Hacking Books


Hacking Books sorted by Average customer review: high to low.

Hacking
Information Warfare Principles and Operations
Published in Hardcover by Artech House Publishers (1998-08)
Author: Edward Waltz
List price: $149.00
New price: $119.20
Used price: $104.95

Awesome book.
Helpful Votes: 3 out of 3 total.
Review Date: 2003-02-26
Starts out a little dry, but it's the necessary building blocks for the rest of the book. This is a great end-to-end description of the science of IW. Good buy!

A thorough introduction to a complex discipline
Helpful Votes: 30 out of 30 total.
Review Date: 2001-09-13
This book presents an information warfare framework that is more aligned to national infrastructure and military systems protection than commercial enterprises. However, the framework and systematic discussion of all of the relevant elements of information warfare can be applied to any environment - commercial, government or military.

The framework itself is sound and is the foundation of any infowar readiness posture. The book emphasizes a readiness posture that is defensive in nature, and the approach set forth addresses both strategic and tactical defense considerations.

There are three interesting viewpoints provided, which is consistent with the systems engineering approach taken: (1) hierarchy of strategic components. These are presented top-down with defense and deterrence paths as follows: Policy, Strategy and Operational levels and Operational Influence Relationships. (2) A strategic process that encompasses development of strategy, threat analysis and assessment of effectiveness. (3) Operational model, comprised of perceptual, information and physical layers.

Issues such as MEII (Minimum Essential Information Infrastructure) deployment and modes of operations are cogently discussed along with associated tactical responses (surveillance, mode control, auditing/forensic analysis and reporting). The conceptual and process framework is augmented by a solid discussion of security technologies that are still in the large as accurate and valid today as when the book was written in 1998.

What I especially like about this book, aside from the systems engineering approach and viewpoints, is the complete coverage of the full spectrum of information warfare, including more subtle issues such as data and knowledge analysis, the cursory examination of offensive operations (seeing the info war from a hostile's viewpoint), and the copious amount of detail provided for each of the topics and subjects associated with infowar.

This book is an excellent starting point for corporate security organs that have matured to the point where infowar defensive measures can be effectively addressed. Although infowar is an element of information security, the mindset for defense requires a vastly more mature security program than normal network and system security practices because the threats may not be strictly technical in nature. This book will prepare you for the realities of infowar and give you insights about how it can be incorporated into your security posture.

Hacking
Wardriving & Wireless Penetration Testing
Published in Paperback by Syngress (2006-10-31)
Authors: Chris Hurley, Russ Rogers, Frank Thornton, Daniel Connelly, and Brian Baker
List price: $49.95
New price: $31.49
Used price: $52.38

VERY VERY HIGHLY RECOMMENDED!!
Helpful Votes: 2 out of 3 total.
Review Date: 2007-04-09
Are you a wireless security administrator? If you are, then this book is for you. Authors Chris Hurley, Russ Rogers, Frank Thornton, Daniel Connelly and Brian Baker, have done an outstanding job of writing a book to show you how to analyze wireless networks through wardriving and penetration testing.

Hurley, Rogers, Thornton, Connelly and Baker begin with a discussion about wardriving and how it applies to a wireless penetration test. Then, the authors discuss how antennas work and how to choose the right antenna for conducting wireless network penetration testing. Next, they show you how to use a handheld device for direction finding and tracking, down to rogue access points and clients. The authors also introduce some basic techniques for wardriving and penetration testing using Microsoft Windows. They continue by describing the steps necessary to configure and utilize the KisMAC WLAN discovery tool in order to successfully wardrive. Then, the authors show you how to identify your specific WLAN target and determine what security measures are being utilized. Next, they show you how to use two of the most popular mapping applications: Kismet and NetStumbler. The authors then discuss the hardware required for a wireless MITM attack. They continue by focusing on the Open WRT firmware. Finally, they focus on how to perform a wireless test against a client, and examine some of the vulnerabilities related to wireless video.

