Hacking Books


Hacking Books sorted by Average customer review: high to low.

Hacking
Hack Proofing Your Web Applications
Published in Digital by SYNGRESS (2001-05-01)
Author: Ryan Russell
List price: $19.98
New price: $19.98

Average review score:

Fragmented and a bit self-important, but still useful
Helpful Votes: 0 out of 0 total.
Review Date: 2003-07-25
This book aims to be a "one stop shop" covering all aspects of web application security, however your app is written: Java, CGI, Perl, PHP, Active X. To a large extent it succeeds, and in a surprisingly readable way. Each chapter covers one aspect of hacking or security, and ends with a summary, a "fast track" checklist, and a FAQ for the topics covered. The book is sold like software - you can register for a "1-year upgrade", to keep the content fresh.

Important topics include both detailed and general hints on how to read and spot security holes in code in different languages; and how to "think like a hacker", and use hacker tools to test your own security. Above all, the book emphasizes the need for creative thinking and to avoid producing code carelessly.

I know from experience that security is often ignored if it's seen as too hard to understand, plan or test. Don't be a victim of your own ignorance, read this book.

Hack Proofing Your Web Applications
Helpful Votes: 5 out of 7 total.
Review Date: 2002-04-06
I'm working on a presentation on Web Application Security, and I
picked up this text as a reference. What a mistake! The text is
vague, poorly formatted and rife with errors.

Just one example:
p. 131 shows a sample CGI script for submitting comments to
FreeBSD.org. First of all, the screenshot references a page that
doesn't exist, tarnishing FreeBSD for no good reason. Secondly, the
Perl CGI script doesn't set PATH, doesn't use taint, and doesn't check
exit values. Third, the form uses a hidden field for the submit
address -- making it a juicy spam tool since the user could simply
replace "mcross@freebsd.org" with any address she chooses. And I
could go on and on with just that one script.

Other gripes:
p. 465, "SSL makes the man-in-the-middle attack fail". Wrong. ...

How about this: The authors refer to Perl as the
"Practical Extraction and Reporting Language." (p. 151, p. 223) Are
they trying to impress newbies?

SSL & PKI: only 20 pages of 565
are devoted to SSL & PKI, and those are mostly screen shots of Windows
MMC.

I'm not picking nits here, just citing examples that
particularly irk me while flipping through it. The author seems to
have little to say about Securing Web Applications, so he rambles on
with useless background and repeats himself often. This might be
useful had it been edited down to 100 pages.

I recommend Garfinkel
and Spafford's 'Web Security, Privacy & Commerce,' however Forristal
does minimally discuss ASP, which Garfinkel and Spafford neglect.
Also, Forristal has some interesting ideas for code review.

...

Another surprisingly good security book from Syngress
Helpful Votes: 5 out of 10 total.
Review Date: 2001-10-18
I am a senior engineer for network security operations. Since I am not a developer, I was initially reluctant to read and review a book seemingly targeted towards programmers. From a non-developer, security professional standpoint, I believe "Hack Proofing Your Web Applications" (HPYWA) is an excellent book. Because HPYWA provides sufficient background, administrators will find it enlightening. Programmers should find it practical as well.

HPYWA is unique. One sees dozens of general networking and security texts, but few on securing applications. Since attackers are gravitating towards exploiting subtle application flaws, HPYWA's advice is timely and sorely needed. Talented authors (who should be credited chapter-by-chapter) explain security strategies for Visual Basic for Applications, CGI, Java, XML, ActiveX, and Cold Fusion. They tell how to avoid becoming a "code grinder" ("a developer who lacks creativity... bound by rules and primitive techniques"). They also discuss general exploit techniques, but not to the depth of a "Hacking Exposed" volume.

Crucially, throughout the book, the authors do not assume the reader is an expert in all technologies. They instead begin with solid introductions to languages and tools. These help non-programmers understand the issues, and give developers common foundations for code improvement.

