Customer Reviews

Hack Attacks Revealed: A Complete Reference for UNIX, Windows, and Linux with Custom Security Toolkit, Second Edition

5 star:		(8)
4 star:		(2)
3 star:		(1)
2 star:		(1)
1 star:		(2)

 

 

Reviewed: Hack Attacks Revealed, 2nd Edition, 2002

I must say I am thoroughly disappointed with this book. The book's description, as well as other readers' comments led me to believe that this book would have been more than just a compilation of information that could be freely obtained at the dozens of security related web sites. Sadly, this was not the case.

The bulk of the book merely describes (mostly outdated) common
attacks/vulnerabilities, without getting into much detail why they exist and the underlying explanations on how they are exploited. As such the book reads like "For Vulnerability X, Install patch Y" without getting into more detail. Heck, even Microsoft's Security Bulletins give more info that this!

Many of the "75 Top Hack Attacks" that the book promises can be freely found online (check CERT's site).

The general impression I get from reading this book is that the author tried his best to fill up space in order to deliver an impressively thick book. Was it a requirement that he include SCREENSHOTS of various hacking tools/trojans, including step-by-step INSTALL SCREENSHOTS for the included TigerSuite software? (If you don't know how to install software then you need to develop more skills before learning about hacking!). Did he HAVE to include the useless 10 year old 'how to build a modem filter' BBS textfile (which by the way doesn't filter noise on modern modems)? Did the publisher mandate that he include 9 PAGES of Decimal-to-Hex conversion tables when you could use, say, Windows Calculator to do any needed conversions?

Another thing I disliked was that Windows XP as well as Wireless networks (802.11/WEP were glossed over) were not really covered in the sort of detail that I desired.

And, although I appreciate that a basic understanding of the x86 instruction set is required for better understanding low level security issues, I really don't see the point to Chapter 13's discussion on programming "How to Draw Circles in DOS mode" using the VESA bios interface. This is, in my opinion, not relevant considering the book's topic, so why include it? (A better choice would be explaining how the stack is used in high level languages (C, C++) and how buffer overrun hacks work). If you want to learn C, Assembly, or graphics programming buy a book dedicated to these topics. I think it's safe to say that the average reader will NOT become a programmer after reading the "Crash course in C" - it's an unreaslistic expectation.

And to top it all off, the final insult to readers is the interruption of the author's hacking experience "Intuitive Intermission" with the phrase "... to be continued in: Hack Attacks Denied, 2nd Edition". I guess both the author and publisher want you to buy both books!

My chief complaint with the book is that it doesn't seem to know who the reader is. In some areas the author gets down-and-dirty technical (x86 assembly/C programming) while in others he doesn't really explain details or just mentions things in passing (case in point: nowhere does he explain workings of a typical buffer overrun exploit, etc). Also, the author really does not give advice on how to secure or harden systems, aside from "install the update patch". For a book whose focus is security/hacking that's a pretty fatal flaw.

Like I said earlier, this book really seems to me like the author just threw any material that he could find that was remotely related to hacking and presto, one hacking book ready to ship!

If you are new to either the computer or security-related fields then perhaps this book may be of some value to you. If you are not an absolute beginner and know how to search the web, then I'd say that you probably don't need this book. Even if you do buy this book, it, like any security related book, will become technically obsolete as new software/exploits/patches are found.

Quote: (under "Who should read this book?")

"The hacking enthusiast and admirer of such films as Sneakers, The Matrix, Hackers, and Swordfish"

If you still need another reason not to purchase this book, the above quote says it all!

This book has done nothing to dispell my theory that the information
content of a book is often inversely proportional to the number of pages
in the book. I'm 200 pages into it and that's as far as I'm
going to get. I expected some basic filler/theory in the first few
pages, but plowed on in the hopes that the author understood
the theory he was presenting and would use it later to explain security
exploits. However, I lost all confidence in the book when
I reached page 167, where the author demonstrates that he doesn't
understand ping and/or DNS. I don't bring this up to nitpick. I bring it up
because I think that anybody with pretensions to
being a security expert had better know the basics of how the
Internet works. How is anybody to make sense of, say, DNS spoofing,
without knowing how DNS works?

In case it's not obvious, the author confuses and muddles together
the actions of resolving a DNS domain name to an IP
address, and then using that IP address to send an ICMP echo
request to the destination. This may seem like a minor thing,
but its not just a typo (he makes the same mistake in three
different places on page 167), and security is a confusing
enough business without muddled descriptions like these.

On a more minor note, I do not see the point in filling page
after page with pretty pictures of the GUIs that hackers use
at their end. The publishers probably know better than I do
what sells today, but I don't understand why they and/or the
authors apparently feel that the thicker a book is, the better.

I have been teaching Windows 2000 and Unix security for the U.S. Army for 3 years. I am constantly searching for a book that will provide true insight into the hacker mindset and methods. Most books dawdle in the routine and well known hacks and still leave you wanting. "Hack Attacks Revealed, 2nd edition", takes you to the next level. It is the single best security reference book that I've seen.

You rarely find a book that provides indepth coverage of Windows, Unix, and Linux security. Hack Attacks Revealed's information, tutorials, and tools provide you with everything you would need to test and secure a computer system or network. As a bonus, the fully licensed TigerSuite Professional (version 3.5) is included on the accompanying CD. This is an amazing grouping of tools to analyze and test the security of a computer network. In class, I routinely use TigerSuite to demonstrate security shortfalls. My students are so impressed that they immediately ask me where I got it and how can they get it.