This most excellent book assesses wireless networks, while leveraging these free tools to low-cost supporting hardware. Perhaps more importantly, after reading this book, you'll get a taste of how wardriving really works in the real world.

Comprehensive and clear, a good book
Helpful Votes: 3 out of 3 total.
Review Date: 2007-01-03
Disclaimer: I know the guy who wrote the foreword, although I don't think in any way this has influenced my review of this book.

I'm not a wireless hacker, although I've dabbled some in examining networks and some of the software in the book. That said, I think I learned quite a bit by reading this book. I didn't know what to expect with "Wardriving & Wireless Penetration Testing", but what I found was a focused, well prepared book with clear examples. Now, this book is very heavy on network discovery and mapping and not as complete on wireless attacks, although this topic does get coverage in a full chapter and parts of others.

What I like about the book is that it's comprehensive without being exhaustive. It covers WiFi hacking from Windows and Linux, which you would expect, and also from OS X (not so common) and also from, very pleasantly, handheld devices. The software covered is mainly using Kismet/Kismac and the NetStumbler family of software, which is not unexpected. These are premier tools and offer everything you would want. Several minor tools are also discussed.

Various attacks covered include breaking the security mechanisms of WEP, WPA and LEAP, not surprisingly, and how to commit MITM attacks. In all of these, the instructions are clear and straightforward with clear illustrations.

Lest you think this book is all about software, there's good coverage of hardware, both wireless cards and adapters as well as antennas. Also, some GPS software and its integration with wireless mapping efforts is also covered in detail. Another surprise is the coverage of the OpenWRT software kit for the WRT54G device, which can easily be loaded into a functional, dedicated wireless pentest and attack tool. The authors provide valuable tips and insights along the way. A short "bonus" chapter on wireless video device hacking is also included. Appendix B covers driver static analysis and testing, which is becoming a hot topic right now in vulnerability research.

Screenshots, examples, and images were generally well done. A handful of Linux-specific screenshots (i.e., for the kernel configuration) were poorly reproduced, unfortunately.

While I'm not an expert at wireless (either the security protocols, the auth protocols, or the physics) I didn't spot any obvious mistakes in their background material.

I found "Wardriving & Wireless Penetration Testing" to be well written and full of useful information, all clearly and well presented. The authors have prepared a good, timely book on the subject, and cover the topic in full, sharing insights and tips along the way.

Hacking
Web 2.0 Security - Defending AJAX, RIA, AND SOA
Published in Paperback by Charles River Media (2007-12-04)
Author: Shreeraj Shah
List price: $49.99
New price: $25.98
Used price: $25.97

Good Reference Book
Helpful Votes: 0 out of 0 total.
Review Date: 2008-07-12
Buy this book if you want to have decent information on tools to use for testing and defending your applications against various Web 2.0 security-related vulnerabilities. I deducted one star because I felt that some parts of the book were redundant and some concepts were not explained well, but overall I am quite happy with this book!

VERY VERY HIGHLY RECOMMENDED!!
Helpful Votes: 1 out of 1 total.
Review Date: 2008-03-08
Are you a security professional or developer? If you are, this book is for you! Author Shreeraj Shah has done an outstanding job of writing a great book that explores Web 2.0 hacking methods.

Shah begins by covering real life Web 2.0 applications that offer a better perspective on the overall infrastructure. Next, the author focuses on the overall Web 2.0 changes and their impact on security. Then, he discusses Web services footprinting and identifies access points for SOA as well as an understanding of application discovery and profiling to identify internal Web 2.0 resources. The author continues by discussing the XSS attack vector and its security implications for Web 2.0 applications. In addition, the author explores the security concerns growing around RSS, mashup, and widgets. He also provides an overview of SOA and the security concerns associated with it. Next, the author takes a look at ModSecurity for Apache and IHttpModule for the .NET framework, as well as some tricks with which you can identify Ajax-based requests and act upon them on the server side. Finally, he covers some interesting tools, techniques, references, and cheat sheets.

This most excellent book addresses several critical aspects of Web 2.0 security. What's most important though, is that this book addresses in detail both tactical attack vectors and defense strategies, while focussing on web 2.0.