I was particularly impressed by chapter 6, which explained how to conduct code audits and reverse engineering. Even without a great deal of programming background, I understood the author's explanations of format string vulnerabilities, cross-site scripting, and related problems. Chapter 7 was also excellent, as it showed how to disassemble Java byte code and alter it with a hex editor.

HPYWA is not perfect, however. Despite offering very strong coding advice, discussions of network-based security issues contained flaws. For example, the descriptions of denial of service on pages 13-14 and 285-286 are confused. On page 171, "SMTP" is not "Sendmail Transfer Protocol." Since I didn't read HPYWA to learn network security techniques, I didn't weigh these errors too heavily.

Developers will probably view HPYWA as a useful reminder of sound programming practices. They will also find the specific recommendations (avoid certain system calls, watch out for these formatting errors, etc.) practical and immediately applicable to their work. System administrators and security professionals will gain an understanding of the underlying weaknesses in the technologies they deploy and maintain. In short, HPYWA has a place on the bookshelves of both communities.[....]

Hacking
Asterisk Hacking
Published in Paperback by Syngress (2007-06-29)
Authors: Ben Jackson and Champ Clark
List price: $49.95
New price: $31.23
Used price: $33.73

Average review score:

asterisk pseudo-developer
Helpful Votes: 0 out of 8 total.
Review Date: 2007-11-16
Just what I was looking for. The book gives a lot of insight on the internals of asterisk and tips on how to protect against hackers. Very good value for money.

Not a hacking book at all
Helpful Votes: 7 out of 9 total.
Review Date: 2008-01-05
This book was an utter disappointment. Its editorial review suggested to me that I would learn about the deficiencies of VoIP and/or Asterisk, but in reality its main focus is on implementing an Asterisk PBX.

Only chapter 7, "Threats to VoIP communications systems" uses 19 pages to address this issue, but only poorly: Most text addresses generic network problems that we already know from other networking books, like ARP spoofing. It spends as little as half a page each on SIP-specific attacks and H.323-specific attacks. These descriptions are, of course, rather general pointers to a few documented bugs.

This book has been a waste of money for me. The editorial review for this book makes it a complete rip-off.

Hacking
Code Hacking: A Developer's Guide To Network Security (Networking Series)
Published in Paperback by Charles River Media (2004-05)
Authors: Richard Conway and Julian Cordingley
List price: $54.95
New price: $12.99
Used price: $1.50

Average review score:

USELESS
Helpful Votes: 2 out of 2 total.
Review Date: 2006-01-05
Had this book been published 5 years ago, then it would have been considered OK (just ok). Today, this is only an anachronic, elementary and overall useless book.

Currently I am researching in the secure code area and got a lot of related papers and books. By no means this book could be considered as a valid contender (alternative). It only provides "yet another" useless collection of naive and dated (loosely explained) attacks.

If really interested in this area, try Mr. VIEGAS' books. A bit repetitive (same issues discussed again in each book) but very helpful for understanding, classifying, preventing and detecting vulnerable codes.

Highly recommended for aspiring and skilled developers
Helpful Votes: 2 out of 7 total.
Review Date: 2004-08-07
The collaboration of freelance computer consultant Richard Conway and security and distributed applications consultant Julian Cordingley, Code Hacking: A Developer's Guide To Network Security is a guidebook that teaches developers basic hacking techniques and hacker methodologies and thought processes, so that developers can write code that more effectively resists hacking as well as how to write network security test harnesses for application and infrastructure. Scanners, sniffers, and common exploits are also covered in this in-depth guide that uses the languages of C#, C++, and Java to present and explain its lessons. An accompanying CD-ROM contains a custom security scanner written in C#. Highly recommended for aspiring and skilled developers in today's modern age of cybercrime.

Hacking
Google Talking
Published in Paperback by Syngress (2006-11-28)
Authors: Joshua Brashars and Johnny Long
List price: $34.95
New price: $4.18
Used price: $6.10

Average review score:

Good look "under the hood" of the Google engine
Helpful Votes: 0 out of 0 total.
Review Date: 2007-11-08
I am not sure what book the previous reviewer was reading, but this is a good companion book to Google Hacking if you are trying to squeeze the most out of the Google phenomenon.