"Hack Attacks Revealed" has something for every skill level, whether it is teaching you how to subnet, compile a security tool or walking you through a buffer overflow. The First edition was great and John Chirillo found a way to go it one better.

I was relieved to read that this isn't considered a very useful reference on How to Hack. Certainly Ch. seems at his most enthusiastic, frothiest, even foamiest, in talking about the wonderful world of hacking. Yeah, he repeatedly trots out the line about having to know how to attack to know how to defend, time after time, but ya' gotta' wonder where his heart lies (Okay, even Milton had this problem.)

And that certainly is irksome if you, like me, are one of the growing number of people who have reluctantly become 'security amateurs,' and find ourselves reading 900+ page books, due to invasion of our privacy by amateur criminals. Whatever its merits for security professionals, this is probably not the book for you. It assumes too much technical background and doesn't provide sufficient detail on implementing various solutions. True, this may be covered in more detail in his other book, but including that we're talking 1800 pages...

Editing would have helped, certainly. The 75 basic hack attacks are a useful overview on just how paranoid you should be, but the basic information about some of them is repeated up to 4 times, sometimes as boilerplate.

I have seen a few books more suitable for amateurs, but the truth is that they aren't detailed enough to be helpful. I think that the only real solution to the security problem in the IT industry is to wake up to the fact that caveat emptor, 'professional ethics,' and self-regulation isn't working any better there than in health and safety, restaurant sanitation, the stock market or...well, you work it out. As long as it is only sort of illegal to break into someone's house as long as you use a computer, most geeks will do it.

The ISPs aren't taking this seriously because they know people aren't much more likely to stop using e-mail than to stop using the phone, and most companiues were only kidding when they said they were interested in your problems.

Once there are some laws with real teeth and real fines and real jail time, those who aspire to the appearance of respectability will go back to their regularly scheduled activities including tale bearing, beating the old lady, bothering the women (men) at work just enough to stay on the right side of the law, bitching about how the old lady (old man) doesn't want to screw, kicking the dog, pulling the wings off flies, and complaining how much better everything was in the good old days.

I found this 2ed more useful than the first. With updated NEWER exploits and Top 75 Hacks I found a great resource. My company is now using them in our policy testing. Oh and finally no more trial software on the CD.

I read the first Hack Attacks Revealed, and it helped me out a great deal. I just completed reading the Second Edition, and it is even better. There is a good amount of new material and new vulnerability information, and the Tiger Suite continues to get even better.
The Second Edition does a better job of explaining some of the methods used by hackers and the like. What I especially like is the explanaitons of how some of these negatives can be used as positives. For example, using password crackers to gain legitimate access in cases of forgotten passwords, or when employees leave a company without ensuring company assets are made available.

EXCELLENT JOB, KEEP UP THE GOOD WORK--Can't wait for the Third Edition......

This book promises quite a bit in the new edition, let's see what's really in here. Okay, the chapter layout is completely different as the book starts with a Technology section, followed by Discovery, then Penetration, Vulnerabilities, and finally the Toolbox. The technology part is nicely abridged to about 87 pages. The Discovery part differs greatly in that the source code has been moved to the CD and the author added more coverage and examples plus some stealthier techniques and most recent SNMP, file sharing, DNS, NetBIOS, and CGI stuff. The ports and services are still there but I found them to be pretty handy references at any rate. Penetration contains updated material and it's nice to see IDS stuff in here too. The Vulnerabilities section is promising. There's an excellent chapter on the top 75 exploits that have certainly proven to be the most misuses of security weaknesses and the newer material makes it significant. The CD contains some of the same plus full licensed software, an updated repository and all the source code moved from the original text. All things considered, this book pans out to be more of an original than a second edition and well worth the read.

The book highlight all the topics about the hacker used to hack. Very interesting book and easy to follow in order to defense yourself. Good for middle level user (some terms may not be easy to understand by beginner).

I bought the 4th edition of Hack Attacks Revealed. This whole genre seems to be drenched in hyperbole and once again the marketing machine seems to have invaded these pages. The book does have copious basic information. The Tiger Tools are a very sick joke with barely any functionality or worth. Someone really should sue. The exploit code, which is unusually copious for a work of this ilk, does not of course in the main part work and I found only a very few of the very most mundane code would compile under MinGW, Cygwin or Linux, even after downloading the libraries specifically recommended by the online support team at tigertools.com who, to be fair, were prompt in their reply. No manner or library-jiggling and simple repairs sufficed: you've really got to understand programming sockets in C or perl to fix the average exploit. The hype of the titles and cover blurbs for this kind of book increases every season but the delivery remains as lame as it always has been. For anyone serious about taking a practical look at hacking time spent at securityfocus.org, neworder.box.sk or similar is in my opinion much more rewarding.

I was pleasantly surprised with not only the wealth of information contained within, but also at the very thought-of integration of different aspects (I am talking here about the "Technology Handbook" chapter, alongside the networking, OS, etc. ... not necessarily hacker-only related, but rather with extraordinary good content for any technical reader).
I think the book is a great reference of not only "hacking issues", but also in regards to many other aspects involved in multilateral characteristics of jobs like ours - the IT people (the very condensed and right on the subject VLAN section is a perfect example of what I am referring too ... to mention just one of the many similarly very useful, but hard to come by in other security books, info pieces from this one).