Hacking
The Art of Deception: Controlling the Human Element of Security
Published in Kindle Edition by Wiley (2002-10-11)
Authors: Kevin D. Mitnick and William L. Simon
List price: $16.95
New price: $9.99

It's just excellent
Helpful Votes: 0 out of 0 total.
Review Date: 2008-07-03
Adequate for noobs and pros to understand how important social engineering in our security is, this applied not only in software; you can relate it with anything in your life.
Highly recommended

A classic and must-read for anybody worried about security
Helpful Votes: 0 out of 0 total.
Review Date: 2008-05-11
This is a great starting point for anybody interested in deceit. While the book focuses on "real-world" deceit, many of the principles carry over to online crime. It is very easy to read, and yet, informative and helpful. If you want to find an answer to the question "Just how much will people agree to?" then this is the book for you to read -- whether you are a system administrator, security researcher, policy maker, or simply interested in understanding fraud and psychology better.

Markus Jakobsson
[..]

Amazing
Helpful Votes: 0 out of 0 total.
Review Date: 2008-04-12
This book is filled with information that you would not believe. I never read books ever, but this is one of the few exceptions. It is truly amazing!

This book is quite an eye-opener
Helpful Votes: 1 out of 1 total.
Review Date: 2008-06-17
This is a great, but frightening book. The book explains many, many ways how "social engineers" (what the author calls those who manipulate strangers) can take advantage of people. These stories are clearly and convincingly illustrated by examples. Unfortunately, when one realizes all the people who have access to their private information and that it only takes one to fall for the kind of tricks mentioned here, it is clear that safety is all but impossible. That said, this can serve as a wake up call to fix what we can, especially in our own workplaces. My one complaint with the book is that the sample security policies in the last chapter were not available electronically.

Interesting overview of the human aspects of computer security, with helpful tips on prevention.
Helpful Votes: 2 out of 2 total.
Review Date: 2008-04-01
Kevin Mitnick, probably the most famous (and controversial) computer hacker of the 1990's, has spent several years of his life on the run, as well as a few years in jail. For years after leaving prison he was forbidden to log on to a computer, a prohibition he appealed successfully. He now runs a computer security business, lectures to large corporations, and has co-authored two books on computer network security.

This book focuses on the human element of computer security. Reminding us that even the most sophisticated high-tech security systems can be rendered worthless if the people running them are not sufficiently vigilant, Mitnick goes on to point out the myriad ways in which human carelessness can contribute to security breaches. An experienced con artist who is well-versed in social engineering techniques can often do far more damage by manipulating people to provide information they shouldn't than by relying on technologically sophisticated hacking methods.

The book is interesting for the most part, though it would have benefited from a 25% reduction in length, and there are some annoying stylistic tics. Throughout the first 14 chapters, each of which reviews a particular type of `con' used by hackers/social engineers to breach computer security, the chapter setup follows the same schema:
(i) an anecdote or vignette, involving fictitious characters but based on actual events, which lays out the deception as it unfolds, following it through to the successful breach (ii) analysis of the `con', focusing specifically on the mistakes or behaviors (at the individual and at the organizational level) which allowed it to succeed (iii) discussion of the changes that would be needed to stop the con from succeeding (e.g. behavior of individual employees, corporate policies and procedures, computer software and hardware). This is actually a pretty decent way to make the points Mitnick wants to get across - starting out with a concrete example of how things go wrong gets attention and motivates the reader to read on to figure out the solution.

One feature of the book which was meant to be helpful started to annoy me by about the third chapter. Interspersed throughout each chapter, the authors insert highlighted textboxes of two types: `lingo' - repeating the definition of a concept already adequately defined in the text, or `mitnick messages' - which seemed superfluous, and a little condescending, as they generally repeated what was already obvious. In general, this is not a book you will read for the delights of its prose style (after successfully gaining access to a cache of hidden documents, one hacker is described as spending his evening gleefully "pouring over" the documents); however, the prose is serviceable, managing to avoid lapses into the dreaded corpspeak, for the most part.

