) are less
simplistic than other sets, but, ironically, may go too far in the
other direction.  Experienced security professionals will be able to
understand the intent behind the answers (when looking at the answers
and explanations in Appendix A), but the careless wording will make
the questions unclear and confusing to novices (which, more or less by
definition, Security+ candidates are).

Chapter two deals with the communications security domain.  Again,
there are some problems, such as a confusion of authentication
protocols with those of VPNs (Virtual Private Networks) and an odd
emphasis on a possible exploit based on the DOS "8.3" naming
convention.  The material is piecemeal and without a logical structure
(the Perl programming language is discussed next to SMTP [Simple Mail
Transfer Protocol]).  There is a confusion of the Java and JavaScript
languages (although they are later distinguished).  The pages of
screen shots for AirMagnet and NetStumbler don't seem to have any
purpose or value.  The infrastructure material, in chapter three,
covers more telecommunications.  (DSSS [Direct Sequence Spread
Spectrum] is not explained well.)  Strangely, the sample questions ask
about RAID (Redundant Array of Inexpensive/Independent Disks), which
is not covered until domain five.  Chapter four covers cryptography
basics reasonably, but the depth is uneven.  Operational and
organizational security is a bit of a grab bag of a domain, and that
is amply reflected in the otherwise decent material in chapter five.

Despite the problems, overall I would have to recommend Krutz' and
Vines' entry into the Security+ field over Trevor Kay's "Mike Meyers'
Security+ Certification Passport" (cf. BKMMSCRP.RVW), the "Security+
Study Guide and DVD Training System" (cf. BKSCRTYP.RVW), or "Security+
Certification for Dummies" (cf. BKSCRTPD.RVW).

copyright Robert M. Slade, 2003   BKSCRTPG.RVW   20030320


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
The chief forms of beauty are order and symmetry and
definiteness, which the mathematical sciences demonstrate in a
special degree.              - Aristotle (384-322 B.C.), Metaphysics
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#556 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Jun 12, 2003 3:58 pm
Subject: REVIEW: "Security+ Certification for Dummies", Lawrence Miller/Peter Gregory
secgloss
 
BKSCRTPD.RVW   20030330

"Security+ Certification for Dummies", Lawrence Miller/Peter Gregory,
2003, 0-7645-2576-X, U$29.99/C$44.99/UK#24.50
%A   Lawrence Miller
%A   Peter Gregory peter.gregory@...
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-7645-2576-X
%I   John Wiley & Sons, Inc.
%O   U$29.99/C$44.99/UK#24.50 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/076452576X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/076452576X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/076452576X/robsladesin03-20
%P   375 p. + CD-ROM
%T   "Security+ Certification for Dummies"

Part one deals with exam basics.  Chapter one has some promotional
material on the exam, and some generic test writing tips.  Basic
networking background content is included in chapter two, which is
reasonable in view of the fact that the OSI (Open Systems
Interconnection) model is not, strictly speaking, related to security,
but so much of the exam touches on networking concepts.  There is also
a very terse review of the CIA (confidentiality, integrity,
availability) triad.

Part two addresses the domain of general security concepts.  Chapter
one's brief but fair information about access control is sporadically
interrupted by silly attempts at humour, which serve only to distract
and confuse the issue.  (Jokes can, at times, help to cement ideas or
lighten the study process: these quips do neither.)  Lists of attacks
and exploits are in chapter four.  As an example of the utility of the
material, the definition of a virus is all right, as far as it goes,
but the protective measures are dated.

Part three covers communications security.  Some remote access terms
and names of related technologies comprise the whole of chapter five.
Chapter six has a basic listing of email security systems, but a very
terse discussion of Web security, with major holes and gaps.  Given
the abbreviated content of prior material, the inclusion of a list of
command line options for ftp (File Transfer Protocol) and Microsoft
Windows file sharing dialogue boxes seems quite odd, as does the
inclusion of DNS (Domain Name System) in the topic of directory
services.  Chapter eight has some discussion of the security issues of
wireless LANs, but almost no detail.

Part four is the infrastructure domain of the Security+ exam.  There
is a brief look at devices (mostly network components) and media, in
chapter nine.  Chapter ten expands on earlier descriptions of
firewalls and IDS (Intrusion Detection Systems).  "Security
Baselines," in chapter eleven, basically deals with hardening of
systems, and is mostly concerned with keeping patches up to date.

Part five is on cryptography.  Chapter twelve presents the basics, and
most of it is fine, although it does make odd statements such as that
block ciphers have reusable keys and stream ciphers don't.  Some
components and services of PKI (Public Key Infrastructure) are
described in chapter thirteen, but, as with so many areas in the book,
the information is very scant.

Part six relates to the operational and organizational domain.
Chapter fourteen talks about physical security.  Business continuity
planning and disaster recovery are discussed in fifteen.  Security
management, in terms of policies and risk management, is in sixteen.
Forensics, in chapter seventeen, concentrates on the chain of
evidence.

The "part of tens" is a standard feature of the "for Dummies" series.
The fact that "check your biorhythm" is the first suggestion in
chapter eighteen does not inspire confidence in the quality of the
advice.  Of the ten references in chapter nineteen some are great and
some are mediocre.  The same holds true for the URLs (Uniform Resource
Locators) in chapter twenty.  There doesn't seem to be a lot of point
to the list of other certifications in chapter twenty one.

The sample questions provided at the ends of the chapters are
extremely simplistic, and require rote memorization of phrases, rather
than any degree of understanding.

Trevor Kay's "Mike Meyers' Security+ Certification Passport" (cf.
BKMMSCRP.RVW) is slightly but definitely superior to this work.  The
"Security+ Study Guide and DVD Training System" (cf. BKSCRTYP.RVW) is
roughly the same quality as the current work, but has more depth,
background, and material.  However, overall, I would have to recommend
Krutz and Vines' entry into the Security+ field (cf. BKSCRTPG.RVW) over
any of them.

copyright Robert M. Slade, 2003   BKSCRTPD.RVW   20030330


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Undeveloped intellectual vision is just as indiscriminating and
erroneous in its classings as undeveloped physical vision.
       - Herbert Spencer (1820-1903), The Man versus the State (1884)
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#557 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Jun 17, 2003 3:57 pm
Subject: REVIEW: "Security+ Training Guide", Todd King
secgloss
 
BKSCRPTG.RVW   20030419

"Security+ Training Guide", Todd King, 2003, 0-7897-2836-2,
U$49.99/C$77.99/UK#36.50
%A   Todd King
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2003
%G   0-7897-2836-2
%I   Macmillan Computer Publishing (MCP)
%O   U$49.99/C$77.99/UK#36.50 800-858-7674 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/0789728362/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0789728362/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0789728362/robsladesin03-20
%P   699 p. + CD-ROM
%T   "Security+ Training Guide"

Aside from the list of exam objectives, the introduction is an
extremely vague and generic document.  The set of exam tips even
provides suggestions for a format that the text itself admits is
inappropriate to the CompTIA Security+ test.

Part one, the bulk of the book, breaks the exam topics into nine
sections, rather than the five domains proposed by CompTIA.  Chapter
one supposedly deals with general security concepts.  However, the
material is padded out with a great deal of gratuitous content and
confusing verbiage.  The glossary contains such vital items as "lamer"
and "luser."  The discussions of mandatory, discretionary, and role-
based access control do not make the distinctions clear.  The review
of Kerberos really only mentions tickets, and does not deal with the
concepts that allow the use of symmetric encryption in a system that
never sends keys in cleartext.  The description of "challenge" based
authentication systems provides a completely misleading idea of what a
challenge actually is or does.  Some security factors, such as the
list of attacks (with the notable exception of the malware related
content), are reasonably well done, but even these tend to be
excessively verbose.  The practice questions do not test for concepts:
they seem to be based strictly on wording in the text, and
carelessness in writing the questions makes one answer flatly wrong.

Similar problems are involved in the other material.  Chapter two
demonstrates a fundamental lack of understanding of wireless LAN
security technologies and where they are applied.  (Wired Equivalent
Privacy, dealing with encryption on LANs, and Wireless Access
Protocol, providing Web access for cellular telephones, seem to be
confused in the author's mind.)  Again, a great deal of only
marginally relevant material seems to have been included.  Devices,
media, and topologies, in chapter three, are packaged along with a
grab bag of disorganized topics.  (Firewall technologies and
topologies are, in fact, covered in two separate sections of the same
chapter.)  Intrusion detection, baselines, and hardening, in chapter
four, might be a bit better, but only because the topic is so large
that the lists of recommendations do all have some relation to the
subject.  Chapter five, on cryptographic algorithms, seems to just
list them, without providing an understanding of basic concepts.  PKI
(Public Key Infrastructure) is simply a list of cryptological terms
and technologies, and chapter six doesn't provide much in the way of
solid definitions for them.  As a welcome relief, physical security is
covered quite well in chapter seven.  Oddly, however, business
continuity planning is tacked on to the same chapter, and has numerous
gaps.  The vital topic of security policy, in chapter eight, is
unfortunately treated with a random assortment of material.
Similarly, chapter nine's view of security management seems to be
primarily administrative (featuring a flurry of Windows 2000 dialogue
box screen shots) with a chaser of additional subjects (such as
computer forensics).

Part two seems to bear almost no relation to the previous material.
The "Fast Facts" are arranged in the five CompTIA domains.  The
questions in the practice exam are completely unlike those given at
the end of the chapters.

Given the plethora of unnecessary verbiage and the paucity of reliable
content, this book has to get the lowest recommendation of the
Security+ guides reviewed so far (cf. BKMMSCRP.RVW, BKSCRTYP.RVW,
BKSCRTPD.RVW, and BKSCRTPG.RVW).

copyright Robert M. Slade, 2003   BKSCRPTG.RVW   20030419


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Never forget the power of silence, that massively disconcerting
pause which goes on and on and may at last induce an opponent to
babble and backtrack nervously.                       - Lance Morrow
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#558 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Jun 24, 2003 4:23 pm
Subject: REVIEW: "CISSP: Certified Information Systems Security Professional Study Guide", Tittel et al
secgloss
 
BKCISPCG.RVW   20030421

"CISSP: Certified Information Systems Security Professional Study
Guide", Tittel et al, 2003, 0-7821-4175-7, U$69.99/C$111.95/UK#52.99
%A   Ed Tittel etittel@...
%A   Mike Chapple
%A   James Michael Stewart
%C   1151 Marina Village Parkway, Alameda, CA   94501
%D   2003
%G   0-7821-4175-7
%I   Sybex Computer Books
%O   U$69.99/C$111.95/UK#52.99 800-227-2346 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/0782141757/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0782141757/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0782141757/robsladesin03-20
%P   783 p. + CD-ROM
%T   "CISSP: Certified Information Systems Security Professional Study
       Guide"

Although the table of contents departs from the usual ten domains of
the CISSP CBK (Common Body of Knowledge), the introduction points out
that the nineteen chapters actually represent two chapters for each of
the ten domains, except for physical security.  While begging the
question of why the domains need to be so divided, the structure
doesn't quite follow the (ISC)^2 domains: security models, for
example, are covered in the chapter on access control, rather than the
chapter on security models.  An interesting aspect of this book is an
"assessment test," given at the beginning of the book.  This is a good
idea to focus the student on both the content and the type of
questions likely to be on the CISSP exam--or, it would be, if the test
was representative of the CISSP exam itself.  Unfortunately, too many
of the queries presented are the usual sad mix: strictly fact based
and too simplistic.  A number of others use nonstandard terminology,
and the answers given in the key are correct only in the sense that
they are the "least wrong" of the options provided.  This quality of
enquiry holds true for the other quizzes in the book.

Chapter one deals with a part of access control, but the vital topic
of controls themselves is only partially covered, neglecting, for
example, deterrent, directive, and recovery controls.  At the same
time, idiosyncratic terms are added, such as the "Type 1," "Type 2," and
"Type 3" distinctions for different authentication factors.  A number
of topics, such as biometrics, Kerberos, and the Bell-LaPadula
security model, are not explained in a depth appropriate to the level
of the exam.  Attacks and monitoring, in chapter two, provides too
much space to the assaults, at the expense of detail in terms of
intrusion detection (the difference between host and network based
systems is not properly explained, and the four types are reduced to
two).  A standard overview of TCP/IP, with almost no reference to
security, is given in chapter three.  (The minimal mention of
firewalls is very brief, confuses firewall types and topologies, and
completely misses circuit-level proxies.)  Chapter four covers a
number of communications security technologies, but tersely, and
without any organizational structure.  I frequently note that security
essentially *is* management, so the ludicrously inadequate list of
random concepts and terminology in chapter five's dismissal of
security management comes as a shock.  Chapter six is better, with a
review of the aspects of a security policy (though not much help in
creating one) and a reasonably adequate overview of risk analysis and
management.  Data and application security, in chapter seven, has a
very ragged structure, and an obvious lack of familiarity with basic
issues.  (Polyinstantiation is an aspect of object-oriented
programming, rather than a risk of database security.)  Malicious code
gets a fair, but dated, examination, but chapter eight also contains a
random assortment of other threats, many of which should be dealt with
elsewhere.  Chapter nine lists a number of basic concepts in
cryptography, as well as major encryption systems, but the
explanations clearly demonstrate that the authors do not understand
the fundamental operations.  (Modular arithmetic is not restricted to
decimal representation, and the transposition example used does not
require a keyword or alphabetical ordering.)  As with the other
"second chapters" in the book, chapter ten collects the random
cryptography topics that haven't been dealt with.  Chapter eleven
presents a list of computer hardware basics, rather than the computer
architecture that it should be discussing.  Security models are
mentioned briefly in chapter twelve (sometimes contradicting the
earlier material), but most of the content is a grab bag of
certification terms and some vulnerabilities missed in the prior
compilations.  Updating antivirals, performing backups, and protecting
media passes for operations security in chapter thirteen, while
auditing and monitoring are covered better in fourteen.  Business
continuity and disaster recovery are given the usual treatment in
chapter fifteen and sixteen respectively.  Law and investigation, in
chapter seventeen, concentrates too much on specific US statutes, and
far too little on legal principles and forensic examination.  Chapter
eighteen spends too much time on specific incidents, rather than
process, and, predictably, allows ethics only two pages.  At first
glance, the material on physical security, in chapter nineteen, seems
adequate, but closer examination reveals gaps and missing information.

When physically lined up with the other CISSP guides, this one appears
to be closest in size to Harris' leading "All-in-One" guide (cf.
BKCISPA1.RVW).  Appearances, and particularly sheer physical bulk, can
obviously be deceiving.  The actual useful content, when stripped of
the excessive verbiage, is only about the same as the lower ranked
works, such as Harris' second attempt (cf. BKMMCISP.RVW), Endorf's
(cf. BKSCDCMP.RVW), or Miller/Gregory (cf. BKCISPDM.RVW).  Possibly it
is equal to the similarly bulky, and unreliable, entry by Bragg (cf.
BKCISPTG.RVW).  Krutz and Vines' "Gold Edition" (cf. BKCIPGGE.RVW),
comparable in size, has a greater breadth of coverage, although
possibly less depth.

Could this book get you through the CISSP exam?  Well, that would
depend upon your background.  If you had a lot of experience in
security, then possibly yes.  But then, you wouldn't need the book,
now would you?

copyright Robert M. Slade, 2003   BKCISPCG.RVW   20030421


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
                     ASCII to ASCII, DOS to DOS
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#559 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Jun 26, 2003 8:37 pm
Subject: Sobig.E warning
secgloss
 
I am, today, seeing an absolute flood of messages infected with the Sobig.E
worm.  It may be an anomaly, but the numbers I am seeing in my own mail would
seem to warrant some kind of warning.

Sobig spoofs message headers, so the email will appear to come from a
legitimate address.  Most of the subject lines that I have received are "Re:
Application": I've also received one "Re: Movie."  The body is always (in the
ones I've received) "Please see the attached zip file for details."  The raw
message size is always 110K.  All of the messages I have received carry an
attached file named "your_details.zi": note that the trailing "p" is missing.
This version carries a file named details.pif.  Note that two of the
antivirals that I have run do *not* recognize the virus in the compressed form
(your-details.zi) although they do recognize the executable file
(details.pif).  I have also received a bounce message as a result of an
infected message spoofed with my email address: this indicates that at least
one email scanner does catch the infected message in the compressed form.  The
MIME info in the message is as follows (and may be presented differently by
different mailers):
--CSmtpMsgPart123X456_000_00C72C65
Content-Type: application/x-zip-compressed;
	 name="your_details.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	 filename="your_details.zi"


Note that Sobig is primarily a worm: it spreads through network shares.  (I
can't see anyone dumb enough to rename the file, extract the contents, then run
the executable and infect themselves ... no, wait, I *can* see people being
dumb enough to do that ...)

At any rate, I'm seeing significant numbers this morning, and thought a
heads-up would be a good idea.  More info can be found at
http://www.f-secure.com/v-descs/sobig_e.shtml and
http://www.sophos.com/virusinfo/analyses/w32sobige.html

======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Acknowledge and take to heart this day that the Lord is God in
heaven above and on the earth below.  There is no other.  Deut. 4:39
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
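An added example, written here and not taken from Rob's message or from any antivirus vendor, of the check a mail gateway can run against the MIME layout quoted above.  It builds a constructed message with the same name/filename mismatch (Content-Type says .zip, Content-Disposition says .zi), identifies the attachment as a ZIP from its magic bytes rather than its extension, and lists any archive member with a runnable extension.  The sender addresses, the boundary, the archive contents and the EXECUTABLE_EXTENSIONS list are assumptions for the demonstration; the archive member is a placeholder, not the worm.

```python
import base64
import email
import email.utils
import io
import os
import zipfile
from email import policy

# Extensions Windows runs directly on a double-click; .pif is the one the
# Sobig.E archive carried.  Assumed list: extend it for your environment.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Local-file, empty-archive and spanned-archive signatures of the ZIP format.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
ARCHIVE_EXTENSIONS = {".zip"}


def build_sample_message(inner_name="details.pif"):
    """Constructed sample reproducing the MIME layout quoted in the post.

    The archive member is a harmless placeholder, not the worm.  The
    Content-Type name says .zip while the Content-Disposition filename
    says .zi, the same mismatch seen in the wild."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not the real payload")
    body = base64.encodebytes(archive.getvalue()).decode("ascii")
    boundary = "CSmtpMsgPart123X456_000_00C72C65"
    raw = (
        "From: spoofed.sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: Re: Application\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Please see the attached zip file for details.\r\n"
        f"--{boundary}\r\n"
        "Content-Type: application/x-zip-compressed;\r\n"
        '\tname="your_details.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Disposition: attachment;\r\n"
        '\tfilename="your_details.zi"\r\n'
        "\r\n"
        + body.replace("\n", "\r\n")
        + f"--{boundary}--\r\n"
    )
    return raw.encode("ascii")


def _param(part, name, header="content-type"):
    """Fetch a MIME parameter, collapsing RFC 2231 encoded values to str."""
    value = part.get_param(name, header=header)
    return None if value is None else email.utils.collapse_rfc2231_value(value)


def inspect_attachments(raw_message):
    """Return (attachment_label, reason) findings for every file-bearing part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ct_name = _param(part, "name")                               # Content-Type name=
        cd_name = _param(part, "filename", header="content-disposition")
        if ct_name is None and cd_name is None:
            continue                                                 # body text, not a file
        label = cd_name or ct_name
        if ct_name and cd_name and ct_name != cd_name:
            findings.append((label, f"name/filename mismatch: {ct_name!r} vs {cd_name!r}"))
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(label)[1].lower()
        is_zip = data[:4] in ZIP_MAGIC                               # decide by content, not extension
        if is_zip and ext not in ARCHIVE_EXTENSIONS:
            findings.append((label, f"zip content behind non-archive extension {ext!r}"))
        if is_zip:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        mext = os.path.splitext(member)[1].lower()
                        if mext in EXECUTABLE_EXTENSIONS:
                            findings.append((label, f"archive member {member!r} is executable ({mext})"))
            except zipfile.BadZipFile:
                findings.append((label, "zip magic present but archive unreadable"))
    return findings


if __name__ == "__main__":
    for label, reason in inspect_attachments(build_sample_message()):
        print(f"{label}: {reason}")
```

The two scanners that missed the compressed form were keyed on the declared extension; deciding by the first bytes of the decoded payload is what lets the gateway see the archive, and looking inside it is what turns "unknown .zi file" into "archive carrying a .pif".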

#560 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Jul 15, 2003 3:59 pm
Subject: REVIEW: "Computer and Intrusion Forensics", George Mohay et al
BKCMINFO.RVW   20030605

"Computer and Intrusion Forensics", George Mohay et al, 2003,
1-58053-369-8, U$79.00
%A   George Mohay
%A   Alison Anderson
%A   Byron Collie
%A   Olivier de Vel
%A   Rodney McKemmish
%C   685 Canton St., Norwood, MA   02062
%D   2003
%G   1-58053-369-8
%I   Artech House/Horizon
%O   U$79.00 800-225-9977 fax: +1-617-769-6334 artech@...
%O  http://www.amazon.com/exec/obidos/ASIN/1580533698/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1580533698/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1580533698/robsladesin03-20
%P   395 p.
%T   "Computer and Intrusion Forensics"

The traditional data recovery aspect of computer forensics has been
covered by Kruse and Heiser in "Computer Forensics" (cf.
BKCMPFRN.RVW), and by Caloyannides in "Computer Forensics and Privacy"
(cf. BKCMFRPR.RVW) (and somewhat less ably by Casey [cf.
BKCMCRIN.RVW], Kovavish and Boni [cf. BKHTCRIH.RVW], Icove, Seger, and
VonStorch [cf. BKCMPCRM.RVW], Marcella and Greenfield [cf.
BKCYBFOR.RVW], van Wyk and Forna [cf. BKINCRES.RVW], and Mandia and
Procise [cf. BKINCDRS.RVW]).

So far network forensics has only been specifically dealt with in the
not-terribly-useful "Hacker's Challenge," by Schiffman (cf.
BKHKRCHL.RVW).

"Computer and Intrusion Forensics" is the first attempt to bring both
topics into a single book.  (It is intriguing to note that Eugene
Spafford, who wrote the foreword, is a pioneer of the "third leg":
software forensics, which the book does not cover.)

Chapter one is an introduction to computer and network (intrusion)
forensics, pointing out the ways that computers can be involved in the
commission of crimes and the requirements for obtaining and preserving
evidence in such cases.  While the material provides a good
foundation, the text is inflated in many places, and could benefit
from stricter adherence to the topic and more focused writing.  (One
illustration shows a pattern of concentric rings indicating that the
set of productive activities encompasses all legal endeavors which, in
turn, encompasses all approved actions.  I suspect that a great many
legal and even approved activities are unproductive--while no doubt a
number of illegal activities would be approved, at times.)  "Current
Practice," in chapter two, is a broad overview of the concerns,
technologies, applications, procedures, and legislation bearing on
digital evidence recovery from computers.  In fact, this single
chapter is the equivalent of, and sometimes superior to, a number of
the computer forensics books mentioned above.  However, the breadth of
the discussion does come at the expense of depth.  This content is
quite suitable for the information security, or even legal,
professional who needs to understand the field of computer forensics,
but it does not have the detail that a practitioner may require.
Although chapter three is supposed to deal with computer forensics in
law enforcement (and there is a brief section on the rules of
evidence), it is primarily a reiteration (and some expansion) of the
procedures for data recovery and the software tools available for this
task.  Forensic accounting, and the algorithms that can be used to
detect fraud, are outlined in chapter four, but very little is
directly relevant to computer forensics as such.  Case studies,
demonstrating the techniques discussed earlier and some that are not,
are described in chapter five.  Intrusion forensics concentrates on
intrusion detection systems (IDS), although it does not provide a very
clear or complete explanation of the distinctions in data collection
(host- or network-based) or analysis engines (rule, signature,
anomaly, or statistical).  Chapter seven finishes off the book with a
list of computer forensic research which is being, or should be,
undertaken.

While the computer forensic content is sound, and it is heartening to
see other fields being included, the very limited work on network
forensics is disappointing.  This text is a useful reference for those
needing background material on forensic technologies, but breaks no
new ground.

copyright Robert M. Slade, 2003   BKCMINFO.RVW   20030605


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
People demand freedom of speech as a compensation for the freedom
of thought which they seldom use.                - Soren Kierkegaard
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#561 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Jul 29, 2003 6:54 pm
Subject: REVIEW: "A Guide to Forensic Testimony", Fred Chris Smith/Rebecca Gurley Bace
BKGDFOTS.RVW   20030604

"A Guide to Forensic Testimony", Fred Chris Smith/Rebecca Gurley Bace,
2003, 0-201-75279-4, U$49.99/C$77.99
%A   Fred Chris Smith
%A   Rebecca Gurley Bace
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2003
%G   0-201-75279-4
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$77.99 416-447-5101 fax: 416-443-0948 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0201752794/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0201752794/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0201752794/robsladesin03-20
%P   509 p.
%T   "A Guide to Forensic Testimony"

The subtitle explains the book more fully: "The Art and Practice of
Presenting Testimony as an Expert Technical Witness."  However, those
with expectations about the form of technical literature should note
that the style of this work follows that of the legal profession and
case law: it primarily teaches by using examples rather than pointing
out a specific methodology.

The preface illustrates another difference between the technical and
legal worlds.  Computer work generally involves finding an answer to a
problem: if the code works, background study and documented analysis
is generally irrelevant.  The legal profession, on the other hand,
absolutely depends upon advance preparation, and an answer is almost
useless unless the reasoning, background, and process is not only
chronicled, but properly and legally obtained.  Thus the authors are
aware of the twin needs to inform technical experts about the
requirements of the legal world, and to instruct legal professionals
in aspects of technology that may be relevant to the pursuit of a
case.  The introduction notes the possible tragedies that can result
if either the trial attorney or the technical expert attempts to act
as ventriloquist to the other's dummy.

Chapter one gives examples of expert witnesses, starting with a
fictional example from a movie.  Normally this would not be very
instructive, but the authors are careful to point out, from the
fictional story, important legal points to be aware of in regard to
the possibilities and limits of expert testimony (and also the legal
restrictions that would prevent some of the story points from
happening in a real case).  The rest of the chapter then goes on to
introduce legitimate and recognized experts, and present their
opinions and advice in regard to the practice of expert testimony.
Chapter two is supposed to promote both the idea of becoming an expert
witness, and of preparing for the experience.  In fact, most of the
material deals with Bill Gates' first deposition in the antitrust
litigation, and the mistakes that he made.  The example does make
valid points both about the value of preparation and the need to
testify whether we want to or not, but the message is not always
obvious.  Using testimony to provide a story about what happened is
presented in chapter three.  The example, though, is the tracing of
Kevin Mitnick's intrusion on the systems managed by Tsutomu Shimomura,
and therefore the testimony, which never happened, is simulated, which
weakens the lessons the text intends to convey.  Chapter four outlines
the rules of testimony and the legal process, and is the section that
technical people should probably study most thoroughly.  Although
there are important points to be made in regard to the dangers of
reasoning beyond the facts, chapter five reads more like an editorial
inveighing against pseudoscience.

Ethical issues are discussed in chapter six.  The early material
involves a great deal of text from two case decisions, but eventually
there is a review of codes of conduct, and even examination of some of
the moral aspects of court battles.  Chapter seven deals specifically
with the matter of bias.  The gatekeeper function of American judges,
who must decide not only whether a witness is truly expert, but on
what the expert may testify about or to, is covered in chapter eight.
This material also reviews important points about the qualifications
for experts and the characteristics of good evidence.  Credible and
convincing evidence and presentation is described in chapter nine, and
this is extended to visual exhibits in chapter ten, demeanour in
eleven, and non-verbal communications in twelve.  Chapter thirteen
contains examples of, and advice from, some experts who have extensive
experience in court testimony.

The book sometimes flows rather oddly, and it would be easy to take
issue with a number of the topics or the emphasis given to certain
ones over others.  Even so, this work *is* important, and information
security professionals, and certainly those in management or
consulting roles, should seriously consider it.  The text is written
with the technical worker in mind, although legal professionals would
undoubtedly find the research, advice, and explanations to be helpful
in preparing for technical cases.  Litigation involving technical
topics is increasing all the time, and new (and therefore unfamiliar)
technologies are now as constant a fact of legal life as forensic
concerns are in technical work.

copyright Robert M. Slade, 2003   BKGDFOTS.RVW   20030604


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
It's a kind of spiritual snobbery that makes people think they
can be happy without money.                 - Albert Camus (1913-60)
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#562 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Aug 21, 2003 7:05 pm
Subject: More Sobig.F
Sobig load is increasing: over the past 15 hours I've received 52 copies
in my inbox, up from yesterday's 47 in 20 hours (and, as previously
noted, well exceeding the previous record for Klez at its height).  (On
the slightly bright side, spammers seem to have been affected: other
spam seems slightly down today  :-)

As noted, Sobig uses its own SMTP engine, and spoofs both the From and
Return-Path headers on a random basis, so that is no indication.  Most
subject lines I have received have been:
Your details
Re: Re: My details
Thank you!
Re: Thank you!
Re: That movie
Re: Your application
Re: Approved
Re: Wicked screensaver

Others may be found in the lists and detailed descriptions at the URLs below.

However, the message body is always "Please see the attached file for
details." so that is a reliable indicator.  In addition, I've had a look
at more headers, and the following two seem to appear in every copy I've
received:

X-MailScanner: Found to be clean

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Once again, *PLEASE* spread the word: DO NOT OPEN ATTACHMENTS.  If in
doubt, don't.  Sobig uses no special technology beyond this rather
simplistic social engineering.  (Can anyone tell me: is there any
content scanner lazy enough to be bypassed by the X-MailScanner header?)

http://www.sophos.com/virusinfo/analyses/w32sobigf.html
http://www.f-secure.com/v-descs/sobig_f.shtml

======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
If you like laws and sausage, you should never watch either being
made.                                            - Otto von Bismarck
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
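An added example, mine rather than code from the message above or from any scanning product, that turns the indicators listed there into a check and answers the closing question the way a scanner should: X-MailScanner arrives inside the message, so a scanner that trusts it is exactly the lazy bypass being asked about.  The sample messages, addresses and the "legitimate" reply text are constructed; the attachment is left out because the body text and headers are what this check examines.

```python
import email
from email import policy

# Indicators listed in the post.  Subject lines vary between copies; the
# body text and X-Mailer value were constant in every copy received.
SOBIG_F_SUBJECTS = {
    "Your details", "Re: Re: My details", "Thank you!", "Re: Thank you!",
    "Re: That movie", "Re: Your application", "Re: Approved",
    "Re: Wicked screensaver",
}
SOBIG_F_BODY = "Please see the attached file for details."
SOBIG_F_XMAILER = "Microsoft Outlook Express 6.00.2600.0000"
FORGED_CLEAN_VALUE = "Found to be clean"


def build_sample(subject, body=SOBIG_F_BODY, xmailer=SOBIG_F_XMAILER,
                 forged_clean=True):
    """Constructed message skeleton carrying the headers the post lists.

    The attachment is omitted and the addresses are placeholders."""
    lines = [
        "Return-Path: <spoofed@example.invalid>",
        "From: spoofed@example.invalid",
        "To: victim@example.invalid",
        f"Subject: {subject}",
        f"X-Mailer: {xmailer}",
    ]
    if forged_clean:
        # The worm writes this header itself; nothing upstream scanned it.
        lines.append(f"X-MailScanner: {FORGED_CLEAN_VALUE}")
    lines += ["", body, ""]
    return "\r\n".join(lines).encode("ascii")


def _plain_body(msg):
    part = msg.get_body(preferencelist=("plain",))
    return "" if part is None else part.get_content().strip()


def sobig_f_indicators(raw):
    """Return the set of indicators present: 'subject', 'x-mailer', 'body'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if msg.get("Subject", "").strip() in SOBIG_F_SUBJECTS:
        hits.add("subject")
    if msg.get("X-Mailer", "").strip() == SOBIG_F_XMAILER:
        hits.add("x-mailer")
    if _plain_body(msg) == SOBIG_F_BODY:
        hits.add("body")
    return hits


def subject_only_verdict(raw):
    """The simplistic subject-line rejection: misses new subjects, hits real mail."""
    return "quarantine" if "subject" in sobig_f_indicators(raw) else "pass"


def verdict(raw, trust_upstream_clean_header=False):
    """Return 'pass' or 'quarantine'.

    trust_upstream_clean_header=True models a scanner that short-circuits on
    "X-MailScanner: Found to be clean".  Any sender can write that header,
    so the safe policy is to ignore it unless your own gateway added it on
    a hop you control."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if trust_upstream_clean_header and \
            msg.get("X-MailScanner", "").strip() == FORGED_CLEAN_VALUE:
        return "pass"
    # The body text is identical in every copy, so it decides on its own;
    # subject and X-Mailer merely corroborate and are common in real mail.
    return "quarantine" if "body" in sobig_f_indicators(raw) else "pass"


if __name__ == "__main__":
    worm = build_sample("Re: Approved")
    print(sobig_f_indicators(worm), verdict(worm),
          verdict(worm, trust_upstream_clean_header=True))
```

Run stand-alone it prints the three indicators, the quarantine verdict, and the "pass" that a header-trusting scanner would hand the same message.  The subject list is still worth keeping for reporting, but as the worm's novel subjects and the "Thank you!" case show, it should not be the deciding rule.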

#563 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Fri Aug 22, 2003 9:08 pm
Subject: Update on Sobig stage 2
About 4 hours before it was due to trigger, F-Secure found an encrypted
section of code in the Sobig virus that indicated an unsuspected
payload.  At 1900H UTC (noon, PDT) on Friday, infected computers would
try to connect to a number of servers, download a program, and run it.

Within that four hour period, F-Secure, possibly with the assistance of
other institutions, was able to contact the ISPs for these machines, and
have them all shut down.  (One remains up.  Presumably it has been
turned into a honeypot, a form of trap for the people who intended to
use it for the attack.)

At this time, we do not know what the intention of the so-called "Stage
2" payload was, but the plan shows evidence of very careful planning,
and, given the extreme number of Sobig infections, it could have been
very serious.

http://www.f-secure.com/news/items/news_2003082200.shtml
http://www.f-secure.com/v-descs/sobig_f.shtml

======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
              TV - Why do you think they call it programming?
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#564 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Aug 25, 2003 9:01 pm
Subject: Thank you for the details about that movie regarding my application for the approved wicked screensaver
Given that Sobig.F seems to have subsided from its weekend peak (from my
numbers, it was doubling every day last week up until Sunday and then
suddenly dropped off--to a rate that is still roughly as high as Klez at
its worst) and that "Stage 2" seems to have been averted, a few
thoughts.

Blaster, a worm, infected relatively few machines but inconvenienced
(and in some cases worse) companies, so it gets its name in the paper.
Sobig surpasses all records in terms of number of email messages
generated, and almost nobody (outside of our little security circle) is
paying attention.

Spoofing of email headers in virus messages goes back to Hybris or
before.  Most of the successful email viruses have used some form of
spoofing.  Yet antivirus companies, in their mail server based products,
are continuing to generate bounce messages to the nominal sender,
probably in an attempt to market their products.

I got a lot of bounced Sobig over the past week.  None, of course, had
been sent from me.  What these bounces are actually doing is aiding the
virus: the bounce messages send the virus (a full copy of the original
message is often included) to yet another machine.  Spammers have also
been using spoofed email addresses for some time.  Bounced spam is
therefore also helping spammers to spread their messages.  Two spam for
the price of one, thanks to bounces.  (Occasionally I hear of a server
being inundated by a faked sender address on spam, but this seems to be
rare.  Which would seem to indicate that spammers are deliberately using
random addresses, possibly for reasons of multiplication through
bounces.)

One of the interesting points to come out of the height of the Sobig
numbers on Saturday, was that I saw relatively *few* bounces, in
proportion to what one might have thought was the case.  My address is
obviously on enough infected machines for me to get huge numbers of
infected messages: due to the way the virus spoofs addresses, a large
number of the Sobig messages would have been sent "from" me.  Given that
the majority of server based antiviral packages do bounce messages, the
penetration of server based virus scanning would therefore seem to be
quite low.  (Interesting, the indirect things you can learn in the
aftermath of an attack.  Consider the subject line of this message a
test of content scanners still doing simplistic subject line
rejections.)

I have been warning about the type of convergence of malware
technologies involved in the "stage 2" situation for a few years now.
Will it be taken seriously after Sobig?  (Listen to the sound of me
*not* holding my breath.)  Sobig seems to have been planned and designed
with much greater care than is usually the case with viruses and
malware.  Up until now, we have been spared what viruses *could* do
primarily by the fact that we have been facing a bunch of disorganized
amateurs.  A number of comments about Sobig have raised the possibility
of an involvement with spammers and/or organized crime.  (We already
know that "red guest" groups in China are much more organized and
disciplined than traditional blackhats.)  Sobig may simply be the result
of an isolated creative mind, but relying on that supposition as fact is
dangerous security planning.

Buried in the investigations into Sobig.F, you will find reference to
the fact that it stops reproducing after September 10th.  I'm afraid it
took my wife pointing it out to make me realize that this is one day
before September 11th.  Sobig.G, anyone?

======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
You know the type.  They like to blame it all on the Jews or the
Blacks, 'cause if they couldn't, they'd have to wake up to the
fact that life's one big, scary, glorious, complex and ultimately
unfathomable crapshoot -- and the only reason THEY can't seem to
keep up is they're a bunch of misfits and losers
                  - An analysis of Neo-Nazis, from `The Badger' comic
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#565 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Wed Sep 3, 2003 4:12 pm
Subject: REVIEW: "Securing the Network from Malicious Code", Douglas Schweitzer
BKSTNFMC.RVW   20030727

"Securing the Network from Malicious Code", Douglas Schweitzer, 2002,
0-7645-4958-8, U$40.00/C$60.99/UK#29.95
%A   Douglas Schweitzer
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2002
%G   0-7645-4958-8
%I   John Wiley & Sons, Inc.
%O   U$40.00/C$60.99/UK#29.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764549588/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0764549588/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764549588/robsladesin03-20
%P   338 p.
%T   "Securing the Network from Malicious Code"

While there is some basic information about viruses and trojans in
this work, it isn't clear, good, particularly helpful, or easy to
extract from the surrounding verbiage.  What content is related to
networks has very little to do with securing or protecting them from
malware.

Part one looks at threat analysis.  Chapter one lists various types of
problems that might possibly arise from the presence of malware.
Generic statements about virus writers, with little judgment or
backing, are made in chapter two.  Programs related to malware are
described in chapter three, although the examples and explanation are
limited.  Chapter four is a poorly structured and disorganized list of
viruses, rife with artificial distinctions.  (Two of the
classifications are said to be "UNIX viruses" and "Linux viruses").
There are some examples, but with poor analysis and interpretation.

Part two talks about defence.  "Fundamentals Needed for Digital
Security," as chapter five is entitled, contains a random assortment
of semi-technical topics which does not have enough detail or
definition to be of much use in establishing protection.  Haphazard
net topics are reviewed in chapter six.  Chapter seven lists various
network applications, threats (such as stalking) that are not related
to malware, and a list of ports used by trojans--but the directions on
how to determine whether those ports are in use on your machine do not
appear until the following chapter, along with some generic advice on
policies and awareness training.  Firewalls, antivirus software, and
backups are outlined in chapter nine, but with terse and poor
explanations.  Server and application vulnerabilities are briefly
discussed in chapter ten.

Part three is supposed to look ahead.  Chapter eleven has an
unfocussed and sensationalist commentary on cyberterrorism.  A grab
bag of security topics is in chapter twelve.

The text has numerous errors, but they are neither excessively
abundant (in comparison to some of the other horrible examples extant)
nor especially egregious.  Saying that this work is "less bad" than
the worst, though, is hardly a recommendation.  The book is
indifferent and slipshod (many of the entries in the glossary are very
careless) and does not contribute to the body of malware literature.

copyright Robert M. Slade, 2003   BKSTNFMC.RVW   20030727


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Oh, great reviews are the worst.  They mislead you more than the
bad ones, because they only fuel your ego.  Then you only want
another one, like potato chips or something, and the best thing
you get is fat and bloated.                       - Chazz Palminteri
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#566 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Tue Sep 9, 2003 8:27 pm
Subject: REVIEW: "Desktop Witness", Michael A. Caloyannides
BKDSKWTN.RVW   20030819

"Desktop Witness", Michael A. Caloyannides, 2002, 0-471-48657-4
%A   Michael A. Caloyannides
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2002
%G   0-471-48657-4
%I   John Wiley & Sons, Inc.
%O   416-236-4433 fax: 416-236-4448
%P   366 p.
%T   "Desktop Witness: The Do's and Don'ts of Personal Computer
       Security"

The title and the subtitle of this book are somewhat at odds.  Is this
text about the evidence that can be extracted from desktop machines?
Or is it about protecting yourself and your personal computer or
information?  Caloyannides would seem to be making the point that the
answer is both: that there is an overwhelming need to ensure that your
computer isn't finking on you, and that you must make every effort to
ensure that the government cannot obtain the information on your
desktop.  While he is clearly on the personal side of the privacy
versus national security debate, even those who agree with him may
find the arguments shrill and extreme.

The subtitle of chapter one, indicating that the material is the
author's opinion, should warn the reader that the discussion is
editorial rather than closely reasoned.  Caloyannides may, however,
have hurt his own case by taking an anarchistic and almost paranoid
position in stating the need for privacy against government
encroachment.  He does make a number of valid points, but misses other
grounds that might have been convincing to a much wider audience, such
as the point that the responsibility of protecting your own
information is recognized in such legal areas as the difference
between patent and trade secret.  (A patent offers control over a
device for a limited time as long as the technology is disclosed,
whereas a trade secret offers protection for unlimited time as long as
reasonable efforts are made to protect the information from
disclosure.)  The major point of chapter two appears to be that the
use of encryption could, in and of itself, land you in trouble, and
you should prepare to either hide the fact that encryption is taking
place, or have a diversionary explanation ready for the authorities.
(The recommended use of one-time-pad technology and variant keys is
technically interesting, but is unlikely to survive beyond a first
use.  Ironically, it seems to support a point that the author made
earlier: "clever" tricks that rely on obscurity provide very poor
protection.)  The types of information that might be available from
your computer, or Internet connection, are discussed in chapter three.
The material ranges over a number of topics and has a difficult
structure: some points are raised more than once and there are a
number of related issues that are not mentioned at all.  Means of
recovering some of the data, and of getting rid of it, are reported,
but not consistently.

Chapter four lists a vast array of protective measures.  Most are very
useful.  Depending upon your situation, many will be considered
overkill.  Some are questionable: Caloyannides makes a blanket
recommendation to install all operating system patches, but notes that
doing so for some versions of Windows requires you to give away a lot
of information.  He does not, though, detail the times that official
patches have made the situation worse rather than better, nor the
complexity of some patches: by mid-2002 one expert noted that an
effective installation of the Windows NT operating system required
twenty nine steps, including no less than three separate installations
of the latest service pack at different points.  Oddly, while this
section is supposed to review measures for computers not connected to
networks, some of the points relate to activities on the Internet.
Protection for connected machines is discussed in chapter five, with a
heavy emphasis on the usage of the PGP encryption system.  There is
also an interesting insistence that steganography *is* an effective
means of hiding communications: while Caloyannides points out a number
of pitfalls in the use of the technology he does not mention detection
measures, such as the ease of determining excessive entropy in the
low-order bits of graphic images used to hide files.  Secure telephony
is discussed in chapter six.  The legal issues reviewed in chapter
seven are mostly related to recent legislation providing for
additional search authority.  The author does include material and
actions from outside the United States.  The editorial finish in
chapter eight warns against a society where everything must be
homogenized in order to be safe.

In many places the book suffers from very poor copy editing.  There
are a great many instances of improper punctuation, sentence
fragments, and words or phrases dropped into apparently unrelated
text.  Generally speaking one can discern the meaning, but deciphering
the organization and intention of a section can be difficult.  (Given
the thrust of the book, is the author embedding hidden messages?)

While there are issues of general security in the book, it is, first
and last, about privacy, and primarily personal privacy.  The material
could have been structured more usefully, and written less stridently,
but a great deal of helpful content is included.  Those interested in
privacy will find it interesting, and computer forensic specialists
may also find it to be a handy reference.

copyright Robert M. Slade, 2002   BKDSKWTN.RVW   20030819


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
If you like laws and sausage, you should never watch either being
made.                                            - Otto von Bismarck
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#567 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Sep 25, 2003 5:45 pm
Subject: Understanding the Windows CAPP/EAL4 Common Criteria Evaluation
Although BS 7799/ISO 17799 seems to have taken centre stage, there is
still some interest in the Common Criteria.  There is a somewhat
humorous and sarcastic take on the recent Windows evaluation at:

http://eros.cs.jhu.edu/~shap/NT-EAL4.html

by Jonathan S. Shapiro, which does explain the functional (profiles) and
assurance (evaluation) aspects.  Some highlights:

"By now, you may have heard that Microsoft has received a Common
Criteria certification for Windows 2000 (with service pack 3) at
Evaluation Assurance Level (EAL) 4. Since a bunch of people know that I
work on operating system security and on security assurance, I've
received lots of notes asking "What does this mean?" On this page I will
try to answer the question. For the impatient the answer is:

             Security experts have been saying for years that the security of
             the Windows family of products is hopelessly inadequate. Now
             there is a rigorous government certification confirming this.

[...]

"The Controlled Access Protection Profile (CAPP) standard document can
be found at the Common Criteria website. Here is a description of the
CAPP requirements taken from the document itself (from page 9):

             The CAPP provides for a level of protection which is appropriate
             for an assumed non-hostile and well-managed user community
             requiring protection against threats of inadvertent or casual
             attempts to breach the system security. The profile is not intended
             to be applicable to circumstances in which protection is required
             against determined attempts by hostile and well funded attackers
             to breach system security. The CAPP does not fully address the
             threats posed by malicious system development or administrative
             personnel.

"Translating that into colloquial English:

             Don't hook this to the internet, don't run email, don't install
             software unless you can 100% trust the developer, and if anybody
             who works for you turns out to be out to get you you are toast.

[...]

"EAL4 means that the design documents were reviewed using
non-challenging criteria. This is sort of like having an accounting
audit where the auditor checks that all of your paperwork is there and
your business practice standards are appropriate, but never actually
checks that any of your numbers are correct. An EAL4 evaluation is not
required to examine the software at all.

"An EAL4 rating means that you did a lot of paperwork related to the
software process, but says absolutely nothing about the quality of the
software itself. There are no quantifiable measurements made of the
software, and essentially none of the code is inspected. Buying software
with an EAL4 rating is kind of like buying a home without a home
inspection, only more risky.

[...]

"In the case of the CAPP protection profile, there actually isn't much
point to doing anything better than a low-confidence evaluation, because
the requirements set itself is very weak. In effect, you would be saying
"My results are inadequate, but the good news is that I've done a lot of
work so that I can be really sure that the results are inadequate."

"In the case of CAPP, an EAL4 evaluation tells you everything you need
to know. It tells you that Microsoft spent millions of dollars producing
documentation that shows that Windows 2000 meets an inadequate set of
requirements, and that you can have reasonably strong confidence that
this is the case."

[The page ends with a reference to the EROS secure operating system
project - rms]

======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Never forget the power of silence, that massively disconcerting
pause which goes on and on and may at last induce an opponent to
babble and backtrack nervously.                       - Lance Morrow
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#568 From: "John Sforza" <jsforza@...>
Date: Mon Sep 29, 2003 11:40 pm
Subject: RE: Digest Number 350
jsforza
 
Rob,

Was this a review or just a bunch of excerpts? Why do you think that BS
7799/ISO 17799 is over-shadowing Common Criteria/ISO 15408? ISO 17799 and
ISO 15408 deal with completely different aspects of security and information
assurance as I'm sure you're aware. While I am no fan of Windows 2000 or Unix
for that matter (both were designed as open systems and security was a far
afterthought), Microsoft has managed to get an EAL4+ rating which is as good
as any product currently listed by the International Common Criteria
Consortium. I am waiting somewhat breathlessly (sic) for a semiformal
verified (EAL5/6) product to come down the pipe. I'm not testing my
immortality awaiting an EAL7 product. It's so rare to see such a brief
commentary from you.

Kind Regards,

John Sforza

ISRisk
jsforza@...
585-230-3516 voice
720-294-6533 fax

#569 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Tue Sep 30, 2003 9:28 pm
Subject: RE: Digest Number 350
secgloss
 
From:            "John Sforza" <jsforza@...>
Date sent:       Mon, 29 Sep 2003 19:40:57 -0400

> Was this a review or just a bunch of excerpts?

Just a note of the site, and a few excerpts.


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
It is better, of course, to know useless things than to know
nothing.                                                    - Seneca
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#570 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Wed Oct 1, 2003 3:54 pm
Subject: REVIEW: "Intrusion Signatures and Analysis", Stephen Northcutt et al
secgloss
 
BKINSIAN.RVW   20030831

"Intrusion Signatures and Analysis", Stephen Northcutt et al, 2001,
0-7357-1063-5, U$39.99/C$59.95/UK#30.99
%A   Stephen Northcutt stephen@...
%A   Mark Cooper
%A   Matt Fearnow
%A   Karen Frederick
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2001
%G   0-7357-1063-5
%I   Macmillan Computer Publishing (MCP)
%O   U$39.99/C$59.95/UK#30.99 800-858-7674 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/0735710635/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0735710635/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0735710635/robsladesin03-20
%P   408 p.
%T   "Intrusion Signatures and Analysis"

Intrusion detection and network forensics are now vitally important
topics in the security arena.  An explanation of how to identify
dangerous signatures, and extract evidence of an intrusion or attack
from network logs, is something that most network administrators
require.  Unfortunately, while the idea is good, and badly needed, the
execution, in the case of the current work, is seriously flawed.

The introduction doesn't really specify a purpose or audience for this
book.  Mention is made of the GIAC (Global Incident Analysis Center,
also seemingly referred to at times as the GCIA) certification, but no
definition is given as to what this actually is.  Chapter one presents
a number of examples of network log entries and formats.  The
interpretation, though, concentrates on easily identifiable items such
as IP addresses, and neglects components that are less well known.
There seems to be some attempt to structure the descriptions, but it
is unclear and confusing, as are a number of the illustrations and
figures.

Chapters three and four list a "top ten" of specific attacks,
described down to a byte level, but not always in clear detail.
Perimeter logs, such as those from firewalls and routers, are
discussed in chapter six.  Restraint in reaction to odd traffic is
urged in chapter seven, particularly in light of the probability of
address spoofing.  Chapter eight outlines packets that indicate
mapping scans, while nine does the same with searches that might be
gathering system information.  Denial of service attacks are reviewed
in chapters ten and eleven, first with respect to attacks that attempt
to exhaust specific resources, and then in regard to bandwidth
consumption.  Chapter twelve discusses trojan programs, concentrating
on detection of unusual open ports.  Miscellaneous exploits are listed
in chapter thirteen, but since exploits are listed throughout the
previous three chapters it is difficult to find anything distinctive
about this section.  Fragmentation attacks are described in chapter fifteen.
Chapter sixteen reports on some odd looking non-malicious packets, in
warning against reacting to false positives.  A grab bag of odd
packets is listed in chapter seventeen.

As should be evident from the description above, there is a good deal
of valuable material in this book.  Unfortunately, it is not easy to
extract the useful bits.  The book as a whole could use serious
reorganization.  While chapter one appears to be an introduction to
the technical details, a far better explanation of packets and the
import of various fields is given in chapter five, ostensibly on non-
malicious or normal traffic, and this material should probably have
been placed at the beginning of the manual.  Chapter fourteen, almost
at the end of the text, reviews buffer overflows, which are seen
throughout the chapters preceding it.  There is a slight attempt to
explain the book in chapter two, but the content and organization is
perplexing, there is heavy use of unilluminated insider jargon, and
the presentation of example packets and subsequent conclusions without
the middle step of identifying the items that make these data
suspicious could be quite frustrating to the student.  The new system
administrator will not find the explanations clear or illuminating.
The experienced professional will not find particular attacks or
traffic types easy to find for reference.  Both groups will find
themselves flipping back and forth between sections of the book, or
even between sections of the exegesis of one particular attack.

However, both groups will likely be interested in the book anyway,
simply because of the lack of other sources.

copyright Robert M. Slade, 2003   BKINSIAN.RVW   20030831


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Those whom the Gods would destroy, they first call promising.
                                                     - Cyril Connolly
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#571 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Tue Oct 7, 2003 5:22 am
Subject: REVIEW: "Intrusion Detection with Snort", Jack Koziol
secgloss
 
BKINDTSN.RVW   20030901

"Intrusion Detection with Snort", Jack Koziol, 2003, 1-57870-281-X,
U$45.00/C$69.99/UK#32.99
%A   Jack Koziol
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2003
%G   1-57870-281-X
%I   Macmillan Computer Publishing (MCP)
%O   U$45.00/C$69.99/UK#32.99 800-858-7674 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/157870281X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/157870281X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/157870281X/robsladesin03-20
%P   340 p.
%T   "Intrusion Detection with Snort"

Chapter one is a good introduction to the basics of intrusion
detection, although it is odd that the list of detection methods is
missing some important entries, such as heuristic rule-based and
statistical methods.  The background overview of Snort, in chapter
two, describes alerts, related applications, and even has
recommendations for sensor net architecture.  Most of the content in
regard to the components of Snort, in chapter three, deals with the
preprocessors, and various attack signatures.  Chapter four's advice
about planning for the installation of Snort is broadly based,
addressing policy, architecture, and even incident response, but the
material is quite abstract, and could have benefitted from more
practical examples.  Some of these missing considerations are dealt
with in chapter five, which looks at hardware and operating system
factors.  The text concentrates on server and sensor performance, but
also addresses the network connection.  Directions on building a Snort
server under Red Hat Linux version 7.3 are given in chapter six.  The
sensor and console instructions are provided in chapters seven and
eight, respectively.  A few optional architectures are described in
chapter nine.

Chapter ten deals with tuning various rulesets and components in order
to reduce the level of false alarms.  Creating real-time alert systems
is discussed in chapter eleven.  Chapter twelve is a major one,
outlining the creation and modification of rules for filtering and
analyzing traffic.  Chapter thirteen is supposed to be about upgrading
and maintaining Snort, but concentrates on ancillary management tools.
Advanced or unusual configurations of Snort are described in chapter
fourteen.

The book is generally lucidly written and easy to study, but it
contains many typographical errors and a great deal of clumsy wording
in the text.  Better copy editing would have improved readability, as
well as confidence in the reliability of various commands and
settings.  However, the meaning is usually clear, even if the
expression is sometimes jarring.  For those planning to use Snort,
this should be a serviceable introduction.

copyright Robert M. Slade, 2003   BKINDTSN.RVW   20030901


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
               The size of a man is determined by what makes him mad.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#572 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Oct 13, 2003 7:36 pm
Subject: REVIEW: "Intrusion Detection with Snort", Rafeeq Ur Rehman
secgloss
 
BKIDWSAI.RVW   20030902

"Intrusion Detection with Snort", Rafeeq Ur Rehman, 2003,
0-13-140733-3, U$39.99/C$62.99
%A   Rafeeq Ur Rehman
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2003
%G   0-13-140733-3
%I   Prentice Hall
%O   U$39.99/C$62.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0131407333/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0131407333/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0131407333/robsladesin03-20
%P   263 p.
%T   "Intrusion Detection with Snort"

Chapter one is a very simple introduction to intrusion detection and
Snort.  Beginning with a brief look at topology, chapter two runs
through an installation of Snort, but does not provide much in the way
of explanation or recommendation at the various points.  The coverage
of Snort rule creation and syntax, in chapter three, is clear and
reasonable, but could use more examples of malicious packets and how
they might be identified.  Chapter four does explain some exploit
rules, in discussing preprocessors, but briefly, and then goes on to
output options.  Chapters five, six, and seven describe MySQL, ACID
(Analysis Console for Intrusion Databases), and other tools for using
Snort in conjunction with collected information.

This is decent printed documentation for the system, but not much
more.

copyright Robert M. Slade, 2003   BKIDWSAI.RVW   20030902


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Of all things, good sense is the most fairly distributed:
everyone thinks he is so well supplied with it that even those
who are the hardest to satisfy in every other respect never
desire more of it than they already have.
          - Rene Descartes (1596-1650), Discours de la Methode (1637)
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
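Both Snort reviews above (#571 and #572) note that the books cover rule
creation and syntax, and the second one complains that chapter three could use
more examples of malicious packets and how they might be identified. The block
below is an added illustration, not code from either book and not Snort's own
detection engine: a toy matcher for a small subset of Snort rule syntax (header
with $HOME_NET/$EXTERNAL_NET variables, direction "->", and the msg, content,
nocase and sid options), run over a handful of constructed packets. The
$HOME_NET value, the rule sids and the packets are all assumptions made for the
example. The internal-source and wrong-port packets show why the address and
port part of the header matters for keeping false positives down, the point the
Northcutt review (#570) makes about restraint in reacting to odd traffic.

```python
"""Toy Snort-style rule matcher (added illustration, not Snort's engine)."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed variable values for the example; real Snort reads these from snort.conf.
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
# option;  or  option:value;  where value may be a quoted string
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    contents: list  # [(needle_bytes, nocase), ...]; all must match


def decode_content(text: str) -> bytes:
    """Snort content strings: literal text, with |hh hh| sections as raw hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    contents, msg, sid = [], "", 0
    for key, val in OPT_RE.findall(m["opts"]):
        if key == "content":
            contents.append([decode_content(val.strip('"')), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True  # modifier applies to the preceding content
        elif key == "msg":
            msg = val.strip('"')
        elif key == "sid":
            sid = int(val)
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"],
                m["dport"], msg, sid, [tuple(c) for c in contents])


def addr_match(spec: str, ip: str) -> bool:
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:  # range such as 1024:65535
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto not in ("any", pkt["proto"]):
        return False
    if not (addr_match(rule.src, pkt["src"]) and port_match(rule.sport, pkt["sport"])):
        return False
    if not (addr_match(rule.dst, pkt["dst"]) and port_match(rule.dport, pkt["dport"])):
        return False
    for needle, nocase in rule.contents:
        hay = pkt["payload"].lower() if nocase else pkt["payload"]
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def alerts_for(pkt: dict, rules: list) -> list:
    """Sids of all alert rules that fire on one packet."""
    return [r.sid for r in rules if r.action == "alert" and rule_matches(r, pkt)]


# Assumed rules for the example (sids in the local 1000000+ range).
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC directory traversal"; content:"../"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000002;)',
]]

# Constructed packets, not captured traffic.
PACKETS = {
    "external_traversal": dict(proto="tcp", src="198.51.100.7", sport=40000, dst="10.1.2.3", dport=80,
                               payload=b"GET /scripts/..%c1%1c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    "internal_traversal": dict(proto="tcp", src="10.5.5.5", sport=40001, dst="10.1.2.3", dport=80,
                               payload=b"GET /../etc/passwd HTTP/1.0\r\n"),
    "benign_get": dict(proto="tcp", src="198.51.100.9", sport=40002, dst="10.1.2.3", dport=80,
                       payload=b"GET /index.html HTTP/1.0\r\n"),
    "wrong_port": dict(proto="tcp", src="198.51.100.9", sport=40003, dst="10.1.2.3", dport=22,
                       payload=b"../"),
}


def run_demo() -> dict:
    return {name: alerts_for(pkt, RULES) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, sids in run_demo().items():
        print(f"{name:20s} -> {sids}")
```

Only the first packet fires, and it fires on both rules: the traversal pattern
is matched byte for byte and cmd.exe matches despite the upper case because of
nocase. The same traversal string from an internal address, and the same bytes
to port 22, produce nothing, because the rule header restricts source network
and destination port before any content is compared.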