Poor organization makes this book difficult to use effectively
Helpful Votes: 1 out of 2 total.
Review Date: 2006-12-31
I don't use much Google Talk (most of the people I talk to use IRC, SILC, or AIM as real-time chat), but I have had the opportunity to use it some. I was looking forward to this book to see if it would be worthwhile to learn more about Google Talk and how to get more out of it. I have to say that I'm disappointed in the quality of the writing and the organization of the book. The writing tries to be cute and funny, but the clarity suffers dramatically for it (the requirements discussion in Chap 2, plug-ins in Chap 5, etc). Furthermore, the organization of the book jumps around too much, mixing core usage of GTalk and extra uses (i.e. video or audio chats) too much. If the book had kept a basic theme to it -- put the common stuff up front, then talk about extras slowly and with increasing complexity and rarity -- it would have helped. However, unlike many Syngress books, this one uses screen shots effectively and clearly.

Chapter 1 is sort of what you would expect it to be, an overview of many of the popular, modern chat clients: AIM, MSN Messenger, Yahoo!, ICQ. The author slams the competition and champions Google (Google fanboy-type stuff is pretty common throughout the book) as the savior of chat. Sadly, this overview is incomplete and limited, and sets the tone of the book.

Chapter 2 talks about installing Google Talk for Windows users, and spends a lot of time talking about tangential subject matter. This is where the book's main flaw -- poor organization and a lack of clarity -- really starts to show. The book wastes some space on requirements for video and audio chats (which are not core Google Talk uses), and really skimps on the installation.

Chapter 3 talks about using Google Talk for non-Windows users. This chapter is a bit muddled, and perhaps it's because the author isn't a native OS X or Linux user. A couple of things: really, any Jabber client can work (there are dozens), and Gaim is basically the same for Linux and other supported platforms.

Chapter 4 is perhaps the most poorly organized of them all. The chapter skips around in usage, talking about basic chat usage, contact management, then over to music listings, chatting, voice chats and voice mail, file sharing, and so on. The section on personalizing Gtalk is very poorly presented.

Chapter 5 is a lengthy, mishmash of a chapter on plugins. Had the author organized the plugins better this wouldn't have been so bad, but again, the quality of presentation keeps it unclear. I had to look at a few sections a couple of times to try and figure out what was going on, including the section on theme modification. I wound up more confused about these extensions as I went along. Not a very good thing in a book!

Chapter 6 talks about proxies (as you might find in a corporate environment, in a Tor situation, or with SSH tunnels). Sadly, the section on Tor talks more about Tor basics (very incompletely) than about how to make GTalk work with Tor. Very lousy presentation of how to set up SSH tunnels, too, with incomplete steps at every turn.

Chapter 7 -- GTalk in the Enterprise -- is a neat idea, although it could have been implemented more completely. Because many enterprises have strict IM policies, they will either want to standardize on GTalk or ban it, and so both topics are (poorly, and incompletely) covered. I like this idea a lot, and I think this could have been more completely covered. I think that more books on applications should cover this sort of concept more often.

Two appendices round out the book. Appendix A covers video chats, and honestly should have been included in a standalone chapter devoted to GTalk and video (and audio) chats, which would have cut down on a lot of the confusion in the "basic usage" chapter.

Appendix B covers free video calling software, and is kind of weird -- it doesn't look like these apps integrate with GTalk, but rather would replace GTalk with video. I don't get why they're in the book, to be honest.

All in all not the best book I've read. I don't like writing negative reviews of books, but I have to be honest with this one: it's not well done. The organization is poor (it's downright confusing!), the writing is unclear (it tries to be too cute for its own good), and the coverage is weak and incomplete. If you want to learn how to use GTalk, look elsewhere, this one will not be of much use.