For some readers, the most useful part of the book may be its final two chapters. Here the authors lay out, in considerable detail, outlines for recommended corporate information security policies, and an associated training program on information security awareness. Though I am no expert in these areas, the outlines strike me as being commendably thorough - complete enough that they could be fleshed out without too much difficulty to generate a comprehensive set of policies and procedures.

Despite some redundancy, and occasional infelicities of style, this book seemed to me to be interesting, and likely to be practically useful.

Hacking
Maximum Security: A Hacker's Guide to Protecting Your Computer Systems and Network, 4th Edition (Book and CD-ROM)
Published in Paperback by Sams (2002-12-16)
Author: Various
List price: $49.99
New price: $25.00
Used price: $1.65

Comprehensive, but lacks real examples
Helpful Votes: 0 out of 0 total.
Review Date: 2006-09-13
This book will give a LOT of information about all kinds of networking protocols, Operating Systems, and hardware from the security standpoint. However, it is way too theoretic. There are virtually no real life examples, no code listings. This may or may not actually be a drawback, because some people do not want code in the text they are reading. Well, then this book is for beginners. Either way it does not deserve MY five stars.

doesn't age well
Helpful Votes: 1 out of 1 total.
Review Date: 2007-07-05
The main problem with this book is that it's essentially a series of links to tools. Tools are known to age quickly, and what was a useful tool a month ago is now obsolete. By being too tool heavy the book lends itself to the same problem - it quickly becomes dated and useless. Compare this for example to some other textbooks which delve into the underlying principles of crypto, networking, operating systems, etc., and you'll see that this is not a necessary evil.

Packed with quality links to specific information
Helpful Votes: 1 out of 1 total.
Review Date: 2004-02-27
There is no task more daunting than one that is fundamentally impossible, extensive and yet necessary. Computer security is like that, as the only secure computer is one that is disconnected from all power sources. The moment it is powered up in a mode that allows useful work to be done, it becomes vulnerable. Furthermore, the number of ways it is vulnerable is effectively infinite, meaning that the number is so large and complex, that it is not possible to handle them all. Finally, it is necessary, as the world is full of a large number of people whose sole purpose in life seems to be to cause as much damage and frustration as they possibly can. Therefore, there is no choice but to apply as many security features as possible to all our computer systems.
This book is an overview of the primary aspects of computer security. Split up into the six broad categories: security concepts, hacking 101, a defender's toolkit, weapons of mass destruction, architecture, platforms and security; and security and integrated services, there is also an extensive bibliography of websites, books and software. If you are interested in an overview of computer security, then this book will provide it.
However, the main value that I get from the book is from the links to more detailed information. I recently taught a special topics course in computer security and I found it invaluable in tracking down detailed information concerning topics such as specific types of distributed denial of service attacks, steganography, password cracking dictionaries and communication protocols. The encyclopedia form of the book makes it very valuable as a primary initial reference.
Useful as an overview for people seeking their first knowledge of computer security, this book will also have value for the IT worker who needs pointers to specific information regarding computer security.

Essential information and a lot of it
Helpful Votes: 2 out of 2 total.
Review Date: 2002-12-14
Security is an enormous task, the amount of information in this book, both written and referenced, is intimidating. Furthermore, the reality that it is necessary for your survival can raise your blood pressure and the number of hours you lay awake at night. Fortunately, it is not necessary to do it all at once and there are software tools that can make the scanning for security problems much easier.
This book contains complete descriptions of the most common forms of computer security problems, including how attackers use the weaknesses and links to additional information. Computer security is an area of computing that is very close to the shadowy world of spies and secret agents. Fourteen contributors other than the lead author are listed on the inside front cover, four of which are not pictured. The lead author is also listed as anonymous.
In terms of content, the descriptions are complete, both in coverage and detail. Somewhere, somehow, the people who manage the IT facilities at organizations must make contact with the material in this book and it is as good a place as any to do so. The authors also do an excellent job in aggregating references to more detailed explanations of the various areas of security. You could literally spend weeks following all the research paths listed for most of the topics.
The only people who can afford to do nothing are those who have nothing. Everyone else should read this book and take the appropriate actions to protect themselves.

A practitioner's point of view...
Helpful Votes: 3 out of 3 total.
Review Date: 2003-01-06
Well, I have bought every version of this book since the first and continue to find reasons enclosed to keep it on my bookshelf. I even own Maximum Linux Security. Yep. It's excellent as well.

Not only does the book give you a good feel about where to find the tools of the trade it also gives you insight into their usage.

I regularly investigate computer-based intrusions and find that many of the concepts included in these chapters are enclosed.

I cut my teeth on this series of books a few years ago and continue to keep my skills fresh with them today.

I believe in this book. I think any serious practitioner should at least browse it to see what he or she is missing. Loved it - Keep them coming.

I'm looking forward to seeing if this edition has anything on the latest exploits concerning the use of Nimda/Code Red/Unicode invasions that I am seeing in conjunction with Scanner Tools and remote control utilities is discussed or not... IRC-Scripters...

Anyone have info contact me ...Thanks...

Hacking
Hacking Exposed
Published in Paperback by (2000-10-11)
Authors: Joel Scambray, Stuart McClure, and George Kurtz
List price: $39.99
New price: $11.21
Used price: $5.08

Overrated
Helpful Votes: 0 out of 2 total.
Review Date: 2008-02-18
Too many old hacks. Not enough tools. Too much talking......save your money. Get from the library and save your money. Go to a SANS class or get the SANS books.

vedy good
Helpful Votes: 0 out of 3 total.
Review Date: 2007-03-30
The book is one of the best that I've read.
It speaks about hacking in a technical way and it's full of information.

Good learning reference for those interested in learning.
Helpful Votes: 1 out of 1 total.
Review Date: 2007-07-30
This book offers an excellent overview of techniques, though some outdated, to exploit and secure systems. The book is easy to read with just enough technical jargon to teach you something. It covers most major exploits and the techniques used to secure your system against them. I have tested many of the exploits and tools and found them to work very well attacking and defending. If you are new to computer security this is a must-read. If you are an expert in the field this is a great reference.

Excellent book for the beginner
Helpful Votes: 2 out of 2 total.
Review Date: 2007-08-01
While starting out in a new career, this book has been recommended to me time and time again. I have some background in security and penetration testing however this book takes you into a deeper understanding of how things work. I strongly recommend it for the beginner as well as the seasoned Information Security Professional.

An essential book for Linux admins
Helpful Votes: 2 out of 2 total.
Review Date: 2007-03-07
I read this book cover to cover and bookmarked half the pages with tips I want to use. It's not just a book on preventing hacks...it's full of great productivity tips as well. Nowadays, I rarely buy computer books because all the info is on the internet. But this book is an exception. The internet can't substitute for the education you'll get by walking through this one page at a time.

Hacking
The Masters of Deception: Gang That Ruled Cyberspace, The
Published in Paperback by Harper Perennial (1996-01-10)
Author: Michelle Slatalla
List price: $15.00
New price: $6.20
Used price: $0.01
Collectible price: $15.00

Still fun to read 10 years later...
Helpful Votes: 1 out of 1 total.
Review Date: 2006-09-25
At 225 pages you can breeze through it rather quickly, enjoying a fascinating look at young people with the commitment, energy and intelligence it took to hack and learn new systems. It was a time when the phone company was deregulated but Ma Bell's offspring still held quite a lot of power and were irresistible to phone phreaks and hackers. If you don't expect too much you'll enjoy a look into the hacker sub-culture. They were explorers and not criminals. I attended several conferences with these guys in later years and can report that their pursuit of knowledge is still fascinating. Social engineering is still the best hack for me. Plik!