Hacking
Hacking BlackBerry: ExtremeTech
Published in Paperback by Wiley (2006-10-30)
Author: Glenn Bachmann
List price: $24.99
New price: $1.97
Used price: $0.54

Average review score:

Very Helpful
Helpful Votes: 0 out of 3 total.
Review Date: 2007-08-01
Contrary to the previous reviewer's comments, I found this book to be very helpful. I'm new to the BlackBerry world and this book helped me quickly get up to speed and learn about tools and techniques that aren't mentioned in the BlackBerry manuals.

Use Google and save your money
Helpful Votes: 20 out of 20 total.
Review Date: 2006-11-18
I eagerly awaited the arrival of this book, only to be faced with a manual on where to find shareware or commercial applications! As an example, the cover boldly states "Download and install custom ringtones". I then looked up the chapter only to be faced with the fact that I have to go subscribe to a service for $19.95(US) per year to load ringtones! That's not a hack, that's an excuse to push product! In this case I found all the information I need on Google to do this for free - that's a hack. The rest of the book is filled with commercial software recommendations and I was amazed that all the real hacks I found elsewhere on the Internet are not mentioned or explained?!

Seriously, save your money if you know how to use your BlackBerry and look elsewhere at the books available on Amazon.

Hacking
Identity Theft the cybercrime of the millennium
Published in Paperback by Loompanics Unlimited (1999-05-08)
Author: John Q. Newman
List price: $8.00
New price: $3.00
Used price: $2.92
Collectible price: $24.86

Average review score:

Perfect Overview
Helpful Votes: 1 out of 1 total.
Review Date: 2004-01-17
If I'd had this book before I sold my car, I wouldn't have had my identity stolen. Author John Q gives an overview of identity thieves that lets you know what areas you need to look out for. Also gives you information on the tedious follow up while you try to repair the damage done--who to contact, what to say or write. This is a real good book for the average person who is just trying to protect their privacy. I hope Loompanics has him write more on this subject. I checked with them, but although there is more in the way of privacy books, no other identity theft books come close to this for clear, concise information.

Good for a quick Glance
Helpful Votes: 3 out of 3 total.
Review Date: 2001-08-21
This book is very informative in dealing with the identity theft that is present in the US which is what I was interested in. However, I did notice it was lacking in content when dealing with other countries. For this one needs to apply previous knowledge of local systems to understand what Newman is describing. For anyone interested in Identity theft I recommend this for a once over lightly to get a quick understanding on a large topic. This book is suitable for the general public who may know very little about this crime. However, there really is no new information to be gleaned from the book.

Hacking
Preventing Computer Fraud/Book and Disk
Published in Hardcover by McGraw-Hill Companies (1993-06)
Author: Dana L. Stern
List price: $39.95
Used price: $0.37

Average review score:

Excellent reference for corporate security
Helpful Votes: 0 out of 0 total.
Review Date: 1999-03-12
I am a security engineer for a large corporation (over 2000 employees) and found this guide very useful. It had numerous case studies and some of them really related to problems I am experiencing right now. The CD Rom also helped our department work out a security outline.

Simple book from a simple mind.
Helpful Votes: 3 out of 4 total.
Review Date: 1997-09-10
This is a waste of time and money. With the big threat of Virus and Piracy in the Information age, anyone can seek to capitalize on people's fears of something they do not understand. This book is a perfect example

Hacking
Reality Hacking
Published in Paperback by John Wiley & Sons (2001-02-22)
Author: Nicola Phillips
List price: $16.95
New price: $6.90
Used price: $3.68

Average review score:

A Solid Effort!
Helpful Votes: 1 out of 2 total.
Review Date: 2001-04-02
New Age meets the New Economy in this book by British author Nicola Phillips, who shows her cyber-stripes with catchy Internet lingo, and graphics - including underlining, arrows and buttons - that give the book pages the look of Web pages. Whether you find this faux-functionality refreshing or distracting, it truly is original and unique. It's more difficult to say the same about the book's content, which is somewhat unfocused, a bit repetitive and often familiar. Nevertheless, we [...] found it interesting to read this very British approach to the Yankee-dominated self-help genre, spiced up with a jazzy high-tech angle on the most low-tech of all subjects: personal growth.