ONE OF THE BEST BOOKS I EVER READ
Helpful Votes: 1 out of 8 total.
Review Date: 2005-05-08
THIS BOOK IS SIMPLY IN MY LIST OF "BEST BOOKS OF ALL TIME". I HAD STARTED READING IT AND JUST CAN'T STOP !! IT'S FASCINATING TO LEARN ABOUT THE WAR BETWEEN "THE MASTERS OF DECEPTION" AND "THE LEGION OF DOOM" AND THE WIDE RANGE OF VULNERABILITY OF TELECOMMUNICATIONS WORLDWIDE. I HARDLY RECOMMEND THIS BOOK. A MUST HAVE !!!

Good book on hackers sub-culture
Helpful Votes: 2 out of 2 total.
Review Date: 2006-06-29
Actually this is a great book about the hacker sub-culture, indeed one of the best I have ever read. This book describes very well the whole story and social aspects of New York City hackers but fails when dealing with technical aspects or lacks it. I can affirm it's a good book for people who are interested to know how poor guys in Queens, NY, rose from nothing to create one of the most notorious hacker gangs ever and to improve knowledge about the late 80's and early 90's American hacker scene.

Journalistic view of one event
Helpful Votes: 2 out of 2 total.
Review Date: 2005-11-08
This is not a book about hackers; it's a book about some specific hackers who happen to come after much of the action was concluded. Even more than that, it's a book biased toward New York which contains every implied slander of Texas that one can meld into a narrative about hackers. I like the description of MOD, and thought the authors did an excellent job of building up the character of these kids, but find that for the size of this book, it missed an absolute raft of important knowledge. Why do people hack? What, besides damaged egos, makes it thrilling to have forbidden knowledge? How could our society be so incompetent as to leave these giant security holes everywhere? And finally: what was the global hacking culture like, outside of the spacy little land of New York City? The boys from LOD are treated as props and their contributions ignored, which is infuriating to someone who is familiar with the goings-on in the computer underground at that time. Also, technical writing is not difficult, and while this book tries to stay non-technical, I have to ask "why?" There are interesting details which are overlooked and could have been conveyed in English. These authors do a credible job of buildup, but then hype a few incidents into some metaphor for cyberspace, and consequently halve the strength of their book. I would recommend this to people who cannot simply pick up a copy of "2600" magazine or "Phrack" and figure it out for themselves, but not to anyone who cares about the heart, soul or brains of hacker culture.

The Masters of Deception
Helpful Votes: 2 out of 4 total.
Review Date: 2005-09-05
Great book going behind the scenes of computer hackers in the late 80's early 90's. It really takes you back to the time. Not overly complex. A fantastic read for anyone with an interest in computer crime or within the "IT" community. Easy enough to read for someone not technically savvy to understand the basics. For $10 USD you can't go wrong.

Hacking
The CISSP Prep Guide: Mastering the Ten Domains of Computer Security
Published in Hardcover by Wiley (2001-08-24)
Authors: Ronald L. Krutz, Russell Dean Vines, and Edward M. Stroz
List price: $85.00
New price: $8.50
Used price: $3.40

Average
Helpful Votes: 0 out of 0 total.
Review Date: 2008-06-14
Nutshell review - An average review book for the CISSP exam. There are better resources available.

This is the book that will get you pass the CISSP exam!
Helpful Votes: 0 out of 0 total.
Review Date: 2007-07-11
I used the CISSP for Dummies as a first book to get me in the mode and hit this book hard over and over again. It helped me to pass the test on my first try. It has enough details and excellent test questions. I'm not sure about the ISSEP parts as I did not go through it. At $6.99 when I bought it compared to the $26.99 I paid for the Dummies book, this is the best bang for the buck in studying for the exam, no question about that.

Goodish study guide for this certification
Helpful Votes: 0 out of 0 total.
Review Date: 2007-01-30
Good points:

+Surveys of all areas of the CISSP exam.
+Each area covered in detail with many examples.
+Well written in the usual sober style of Wiley guides.
+Good layout, easy on the eyes and with lots of margin space for notes. Easier to read than the official (ISC)2 guide.
+CD gives over 300 practice questions.

Bad points:

-Typos, one every ten pages or so.
-Some mistakes, or at least areas where I disagreed. (See below for an example.)
-Out of date. (That's not really the author's fault but that's Reality, accept it, what with revolutions happening every six months...)

One example of a disagreement came in a question where we were asked to choose which of four methods was NOT a good way of wiping data from a diskette. I chose "writing data to the diskette several times" but the book gave the correct answer as "formatting the diskette seven times". I disagree. At my office before discarding a PC, IT wipes the hard drive. They reformat the drive once then they overwrite the entire hard disk several times with random sequences of bytes. Such software is easy to find on the internet and the method is pretty standard.

While there are many challenging concepts and more than a few insights especially in areas where I don't have much experience, I find much to be just plain wrong or at best naive. One big problem is (ISC)2 itself: what you need to know to get their accreditation is wrong. The above disagreement is one example, but there are more: (ISC)2 thinks software piracy is like stealing anything else, when in fact the status of intellectual property is not yet well defined.

Verdict: if you need to take the CISSP accreditation get this book along with the official (ISC)2 study guide, otherwise don't.


Vincent Poirier, Tokyo

Afterword: I underwent the exam last March and passed. I can't talk about the exam's content (as part of the agreement one signs upon taking the exam) but I will make one positive comment: the questions were more relevant and less naive than the study material had led me to expect.

VP, Dublin

Not bad, but the "Official" study guide is better IMO
Helpful Votes: 1 out of 1 total.
Review Date: 2006-11-23
This book is ok, but I think the book sold by ISC2 is much better. I only used this as a "supplement" to the official guide.

There are so many CISSP products on the market and I think most of them are BS (i.e. Shon Harris' $1000 review product). Maybe if you know nothing about security and have the choice of a $4,000 boot camp and the Shon Harris $1,000 package, otherwise, get the official guide (about $60) and spend some time reading it. It comes with practice tests in the back and a small test per chapter (most certification books are like this).

Passed my CISSP Test today!!
Helpful Votes: 1 out of 1 total.
Review Date: 2006-10-12
I received notice today that I passed the CISSP test, and this book was the main source I used for studying. It is thorough without giving you extraneous information you don't need for the test. The writing style is adequately pleasant to get through for a technical book. Having the book in PDF form as well was a really helpful plus.

Thanks, Ron Krutz! I will add that reading one or two other books at the same time will greatly increase your overall comprehension of the material. This test is not about technical details, but showing that you grasp the underlying big concepts in security. I would study a domain by reading three study guides' chapters on that one domain before moving on to another domain. This gave me a great perspective.

Strat

Hacking
Hacking Exposed: Network Security Secrets & Solutions (Hacking Exposed)
Published in Paperback by McGraw-Hill Companies (2001-05)
Authors: Joel Scambray and Stuart McClure
List price: $49.99

Average review score:

Good, but hard to keep up to date!
Helpful Votes: 0 out of 0 total.
Review Date: 2001-11-30
The book is great for telling you what it has to tell you. Unfortunately, so many new exploits are found each day, it is hard for the book to keep up to date. I am already a couple of revisions behind. Still, it is a worthwhile read.

Exposed your network
Helpful Votes: 0 out of 0 total.
Review Date: 2001-09-17
This is the first technical book about security in network/systems. I found that some books only show how to "close" a hole in a network without informing what it is closing from. This is a good book for busy administrators who do not have enough time to update themselves, since this book is a compilation of security threats/tools/defences.

Good Book
Helpful Votes: 1 out of 3 total.
Review Date: 2001-04-05
This is a good book for anyone who wants to learn more about network security and hacking in general. The author provides links to a substantial amount of downloadable resources from the web. Although some of the sites are no longer in existence, there are a substantial number of the tools discussed in the book on the internet that are free for a short period.