Well, Well , Well,
Helpful Votes: 2 out of 3 total.
Review Date: 2000-06-02
I thought this book was interesting but it was too vague. It includes interesting information on why things are done and the mentality of the computer hacker rather than a how to book. It also includes good information that I never knew. It also includes ideas on how to find out more. I would suggest getting this book if you have enough money and want to have a more broad view of hacking.

Hacking
Rewriting the Soul
Published in Paperback by Princeton University Press (1998-08-03)
Author: Ian Hacking
List price: $29.95
New price: $20.00
Used price: $8.88

Average review score:

Very Smart *and* Very Readable
Helpful Votes: 2 out of 2 total.
Review Date: 2008-04-11
Ian Hacking is a brilliant thinker and an elegant writer. I read this book after one of my husband's friends suggested it. He said it was the best book he can ever remember reading (like me, he prefers to read good nonfiction).
After reading the book (during which I couldn't help marking particularly good passages because I knew I'd want to reread them), I have found myself referring to this book frequently in my own writing (I'm an academic) and conversation with my students. I must agree with my husband's friend: this is certainly one of the best books I've read.
If you enjoy smart analysis of contemporary culture and the frailties of sciences claiming to map the human mind, you will really enjoy this book. If you are a deep believer in the pure and virtuous authority of psychology, you will feel disturbed.

"Less than One"
Helpful Votes: 5 out of 65 total.
Review Date: 2003-11-29
Hacking asks, "Is it real?" He referred to the epidemic nature of multiplicity. He wrote that at one time multiplicity was considered rare. Hacking asks, "What happened? What is it? And, what is the answer?" He considered that multiplicity could be a fabrication between doctor and patient or as a social circumstance. He suggests that an intervention should be made and concluded that the situation demands professional caution. He cites the organizational work done by the False Memory Syndrome Foundation, but he claimed to be neutral.

Hacking seems to be part of a movement that believes that "... emphasis on personalities is wrongheaded." He writes that multiplicity is a failure to integrate. He quotes Spiegel (1993) as saying, "The problem is not having more than one personality; it is having less than one personality." Hacking further writes a comparison of multiplicity to Alice (in Wonderland). "For this curious child was very fond of pretending to be two people. `But it's no use now,' thought poor Alice, `to pretend to be two people! Why, there is hardly enough of me left to make one respectable person!"

Yesterday, I pulled from my shelves the first book I found on multiplicity. I wanted to write the first item in THE CATALOG. I skimmed through the first chapter. And, I felt anger and betrayal. This author's thinking horrified me. I don't have the ability to remember what I have or have not read or who is who, but I'd fallen under the wrong assumption that I have bought only "good books." So-be-it. This remains the first entry. We hope to offer "some" objectivity.

We will be checking out the other books on our shelves before going much further. We find it hard to remember, but we do know what allows feeling good or bad. We're not less than one!

Kate (Aynetal System)
KathrynCoreyCenter.com

Hacking
Forensic Computing: A Practitioner's Guide (Practitioner Series)
Published in Kindle Edition by Springer (2000-09-15)
Authors: A J Sammes and Brian Jenkinson
List price: $69.95
New price: $55.80

Average review score:

A beginners guide
Helpful Votes: 18 out of 18 total.
Review Date: 2001-09-13
If you are new to the Forensic game then this book might make good reading. A large portion of the book is on disk and data structure & geometry. This makes for interesting reading if you have not covered this before, but if you are an investigator, this will be 'old' and somewhat irrelevant news.
Chapters include information on;
* PDA/Electronic Organisers,
* Search and seizure of PC's
* A little on Network and encryption (informational reading only).
Overall, not a book I would recommend for someone who has "been there, done that". From each book I read I expect to find a little bit of information that is new to me, but unfortunately I went hungry on this one! I probably wouldn't call it a 'Practitioners Guide', but more of a 'beginners guide'.