I simply loved this book
Helpful Votes: 3 out of 3 total.
Review Date: 2001-03-24
This book is a must for every Admin out there. I would also recommend this book to IT managers/directors/etc. This book is more than just an explanation of security holes/fixes but puts you into the mind of the cracker. You must see the world as the cracker does in order to defend yourself. In Patton, Patton was shouting "I read your book" to Rommel as he beat Rommel in a tank battle. This is the same for System/Network Admins everywhere, it is imperative we read the cracker's book and understand his assault from beginning to end. Only then can you be prepared. This will also wake up your managers if they are not paranoid enough :-)

Excellent for beginning hackers
Helpful Votes: 4 out of 5 total.
Review Date: 2001-09-27
If you want to go over to the 'dark side', this book describes enough hacking technique to turn you into a 'script kiddie' (or enough to defend against them). Of course, it's the things that the book *doesn't* go into detail about that makes you want to learn more in-depth detail about network security (things like buffer overruns and process hijacking). A good starting point for budding hackers, people who administer networks, or anyone who is technically-minded. It also teaches enough about Back Orifice and NetBus to have fun messing with your co-workers on those occasional boring days in the cubicle!

Hacking
Hackers and Painters: Big Ideas from the Computer Age
Published in Hardcover by O'Reilly Media, Inc. (2004-05)
Author: Paul Graham
List price: $22.95
New price: $8.91
Used price: $8.69

Average review score:

Informative and Enjoyable
Helpful Votes: 0 out of 0 total.
Review Date: 2008-04-25
Hackers and Painters is a good read. I enjoyed learning about the author's perspective on programming trends. I really enjoyed learning about his enthusiasm for Lisp. This book is not a how-to, but a collection of essays describing the author's views, opinions, and experiences with various programming topics. I definitely recommend it.

Unconventional book, unconventional author, surprising points made
Helpful Votes: 0 out of 0 total.
Review Date: 2007-10-19
The book particularly deals with the nexus between programming, creativity, social commentary, wealth-generation, business-personal-entrepreneurial psychology (his specialty!) and LISP-related stuff. I skipped the programming sections because I'm not a programmer. The philosophical commentary was better than 90% of other philosophy books I've read, more cutting and more true-to-life.

Interesting but don't believe too much
Helpful Votes: 1 out of 2 total.
Review Date: 2007-07-28
I was entertained and greatly appreciated the view of the author but the many times I completely disagreed (due to very substantiated reasons) made me skeptical of several ideas of the author. But, the reasons for him holding those views are, in and of themselves, interesting. He does have several good and controversial ideas and his experiences are quite valuable to read. Most of the time, I found myself flying high with him as he stated things that really need to be said which ran against conventional thought. Other times, I found myself raising my eyebrows in bewilderment. After all, it really is a book about his thoughts so take it as such. His book, his soapbox.

The book reads well but really trails off towards the end. I found myself finishing the book just so I could say I was through with it. The opening chapters are quite entertaining. Read a few chapters that you find interesting and leave it at that.

Interesting
Helpful Votes: 2 out of 2 total.
Review Date: 2007-09-07
Paul Graham is very clever (and rich - is that relevant?), however light also bends around his ego. Whether the sum of these qualities is positive is not absolutely clear to me.

If you want to read the best thing that he has written, you might be better served by his book on advanced Lisp programming, which is a monument anybody can be proud of - it comes close behind SICP on my personal list.

And, if you do read this book, I suggest you also look at 'The Science of Art' by Martin Kemp, which gives another perspective on the maybe slightly overweighted metaphor of the title, and the relation between theory and practice it implies.

Airport mall book
Helpful Votes: 3 out of 8 total.
Review Date: 2007-08-11
In spite of the strong desire to punch the author in the face after finishing the book, there are many great truths inside. Basically why is it that most people think salaries on the same position should be the same if work results differ in orders of magnitude.

Also it's funny to see an ultra-capitalist criticize the western decadent corporate structure. It's The Market for Lemons all over the place.

Don't expect to find anything useful to make a dot com startup in this book. It's all anecdotes from his experience and his quasi-religious views. It's more rhetoric on Lisp than business.

As another reviewer said, read first his online essays before diving into this.

